Edit tour

Windows Analysis Report
DUWPFaZd3a.exe

Overview

General Information

Sample name:	DUWPFaZd3a.exe renamed because original name is a hash value
Original sample name:	030964274f733e0ee36325bb31c5782fcdbaebe2b5b48223f294a86748e6afa8.exe
Analysis ID:	1588949
MD5:	2223635bfd2858c030d72df51b6b9bac
SHA1:	325ddb9b3d095ef1a185d71dbb1677ef86ee2128
SHA256:	030964274f733e0ee36325bb31c5782fcdbaebe2b5b48223f294a86748e6afa8
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla, DarkTortilla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

AI detected suspicious sample

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DUWPFaZd3a.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\DUWPFaZd3a.exe" MD5: 2223635BFD2858C030D72DF51B6B9BAC)

cmd.exe (PID: 7672 cmdline: "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7724 cmdline: ping 127.0.0.1 -n 15 MD5: B3624DD758CCECF93A1226CEF252CA12)

reg.exe (PID: 7988 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 7840 cmdline: "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\DUWPFaZd3a.exe" "C:\Users\user\AppData\Roaming\Windowsx.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\Windowsx.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7884 cmdline: ping 127.0.0.1 -n 28 MD5: B3624DD758CCECF93A1226CEF252CA12)

PING.EXE (PID: 4080 cmdline: ping 127.0.0.1 -n 28 MD5: B3624DD758CCECF93A1226CEF252CA12)

Windowsx.exe (PID: 2916 cmdline: "C:\Users\user\AppData\Roaming\Windowsx.exe" MD5: 2223635BFD2858C030D72DF51B6B9BAC)

InstallUtil.exe (PID: 7268 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1804509534.0000000003908000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2932862230.0000000002A64000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2932862230.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2792267079.0000000002981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2815691384.0000000003A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1802873796.00000000028E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1805897613.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000D.00000002.2792267079.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1802873796.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: DUWPFaZd3a.exe PID: 7516	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: DUWPFaZd3a.exe PID: 7516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DUWPFaZd3a.exe PID: 7516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DUWPFaZd3a.exe PID: 7516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Windowsx.exe PID: 2916	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: Windowsx.exe PID: 2916	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Windowsx.exe PID: 2916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Windowsx.exe PID: 2916	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 7268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7268	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.Windowsx.exe.3a040c2.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.39088d0.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
13.2.Windowsx.exe.3c6b652.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
13.2.Windowsx.exe.3c6b652.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Windowsx.exe.3c6b652.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.Windowsx.exe.3c6b652.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.4ed0000.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.39088d0.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.4ed0000.6.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.37f9562.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.37f9562.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.37f9562.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.37f9562.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.3ae2362.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.3ae2362.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.3ae2362.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.3ae2362.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.38740c2.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.38740c2.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.38740c2.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.38740c2.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.Windowsx.exe.3c6b652.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
13.2.Windowsx.exe.3c6b652.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Windowsx.exe.3c6b652.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.Windowsx.exe.3c6b652.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.Windowsx.exe.3c6b652.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.38b1678.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.38b1678.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.38b1678.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.Windowsx.exe.3c2e082.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
13.2.Windowsx.exe.3c2e082.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Windowsx.exe.3c2e082.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.Windowsx.exe.3c2e082.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x730df:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x73151:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x731db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7326d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x732d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x73349:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x733df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x7346f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.Windowsx.exe.3c2e082.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
13.2.Windowsx.exe.3c2e082.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Windowsx.exe.3c2e082.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.Windowsx.exe.3c2e082.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.Windowsx.exe.3c2e082.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x730df:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x73151:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x731db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7326d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x732d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x73349:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x733df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x7346f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x730c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x73137:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x731c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x73253:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x732bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x7332f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x733c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x73455:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 65 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Windowsx.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Systemip

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7672, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe", ProcessId: 7988, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\DUWPFaZd3a.exe", ParentImage: C:\Users\user\Desktop\DUWPFaZd3a.exe, ParentProcessId: 7516, ParentProcessName: DUWPFaZd3a.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe", ProcessId: 7672, ProcessName: cmd.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.230.214.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7268, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 57403

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DUWPFaZd3a.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windowsx.exe

Avira: detection malicious, Label: HEUR/AGEN.1307447

Found malware configuration

Source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windowsx.exe

ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: DUWPFaZd3a.exe	Virustotal: Detection: 47%			Perma Link
Source: DUWPFaZd3a.exe	ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windowsx.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DUWPFaZd3a.exe

Joe Sandbox ML: detected

Source: DUWPFaZd3a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DUWPFaZd3a.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003908000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1805897613.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:57403 -> 185.230.214.164:587

Source: global traffic

TCP traffic: 192.168.2.4:57134 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 185.230.214.164 185.230.214.164

Source: Joe Sandbox View

ASN Name: COMPUTERLINEComputerlineSchlierbachSwitzerlandCH COMPUTERLINEComputerlineSchlierbachSwitzerlandCH

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.4:57403 -> 185.230.214.164:587

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: smtp.zoho.eu

Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2930634034.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2930634034.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: InstallUtil.exe, 0000000E.00000002.2932862230.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, Windowsx.exe, 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Windowsx.exe, 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: InstallUtil.exe, 0000000E.00000002.2932862230.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.zoho.eu
Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2930634034.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://status.thawte.com0:
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2930634034.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, Windowsx.exe, 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Windowsx.exe, 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Windowsx.exe.3c6b652.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.37f9562.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.3ae2362.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.38740c2.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Windowsx.exe.3c6b652.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.38b1678.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Windowsx.exe.3c2e082.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Windowsx.exe.3c2e082.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\Windowsx.exe

Code function: 13_2_0D1D28D0 CreateProcessAsUserW,

13_2_0D1D28D0

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_027D6C70	0_2_027D6C70
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_027D7B60	0_2_027D7B60
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E23B80	0_2_05E23B80
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E2BE94	0_2_05E2BE94
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E23B70	0_2_05E23B70
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E2DA68	0_2_05E2DA68
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E2DA57	0_2_05E2DA57
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E467F0	0_2_05E467F0
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E4DF50	0_2_05E4DF50
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E456B8	0_2_05E456B8
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E451E0	0_2_05E451E0
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E439F8	0_2_05E439F8
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E47D70	0_2_05E47D70
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E47D37	0_2_05E47D37
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E4D510	0_2_05E4D510
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05E439FA	0_2_05E439FA
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_02756F48	13_2_02756F48
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_02757C08	13_2_02757C08
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E33A40	13_2_05E33A40
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E3D928	13_2_05E3D928
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E3D917	13_2_05E3D917
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E33A30	13_2_05E33A30
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E956B8	13_2_05E956B8
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E939F8	13_2_05E939F8
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E97D70	13_2_05E97D70
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E97D37	13_2_05E97D37
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E967F0	13_2_05E967F0
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E9A6EF	13_2_05E9A6EF
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E9CE08	13_2_05E9CE08
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E951E0	13_2_05E951E0
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E939FA	13_2_05E939FA
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E9D0A1	13_2_05E9D0A1
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A47D9	13_2_078A47D9
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078ACF58	13_2_078ACF58
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A5688	13_2_078A5688
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A3E10	13_2_078A3E10
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A3598	13_2_078A3598
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A7D41	13_2_078A7D41
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A4161	13_2_078A4161
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A2977	13_2_078A2977
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A18E0	13_2_078A18E0
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A7B98	13_2_078A7B98
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A7BA8	13_2_078A7BA8
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A734E	13_2_078A734E
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A76E8	13_2_078A76E8
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A76F8	13_2_078A76F8
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A4610	13_2_078A4610
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A55F9	13_2_078A55F9
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A7921	13_2_078A7921
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A7930	13_2_078A7930
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A6560	13_2_078A6560
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A6570	13_2_078A6570
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078AC4A0	13_2_078AC4A0
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A34E0	13_2_078A34E0
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078AF4F0	13_2_078AF4F0
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A4028	13_2_078A4028
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A7040	13_2_078A7040
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A8852	13_2_078A8852
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_078A7050	13_2_078A7050
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D3148	13_2_0D1D3148
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D5180	13_2_0D1D5180
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D1791	13_2_0D1D1791
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D0A28	13_2_0D1D0A28
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D2E50	13_2_0D1D2E50
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D0110	13_2_0D1D0110
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D0169	13_2_0D1D0169
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D7998	13_2_0D1D7998
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D1190	13_2_0D1D1190
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D01FB	13_2_0D1D01FB
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D0C07	13_2_0D1D0C07
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D0311	13_2_0D1D0311
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D37E1	13_2_0D1D37E1
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D0A18	13_2_0D1D0A18
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D2E41	13_2_0D1D2E41
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_0D1D028B	13_2_0D1D028B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_027E41F0	14_2_027E41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_027EA568	14_2_027EA568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_027E4AC0	14_2_027E4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_027EEE20	14_2_027EEE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_027E3EA8	14_2_027E3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_027EAD28	14_2_027EAD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_062F24F1	14_2_062F24F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_062FE128	14_2_062FE128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06307E50	14_2_06307E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_063066C0	14_2_063066C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06302430	14_2_06302430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0630C250	14_2_0630C250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06305258	14_2_06305258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0630B300	14_2_0630B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06307770	14_2_06307770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_0630E470	14_2_0630E470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06300040	14_2_06300040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_063059C0	14_2_063059C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_06300017	14_2_06300017

Source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003908000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTopaknomiGortil.dllB vs DUWPFaZd3a.exe
Source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7bc3a901-84f9-4a81-8277-20a61843655f.exe4 vs DUWPFaZd3a.exe
Source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7bc3a901-84f9-4a81-8277-20a61843655f.exe4 vs DUWPFaZd3a.exe
Source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7bc3a901-84f9-4a81-8277-20a61843655f.exe4 vs DUWPFaZd3a.exe
Source: DUWPFaZd3a.exe, 00000000.00000002.1802156876.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DUWPFaZd3a.exe
Source: DUWPFaZd3a.exe, 00000000.00000000.1674114593.0000000000CF0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename90989.exe@ vs DUWPFaZd3a.exe
Source: DUWPFaZd3a.exe, 00000000.00000002.1805897613.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTopaknomiGortil.dllB vs DUWPFaZd3a.exe
Source: DUWPFaZd3a.exe	Binary or memory string: OriginalFilename90989.exe@ vs DUWPFaZd3a.exe

Source: DUWPFaZd3a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"

Source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Windowsx.exe.3c6b652.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.37f9562.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.3ae2362.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.38740c2.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Windowsx.exe.3c6b652.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.38b1678.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Windowsx.exe.3c2e082.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Windowsx.exe.3c2e082.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/7@2/3

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DUWPFaZd3a.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03

Source: DUWPFaZd3a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DUWPFaZd3a.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DUWPFaZd3a.exe	Virustotal: Detection: 47%
Source: DUWPFaZd3a.exe	ReversingLabs: Detection: 70%

Source: unknown	Process created: C:\Users\user\Desktop\DUWPFaZd3a.exe "C:\Users\user\Desktop\DUWPFaZd3a.exe"
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\DUWPFaZd3a.exe" "C:\Users\user\AppData\Roaming\Windowsx.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\Windowsx.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Windowsx.exe "C:\Users\user\AppData\Roaming\Windowsx.exe"
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\DUWPFaZd3a.exe" "C:\Users\user\AppData\Roaming\Windowsx.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\Windowsx.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Windowsx.exe "C:\Users\user\AppData\Roaming\Windowsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: DUWPFaZd3a.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DUWPFaZd3a.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3a040c2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.39088d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.4ed0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.39088d0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.4ed0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2792267079.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2815691384.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1802873796.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1805897613.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2792267079.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1802873796.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUWPFaZd3a.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windowsx.exe PID: 2916, type: MEMORYSTR

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Code function: 0_2_05B63EF7 push ebp; ret	0_2_05B63EF8
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E9BE71 push ecx; ret	13_2_05E9BE82
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Code function: 13_2_05E9BE30 pushad ; ret	13_2_05E9BE43

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Windowsx.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Systemip			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Systemip			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	File opened: C:\Users\user\Desktop\DUWPFaZd3a.exe\:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	File opened: C:\Users\user\AppData\Roaming\Windowsx.exe\:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: DUWPFaZd3a.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windowsx.exe PID: 2916, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, Windowsx.exe, 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Windowsx.exe, 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Memory allocated: 47F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: 7A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: 8A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: 8BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: 9BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: 9F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: AF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory allocated: BF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 49E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Window / User API: threadDelayed 7356	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Window / User API: threadDelayed 1203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Window / User API: threadDelayed 7402	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Window / User API: threadDelayed 1168	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6558	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe TID: 7688	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe TID: 7536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe TID: 3688	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe TID: 5900	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe TID: 3868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7724	Thread sleep count: 3266 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7724	Thread sleep count: 6558 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -199750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98183s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97744s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -97063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99108s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7728	Thread sleep time: -98110s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98183	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98110	Jump to behavior

Source: InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: DUWPFaZd3a.exe, 00000000.00000002.1805897613.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQc
Source: DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003908000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1805897613.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTrayS
Source: InstallUtil.exe, 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 14_2_027E70B0 CheckRemoteDebuggerPresent,

14_2_027E70B0

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\Windowsx.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Windowsx.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 442000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 900008	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\DUWPFaZd3a.exe" "C:\Users\user\AppData\Roaming\Windowsx.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\Windowsx.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Windowsx.exe "C:\Users\user\AppData\Roaming\Windowsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Users\user\Desktop\DUWPFaZd3a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUWPFaZd3a.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windowsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windowsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DUWPFaZd3a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38b1678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2932862230.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2932862230.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUWPFaZd3a.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windowsx.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7268, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38b1678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUWPFaZd3a.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windowsx.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7268, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c6b652.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.37f9562.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38b1678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3ae2362.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38b1678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.3aa4d92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Windowsx.exe.3c2e082.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUWPFaZd3a.exe.38740c2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2932862230.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2932862230.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUWPFaZd3a.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windowsx.exe PID: 2916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7268, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Obfuscated Files or Information	1 Credentials in Registry	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	631 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Valid Accounts	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	261 Virtualization/Sandbox Evasion	Proc Filesystem	11 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DUWPFaZd3a.exe	48%	Virustotal		Browse
DUWPFaZd3a.exe	71%	ReversingLabs	Win32.Trojan.Jalapeno
DUWPFaZd3a.exe	100%	Avira	HEUR/AGEN.1307447
DUWPFaZd3a.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Windowsx.exe	100%	Avira	HEUR/AGEN.1307447
C:\Users\user\AppData\Roaming\Windowsx.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windowsx.exe	71%	ReversingLabs	Win32.Trojan.Jalapeno

Source	Detection	Scanner	Label	Link
http://smtp.zoho.eu	0%	Avira URL Cloud	safe
http://status.thawte.com0:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.zoho.eu	185.230.214.164	true	true		unknown
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	DUWPFaZd3a.exe, 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, DUWPFaZd3a.exe, 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, Windowsx.exe, 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Windowsx.exe, 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2930634034.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.tiro.com	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2930634034.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://smtp.zoho.eu	InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://status.thawte.com0:	InstallUtil.exe, 0000000E.00000002.2932862230.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2932862230.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2930634034.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2931516728.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2938506170.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	InstallUtil.exe, 0000000E.00000002.2932862230.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 0000000E.00000002.2932862230.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	DUWPFaZd3a.exe, 00000000.00000002.1807310241.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
185.230.214.164	smtp.zoho.eu	Netherlands		41913	COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588949
Start date and time:	2025-01-11 07:33:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DUWPFaZd3a.exe renamed because original name is a hash value
Original Sample Name:	030964274f733e0ee36325bb31c5782fcdbaebe2b5b48223f294a86748e6afa8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/7@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 278 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:34:27	API Interceptor	41x Sleep call for process: DUWPFaZd3a.exe modified
01:35:34	API Interceptor	68x Sleep call for process: Windowsx.exe modified
01:36:19	API Interceptor	63x Sleep call for process: InstallUtil.exe modified
06:34:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Systemip C:\Users\user\AppData\Roaming\Windowsx.exe
06:34:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Systemip C:\Users\user\AppData\Roaming\Windowsx.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	J8V6dFanEo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	3FjrbCZgDN.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
185.230.214.164	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse
	kG713MWffq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Drawing_Products_Materials_and_Samples_IMG.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe	Get hash	malicious	GuLoader	Browse
	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	Orden#46789_2024_Optoflux_mexico_sderlss.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Orden#46789_2024_Optoflux_mexico_sderls.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	okPY77wv6E.exe	Get hash	malicious	AgentTesla	Browse
	RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe	Get hash	malicious	AgentTesla	Browse
	RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe	Get hash	malicious	GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	J8V6dFanEo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	3FjrbCZgDN.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
smtp.zoho.eu	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	kG713MWffq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.230.214.164
	Drawing_Products_Materials_and_Samples_IMG.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	185.230.214.164
	CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe	Get hash	malicious	GuLoader	Browse	185.230.214.164
	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.230.214.164
	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	File.com.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.230.212.164

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	89.36.170.147
	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://workdrive.zohopublic.com/writer/open/p369v1c9203e54b114ff78bf68159454d9c26	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://workdrive.zohopublic.com/writer/open/p369v39db425d23f84b09b5751cf359b081f4	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN	Get hash	malicious	HTMLPhisher	Browse	89.36.170.147
	2024 Tepa LLC RFP Proposal.docx	Get hash	malicious	Unknown	Browse	185.230.214.169
	https://forms.office.com/e/YpaL2Dw0r2	Get hash	malicious	Unknown	Browse	185.230.214.19
	https://jxgy-zcmp.maillist-manage.eu/click/1315cead38f4e738/1315cead38f50cec	Get hash	malicious	Unknown	Browse	185.230.212.29
	https://workdrive.zohoexternal.com/file/d3qaw4673940b54374623b165953068c580b5	Get hash	malicious	HTMLPhisher	Browse	89.36.170.147
TUT-ASUS	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	J8V6dFanEo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	3FjrbCZgDN.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\DUWPFaZd3a.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windowsx.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Windowsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\Windowsx.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	669184
Entropy (8bit):	6.505210232985677
Encrypted:	false
SSDEEP:	12288:OT6TNcuLRQi1QKmm/SIo6I6JT/szfpdCM:BayRzzaY/szfXC
MD5:	2223635BFD2858C030D72DF51B6B9BAC
SHA1:	325DDB9B3D095EF1A185D71DBB1677EF86EE2128
SHA-256:	030964274F733E0EE36325BB31C5782FCDBAEBE2B5B48223F294A86748E6AFA8
SHA-512:	934C5FF2B10F82370781BB0B4E676C95B0DC1E1206D972F173D4239476852DED7E2F6AB3A6506243F4AF05BB7217634D6E37967775FD36CF6590364DFA77DBC2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......V.....................^........... ........@.. ....................................`.................................L...O.......tZ...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...tZ.......\..................@..@.reloc.......`.......4..............@..B........................H........b..............L...P...........................................x.X.."e........@.N.j.k\|}2..[@.......vg.F.....]ghq..G....P.Y..q.v..h.i....u.?.j..<..6.u.%...p#;X...R.^)6..7.-.'...5....n.d..W.9Tc.t......i...Y..s.L.[{...p.'...]..xr#W;#ws\....px....%F.Jk.f.~.~.e.$"O............p+._2...K...xB.s7LU.,.$.t.\.7.{.!..r.v.....X.>".i.7....A..{...uAV4..Z....d3..M...F.{.x.?13.....{..yXn.....~.L5.:^d]....s.'.".d..;...C.7.ax......S...7.:.).Y.$....g.!c..cQ......

C:\Users\user\AppData\Roaming\Windowsx.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	4.76085226484577
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeT0sR:/ZTAokItULVDv
MD5:	5040A956CEED74BBC4F0ED871791EA24
SHA1:	E99982033A3263C3D69FE812A23E1F59F0CDDDC2
SHA-256:	0871CCAE12C6B67BB8E64760D4850125AE4744A508CCA5A55A7A90813E53CF02
SHA-512:	834C9885244E4AD260FF322E1437676D1672DC40BF907D4A3D796D348FF612951C963BA52B1C23163EDEEAEA51DBA262C3EC7EF9F063D5AC612D2AFF6B366D6A
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.505210232985677
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DUWPFaZd3a.exe
File size:	669'184 bytes
MD5:	2223635bfd2858c030d72df51b6b9bac
SHA1:	325ddb9b3d095ef1a185d71dbb1677ef86ee2128
SHA256:	030964274f733e0ee36325bb31c5782fcdbaebe2b5b48223f294a86748e6afa8
SHA512:	934c5ff2b10f82370781bb0b4e676c95b0dc1e1206d972f173d4239476852ded7e2f6ab3a6506243f4af05bb7217634d6e37967775fd36cf6590364dfa77dbc2
SSDEEP:	12288:OT6TNcuLRQi1QKmm/SIo6I6JT/szfpdCM:BayRzzaY/szfXC
TLSH:	C3E4E10EB3889834E1692DB5C4F783B00174ED8BA462D2D70E6D3DA6ED64F5491F22F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......V.....................^........... ........@.. ....................................`................................

File Icon


Icon Hash:	74f0d4d4d4d4d4cc

Static PE Info

General

Entrypoint:	0x49f59e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5619B8FA [Sun Oct 11 01:18:50 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9f54c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x5a74	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9d5a4	0x9d600	9ae39178c44b8c19a6be8538ef57ffc9	False	0.6346011839753772	data	6.524720912226903	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x5a74	0x5c00	eecb43b587fe3f2c66110b533d929a8a	False	0.28061311141304346	data	5.00749913499219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	c1438e8acfb72605ba364d0618d1202a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa0178	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.19060283687943264
RT_ICON	0xa05e0	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	0.11429872495446267
RT_ICON	0xa1708	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	0.07211147274206672
RT_ICON	0xa3d70	0x1952	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.7099660598580685
RT_GROUP_ICON	0xa56c4	0x3e	data	0.8709677419354839
RT_VERSION	0xa5704	0x370	data	0.45795454545454545

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:34:45.588342905 CET	57134	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:34:45.593214989 CET	53	57134	1.1.1.1	192.168.2.4
Jan 11, 2025 07:34:45.593342066 CET	57134	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:34:45.598268032 CET	53	57134	1.1.1.1	192.168.2.4
Jan 11, 2025 07:34:46.045622110 CET	57134	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:34:46.050712109 CET	53	57134	1.1.1.1	192.168.2.4
Jan 11, 2025 07:34:46.053133965 CET	57134	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:36:17.902466059 CET	57402	80	192.168.2.4	208.95.112.1
Jan 11, 2025 07:36:17.907293081 CET	80	57402	208.95.112.1	192.168.2.4
Jan 11, 2025 07:36:17.907464981 CET	57402	80	192.168.2.4	208.95.112.1
Jan 11, 2025 07:36:17.908416033 CET	57402	80	192.168.2.4	208.95.112.1
Jan 11, 2025 07:36:17.913168907 CET	80	57402	208.95.112.1	192.168.2.4
Jan 11, 2025 07:36:18.382730007 CET	80	57402	208.95.112.1	192.168.2.4
Jan 11, 2025 07:36:18.435180902 CET	57402	80	192.168.2.4	208.95.112.1
Jan 11, 2025 07:36:19.656599045 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:19.661508083 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:19.661582947 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:20.237716913 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:20.237972021 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:20.242881060 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:20.716078997 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:20.769068003 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:20.845627069 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:20.846057892 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:20.850936890 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.033030033 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.040841103 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:21.045741081 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.228615999 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.228660107 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.228693962 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.228723049 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:21.231895924 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:21.236769915 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.418989897 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.472208023 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:21.495594025 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:21.500554085 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.682352066 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.717364073 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:21.722237110 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.904088974 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:21.909884930 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:21.914742947 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.217353106 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.217601061 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:22.222662926 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.404457092 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.404685020 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:22.409533024 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.591377020 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.591605902 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:22.597526073 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.779344082 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.779942036 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:22.780035019 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:22.780035019 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:22.780055046 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:22.784786940 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.784801006 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.784878016 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:22.784890890 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:23.611994982 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:23.659724951 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:23.737159014 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:23.741938114 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:23.923813105 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:23.924204111 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:23.924264908 CET	587	57403	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:23.924268961 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:23.924313068 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:23.928041935 CET	57403	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:23.928863049 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:23.933672905 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:23.933862925 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:24.513597012 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:24.513761044 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:24.518604994 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:24.797249079 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:24.799123049 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:24.803993940 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:24.986989021 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:24.987339020 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:24.992754936 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.175138950 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.175154924 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.175168991 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.175184011 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.175503016 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:25.176855087 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:25.182583094 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.363950014 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.365371943 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:25.370232105 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.552015066 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.552826881 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:25.558433056 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.740564108 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.740889072 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:25.746114016 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.964026928 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:25.964302063 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:25.969470024 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.151942015 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.154572964 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.159478903 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.341495991 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.342032909 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.348853111 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.530632973 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.532226086 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.532356977 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.532357931 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.532481909 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.532557011 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.532632113 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.532632113 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.532690048 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.532690048 CET	57404	587	192.168.2.4	185.230.214.164
Jan 11, 2025 07:36:26.537175894 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537226915 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537255049 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537360907 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537447929 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537576914 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537661076 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537708044 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537735939 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537761927 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:26.537789106 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:27.017453909 CET	587	57404	185.230.214.164	192.168.2.4
Jan 11, 2025 07:36:27.072427988 CET	57404	587	192.168.2.4	185.230.214.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:34:45.587856054 CET	53	51014	1.1.1.1	192.168.2.4
Jan 11, 2025 07:36:17.887098074 CET	52159	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:36:17.894404888 CET	53	52159	1.1.1.1	192.168.2.4
Jan 11, 2025 07:36:19.648256063 CET	59696	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:36:19.655553102 CET	53	59696	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 07:36:17.887098074 CET	192.168.2.4	1.1.1.1	0x7c62	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:19.648256063 CET	192.168.2.4	1.1.1.1	0xf0c0	Standard query (0)	smtp.zoho.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 07:36:17.894404888 CET	1.1.1.1	192.168.2.4	0x7c62	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:36:19.655553102 CET	1.1.1.1	192.168.2.4	0xf0c0	No error (0)	smtp.zoho.eu		185.230.214.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	57402	208.95.112.1	80	7268	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:36:17.908416033 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 07:36:18.382730007 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:36:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2025 07:36:20.237716913 CET	587	57403	185.230.214.164	192.168.2.4	220 mx.zoho.eu SMTP Server ready January 11, 2025 7:36:20 AM CET
Jan 11, 2025 07:36:20.237972021 CET	57403	587	192.168.2.4	185.230.214.164	EHLO 210979
Jan 11, 2025 07:36:20.716078997 CET	587	57403	185.230.214.164	192.168.2.4	250-mx.zoho.eu Hello 210979 (8.46.123.189 (8.46.123.189)) 250-STARTTLS
Jan 11, 2025 07:36:20.845627069 CET	587	57403	185.230.214.164	192.168.2.4	250 SIZE 53477376
Jan 11, 2025 07:36:20.846057892 CET	57403	587	192.168.2.4	185.230.214.164	STARTTLS
Jan 11, 2025 07:36:21.033030033 CET	587	57403	185.230.214.164	192.168.2.4	220 Ready to start TLS.
Jan 11, 2025 07:36:24.513597012 CET	587	57404	185.230.214.164	192.168.2.4	220 mx.zoho.eu SMTP Server ready January 11, 2025 7:36:24 AM CET
Jan 11, 2025 07:36:24.513761044 CET	57404	587	192.168.2.4	185.230.214.164	EHLO 210979
Jan 11, 2025 07:36:24.797249079 CET	587	57404	185.230.214.164	192.168.2.4	250-mx.zoho.eu Hello 210979 (8.46.123.189 (8.46.123.189)) 250-STARTTLS 250 SIZE 53477376
Jan 11, 2025 07:36:24.799123049 CET	57404	587	192.168.2.4	185.230.214.164	STARTTLS
Jan 11, 2025 07:36:24.986989021 CET	587	57404	185.230.214.164	192.168.2.4	220 Ready to start TLS.

Target ID:	0
Start time:	01:34:25
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\DUWPFaZd3a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DUWPFaZd3a.exe"
Imagebase:	0xc50000
File size:	669'184 bytes
MD5 hash:	2223635BFD2858C030D72DF51B6B9BAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1804509534.0000000003908000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1804509534.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1804509534.0000000003A67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1802873796.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1804509534.0000000003874000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1805897613.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1802873796.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:34:27
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:34:27
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:34:27
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 15
Imagebase:	0x5d0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:34:37
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\DUWPFaZd3a.exe" "C:\Users\user\AppData\Roaming\Windowsx.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\Windowsx.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:34:37
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:34:37
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 28
Imagebase:	0x5d0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:34:41
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Systemip" /t REG_SZ /d "C:\Users\user\AppData\Roaming\Windowsx.exe"
Imagebase:	0x6f0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:35:05
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 28
Imagebase:	0x5d0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:35:32
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\Windowsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windowsx.exe"
Imagebase:	0xbd0000
File size:	669'184 bytes
MD5 hash:	2223635BFD2858C030D72DF51B6B9BAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000D.00000002.2792267079.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2815691384.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000D.00000002.2815691384.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000D.00000002.2792267079.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2815691384.0000000003989000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:35:44
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x700000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2932862230.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2932862230.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2932862230.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2929592637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 027D6C70 Relevance: 11.2, Strings: 8, Instructions: 1224COMMON

Download Yara Rule

Strings

,bq, xrefs: 027D7830
(o^q, xrefs: 027D77AA
Hbq, xrefs: 027D733E
,bq, xrefs: 027D7822
(o^q, xrefs: 027D77B8
(o^q, xrefs: 027D7472
,bq, xrefs: 027D6D46
,bq, xrefs: 027D6D50

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq$,bq$,bq$Hbq
API String ID: 0-2809086048
Opcode ID: ec2707eb91a2f030ac9dbc6b5b70a0d1b556984bb19dc626280fd928bbdd5c20
Instruction ID: 46c9cc9421b00286b123c0f7cee74f55bfc2742ba5cfac74869d65bcad2dc123
Opcode Fuzzy Hash: ec2707eb91a2f030ac9dbc6b5b70a0d1b556984bb19dc626280fd928bbdd5c20
Instruction Fuzzy Hash: FFA26C71A002199FCB18DF69D894AAEBBF6FF89304F148569E405EB361DB35EC41CB90

Function 05E467F0 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Xbq, xrefs: 05E46807
Te^q, xrefs: 05E46D6B

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: Te^q$Xbq
API String ID: 0-3350292367
Opcode ID: c37e46e81b2ad046d69904cedcd52763e3ea746e36c6d22c08af521db606c086
Instruction ID: 8f76b93440d291e4919386f2e9f8d1263fe7749174c548df22675ff6d6ce870b
Opcode Fuzzy Hash: c37e46e81b2ad046d69904cedcd52763e3ea746e36c6d22c08af521db606c086
Instruction Fuzzy Hash: 2EB1B930B04259CBEB2C5F7AA44427A76D7BBC1B05F289C6ED8C3DA294DE30C8459F56

Function 05E451E0 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

Xbq, xrefs: 05E4520F
$^q, xrefs: 05E451F6

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 354901fb3790d2de947a0327214801f09f5424b9cdc03eb298bd5c4147410268
Instruction ID: 1bfd237bc83f22645a32703e5b4d6fc7c6182d2610a1754d78cb26dcd85ae206
Opcode Fuzzy Hash: 354901fb3790d2de947a0327214801f09f5424b9cdc03eb298bd5c4147410268
Instruction Fuzzy Hash: 1C819474F002189BDB18EF7894552BE7BB7BFC8711B14892AD447EB388DE348C029B95

Function 05E439F8 Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72559d53a37beb5c778924b303576f25fc6328b05b7a9a7d2bc4925248bc5036
Instruction ID: 782ce9d8f8145592e44ca186b476014827de87ae56f20d4431c7d576c6adab87
Opcode Fuzzy Hash: 72559d53a37beb5c778924b303576f25fc6328b05b7a9a7d2bc4925248bc5036
Instruction Fuzzy Hash: D082F334701614CFDB59EF38D549A687BF2BF89319F2085A9E4068B7A5DB36D882CF40

Function 05E439FA Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c20a44eaabe6975e186805d912784780eaad44f83ab333f65bf65bf25ce2258
Instruction ID: e353bc2d51c378ecb46143cc0e1074382a76c3f1bf6d755501a06213db006473
Opcode Fuzzy Hash: 7c20a44eaabe6975e186805d912784780eaad44f83ab333f65bf65bf25ce2258
Instruction Fuzzy Hash: D772F534701614CFDB29AF38D559A287BF2BF89309F2485B9D4068B7A4DB76D882CF44

Function 05E23B80 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98aafe7f36ca884a30ca578451e94c016852f26bb912ba6c87069541628d12b9
Instruction ID: 8cc6fc10d225ef5263a7ebe1f3d2d4bacb2216754d8c535797db43f2d2f12658
Opcode Fuzzy Hash: 98aafe7f36ca884a30ca578451e94c016852f26bb912ba6c87069541628d12b9
Instruction Fuzzy Hash: F7525A34A002568FCB14DF28C844B99B7F2FF89314F2586A9D4586F3A5DB71AD86CF81

Function 05E23B70 Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94ed1a21bcef6ae362b75c66955fdc3e3ddac1f3bbe65026b4d8a33cd3a98d4
Instruction ID: e01c1b3abcd935ec2d8b9c8fe5d001eacac3ba7215d8ec7710e188b5f7c0eb5d
Opcode Fuzzy Hash: a94ed1a21bcef6ae362b75c66955fdc3e3ddac1f3bbe65026b4d8a33cd3a98d4
Instruction Fuzzy Hash: E6525A34A003568FCB14DF28C844B99B7F2FF89314F2586A9D4586F3A5DB71A986CF81

Function 05E4DF50 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c837e6fd565753d80ef8a3e751a58b1a9bb912545bb2ef7d65ac54e0c6c03e
Instruction ID: 141a12825be60f268e74d26b50a499271515b4981dd0b8db519c7ebd75992109
Opcode Fuzzy Hash: 16c837e6fd565753d80ef8a3e751a58b1a9bb912545bb2ef7d65ac54e0c6c03e
Instruction Fuzzy Hash: C4C1A434B002059FDB05EF79D994B6EBBABFFC8300F148429E509A73A8DE759C468B51

Function 05E456B8 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df543b4318543d5468430506369cd4abdaead9251b6b22755a6765125fd4a9d0
Instruction ID: 0471c81299e8add42859154540c2dae448b03072518edb7dd89c5e76e21212fd
Opcode Fuzzy Hash: df543b4318543d5468430506369cd4abdaead9251b6b22755a6765125fd4a9d0
Instruction Fuzzy Hash: C1B1E331F002059FDB04AFB9D854A6E7BF6FFC9310B1485AAE546EB3A1DE349C058B51

Function 05B60399 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B6050A

Strings

he%b, xrefs: 05B60426
he%b, xrefs: 05B60446

Memory Dump Source

Source File: 00000000.00000002.1806578015.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_DUWPFaZd3a.jbxd

Similarity

API ID: CreateWindow
String ID: he%b$he%b
API String ID: 716092398-2390798039
Opcode ID: cefbe16da640dba1cd92bd472d48a917a3383c9d5efdc9074ec75eba099f7186
Instruction ID: 5400c4f745661b485b172d98d617ecdecb333ba0afa0fe93d647b731f263dbf5
Opcode Fuzzy Hash: cefbe16da640dba1cd92bd472d48a917a3383c9d5efdc9074ec75eba099f7186
Instruction Fuzzy Hash: DD51EE75800209EFDF05DF99D984ADDBBB2BF48314F24816AE918AB220D775A991CF90

Function 05B603ED Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B6050A

Strings

he%b, xrefs: 05B60426
he%b, xrefs: 05B60446

Memory Dump Source

Source File: 00000000.00000002.1806578015.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_DUWPFaZd3a.jbxd

Similarity

API ID: CreateWindow
String ID: he%b$he%b
API String ID: 716092398-2390798039
Opcode ID: 34b24d5d99fc64abe54a2fc3b83081da74ba8c17ef7d13a6166ec7f0bfbbb489
Instruction ID: 69b0369ee2dd3d019645b0397c3ffd622d713eab96c89d99e8cd8958013619f8
Opcode Fuzzy Hash: 34b24d5d99fc64abe54a2fc3b83081da74ba8c17ef7d13a6166ec7f0bfbbb489
Instruction Fuzzy Hash: 6451DDB1D00309DFDB14CFAAC984ADEBBB1FF49310F24816AE419AB210D775A985CF91

Function 05B603F8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B6050A

Strings

he%b, xrefs: 05B60426
he%b, xrefs: 05B60446

Memory Dump Source

Source File: 00000000.00000002.1806578015.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_DUWPFaZd3a.jbxd

Similarity

API ID: CreateWindow
String ID: he%b$he%b
API String ID: 716092398-2390798039
Opcode ID: c1340d4f005453f121aac2aa42d2f3b3dce971a4d69b44c01c6005327272751d
Instruction ID: 7a332751acacf48c7b6c97287195ba63182129dee5799f986484c108dfef7cda
Opcode Fuzzy Hash: c1340d4f005453f121aac2aa42d2f3b3dce971a4d69b44c01c6005327272751d
Instruction Fuzzy Hash: 6D41CEB1D00309DFDB14CF9AC884ADEBBB5FF48310F24812AE419AB210D774A885CF91

Function 027DA474 Relevance: 5.2, Strings: 4, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 027DA4FC
Hbq, xrefs: 027DA49D
Hbq, xrefs: 027DA55B
Hbq, xrefs: 027DA5E4

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq
API String ID: 0-2881081751
Opcode ID: 91c532e28c9f0a16fae8cff198be9fb0bf0165263652bb8e2c0f63a364ddb9e3
Instruction ID: d7553b264c25714e414c9bbd3adc93e0c8d3201bb5a8594159deea67e71e3f65
Opcode Fuzzy Hash: 91c532e28c9f0a16fae8cff198be9fb0bf0165263652bb8e2c0f63a364ddb9e3
Instruction Fuzzy Hash: 9971DF307002458FDB15AB7898642AF3BA7FFCA340B144569D44ADB395DE38ED06CBA6

Function 027DB458 Relevance: 5.2, Strings: 4, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 027DB558
$^q, xrefs: 027DB564
4'^q, xrefs: 027DB653
Hbq, xrefs: 027DB604

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: 4'^q$Hbq$$^q$$^q
API String ID: 0-3400431855
Opcode ID: f7e2629d02119e835667b69fc0ccd243c3c29d157f9ea31a1e2f564f2be035ba
Instruction ID: b6f88cd13cddee5385d8c4eb906cf331379154e87343ce8f38ac49f89fb696f0
Opcode Fuzzy Hash: f7e2629d02119e835667b69fc0ccd243c3c29d157f9ea31a1e2f564f2be035ba
Instruction Fuzzy Hash: F051A2307042258FDB196B35A46863E3AFBBFC574831A556DE403DB390DF29CD028B55

Function 027D522F Relevance: 3.9, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 027D5278
$^q, xrefs: 027D526C
8bq, xrefs: 027D52DD

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: 8bq$$^q$$^q
API String ID: 0-2949139543
Opcode ID: e2925ba307832afa467c75b65e72f6856deff70a00837199782585cac3fbac33
Instruction ID: 2447dd082581e4c9ebbd9fd6a9f94c55bcc89019a8e02b790452ab60242eb6b8
Opcode Fuzzy Hash: e2925ba307832afa467c75b65e72f6856deff70a00837199782585cac3fbac33
Instruction Fuzzy Hash: 9C3157B0B182198FC7155B68945433A7BF2BB89718B68456AD006CF395CE71DC4ACB82

Function 05B629B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05B62A71

Strings

he%b, xrefs: 05B629C7

Memory Dump Source

Source File: 00000000.00000002.1806578015.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_DUWPFaZd3a.jbxd

Similarity

API ID: CallProcWindow
String ID: he%b
API String ID: 2714655100-3666205096
Opcode ID: 32ba7f0ed2d38abda57f44affa1677b05150d0aa4aeaa11e42a32ab82d4c73aa
Instruction ID: 91a8f924b1021289a161a62db2ba01eb0487c2ab28790d66034900e509645c44
Opcode Fuzzy Hash: 32ba7f0ed2d38abda57f44affa1677b05150d0aa4aeaa11e42a32ab82d4c73aa
Instruction Fuzzy Hash: DD41E5B99002098FDB14CF99C448AAAFBF5FB89314F24C499D519AB361D774A841CFA1

Function 05E455F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05E45668

Strings

he%b, xrefs: 05E45617

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID: DeleteFile
String ID: he%b
API String ID: 4033686569-3666205096
Opcode ID: e2dc959ec1183ae753c0ebb26a7da86ac2a9da5d9fc058a4ff80aeadbbfaaaa4
Instruction ID: c0a632f58303bde4b404f781a78fd8292e602852cd5f092b71610482786b4277
Opcode Fuzzy Hash: e2dc959ec1183ae753c0ebb26a7da86ac2a9da5d9fc058a4ff80aeadbbfaaaa4
Instruction Fuzzy Hash: 2A2136B1C0061ADBCB14CFAAD545BAEFBB4FF48320F14816AD858B7240D738A944CFA5

Function 05E4234C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05E45668

Strings

he%b, xrefs: 05E45617

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID: DeleteFile
String ID: he%b
API String ID: 4033686569-3666205096
Opcode ID: 1a349067e6bd73338818774caba43b2f9e4d4aab66d6a209a2c6156c66020df0
Instruction ID: bfd38f4376c257c91231339880cbb9e2cf144bfc5285d73d016c05a7065619c4
Opcode Fuzzy Hash: 1a349067e6bd73338818774caba43b2f9e4d4aab66d6a209a2c6156c66020df0
Instruction Fuzzy Hash: 8C2144B1C0061A9BDB10CFAAD544BAEFBB4FB48320F10816AD858B7250D738A940CFA4

Function 05E4E47A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05E4E4DD

Strings

he%b, xrefs: 05E4E49A

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID: MessagePost
String ID: he%b
API String ID: 410705778-3666205096
Opcode ID: 063b2b8dc63d47f1d910ab9498ad42b6c26db1b45e8f33d837c3b70282dec8b0
Instruction ID: 6f0f48e0a3945a9fccf52d68acceb9e7a7da5c47d62fbaa0e3c6b09b199b21aa
Opcode Fuzzy Hash: 063b2b8dc63d47f1d910ab9498ad42b6c26db1b45e8f33d837c3b70282dec8b0
Instruction Fuzzy Hash: A81122B58003099FCB10CF8AD485BDEFBF8FB48320F10845AE558A7200C375A984CFA1

Function 05E495B8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05E4E4DD

Strings

he%b, xrefs: 05E4E49A

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID: MessagePost
String ID: he%b
API String ID: 410705778-3666205096
Opcode ID: c69256624cc9b20789640b75f4cd1f32457d4dd770f319686f473a0e8301a45d
Instruction ID: 97ff745039f7747d72cd2a38c71bd3ed92c5d6741ae0de49857ce108275aee7f
Opcode Fuzzy Hash: c69256624cc9b20789640b75f4cd1f32457d4dd770f319686f473a0e8301a45d
Instruction Fuzzy Hash: FF11F2B58003499FDB10DF9AD489BEEBBF8FB48324F108459E958B7210C375A984CFA5

Function 027D6580 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

Hbq, xrefs: 027D6751
Hbq, xrefs: 027D6784

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: b0fb1439d43cadda2c34fb533736c1970a08a001e325d9078f786dbb9e57c0a6
Instruction ID: 785407bb2c2af78db11ecd098118020a2d1e52f87fd0b2a9b8d832190c1ad942
Opcode Fuzzy Hash: b0fb1439d43cadda2c34fb533736c1970a08a001e325d9078f786dbb9e57c0a6
Instruction Fuzzy Hash: 18E1AA707002159FDB14AF68E868B6E7BBAEBC8315F148469E906DB394CF34DC81CB95

Function 05E2C4E0 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05E2C7BC
PH^q, xrefs: 05E2C64E

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 8a868ea69106dccda12f6081ed2b96557cfdfc18fe5f43912725d0fc038a72f2
Instruction ID: 55bc18aac1f97afcde74fb37f364a660cc40fb9670ae4cd7e568100c06c784dd
Opcode Fuzzy Hash: 8a868ea69106dccda12f6081ed2b96557cfdfc18fe5f43912725d0fc038a72f2
Instruction Fuzzy Hash: FDC12734A40218CFCB14DF68C588AADBBF2BF88714F2555A8E546EB3A5DB31EC45CB50

Function 05E23A58 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

(bq, xrefs: 05E250C2
Hbq, xrefs: 05E251E0

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 707e5c0d22f60e36fcbc5500026ec6ab75ec11623819709d0919af4e2999e0ca
Instruction ID: 2677de72e37b30c651312d94d8728816309ef1c9e54fba5de78b96905877dc81
Opcode Fuzzy Hash: 707e5c0d22f60e36fcbc5500026ec6ab75ec11623819709d0919af4e2999e0ca
Instruction Fuzzy Hash: F3513331A04260DFD714EB2CC5446A97BB2FFC5304B1884ABD08ADF759EB35AC42CB91

Function 05E2E3D8 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

$^q, xrefs: 05E2E40D
4'^q, xrefs: 05E2E42F

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: 4'^q$$^q
API String ID: 0-432994343
Opcode ID: 3374502e42aada342710e5f2cc52ed08063dc843983b2b31bea2f1ab2796a216
Instruction ID: 4784be6684557654e3420c711b03e545db9130d4623ebe5523b917a0b6d029a9
Opcode Fuzzy Hash: 3374502e42aada342710e5f2cc52ed08063dc843983b2b31bea2f1ab2796a216
Instruction Fuzzy Hash: 66218B35A802489FCB05EBB8D94488DBFF6FF8930071085AAE415CF379EB3599498B80

Function 05E216E8 Relevance: 2.0, Strings: 1, Instructions: 776COMMON

Download Yara Rule

Strings

he%b, xrefs: 05E22682

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: he%b
API String ID: 0-3666205096
Opcode ID: 33c09c3c3748fbd9c62208b0a4ef89124662b6318a3cf5ae188c511376de2ad9
Instruction ID: 6e51e86d1435407d6c524109beffc70a62965c9187e24d3e3a8d960f64b3ee23
Opcode Fuzzy Hash: 33c09c3c3748fbd9c62208b0a4ef89124662b6318a3cf5ae188c511376de2ad9
Instruction Fuzzy Hash: A7623579F05B518FEB34DFB484583AD7AA2BB41304F50A96FC1EACA298DB359442CF41

Function 027D4E40 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

8bq, xrefs: 027D4ED5

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 2955a84bafbb30e97651a8d13500a479f43777c2ee1c8154258a516d0f6e0a20
Instruction ID: dc53d748fbd1b6a71708355e7709c9c819592265cca51382f6ead56decb59f58
Opcode Fuzzy Hash: 2955a84bafbb30e97651a8d13500a479f43777c2ee1c8154258a516d0f6e0a20
Instruction Fuzzy Hash: 9DA14D70E00204AFDB14DB79D8A4BAEBBF6FB88701F548869E416AB394DB359C41CB51

Function 027D4E0F Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

8bq, xrefs: 027D4ED5

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: b7c755b5b0f7a789a361e948f5cc544bca38b8c8afc3b84289fa87260a80a39e
Instruction ID: cdf34deb0eda6d63b035dc4e11c8ed9080c1dde9790f4b2fdee9b628203f8520
Opcode Fuzzy Hash: b7c755b5b0f7a789a361e948f5cc544bca38b8c8afc3b84289fa87260a80a39e
Instruction Fuzzy Hash: 70A18071E00204AFDB14DB79D8A4BAEBBF2FB89300F14846AE416EB395DB359C45CB51

Function 05E2C4D0 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05E2C64E

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: e42cb9f6b1036339958f840d965613edc156cd8289ee46590f78b4c52bccf9f5
Instruction ID: c263110f38661b2b3b31e9c2dd20b945ced88c13ac94e400e21cebbaad236b13
Opcode Fuzzy Hash: e42cb9f6b1036339958f840d965613edc156cd8289ee46590f78b4c52bccf9f5
Instruction Fuzzy Hash: 42513774A40214CFDB14DF28C588AADB7F1BF88714B2595A8E54AEB3B5DB31EC41CB50

Function 027D87E8 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

(o^q, xrefs: 027D8961

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 690767bedaa68d738d9b51c874bc60181fa1bc257c8ee61b7335650ac838c452
Instruction ID: 10efc4342e27e5395104277e6119460d5edaf63cb1bdec798975d44ad3ff5741
Opcode Fuzzy Hash: 690767bedaa68d738d9b51c874bc60181fa1bc257c8ee61b7335650ac838c452
Instruction Fuzzy Hash: BC419E31B002149FCB159B69D868AAE7BF6FFC9710F144069E916DB391CE359C02CBA2

Function 05E23A3C Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

he%b, xrefs: 05E25027

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: he%b
API String ID: 0-3666205096
Opcode ID: 6bc9b060fa15669c8c56be25b210e023b5e6f95da2ab2f518c01edb9b6d5b499
Instruction ID: a14902a122badd4d6210b2d0166aa193616be49948c32082edac06da97f2166b
Opcode Fuzzy Hash: 6bc9b060fa15669c8c56be25b210e023b5e6f95da2ab2f518c01edb9b6d5b499
Instruction Fuzzy Hash: F1419271A04229DFDF10DF99C884AAFBBFAFF84310F14D42AE455A7248D7359945CBA0

Function 05E28BE0 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

$^q, xrefs: 05E28C69

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 919bd9dc3f1b7834820eac7dc78516f760ed0d007df56c5bf827b8988c8aff86
Instruction ID: ea58c4c91e1df0dd59eab74aab415a215ef53621c5a940269f285fa6e02f214b
Opcode Fuzzy Hash: 919bd9dc3f1b7834820eac7dc78516f760ed0d007df56c5bf827b8988c8aff86
Instruction Fuzzy Hash: E421A1307493148FEB14DB398849A393BEAFF8461431454E9E44BCB3A8DF31CC418B56

Function 05E28BD0 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

$^q, xrefs: 05E28C69

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: ab70a99401edd6096a4e2f80a64a83ade55d86c7b54ee2113f9998b107d4d77c
Instruction ID: 108b7da06665a1fae3ad45a3bbe86ef0c3e7c66ad649cb5b980e2ea7b02e6a28
Opcode Fuzzy Hash: ab70a99401edd6096a4e2f80a64a83ade55d86c7b54ee2113f9998b107d4d77c
Instruction Fuzzy Hash: CC21B33430D7108FEB158B398949A393BE6BF8561930554EAE48BCB3A9DB31CC01CB16

Function 05E29C53 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee103f4eaeba84445d46602286dea5792cf76937d24a7eb526ac7469e7cf2984
Instruction ID: 02439ef014df8df0fb4e18e50e8e925920cfe3623cb5f6efa733d36423ca2a57
Opcode Fuzzy Hash: ee103f4eaeba84445d46602286dea5792cf76937d24a7eb526ac7469e7cf2984
Instruction Fuzzy Hash: 100225346002149FDB54DF68D498AADBBF2FF88314F5591A8E44ADB366DB30EC85CB50

Function 05E2BEB4 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e352d5fe5cb41e2919b4af09c39373068af11ac26e465850f5c8407894cd6c5
Instruction ID: 2936959d3d579517d9377ce6dc8df9141b11d415626065fead44da547e8331dc
Opcode Fuzzy Hash: 7e352d5fe5cb41e2919b4af09c39373068af11ac26e465850f5c8407894cd6c5
Instruction Fuzzy Hash: E9812630640624CFDB14DB28C988E697BF6FF85315F1599A9D48A8B37ADB30EC45CB50

Function 05E26F70 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b0367fb51bce77a3f4e6bad78f3056cb6df86f1d483e5efedab78a90c0f353
Instruction ID: f2f5171c2921c1f5b2cded4c5ecb6e0490b7cdd4adfaa8c6b14bf92eee86d1ac
Opcode Fuzzy Hash: 07b0367fb51bce77a3f4e6bad78f3056cb6df86f1d483e5efedab78a90c0f353
Instruction Fuzzy Hash: E651E2316002148FD724EF68C454AAEBBF6EF89204F1494AAD146DB3A5CB75EC45CB91

Function 027DA279 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5683deafaee57ecffc9b8ead56e7aaff9902e8acc0ea05d7cb192bb0869eb71
Instruction ID: 285ffec8f600a6dcc2368c9a6085d709c3d943a99e0012bda1e6b79ee4676ed4
Opcode Fuzzy Hash: c5683deafaee57ecffc9b8ead56e7aaff9902e8acc0ea05d7cb192bb0869eb71
Instruction Fuzzy Hash: 9A612C34A00609CFCB25DF65D994AAEBBF2FF88704F148A28E446A7764DB34EC45CB51

Function 05E2AF8F Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d566295cdb05a6f1e9b6db352df0d4e9117f59f730f65d8506955dc98d2d73d
Instruction ID: 1ed5941162b16aa51647bd5523cb74d4cbada0b020c544c298e381deef8aba6b
Opcode Fuzzy Hash: 8d566295cdb05a6f1e9b6db352df0d4e9117f59f730f65d8506955dc98d2d73d
Instruction Fuzzy Hash: 2E418030700625CFE7259F24C888F7AB3B6FF84314F145569D1968B2A5CBB5EC46CB51

Function 05E2AFA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038f35264905d28c79f18e54fbbe53f7ec3d32c871f6806ccf226fb4dd013c62
Instruction ID: 56ae7a8af394b1f5c7294d0a7f96e438c1ed8d2a23034607063ca6ecbd344695
Opcode Fuzzy Hash: 038f35264905d28c79f18e54fbbe53f7ec3d32c871f6806ccf226fb4dd013c62
Instruction Fuzzy Hash: 29414F30700625CFE7259F24C988F7AB3B7BF84304F145569D1968B3A9CBB5AC46CB91

Function 05E2D6F8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23415ec52a6fe8b76d1d995657e4160b27c6d0e7fae4593337b0c6109689bc0
Instruction ID: 9711e96840f693a901b02b76173f950acb4b43298e788cbd6dc9884d3126b4e2
Opcode Fuzzy Hash: f23415ec52a6fe8b76d1d995657e4160b27c6d0e7fae4593337b0c6109689bc0
Instruction Fuzzy Hash: 99316B717046208FD715AB38D95862E7BF6FF89210B1046A9E49AC73D4DF74D842CB85

Function 05E2D708 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2067d63cdd48cf72ada071410d0e4ec9cc0cb6be8bfdd4e7b8c91f6241be3281
Instruction ID: 7b308590f74db4c6e8dd6709f8e749cdac5f78ed8a416b02f1c4b8c9994bfd4f
Opcode Fuzzy Hash: 2067d63cdd48cf72ada071410d0e4ec9cc0cb6be8bfdd4e7b8c91f6241be3281
Instruction Fuzzy Hash: 0B317A317046208FD719AB38D95862E7BF6FF89210B1046A9E48BC73A5DF74DC42CB85

Function 05E2ACB4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d10549437d20d48efe9712ba4aa6846c4dd026143346a8afa1dd100cd3731bf
Instruction ID: 631c88c886f6962d5324175a92e639064761394ee564081c5904cb95047f8e88
Opcode Fuzzy Hash: 5d10549437d20d48efe9712ba4aa6846c4dd026143346a8afa1dd100cd3731bf
Instruction Fuzzy Hash: 80313C353009209FDB14DB69C444F6EB3A6BF89714F25A4A9D58ACB369DE30EC41CB50

Function 05E2E0B0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60407c12304e818ee59482961dd510876508912a1da765cb3bc54f5fda138d3c
Instruction ID: 09a422ff9dcbd79242405efdb748f5a99dc2008d1bb43b22db54799d861b94e0
Opcode Fuzzy Hash: 60407c12304e818ee59482961dd510876508912a1da765cb3bc54f5fda138d3c
Instruction Fuzzy Hash: 9F411530600615CFDB14DF28C988E697BB6FF89314F1195A9E44A8B37ADB30EC49CB60

Function 027D47A8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e9a95e7cd4821c7d79a9a8e43619f3730b3c48f6b952d52daf14dcffcd9860
Instruction ID: 836e7b0101bd3812f9ea86024e1b4027a87f9a4d333795a13a2c95d24b1969dd
Opcode Fuzzy Hash: 00e9a95e7cd4821c7d79a9a8e43619f3730b3c48f6b952d52daf14dcffcd9860
Instruction Fuzzy Hash: DD315B76A496D18FE7118669D8767717FF2EB423A4F0880BBD055DB282CB39D84AC341

Function 027D5938 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb263f9a345a7f329fa0fe44141ced0b99ff780bae74988cae9234eecdd3cee2
Instruction ID: a845427691495d9bebdce71d369916ca974d6d1c1804909b19e47a699a4f24d5
Opcode Fuzzy Hash: fb263f9a345a7f329fa0fe44141ced0b99ff780bae74988cae9234eecdd3cee2
Instruction Fuzzy Hash: AF316B3170021AAFDF059F68D864AAE7BB6FB88314F508028F90597354CB39EC55CF95

Function 05E2C223 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f265965807bb2d124fcef4402a48ddaf4c7d548f5ec123c575b9ba1ad392359
Instruction ID: 8e02c21d74cb63a93eba6e3e8aa60d4a278c04230f62382a1a2a98f7850583c0
Opcode Fuzzy Hash: 7f265965807bb2d124fcef4402a48ddaf4c7d548f5ec123c575b9ba1ad392359
Instruction Fuzzy Hash: C63117353009109FEB14DB68C844B6A73E6FF89718F25A4A9D59ACB365DE30EC42CB50

Function 05E2CB18 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f7055637802ca0900fa867988110440de5adb8c328191056d555a2cd5b0a53
Instruction ID: d4859fc49a465869a02440e9cd65fb1443db67cd9182d79d6aaefa06f537e868
Opcode Fuzzy Hash: 76f7055637802ca0900fa867988110440de5adb8c328191056d555a2cd5b0a53
Instruction Fuzzy Hash: 6521F5353002285FAB146738D86463E3AEBAFC46557281879D84FCB79CEE24CC42C792

Function 05E2C3C0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14027367255d9981fbfd927d9cc03e74b82ca6274d7e1820355fb8822830aad1
Instruction ID: 941c562ae1923cb850da5662869aeeed55e4f024ab3e8bbee3a2446fe2f4cbd1
Opcode Fuzzy Hash: 14027367255d9981fbfd927d9cc03e74b82ca6274d7e1820355fb8822830aad1
Instruction Fuzzy Hash: 70314B312406108FD764DB28D849BAA77E6FF88315F5484B9E08ECB365DF71AC86CB80

Function 027D6550 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1112db9e189f20fd8cf1d809557dadd99301a895f17c954e76ce38fd31151b4
Instruction ID: 7724d23d2a71d3efd9200a8131e0ef86126c0750b459a8e5547c0606f56bafc2
Opcode Fuzzy Hash: d1112db9e189f20fd8cf1d809557dadd99301a895f17c954e76ce38fd31151b4
Instruction Fuzzy Hash: 96212171B042248FCB00AF28E4687A97FB9EF85321F0582A6D915DB365DB35DC85CBE1

Function 05E2C7D5 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd275b4ab1bab730f5890ca04806bb550233ccd18b30d297ed414297c7ff769e
Instruction ID: 502ea900e169944e454d2a700eef98faa21f93b5fa960a870278c43b30e6a063
Opcode Fuzzy Hash: dd275b4ab1bab730f5890ca04806bb550233ccd18b30d297ed414297c7ff769e
Instruction Fuzzy Hash: 1A31FE35B002189FD718DF64C594AADB7F2BF88314F2494A8D845A77A4DB31EC81CB61

Function 027D6AD8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c4a5b3f3324a23835181281e3cb6ebd89015cf7c8c2c79d1fbfd41935c55bd
Instruction ID: 9ecdb02437280a6822054945469408c12fc21724aa229b08aad7cf5d7af58cdf
Opcode Fuzzy Hash: f0c4a5b3f3324a23835181281e3cb6ebd89015cf7c8c2c79d1fbfd41935c55bd
Instruction Fuzzy Hash: 1221C3317006119BC725AB29E46892AB7AAFB897547244179D906DB354CF34EC02CB90

Function 05E2BE54 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10853c9ec31dc3cc9a036e03f43a11aeb43fc6c36b93a28139ec5a360a7ce49
Instruction ID: dcfe210d0dc84a50018ee17b1e4b77c4c55a0d9d82b5f653f3cc8ffe623911af
Opcode Fuzzy Hash: d10853c9ec31dc3cc9a036e03f43a11aeb43fc6c36b93a28139ec5a360a7ce49
Instruction Fuzzy Hash: 21315E302506018FD754DF28C888BAA77E2FF84315F5085A9E09ECB3A5CF70AC86CB40

Function 05E209D0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4105a90582717015e01b8b5b9bfa40c951e9f749884e97821053dcbb09fcf691
Instruction ID: 9d5a019f763635d8349a197534925ccd6487090e99dd438d436f6287928ebc4c
Opcode Fuzzy Hash: 4105a90582717015e01b8b5b9bfa40c951e9f749884e97821053dcbb09fcf691
Instruction Fuzzy Hash: 9C311032910B09DEDB01BFA8C844899F7B1FF95300B119A5AE5596B121FB70E6D5CB81

Function 05E20820 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4573b50e8a9b16b8c69b46f2615addb50edc075e59767607f83773b1f417c8a9
Instruction ID: 2752edbc1564e0b73f264516b18556342c077943a5c01d6e2a8b432f43a80829
Opcode Fuzzy Hash: 4573b50e8a9b16b8c69b46f2615addb50edc075e59767607f83773b1f417c8a9
Instruction Fuzzy Hash: 0E21D2743042145FEB05676CC85572B37A7EBC5B08F04806AE542DB7D9CDA9FC4257A1

Function 025ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802587633.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25ed000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af910e488453175379c8b2937907377364466f9c8be90483c44e0dd78c5ea20
Instruction ID: bf9dac9c43ed89b38057b0d8fcceca2c4d25a750250b7c4eb632a826a9dca40c
Opcode Fuzzy Hash: 4af910e488453175379c8b2937907377364466f9c8be90483c44e0dd78c5ea20
Instruction Fuzzy Hash: 55212271604200DFDF18DF14D984B26BFB9FB84314F28C969D80A4B256D33BD447CA65

Function 025ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802587633.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25ed000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb50893de518d5e55b890e94b2b03548bd5634207056cce7efd007b7cda7687
Instruction ID: dc9c08964c6c6d02eb1b36c4a9ed1c5d7f41f2672fee3e545c23a6c20f972ef9
Opcode Fuzzy Hash: 3cb50893de518d5e55b890e94b2b03548bd5634207056cce7efd007b7cda7687
Instruction Fuzzy Hash: 51210775504200DFDF09DF14D5C0B26BFB9FB84314F20C9ADD84A4B295C33AD446CA65

Function 027D466A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4602262be6737d69eb6e4e9f1c10a6a077db3b929a207e663abfc35e7c3718f2
Instruction ID: f7ae474c9cc5db3d247cd6620fbc81c2112df234ab80f6576cfedce901a54686
Opcode Fuzzy Hash: 4602262be6737d69eb6e4e9f1c10a6a077db3b929a207e663abfc35e7c3718f2
Instruction Fuzzy Hash: 4E110675C092649FEB056BACD9B12DA3BB4EB56350F450093D046DB352E978890BCBD2

Function 05E25299 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be699dbf3d6fa2bb7a1ce29dd7894542bcd8a087def7662952f01de297264a3d
Instruction ID: 00cd1287dab9447ce64e1f32b4a0527e37cfe53b64ee21380e2e72e0ac4f86ff
Opcode Fuzzy Hash: be699dbf3d6fa2bb7a1ce29dd7894542bcd8a087def7662952f01de297264a3d
Instruction Fuzzy Hash: 711129357083109FE7259764CA50B6A77A6FBC5318F54E47BD4868B29CCB74D806CB90

Function 05E209C9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b43684e6a8fc25d338996554145e728a37378a817c6bdab11ba4a53f1310e99
Instruction ID: efe175621a96895e736b63c069c04086307d55c8f06f42b24ed884fae24ba859
Opcode Fuzzy Hash: 7b43684e6a8fc25d338996554145e728a37378a817c6bdab11ba4a53f1310e99
Instruction Fuzzy Hash: 07314F32D10B0ADEDB01BFA8C844499F7B1FF95300B119B5AE9596B121FB70E6D5CB81

Function 027D4798 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dce613efbe1e6c36e6cccc58d241d4d4db9f03627737b2386ae104f248d2ab
Instruction ID: 76f710272bea754e9177da1304414c8ef0994086bfd41e4faf608a6a5489b8cd
Opcode Fuzzy Hash: f9dce613efbe1e6c36e6cccc58d241d4d4db9f03627737b2386ae104f248d2ab
Instruction Fuzzy Hash: 7F218976A052D1DFD7108A6AE8657A17BF6FB82365F0881BBD055CB282CB39DC49C380

Function 05E2CB0B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df15361a7e6f1a688467d45cf81a311cec7db683d9d4152a181a698d8b1d0a5
Instruction ID: 472c2f0f7c9bdeb4403cf5acdbcacf1506c93f2d1d16f32aca45313d15b7a64f
Opcode Fuzzy Hash: 3df15361a7e6f1a688467d45cf81a311cec7db683d9d4152a181a698d8b1d0a5
Instruction Fuzzy Hash: 0D1103353042245BEB116739D81873E3BABBFC4655B281879E94BC7388EE28CC02C7D2

Function 027D5928 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1974f88334bf532a7396edc75d14bc981d0d38b79439ee27a10ad72bcc8b470f
Instruction ID: 7bbc8b9ecced261aea431b9813d4348cd1a78c58bdfe4622acd7cbf8320cb5c2
Opcode Fuzzy Hash: 1974f88334bf532a7396edc75d14bc981d0d38b79439ee27a10ad72bcc8b470f
Instruction Fuzzy Hash: A721D2317043459FDB119F68D45876A3BB2FF89324F548069E8459B354CB38EC15CF95

Function 027D6AC8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823e612790b0dae13456f1f50228d679928f94b00c4ec4547c2f943eb0793af5
Instruction ID: f99e1e0f50832b359dea04be79f1b63191143bc65e8b99479f1ce353a7020651
Opcode Fuzzy Hash: 823e612790b0dae13456f1f50228d679928f94b00c4ec4547c2f943eb0793af5
Instruction Fuzzy Hash: 4411E3313017129FC7159F6AE86892E7BBAFF8975432901BAD406DB360CF25DC028B90

Function 05E20830 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12359e582dd76dc53fdf35dbe7cf72eb0b0881bcd44ed2c42cbccfc9c0edaa9
Instruction ID: e9ccdf5b39521133f3989ebccd804b5cbbeaf0c802f4d6821f7d79b15b8a551f
Opcode Fuzzy Hash: e12359e582dd76dc53fdf35dbe7cf72eb0b0881bcd44ed2c42cbccfc9c0edaa9
Instruction Fuzzy Hash: E4118C343002245FEB05AB6DD86176F76DBEBC8B08F048029E506DB7D9CEB9F84257A5

Function 027D87D9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6bfb410f96b99da07fee8b58f4f05eefa4c257245837b7df933c43f6519281
Instruction ID: 84533047b7390ad35b9fc17db43b99a8ff0d9dcb2ae3061c99a1c35dc0764cc9
Opcode Fuzzy Hash: 5e6bfb410f96b99da07fee8b58f4f05eefa4c257245837b7df933c43f6519281
Instruction Fuzzy Hash: 93213D76B00214DFDB149F65E899ADDBBB6FF8C310F144169E556A7350CB319C11CB50

Function 025ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802587633.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25ed000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e549f0c0c861f5d00ccf6922c94091f231e11ffb1dd42dbc2899fef1050a9237
Instruction ID: 15cd64c8847fc6df40b89dd54746d42304b29183874555064595d497bb48af19
Opcode Fuzzy Hash: e549f0c0c861f5d00ccf6922c94091f231e11ffb1dd42dbc2899fef1050a9237
Instruction Fuzzy Hash: D6219F755093C08FCB06CF24D994715BF71FB46214F28C5DAD8898F2A7C33A980ACB62

Function 05E24F48 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52922b6319683a2ba6af45c280c9f120832fe049141b1093d8f1ac05ab69a5d8
Instruction ID: 082326ec1c0df705a8c18a1e549efeb29045a70249816ac599f96beefe10e967
Opcode Fuzzy Hash: 52922b6319683a2ba6af45c280c9f120832fe049141b1093d8f1ac05ab69a5d8
Instruction Fuzzy Hash: 641106327082399AEF04DF55CC8087F776AFFC1614705E42BE855DB489E635C906C350

Function 05E2CA70 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51b71a14c6f6894250bc429b27792d718944e5475ba04ec6422c6f29a1851b0
Instruction ID: 31c289dfa4f305ed5f91e527c43f53e9edeb283f4ba45deb5747df85267294a1
Opcode Fuzzy Hash: a51b71a14c6f6894250bc429b27792d718944e5475ba04ec6422c6f29a1851b0
Instruction Fuzzy Hash: 1B1144B2B00290AFD721C238C84076E7FA9BFC5214F5924AAD1CBCB699E9748C05C381

Function 05E2BD78 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729d3f79e093f30f8f046c80abb3ee2e8e83e007460a04ceedd940bd37c393a3
Instruction ID: 24bcc15a384f611464ec60e039d55cabc50a4672dcb45617097ef94f3a5fb5d2
Opcode Fuzzy Hash: 729d3f79e093f30f8f046c80abb3ee2e8e83e007460a04ceedd940bd37c393a3
Instruction Fuzzy Hash: 4C118E327006148FC7249F38C984869B7BAFF8621571405B9E14A9B364EA35E885CB51

Function 05E28181 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0591bf5f2a247515f1ab4f67e918914ee5e2d806a2e40a8cc36150bb38a2f8
Instruction ID: 0d7009e7a17324279b8ad1e9a74edd608f09e5285159ba50645184d9d703c066
Opcode Fuzzy Hash: dc0591bf5f2a247515f1ab4f67e918914ee5e2d806a2e40a8cc36150bb38a2f8
Instruction Fuzzy Hash: 82113A313083505BF3286779E53876A3F97DFD5314F0480AAE096877DACE69488547A9

Function 05E252A8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bb19f030673e9a8c991232a08318d40616e2d51c3f2e526faa94a001b5e619
Instruction ID: 53ffec6d4e36e09f421c5e1c8f5bdf7997ce4de5e8f63888558060cfb57b5f50
Opcode Fuzzy Hash: 84bb19f030673e9a8c991232a08318d40616e2d51c3f2e526faa94a001b5e619
Instruction Fuzzy Hash: D811C6343083109FEB24D669D950B7AB397FBC4318F54D43AD4458B29CCFB4E8468B90

Function 05E2BD68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342765d7deea36499515fe6c2f6ba7b8ab27079bfc5b7001378a3acf5983f147
Instruction ID: 8ad3255c0d67f934154ed1d176991ba9b478fa73977574f4e22631bba1e935a0
Opcode Fuzzy Hash: 342765d7deea36499515fe6c2f6ba7b8ab27079bfc5b7001378a3acf5983f147
Instruction Fuzzy Hash: 2111C672308220CFC725DF28D9408A57BB9FF8621535814EAE18ADB375DA39D841C761

Function 05E21450 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e33a9fe0d3ec46b61806057d50a5bd7b83e176651c04c92c7c2f623940a4ab2
Instruction ID: 8a87128969e292a8c89778586ba182059a90ed76c5445863eb79a433ad9b4a2d
Opcode Fuzzy Hash: 1e33a9fe0d3ec46b61806057d50a5bd7b83e176651c04c92c7c2f623940a4ab2
Instruction Fuzzy Hash: 8611EC71A002199FDB24CF69C885BAE7BF4FF48700F044429E919C7360EB38DA10CBA1

Function 05E29AB8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5fecdbd6e78ceb6141fc59d77ef02ccaffcbc49d81aecb3618934d5218d6de
Instruction ID: a375393213fff881d465665cec992ecf29347bc10e7c564cb69e32378bef7ff9
Opcode Fuzzy Hash: fe5fecdbd6e78ceb6141fc59d77ef02ccaffcbc49d81aecb3618934d5218d6de
Instruction Fuzzy Hash: 6A114970B006108FCB54EF28C89496AB7F2FF88608B2089ADD456CB3A5CB75EC06CB51

Function 027D46C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc95d90c5a90441f17686a7e6a3a47a61581b93c7cae4368b060fef66095a150
Instruction ID: ddd6693307346ce5916f2070318cbb584b389475791b00a15c0f9a255fc56a56
Opcode Fuzzy Hash: bc95d90c5a90441f17686a7e6a3a47a61581b93c7cae4368b060fef66095a150
Instruction Fuzzy Hash: 33017B31E053659BCB006FACE8A52DFBBF4FB0A760F5104A7D046E7341DA75890A8BD2

Function 027DBEC0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98311419c6aa67f9fbe2464160c4db4cec1c2bb0d837b61e964368be7723a670
Instruction ID: f84ca576d4f22bbf7955c2a1d24917f88b701113b8b28a7e192550b52e53a691
Opcode Fuzzy Hash: 98311419c6aa67f9fbe2464160c4db4cec1c2bb0d837b61e964368be7723a670
Instruction Fuzzy Hash: 590171307052549FC7052A7A986857FBAEFEFCA311B158876F506C7396CD38CC0A9761

Function 025ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802587633.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25ed000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: c722d1538470cd860c3164445b6571c50472e254bb17c7e63a8a9ab06c484e94
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 9A118B75904280DFDB16CF14D5C4B15BFB1FB84218F24C6AAD84A4B696C33AD44ACB61

Function 05E2E320 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36855c56c54336615ab1be12e81299ea7572bd85b1addb4a66479df77baf9270
Instruction ID: 2d1036f2d4abd2f8275236d3d0cd3055019839ddbc5375ecae5aab6052812e86
Opcode Fuzzy Hash: 36855c56c54336615ab1be12e81299ea7572bd85b1addb4a66479df77baf9270
Instruction Fuzzy Hash: E101D2363483908FD3069738C42453E7FA6EFC721531944DBD486CB3AADD24DC458B92

Function 05E28308 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e1831383cc8de820f23a345490da68a5b7d00a346d27bc8221465005abfe95
Instruction ID: f062172965888b3fe9b2318683dc89fa604c6116f514953fefca381c6adaaad6
Opcode Fuzzy Hash: a0e1831383cc8de820f23a345490da68a5b7d00a346d27bc8221465005abfe95
Instruction Fuzzy Hash: EE11EB702047108FC325DB29D644207BFF1FF84724F108B69E096877E4DB7098468BD5

Function 05E21460 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782780747c60f62adee70d09e6efb79e5be09db318ed4b9f4bb727b2d267939b
Instruction ID: bd8374fe17c7c06ab06b84554145701247a3fac19ec1de75ec23a140347e262d
Opcode Fuzzy Hash: 782780747c60f62adee70d09e6efb79e5be09db318ed4b9f4bb727b2d267939b
Instruction Fuzzy Hash: 47116D71A002199FDB15DF69C884AAE7BF9FF48710F444469E919D7360EB74DA10CBA0

Function 05E2E348 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b0ef04bab38520bf6d7deef99bf477a967995eee1bd7bb52d83c6cce014222
Instruction ID: 43e7c56c7a5fd5fc960c2b000b511fb193d8fb90b15cd0840ff33058e0e9932b
Opcode Fuzzy Hash: 20b0ef04bab38520bf6d7deef99bf477a967995eee1bd7bb52d83c6cce014222
Instruction Fuzzy Hash: 8A018F353401244F9608A73DC46893E77DFEFC965531940A9D94ACB3A8EE34DC428792

Function 05E25108 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd2960672685224418b79f58d7dfe3da6ed66ef32882e8f8751dc68199b495e
Instruction ID: ccd09bdf3dd67240d960d8f9c67ecf89a6b26c709af2c7f2dc1c6d2d01164bec
Opcode Fuzzy Hash: 2dd2960672685224418b79f58d7dfe3da6ed66ef32882e8f8751dc68199b495e
Instruction Fuzzy Hash: 7C01B572D0AF32BBD7248F0ED200265F7B4BB44714B09121BD4995BA44E730B890CBD1

Function 025DD7ED Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802555680.00000000025DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25dd000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6dced360e850b097a8d905542f3a2b94081901d495f74bad065cf1163da607
Instruction ID: 6ffbd20e6bfbd324870adeb34b804b1137058474745cf65741bbc7032505f52a
Opcode Fuzzy Hash: 4e6dced360e850b097a8d905542f3a2b94081901d495f74bad065cf1163da607
Instruction Fuzzy Hash: 4401F73204A3409AE7218A1DCD84767FFA8FF41B34F08C829ED084A186C3399840C675

Function 05E28318 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b87aa31da0d83ae3120138c1a90492b7429d29aa14c6415d27f8463f3cfb446
Instruction ID: b6b1ef1b0914e3757ac729fefdb124f9c619e7eeaf992490c8d009036e9dd964
Opcode Fuzzy Hash: 8b87aa31da0d83ae3120138c1a90492b7429d29aa14c6415d27f8463f3cfb446
Instruction Fuzzy Hash: E9016170200B118FC325DF29D64460BBBE2FF88321F108B6CE06A877E4DB74A8468BD5

Function 05E2BE74 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5d3383692e13ce2d6740d5ead3f3bb39a77c687ffd37809882d3faaea8b5aa
Instruction ID: d82253efc740953a2dc6543b8b8a1aae1770f4adcb431a6b783cfda68f157018
Opcode Fuzzy Hash: 7b5d3383692e13ce2d6740d5ead3f3bb39a77c687ffd37809882d3faaea8b5aa
Instruction Fuzzy Hash: DAF0CD757501649FC620D63DC584B7E3AAAEFC4210F2428A9D29BCB768EE70DC408392

Function 025DD7EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802555680.00000000025DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25dd000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a741daca7fa5e674899aa0fc800680612c745d7b825ab3651c5a5458f3ca21f
Instruction ID: 5cf093e948344318bcb2a893954a1ea2bc192a016da498729777cfbe5cd8354f
Opcode Fuzzy Hash: 9a741daca7fa5e674899aa0fc800680612c745d7b825ab3651c5a5458f3ca21f
Instruction Fuzzy Hash: 27F062724453449AE7218A1AC8C4B66FFA8FB41774F18C45AED585B286C379A844CA71

Function 05E22DD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828d897cbf029effe7852438eaab76b210fbd1c7241c3080e35b96c70d578ab1
Instruction ID: c69fb8da805f79ed9c7014bf9c0dc28fa98f77554b4ba0e595118ca8ed1b543c
Opcode Fuzzy Hash: 828d897cbf029effe7852438eaab76b210fbd1c7241c3080e35b96c70d578ab1
Instruction Fuzzy Hash: 64F0E97260D3941BD30B17788C517953FD5CB8A650F4942EED185CB3E6D658E4028392

Function 05E2C6B9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba56b224169f7c7d1da8428eebc61ecd977f182123c9468525d0266e3b53401c
Instruction ID: 9a1799ff83a73d9b9d54cd2c9097245a3c961889a0280b19d35c0d649609caf0
Opcode Fuzzy Hash: ba56b224169f7c7d1da8428eebc61ecd977f182123c9468525d0266e3b53401c
Instruction Fuzzy Hash: F801DD79600218CFCB04CF68C088A9CBBB1FF48725F2451A9E806AB3A0C732ED81CF50

Function 027D4708 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15944ee394015dec032491d691c4657d2bfd651b4ad0425f05a5b6130434f0fe
Instruction ID: 588b8796938b4b3b37b66f24bb851dda0b978d9f13562a72991b7a069ccacffc
Opcode Fuzzy Hash: 15944ee394015dec032491d691c4657d2bfd651b4ad0425f05a5b6130434f0fe
Instruction Fuzzy Hash: 03F03034E102298BDF046FECD5542AE7BF9FB49721F51486BE546E3340DB7589108BD2

Function 05E21690 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6cb1832bde25ea6a60d2fd8788af30d7ab17be51d154254c974046d2a145df
Instruction ID: 968057be1ab27f12e0f065176d31e9aa9aadfdbd3eb35f7b23652578142db08a
Opcode Fuzzy Hash: 3b6cb1832bde25ea6a60d2fd8788af30d7ab17be51d154254c974046d2a145df
Instruction Fuzzy Hash: A7E06D32210574878710DB48F6914B9B3ABF79866932880A7E50C8AB14D33BDC02C3D8

Function 05E23A71 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f864c7d0ddd7e504b4b3f1ce9b4463b0c394eb292760106c1fdf9dbe2ed6af
Instruction ID: b2b0f79735068cdbd61a8d23a29cce2b6d6fe963463b3f84013d533f38946c05
Opcode Fuzzy Hash: 28f864c7d0ddd7e504b4b3f1ce9b4463b0c394eb292760106c1fdf9dbe2ed6af
Instruction Fuzzy Hash: 18E092371401108FD710D608D545BD433B9F78A318F1955B3E44AEF319C135E8428B80

Function 05E23A74 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dfd36ea6704dc3c7087de4721b3267148aebb63aa8fde02b66ba5c0682bf02
Instruction ID: a50b6cac003fad5eee36ac50ed25594b306bd1db5e2dedb92109bc15b0860cde
Opcode Fuzzy Hash: 75dfd36ea6704dc3c7087de4721b3267148aebb63aa8fde02b66ba5c0682bf02
Instruction Fuzzy Hash: 0CE04F36250110CFC711E61CD688BE973B5FB8A354F1999B3F55AEF329C276A8818B80

Function 027DB360 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43d77cefae9f09f40f0db61767acd0b2f4f657d330aba9a56f531da008eca4c
Instruction ID: a3094e5c22ad675b9470068e088f5bb0af1c3a3976e9f8a5568612b80d034b66
Opcode Fuzzy Hash: a43d77cefae9f09f40f0db61767acd0b2f4f657d330aba9a56f531da008eca4c
Instruction Fuzzy Hash: 26E01270D452099FCB44EFA8E5466AEBFF0EB58300F11857AD448D7300EB705A568BC1

Function 05E22D91 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509b91f3377841c452e7a854a9bb68da8c925ad112f7c58545436f725dc2938c
Instruction ID: 46d904bd4a72d1e8813d6e421386e7fa6a2a2ddd5d14e6d005d080f27317f6ea
Opcode Fuzzy Hash: 509b91f3377841c452e7a854a9bb68da8c925ad112f7c58545436f725dc2938c
Instruction Fuzzy Hash: 81E0CD7170821117D709675CD8127D67AD98FCD760F0481FAD5598B3D1D668F80142D5

Function 05E216D9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3df23e78927e9d5f38e975570d25c547307c3efbef4594e16548e693ca8394d
Instruction ID: 9053b69c12c9c1f107e9b53f51a7aed4b0a422b45bb3a7114b41419b1ee8b8f6
Opcode Fuzzy Hash: d3df23e78927e9d5f38e975570d25c547307c3efbef4594e16548e693ca8394d
Instruction Fuzzy Hash: DBE02636900230DFE318AF98E845BA43765FB40315F4AE169F54587244D379DC42CBD5

Function 05E24F19 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e46ac4ba9f85e57481dfb8765093cd748cd7f1e49b9f1b69a5dac16734e2889
Instruction ID: a567e79a21dd14e485a6c506a7561829e7a457ed909f32b5a9ef7edfe8aa3389
Opcode Fuzzy Hash: 2e46ac4ba9f85e57481dfb8765093cd748cd7f1e49b9f1b69a5dac16734e2889
Instruction Fuzzy Hash: D1E08C33009298AEDB02D7C0DC05D46BF75AF99210B0994D2F19D8F873E111C564EBA1

Function 05E28190 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a170cbc9d79622316718af296d78867d0299c01beec98a63d12ca90448a172
Instruction ID: 1c19be129e62a1f809a25e0090bf7e0657560f7e1d7d6078b32f3dc3dae591f3
Opcode Fuzzy Hash: 51a170cbc9d79622316718af296d78867d0299c01beec98a63d12ca90448a172
Instruction Fuzzy Hash: CCD05B32350528479604226DA01D59EBE9FDBC56317050067F516C37D0CE654C4146E5

Function 05E2A747 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27aff4b603eb395a820ada4116416b0733b437797e719932c5fe7de96b951e3
Instruction ID: e6ad1de766b0c6662ec458eec30d3cc43225dafaaeaed83ed6aff75f2497687e
Opcode Fuzzy Hash: a27aff4b603eb395a820ada4116416b0733b437797e719932c5fe7de96b951e3
Instruction Fuzzy Hash: E8D0A7337191246BD255115CBC5136C6BA7DBCE151F9800BAFA81F3344DD889D0607DE

Function 05E22DA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3d374c575ecfe6a4ab7315d7ae31507d6b83cc48a1eb7c40ec9f7dd42accd1
Instruction ID: dbba00dda0f5771723b64160eb3fb4cb17711cb2398467a8feedcb0219c092b4
Opcode Fuzzy Hash: dc3d374c575ecfe6a4ab7315d7ae31507d6b83cc48a1eb7c40ec9f7dd42accd1
Instruction Fuzzy Hash: B0D05E313052141BD709664CA41479A76CA8FCD650F05806AE5098B390CAA5BC0142D5

Function 027DB370 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cd99bccc94fd9252d3620578487af18546d926d37dcbfdd9c7ac1182fd2546
Instruction ID: 39f6158dd270480155fc456aa229257da33dabd94823021fd0a6c4b9134a7fa1
Opcode Fuzzy Hash: 40cd99bccc94fd9252d3620578487af18546d926d37dcbfdd9c7ac1182fd2546
Instruction Fuzzy Hash: 99E0E270E402089FCB84EFA9C9466AEBBF4EB48200F50816AD808E6340E7705A518BD1

Function 05E23924 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e175f86e9dec5a3724d7edb73956b17af0ba6efdc339079793ae7836fa9fa19
Instruction ID: f5416d09722581e6e67c6e85ea53bee2c534194dc4ca54f01d0ff3184b509f99
Opcode Fuzzy Hash: 3e175f86e9dec5a3724d7edb73956b17af0ba6efdc339079793ae7836fa9fa19
Instruction Fuzzy Hash: 51D0C936048019BFCF01ABC4DC48D96FBAAEB8C311B45D8A1B64D8A17AD622D5A0EF55

Function 027DD600 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53a27f67884b51b84844df4e6203b88ef2962e0e3dff475dcde7fba9eaacf25
Instruction ID: 3a2243f3882ed33961d896007b751e2e3f22002a2eec81e3361d30e545e173a0
Opcode Fuzzy Hash: b53a27f67884b51b84844df4e6203b88ef2962e0e3dff475dcde7fba9eaacf25
Instruction Fuzzy Hash: 12C0123004430B8EC601F7A5F854559772EFAC0304760C57091150632DDF7858894E94

Function 027DB7E8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb249c09631791179e0ec9766495ce0de4a49d4942e8d3c706f8be9d4ef256b
Instruction ID: 396fc39c9e5f8a568433c9e39249f150de47fb6251581bbc6753b66274baef0d
Opcode Fuzzy Hash: cbb249c09631791179e0ec9766495ce0de4a49d4942e8d3c706f8be9d4ef256b
Instruction Fuzzy Hash: 43C09B723401105F59053694786D47D373DD6C4B173001029F10BC1540CF380C52D795

Non-executed Functions

Function 027D7B60 Relevance: 12.2, Strings: 9, Instructions: 952COMMON

Download Yara Rule

Strings

(o^q, xrefs: 027D81C9
(o^q, xrefs: 027D7DBA
(o^q, xrefs: 027D7C36
,bq, xrefs: 027D80AA
(o^q, xrefs: 027D7D1D
(o^q, xrefs: 027D8109
,bq, xrefs: 027D809A
(o^q, xrefs: 027D7CF1
(o^q, xrefs: 027D8119

Memory Dump Source

Source File: 00000000.00000002.1802836898.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27d0000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2735749406
Opcode ID: a729b06f8cd4a0adba80bad708b2bc7c7fcbd5587692187fecf7d851cdbfaba1
Instruction ID: 552d19d0ca1dadfa1004a63ce603d529be037006e1e53d9dc5cf71f8b1d8b4d9
Opcode Fuzzy Hash: a729b06f8cd4a0adba80bad708b2bc7c7fcbd5587692187fecf7d851cdbfaba1
Instruction Fuzzy Hash: 6B825B34A00605DFCB15CFA8C984AAEBBF2FF88314F158659E855AB3A5D731EC42CB51

Function 05E2BE94 Relevance: 11.0, Strings: 8, Instructions: 975COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05E2FB9B
Hbq, xrefs: 05E2FB3C
PH^q, xrefs: 05E2F449
Hbq, xrefs: 05E2FD5A
Hbq, xrefs: 05E2F71A
Hbq, xrefs: 05E2F938
Hbq, xrefs: 05E2F779
(bq, xrefs: 05E2F475

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID: (bq$Hbq$Hbq$Hbq$Hbq$Hbq$Hbq$PH^q
API String ID: 0-3076519024
Opcode ID: c72faf27e156e69b740b53e53e208ac6146ba635e24e9decdab6ae8de99a426d
Instruction ID: 04a665775ca2634449f5bd165be140a63d4a3e168667f8abba6ae89f79ebaf1c
Opcode Fuzzy Hash: c72faf27e156e69b740b53e53e208ac6146ba635e24e9decdab6ae8de99a426d
Instruction Fuzzy Hash: 6372CE30B002148FDB18EB78C855A6E7BA7FFC8354F648569D05ADB3A8DE34DC068B95

Function 05E2DA68 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116c4ef273f18d7a065c815947fb2263aa7a4986cb7a0981ee3a4ded89eb1baa
Instruction ID: afa49d631d1f5f30f3e023f738db590e02f9c806233976afd4d436403c79f3d3
Opcode Fuzzy Hash: 116c4ef273f18d7a065c815947fb2263aa7a4986cb7a0981ee3a4ded89eb1baa
Instruction Fuzzy Hash: 3AB1D670B002549FDB58ABBC891477F2AEBBFC8344F548568D04AE7398DE389D4387A5

Function 05E2DA57 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806841991.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e20000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a804ab14aac7bd8bb2bed25184b1204324036e922f9dbc6d260e0f1dfa761a
Instruction ID: e6f1166e6ffbfd77c0bef9765919197302e21690114a17d270736bd438087099
Opcode Fuzzy Hash: 31a804ab14aac7bd8bb2bed25184b1204324036e922f9dbc6d260e0f1dfa761a
Instruction Fuzzy Hash: 78A1D770B002549FDB58ABBC891477F2AEBBFC8350B54856DD04AEB398DE349C4387A5

Function 05E47D37 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa5d5de04f6c2dc7dd29f680f1ed6d773babb8392c24c515feef8d8656a6b3d
Instruction ID: 15c72bd658ecd38c3e6d1866d14c29de55a88115d35ee092f9153dc6deabb1a2
Opcode Fuzzy Hash: 1fa5d5de04f6c2dc7dd29f680f1ed6d773babb8392c24c515feef8d8656a6b3d
Instruction Fuzzy Hash: B2E14731C2465A8ACB10EF64D994A9DF7B1FF95300F10C79AE0497B225EB706AC9CF81

Function 05E47D70 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d7061d637205b81b976aefe7a38ffdc9089d4e2d61014f63b6300f1b78bb03
Instruction ID: d9d69912479d90ef4c152d036ceba91cef1324aa28f6221fbf7f42f1c1504907
Opcode Fuzzy Hash: 93d7061d637205b81b976aefe7a38ffdc9089d4e2d61014f63b6300f1b78bb03
Instruction Fuzzy Hash: 8FD10531D2465A9ACB10EF64D994A9DF7B1FF99300F50C79AE0493B224EB706AC5CF81

Function 05E4D510 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806908043.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_DUWPFaZd3a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625b856ffdcbe3cc14787216983f083ba8ff011f6baa2323259a275c3e16ad5c
Instruction ID: 3b445733df40e30396abfcfb327302c203c99208ce5d005739d5cebf289604a7
Opcode Fuzzy Hash: 625b856ffdcbe3cc14787216983f083ba8ff011f6baa2323259a275c3e16ad5c
Instruction Fuzzy Hash: AA714C71F00205AFCB08EF79E85496F7BF6BB88210B60C56DE44ADB395DA34D8058BA5

Analysis Process: Windowsx.exePID: 2916, Parent PID: 7840COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.8%
Total number of Nodes:	79
Total number of Limit Nodes:	6

Executed Functions

Function 02757C08 Relevance: 12.1, Strings: 9, Instructions: 879COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02757DBA
(o^q, xrefs: 02758119
(o^q, xrefs: 02758109
,bq, xrefs: 0275809A
(o^q, xrefs: 02757CF1
(o^q, xrefs: 02757D1D
(o^q, xrefs: 027581C9
(o^q, xrefs: 02757C36
,bq, xrefs: 027580AA

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2735749406
Opcode ID: 7c3bbb4ef257f040d17f6d898e4ca1d144ec1d7a5478f70ee9261614622f2c3f
Instruction ID: 97687b2830877b28047caf63294a5ceb0cc68480d7f86d19d62fa6211026691f
Opcode Fuzzy Hash: 7c3bbb4ef257f040d17f6d898e4ca1d144ec1d7a5478f70ee9261614622f2c3f
Instruction Fuzzy Hash: E1824C34A00219DFCB14CFA9C584AAEFBF2FF88314F158559E806AB2A5D771ED81CB51

Function 02756F48 Relevance: 3.1, Strings: 2, Instructions: 563
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 0275733E
(o^q, xrefs: 02757472

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 66bdf3db10e7a1e97253d4a67f4ec8f0bd2980451349ba1f5844f9f146d976c2
Instruction ID: 63a218b3bd97d663f6387ff4a412b8526dd2bf1155790c569675a05cf1863646
Opcode Fuzzy Hash: 66bdf3db10e7a1e97253d4a67f4ec8f0bd2980451349ba1f5844f9f146d976c2
Instruction Fuzzy Hash: EF226071A002299FDB18DF69C8547AEBBF6FF88304F148469E905EB391DB749D42CB90

Function 0D1D28D0 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0D1D2A3B

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 5684d945fbe992441675278a076ffa13fdcc14a1cf7ac24f7fee22e21c149fd9
Instruction ID: 5e008c5102f1a9768cec6c59199077541e93545b2780997dbf62df3d45ccdfa5
Opcode Fuzzy Hash: 5684d945fbe992441675278a076ffa13fdcc14a1cf7ac24f7fee22e21c149fd9
Instruction Fuzzy Hash: 4F51E67190022ADFDB64CF99C940BEDBBB5BF48310F0480AAE958B7254DB759A85CF90

Function 05E33A40 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a6d128d4dd80e396e446cd94941148e20e226d0de8292891aadf041ce3a60b
Instruction ID: 7e5d919c1700a349517e0922222387d2352bd01a644f04e1397beb70327b92d9
Opcode Fuzzy Hash: 31a6d128d4dd80e396e446cd94941148e20e226d0de8292891aadf041ce3a60b
Instruction Fuzzy Hash: 3F524734A003458FDB14DF28C844B99B7B2FF89314F2586A9D4586F3A2DB71AD86CF81

Function 05E33A30 Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dad3e98dbed757c1c9d489f3176fe4aa7348c5708f08b3bf34935712cde25e
Instruction ID: 028b08432bc7ead89f9c64225eb9752a7afa4fd4fc1672fd9cf80fc0691bc5d6
Opcode Fuzzy Hash: 49dad3e98dbed757c1c9d489f3176fe4aa7348c5708f08b3bf34935712cde25e
Instruction Fuzzy Hash: D9524834A003458FDB14DF28C844B99B7B2FF89314F2586A9D4586F3A2DB71AD86CF81

Function 02757759 Relevance: 5.4, Strings: 4, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 027577AA
,bq, xrefs: 02757830
(o^q, xrefs: 027577B8
,bq, xrefs: 02757822

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: ac752fc3b964b12abcf3f31f9b7f293f646e790e6718a435a144496b82e7b964
Instruction ID: 4d8d7d242aa45ee27d80505349c31402926608310cd5a332c0b69e0f27a2a0ba
Opcode Fuzzy Hash: ac752fc3b964b12abcf3f31f9b7f293f646e790e6718a435a144496b82e7b964
Instruction Fuzzy Hash: 33E15D34A00125CFCB18CF69D888AADFBB2FF89354F158096E805EB265DBB5ED41CB54

Function 02757C03 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02757DBA
(o^q, xrefs: 02757CF1
(o^q, xrefs: 02757D1D
(o^q, xrefs: 02757C36

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 6530eb54804e7195a75b781782534ec70fcafe1417377e1305bf93fe804084ca
Instruction ID: e4dba6e561f903b29b1936ec44bf014ccf6ad3b0051129fe6a3c77597a7653d9
Opcode Fuzzy Hash: 6530eb54804e7195a75b781782534ec70fcafe1417377e1305bf93fe804084ca
Instruction Fuzzy Hash: EAC12A30A002199FCB18CF69C984AAEFBF2FF48314F148559E819EB2A5D771ED81CB50

Function 0275A474 Relevance: 5.2, Strings: 4, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 0275A4FC
Hbq, xrefs: 0275A55B
Hbq, xrefs: 0275A49D
Hbq, xrefs: 0275A5E4

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq
API String ID: 0-2881081751
Opcode ID: e69eac17cd8574d11024703a41b7191ca5a7166c7a49f3515fda7c9fbb015527
Instruction ID: bfa20ebb505afdbafe23fc632950321ef800c098dfb08e63de86d58601d7a629
Opcode Fuzzy Hash: e69eac17cd8574d11024703a41b7191ca5a7166c7a49f3515fda7c9fbb015527
Instruction Fuzzy Hash: 50710E34B002408FDB05AB7998683BE7BE3EFC9340B244569D5469B395CF38AC06C7A6

Function 0275B458 Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0275B564
$^q, xrefs: 0275B558
Hbq, xrefs: 0275B604

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: Hbq$$^q$$^q
API String ID: 0-1611274095
Opcode ID: 8820c38cb3640dbd3e23252e49c2c9e68064d439a47ecea65b8c139af2a8da03
Instruction ID: a19a07db7a490860a3bed844afe14321fd685769016e1c1b3b6c5e8b008e31f1
Opcode Fuzzy Hash: 8820c38cb3640dbd3e23252e49c2c9e68064d439a47ecea65b8c139af2a8da03
Instruction Fuzzy Hash: 3151B1347042358FDB5D6B36A46823EBAA7BFC4748358542DD803CB399DF6ACD028B95

Function 0275522F Relevance: 3.9, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8bq, xrefs: 027552DD
$^q, xrefs: 02755278
$^q, xrefs: 0275526C

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: 8bq$$^q$$^q
API String ID: 0-2949139543
Opcode ID: 6687a71413c0d0e691c39f603a83c9d552ece52a8b92f745d23146f336767674
Instruction ID: b0b9519e0f69f86d7873415eda2e7e1fb199268adbe49e2d1eb764ae4c73812b
Opcode Fuzzy Hash: 6687a71413c0d0e691c39f603a83c9d552ece52a8b92f745d23146f336767674
Instruction Fuzzy Hash: 2931F2B0B182398FC7145BA8945433AF7E1AB89718F68456AD80ACF355DBF1CC45CB82

Function 02756580 Relevance: 2.9, Strings: 2, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 02756784
Hbq, xrefs: 02756751

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: e84321bc41157bc84e447c737f37c818128661709e2e0b8b461bbc881c52baaa
Instruction ID: 1c4135f600e96bb9b9becfa509152b86fae0c94725a48441855a20d0a6481c56
Opcode Fuzzy Hash: e84321bc41157bc84e447c737f37c818128661709e2e0b8b461bbc881c52baaa
Instruction Fuzzy Hash: 50E1D0747002259FDB04AF29C858B7EBBAAFB88710F548428E906DB390CFB5DC45CB95

Function 05E3C3A0 Relevance: 2.8, Strings: 2, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 05E3C67C
PH^q, xrefs: 05E3C50E

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 0c8b0dc49e57b622ae4736ff4cf774d55a5fb33b780f3a19426022f3e4297c8b
Instruction ID: 3ac354f26d240e49c459447e5abe10c54d49692c9455bc2b104c21a308dac64b
Opcode Fuzzy Hash: 0c8b0dc49e57b622ae4736ff4cf774d55a5fb33b780f3a19426022f3e4297c8b
Instruction Fuzzy Hash: 7FC13630B00214CFDB14DF68D599AADBBF2BF88315F2155A8E44AAB3A1DB31EC45CB50

Function 02756C70 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 02756D46
,bq, xrefs: 02756D50

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: cbea181c2068072d04d7f21827a094a9216c3f6cae593cce729d3346e18243e4
Instruction ID: 6d593097dc9fadcb9713da860ee83fc56437ae2d3311582c97a8d24503adfee2
Opcode Fuzzy Hash: cbea181c2068072d04d7f21827a094a9216c3f6cae593cce729d3346e18243e4
Instruction Fuzzy Hash: 9091C234B01225CFCB14CF79C88896AF7BAFF89214B958569D805EB365DB71EC41CB90

Function 02755778 Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

(bq, xrefs: 027558B9
(bq, xrefs: 0275588D

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 24a6ae62a23943b30c59d477468036054d335faed780afe5681376d5f00efdf0
Instruction ID: 48d365e1ff16e082a2ba89f0fdd9c627d30d396e4e7f84dbed4c76c89e6ec646
Opcode Fuzzy Hash: 24a6ae62a23943b30c59d477468036054d335faed780afe5681376d5f00efdf0
Instruction Fuzzy Hash: C5710235B05219DFDB05DF65D8546ADBBB2FF88310F508069E902AB390DB79AC09CF91

Function 05E33908 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

(bq, xrefs: 05E34F82
Hbq, xrefs: 05E350A0

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 06c74bb1c04ff37430c6ef97459b4eac7924d2b644ace90b5a2b6f0915b10aea
Instruction ID: f1d11bb3d37b28ede0010232cf710b4700ae369bf4d66a797334432a93e259af
Opcode Fuzzy Hash: 06c74bb1c04ff37430c6ef97459b4eac7924d2b644ace90b5a2b6f0915b10aea
Instruction Fuzzy Hash: AE5136316082509FD715AF28C0096BE7BE6FBC5314F1885ABD08ADB795DA31AC42CBD1

Function 0D1D6DF0 Relevance: 1.8, APIs: 1, Instructions: 303windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0D1D705D

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ae690239302703384b9f58258ae69122819b6bb313d285d675ec6fe07c001453
Instruction ID: 5112a506c6acc53ea32855a6e5a8006219a433d4c24eeca9c6841076aafc2e5d
Opcode Fuzzy Hash: ae690239302703384b9f58258ae69122819b6bb313d285d675ec6fe07c001453
Instruction Fuzzy Hash: 1C1156B68043888FDB11CFA9D848BDEBFF4EF49310F14845AD498A7651C378A984CFA1

Function 0D1D28C5 Relevance: 1.7, APIs: 1, Instructions: 166processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0D1D2A3B

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: fde64b8c6aa0e478ad1b218eeeb91982736d781149e313c6b2b34acf8cbfdb4e
Instruction ID: 9e7f5c4b8b24c2fc9d86f530c504e049a4c2966803bb2fdd64f5f8c65acc4cc5
Opcode Fuzzy Hash: fde64b8c6aa0e478ad1b218eeeb91982736d781149e313c6b2b34acf8cbfdb4e
Instruction Fuzzy Hash: 7751157190022ADFDB24CF99C840BEDBBB5FF48310F0484AAE958B7254DB759A85CF50

Function 078A2891 Relevance: 1.6, APIs: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 078A293B

Memory Dump Source

Source File: 0000000D.00000002.2823738050.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78a0000_Windowsx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2f7b2c0f8e343cabb7b2037e9b208d047f2b9d67bd9c8f12d85732a4848208d8
Instruction ID: 99990e8a8f4fea1261d0d32ea9ed24fed709e0ebb724336c66f0ad9aecb85765
Opcode Fuzzy Hash: 2f7b2c0f8e343cabb7b2037e9b208d047f2b9d67bd9c8f12d85732a4848208d8
Instruction Fuzzy Hash: 863138B59043898FDB11CFA9D454AEEFFF0BF4A320F14849AD598A7252C3389545CFA1

Function 0D1D4EB0 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0D1D4F48

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 79be4581bdc97f366bc1d64df171d723c46443a4f84b998147293db2ab2ad84f
Instruction ID: 35c706aafefb6b373a0e024e9dfe13630256554f29acbd8d1b3758d486b330e4
Opcode Fuzzy Hash: 79be4581bdc97f366bc1d64df171d723c46443a4f84b998147293db2ab2ad84f
Instruction Fuzzy Hash: E3216BB19003199FDB10CFA9C885BEEBBF5FF48320F108429E958A7250C7789545CFA4

Function 0D1D4EB8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0D1D4F48

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6b89703dce7ffa14f7ca3f8add08daaa8da2e185dc1086cdea681fab4296a715
Instruction ID: 80fac772dfaf21ee7598bc81cc2fc3a41134627ee696d6cef709b98ae88f6ed9
Opcode Fuzzy Hash: 6b89703dce7ffa14f7ca3f8add08daaa8da2e185dc1086cdea681fab4296a715
Instruction Fuzzy Hash: 312139B19003599FDB10CFA9C985BEEBBF5FF48310F108429E958A7250C778A945CFA4

Function 0D1D65C9 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0D1D664E

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f3c747276d7972563e49ac183d6218a8f9f5bf9432253f34b7780955e0afb460
Instruction ID: 9ea520a5be061167c1f807bffebba78a9480209a186a92eb4180e548994c1a73
Opcode Fuzzy Hash: f3c747276d7972563e49ac183d6218a8f9f5bf9432253f34b7780955e0afb460
Instruction Fuzzy Hash: 9A2138B19003098FDB10DFAAC485BEEBBF4EF48324F10842AD459A7241CB78A945CFA5

Function 0D1D448A Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0D1D450E

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2e2bee4e7c1a61b2d230dfcf1b76c5ae0047664ea81875f6b0842509cb6b0b80
Instruction ID: 8ed59c9ba3827aca120b61937886cf2899987ea5af602674c51648323d4466db
Opcode Fuzzy Hash: 2e2bee4e7c1a61b2d230dfcf1b76c5ae0047664ea81875f6b0842509cb6b0b80
Instruction Fuzzy Hash: 672129B19003098FDB10DFAAC4857EEBBF4EF48324F14842AD459A7251DB78A985CFA5

Function 0D1D65D0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0D1D664E

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c7098c6651ab32b6b068aae82fe688da26b272af05a6189e098e1c55529d5ca8
Instruction ID: ac2caedc38d7781ba80f8f32ff1366cf38246a05b3782b3c0d1f39b0d2133445
Opcode Fuzzy Hash: c7098c6651ab32b6b068aae82fe688da26b272af05a6189e098e1c55529d5ca8
Instruction Fuzzy Hash: C72149B1D003098FDB10DFAAC4857EEBBF4EF48324F108429D459A7240CB78A945CFA5

Function 0D1D4490 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0D1D450E

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e0e6c8f201b7f3525eff1d5c71375d47870543c6edef78f1e0537126cb901c97
Instruction ID: e5cedf51e21198d500554a314f64b5d31e419093b3d73ade29e1e5deb71b19d3
Opcode Fuzzy Hash: e0e6c8f201b7f3525eff1d5c71375d47870543c6edef78f1e0537126cb901c97
Instruction Fuzzy Hash: 4F2129B19003098FDB10DFAAC4857EEBBF4EF48324F14842AD459A7241DB78A985CFA5

Function 0D1D6328 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0D1D63A7

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 13d8ed08370197599603ff710defb6a7652c9f2cf7db553fcfee6a266a20468b
Instruction ID: 63b19cd3f9780a4df32f038ffb5d208f5ba0a11d53c9a70db99fc5eeec40f6d8
Opcode Fuzzy Hash: 13d8ed08370197599603ff710defb6a7652c9f2cf7db553fcfee6a266a20468b
Instruction Fuzzy Hash: F42138B18002099FDB10DFAAC444BEEBBF5FF48320F10842AE459A7250CB799945DFA1

Function 0D1D6330 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0D1D63A7

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d9c4b1f70bfef9fc468e84e5dd2dffebbf84f73589d5852d1e38c6501a5e7f4a
Instruction ID: 602d9e9d68204c1ee7714a9e0fbadbd60bab7bd417b0f10d20beacc7eafe765b
Opcode Fuzzy Hash: d9c4b1f70bfef9fc468e84e5dd2dffebbf84f73589d5852d1e38c6501a5e7f4a
Instruction Fuzzy Hash: 7D2115B18002499FDB10DFAAC444BEEBBF5FF88320F10842AD559A7250CB78A945DFA5

Function 05E9233C Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05E95668

Memory Dump Source

Source File: 0000000D.00000002.2821164145.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e90000_Windowsx.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ce423ca1d452349ccb82c477f42f591d83e080f29aecedcbc6d3145864214dcd
Instruction ID: cd88aca1fd220bef58aa1a6dad55a69fdda87f263d2c8f8dfb52463409727549
Opcode Fuzzy Hash: ce423ca1d452349ccb82c477f42f591d83e080f29aecedcbc6d3145864214dcd
Instruction Fuzzy Hash: 232124B1C0065A9BDB14CF9AC544BAEFBB4FF48320F14812AD899A7251D738A944CFA5

Function 05E955F3 Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05E95668

Memory Dump Source

Source File: 0000000D.00000002.2821164145.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e90000_Windowsx.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 669b50d9e3c9c298acee8359c0c6f4927640bed47abb78421244d011ab39229b
Instruction ID: 3b96d0a2f01ad4bd037862a27f50a08f377d6af02941a01fa4cdfe95aedbcc5e
Opcode Fuzzy Hash: 669b50d9e3c9c298acee8359c0c6f4927640bed47abb78421244d011ab39229b
Instruction Fuzzy Hash: 322136B2C006599BDB14CF9AC545BAEFBF4FF48320F14812AD858A7341D738A944CFA5

Function 078AAF78 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 078AAFEB

Memory Dump Source

Source File: 0000000D.00000002.2823738050.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78a0000_Windowsx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 91cc2d2b9a2787a55dee903eb2da87e46d2fdd464b561308f6591f5d25793a44
Instruction ID: 74b1e2c37593fd6356132cd90776f9ad7082ff954517f8e1c9d03ef7e862aeab
Opcode Fuzzy Hash: 91cc2d2b9a2787a55dee903eb2da87e46d2fdd464b561308f6591f5d25793a44
Instruction Fuzzy Hash: 6C21E4B59002499FDB10DF9AC484BDEFBF4FB48320F10842AE968A7651D378A544CFA5

Function 078A28C8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 078A293B

Memory Dump Source

Source File: 0000000D.00000002.2823738050.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78a0000_Windowsx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5f01ab868524ff3ba7034c5e4f988994b65d4037a3b02c1e7557a70ccb532013
Instruction ID: 3503e2e1cb96abcbefad054aaca668f2aa5c55ab9de641db3259b84e30745f08
Opcode Fuzzy Hash: 5f01ab868524ff3ba7034c5e4f988994b65d4037a3b02c1e7557a70ccb532013
Instruction Fuzzy Hash: 8621E4B59002499FDB10DF9AC484BDEFBF4FB48320F148429E998A7251D378A545CFA5

Function 0D1D4B78 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0D1D4BE6

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 09611db7df4e448aed8c53e2ab32bb74dc4adbb0e59909762a24c17da04f4532
Instruction ID: 2c47a0a2543bb2955d294739f3f55f3d9ba82413b81c50cd41a60f2339bda508
Opcode Fuzzy Hash: 09611db7df4e448aed8c53e2ab32bb74dc4adbb0e59909762a24c17da04f4532
Instruction Fuzzy Hash: B61137B69002499FDB20DFAAC844BEEBFF5FF88320F108419E559A7250CB75A544CFA5

Function 0D1D4B71 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0D1D4BE6

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 75860ea919e6759a27c2642d816b1f0dd3b5f65e3b7a93a156769980cfc9acb3
Instruction ID: b5b9cef1e951838a4ff8e29b3f045c0b0db2b9af4334f3ae8094f0b13612a6c5
Opcode Fuzzy Hash: 75860ea919e6759a27c2642d816b1f0dd3b5f65e3b7a93a156769980cfc9acb3
Instruction Fuzzy Hash: 99117C768002499FCB20DFA9C844BDEBFF5FF88320F208419D469A7290CB35A540CFA4

Function 0D1D6830 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0D1D689A

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ab9fbc28ec5036b4b723ffcba3eb4d2e7d346df082ed046392302341bdc155fa
Instruction ID: 6b33bb30b04dc565e3ec2e535cfb598dfab50631e6fbb91c91d8d461dc49b5eb
Opcode Fuzzy Hash: ab9fbc28ec5036b4b723ffcba3eb4d2e7d346df082ed046392302341bdc155fa
Instruction Fuzzy Hash: F01158B19003488BDB20DFAAC4457DEFBF4EF88324F208829D459A7250CB39A545CF95

Function 0D1D6838 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0D1D689A

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9801f136c13a3ec3cbacfe8b05a9b5bb8d67430807c3f666e5713ee7efcefc3e
Instruction ID: 72eb37930fc240afba99656b0355b7cbbfedfe82490c2a59739f61f18579f5e9
Opcode Fuzzy Hash: 9801f136c13a3ec3cbacfe8b05a9b5bb8d67430807c3f666e5713ee7efcefc3e
Instruction Fuzzy Hash: A31128B19003488BDB20DFAAC4457DEFBF4EB88324F208429D459A7250CB79A544CF95

Function 0D1D56B0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0D1D705D

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fef0850a1d51b698e9cafb06bf76478ed7740382d97d90f197e0667bcab29ea5
Instruction ID: da7bef22647947226b74a5d7523b026ddd1d0bd2a9e27f9d33ddc06663025f19
Opcode Fuzzy Hash: fef0850a1d51b698e9cafb06bf76478ed7740382d97d90f197e0667bcab29ea5
Instruction Fuzzy Hash: 2C1125B58003489FDB20DF9AC488BEEFBF8FB48320F108419E559A7240C375A940CFA5

Function 02754E40 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

8bq, xrefs: 02754ED5

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 21f2231ffe0def84a76ad76d511b01e1f16cbb560b1d821e2934b2ecfe2b47ee
Instruction ID: a930c65cf20de098fa74c7189ad6423611651a2338847e6b2595f5b4232bee07
Opcode Fuzzy Hash: 21f2231ffe0def84a76ad76d511b01e1f16cbb560b1d821e2934b2ecfe2b47ee
Instruction Fuzzy Hash: 0BA18E74F002149FDB14DF69D894BAEBBF2FB88700F148469E816AB394DBB59C85CB50

Function 02754E0F Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

8bq, xrefs: 02754ED5

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 2d4a4331e16703b02aed60a501ea90149f9a3146c400ba5de0d452c817c81f11
Instruction ID: 0ac74dbec7c88259bd9d733af80a261891b5095fa94d7646eda680b47c2cf965
Opcode Fuzzy Hash: 2d4a4331e16703b02aed60a501ea90149f9a3146c400ba5de0d452c817c81f11
Instruction Fuzzy Hash: 30A1AF75E002149FDB14DF69D894BAEBBF2FB88700F148469E806AB394DB749C85CB91

Function 05E3C390 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05E3C50E

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: bbc429a212ee0c2fb8376cfca186e0ef1f3b66d7bdb7aebce78a36566fdc2d46
Instruction ID: 98224bf1268e9012edc28234adec9f54b5d4b3c64eecfa5e4ed74d5fce9fc424
Opcode Fuzzy Hash: bbc429a212ee0c2fb8376cfca186e0ef1f3b66d7bdb7aebce78a36566fdc2d46
Instruction Fuzzy Hash: 5C512335B00204CFDB18DF28C589AA8BBF1BF88315B2155A8E44AEB3B1DB31EC45CB50

Function 05E38A98 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

$^q, xrefs: 05E38B21

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: b41486fc82aff9874d041bce5c46f0a5bded0175787c70910b7621be475e4620
Instruction ID: 53222155b25c255bed06b0cf6374e0230e53e8225b974995a5063273085dc106
Opcode Fuzzy Hash: b41486fc82aff9874d041bce5c46f0a5bded0175787c70910b7621be475e4620
Instruction Fuzzy Hash: D42171347092018F97589B39D45992A3AE7FF88755310906AF846CB3A4DE22CC06CB15

Function 05E38A88 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

$^q, xrefs: 05E38B21

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 8f284a8fd00f08dcb67c45453740886135f08cb89660e19592e8c7197e5041e7
Instruction ID: afef8a285265f34d5d0099bd961c563a10117e0be474fe4df00307a777b111d7
Opcode Fuzzy Hash: 8f284a8fd00f08dcb67c45453740886135f08cb89660e19592e8c7197e5041e7
Instruction Fuzzy Hash: 2121A1387092018FEB548F36D45D92A7BE7FF8575970590AAF486CB2A1DF21CC02C711

Function 0275FEF0 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0275FEF7

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: c8c34b80abc998381868a7087a023895b8dde641e953e0363f08732cafd9d20f
Instruction ID: f9d688ba51f32e59f277b522662e74823327ca9d36f2caa6cbc096098ab0c1ec
Opcode Fuzzy Hash: c8c34b80abc998381868a7087a023895b8dde641e953e0363f08732cafd9d20f
Instruction Fuzzy Hash: 5E1170347501155FDB08AB6AD454B2F32EBEBC9E18F108069D50A8F3E8DE609C0387DB

Function 0D1D6DE4 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0D1D7EB1,?,?), ref: 0D1D8058

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f6bb3491309139c8c886a73fe52cc4085fc30c15abefcc0cda1c64d470c699d1
Instruction ID: 29ca7d96ee882b9e077afd427bcbb30fac8dd6e211cb281c983d8f406262a1c7
Opcode Fuzzy Hash: f6bb3491309139c8c886a73fe52cc4085fc30c15abefcc0cda1c64d470c699d1
Instruction Fuzzy Hash: 1C1113B58003598FDB20DF9AC549BEEBBF4EF48320F208459D568A7241D778A944CFA5

Function 0D1D7FFA Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0D1D7EB1,?,?), ref: 0D1D8058

Memory Dump Source

Source File: 0000000D.00000002.2825408955.000000000D1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d1d0000_Windowsx.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5e908f609c5e9f0a825c84858d4a1329f6184641561b8be4340f1ef6024e0dbd
Instruction ID: bdd9aab83b39347626c79ac9eb939e5fef3e1c5933832ce5f15f9e642db19a48
Opcode Fuzzy Hash: 5e908f609c5e9f0a825c84858d4a1329f6184641561b8be4340f1ef6024e0dbd
Instruction Fuzzy Hash: 2E1125B58003498FDB20DF9AC545BDEBBF4EF48320F208419D558A7651D739A544CFA5

Function 05E315A8 Relevance: .8, Instructions: 777COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fab70e894c01de58462e879b97dd02090505b79439efba7d7a494eab72cfbef
Instruction ID: 10a213468cdea189cd33320b2d04db5f1e7133f36b96f59062183ec0211e583f
Opcode Fuzzy Hash: 8fab70e894c01de58462e879b97dd02090505b79439efba7d7a494eab72cfbef
Instruction Fuzzy Hash: FF625D74F48B819BEB349F68849D3AE7AA1BF41304F50595EC7EBCA280CB399045DF46

Function 05E39B13 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3873793c6d7aa7340750bd49e20ecd00d3acc83b138160f20e4c0962b3f7e43e
Instruction ID: b5b2e7edbee4a0a6ba58142039567a007fe6886ecb2fb6e07c72e41f971fe127
Opcode Fuzzy Hash: 3873793c6d7aa7340750bd49e20ecd00d3acc83b138160f20e4c0962b3f7e43e
Instruction Fuzzy Hash: D5020334A001049FDB54DF68D499AADBBF2FF89314F5581A8E44ADB3A6DB30EC85CB50

Function 05E3BD64 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f458ad07490e86c4b4c4efd01758d6509e0f31813ab0f277b9e1965b3f70b8fc
Instruction ID: 83a410caf6ae24b6f9d9af359c7f5558abfd9ccf0ef327b72a0c4de3716f61ca
Opcode Fuzzy Hash: f458ad07490e86c4b4c4efd01758d6509e0f31813ab0f277b9e1965b3f70b8fc
Instruction Fuzzy Hash: 3B712630240604CFDB14DF28C989E6ABBF6FF85214F1595A9E48A8B376DB31EC45CB61

Function 05E36E30 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff66ac0051298d0dd2ff1fd8aab283c21f74b712a6a460e3d8a5337dfa7b1dc
Instruction ID: 8ac19451fd36cf0e5cb30be8afe6689d994134d4f0ea37a61d405f0c54e38b81
Opcode Fuzzy Hash: 1ff66ac0051298d0dd2ff1fd8aab283c21f74b712a6a460e3d8a5337dfa7b1dc
Instruction Fuzzy Hash: 9351E4317002109FDB14EF78D459AAEBBF6EF89644F1458AAD046DB361CB71EC45CBA0

Function 0275A279 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ad36cb903104efc5c02b7225490a09876c53911521b111b7d91e00139b013b
Instruction ID: 55c0fdddd439de03c1e721ab78de3e30f5b0c544299860e6a696c32279ffa953
Opcode Fuzzy Hash: 46ad36cb903104efc5c02b7225490a09876c53911521b111b7d91e00139b013b
Instruction Fuzzy Hash: 9D615F34A00615CFCB21DF65D984A9EFBF2FF88304F148628E8466B264D775A845CF61

Function 05E3AE4F Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b025446ffa5b62279370bf46ce3bbf373e1395a5ad7f424ed982996f10f7ec
Instruction ID: e7c1809ed26ad1ae29b73fb80efa68794776a3c03af4cff7acbc16e112487fdc
Opcode Fuzzy Hash: 29b025446ffa5b62279370bf46ce3bbf373e1395a5ad7f424ed982996f10f7ec
Instruction Fuzzy Hash: FE414C303006119FD724AF25C89EB7EB3A6BF85314F149579E0C68B2A0DB75AC8ACB50

Function 05E3AE60 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b139edfc390a14c56f3a309eb4393548dbd584358f24467223744a54757a7c9
Instruction ID: 0f3a54babe48741077bef3b2a045ff6f9b84d23c8d4170dce1ce3d662b96f8f1
Opcode Fuzzy Hash: 0b139edfc390a14c56f3a309eb4393548dbd584358f24467223744a54757a7c9
Instruction Fuzzy Hash: 35416F303006109FD724AB25D89DB7EB3B7BF84304F105579E0C68B2A0DB75AC8ACB50

Function 05E3D5B8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f339488ce38ab40694f61924672dfe9668a2ff2b7d8d93075bb626040acf295
Instruction ID: 6e9961467af328d881247e67d747038abb40177a29c17c2ad651b7faa393d276
Opcode Fuzzy Hash: 5f339488ce38ab40694f61924672dfe9668a2ff2b7d8d93075bb626040acf295
Instruction Fuzzy Hash: 42314A707006109FDB15AF39D85962EB6F6FF88215B10466AE09AC73A4DF34DC06CB85

Function 05E3D5C8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5517e46c3481f494b3401361e5e1a31a7f936a59027722ef4202afa37a9651
Instruction ID: ec93cc75da9a679233e9bb3605b9527b9ad526378c135ca2fd9f087c63a3a083
Opcode Fuzzy Hash: 7b5517e46c3481f494b3401361e5e1a31a7f936a59027722ef4202afa37a9651
Instruction Fuzzy Hash: 29314871700A109FDB14AF39D85962EB7E6BF88615B10466AE09AC73A4DF34DC06CB81

Function 05E3AB64 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdebeb857ae786f4c7bb148b6547c9ebfa4627847b0017df444bcc2279b6b22
Instruction ID: e9f3c8a7148ea86058b72d2834a80204db67a30adceeed33723af27baa694972
Opcode Fuzzy Hash: bfdebeb857ae786f4c7bb148b6547c9ebfa4627847b0017df444bcc2279b6b22
Instruction Fuzzy Hash: AD3128343046108FEB14DB29C849F6AB3B6BF85708F2594A9E59ADB361DF30EC41DB50

Function 027587E8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f299451e40bf6ef285f51608b000136d3c31401ca6a51fb42e1acf9a54e828b
Instruction ID: 195a30dd46456a71a5b2c925372454760e2fba4e0da984b4930a55507a1f49d2
Opcode Fuzzy Hash: 2f299451e40bf6ef285f51608b000136d3c31401ca6a51fb42e1acf9a54e828b
Instruction Fuzzy Hash: F031AC35B042149FCB049F6AD858BAE7BB6FBC8610F144069E902EB391CF35AC01CBA5

Function 027547A8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad43a57ea429c14ea73f4678f5607e380e35691539a9ca68dbdb9333485e15d
Instruction ID: 6304b5f617efa8c5e9b80355dee7ef3f124201e357a09b86c333dbbd22d306f1
Opcode Fuzzy Hash: dad43a57ea429c14ea73f4678f5607e380e35691539a9ca68dbdb9333485e15d
Instruction Fuzzy Hash: AA315C76A081F08FD7208F2A9876371FBA19B82210F0844ABD855DB182DBEDBCC5C341

Function 05E3C9D8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024d3e41a4601cdfbabc7c1f09c2b74967c5ecd4fa6ddb75c19ac28f3743c90d
Instruction ID: c14a265dc59bc9ba74e397ddcc7adf84e5b6f2a89b744745be015f323bd73564
Opcode Fuzzy Hash: 024d3e41a4601cdfbabc7c1f09c2b74967c5ecd4fa6ddb75c19ac28f3743c90d
Instruction Fuzzy Hash: 2D21C234B242058F9B15A638D42E13E3AABAFC47457285029EC4BDB394EE28CC42C397

Function 05E3C280 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939b5c52dc1ba365bc74f6c1e0a2a9841ba1b6ac135cc84c9ba8395674561a70
Instruction ID: 77134400d8bccfd968b2a80f766ff2b49223218422a9696aca50ace283afc136
Opcode Fuzzy Hash: 939b5c52dc1ba365bc74f6c1e0a2a9841ba1b6ac135cc84c9ba8395674561a70
Instruction Fuzzy Hash: 3A314A31200600CFD7549B28D849BA577A6FF89315F1495A9E09ECB3A1DF71EC8ACB80

Function 02756550 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6c23bf06996fc17078fe5794dfc4d983a61f4469dc5fa69e7ccd50c4b1187b
Instruction ID: d68387a603451a629abfea3e2e8d9360951dda9ff1d36fdbb3087231d5e9c024
Opcode Fuzzy Hash: 9a6c23bf06996fc17078fe5794dfc4d983a61f4469dc5fa69e7ccd50c4b1187b
Instruction Fuzzy Hash: 90216671A002308FCB109F28D0987A9BFB6EF85321F4541A6DD06CB262DBB4DC4ACBD1

Function 05E3C695 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02923a06b27b1769167fec99b35706fcad8ae0ba8fb0787eb242c254f0f49821
Instruction ID: a43cc942f2ab72e7ca7b40958702c4c6b3d2a265b6c4cb941a02b4259c463ee4
Opcode Fuzzy Hash: 02923a06b27b1769167fec99b35706fcad8ae0ba8fb0787eb242c254f0f49821
Instruction Fuzzy Hash: 71311635700208CFDB14DB64D559AADBBF2BF88315F246069D84AAB3A0DB35EC81CB60

Function 05E30889 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5411c4eb6ea0d0284d0312c26e1a6a67cf9347cb954b4b0d802f7bb3f97a1550
Instruction ID: 1349bed5943f151534c4a9af0de5a98af7781c7f2a5b88f3e876c6430473afbb
Opcode Fuzzy Hash: 5411c4eb6ea0d0284d0312c26e1a6a67cf9347cb954b4b0d802f7bb3f97a1550
Instruction Fuzzy Hash: 1C312132D10B09DECB01EF68D8448A9F7B1FF95300B118B59E9596B221FB30E695CB81

Function 05E35159 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948266e9001d514f7e8f6a863daebc436a41ff776e47bdbe8ef1f869b5c6c430
Instruction ID: 6394d435f40fe9bd0930411a57f48855b91d45aefdd9aabbfceba33ac2b1f80e
Opcode Fuzzy Hash: 948266e9001d514f7e8f6a863daebc436a41ff776e47bdbe8ef1f869b5c6c430
Instruction Fuzzy Hash: B4216B343087404FE7258624C856B7A73E3FBC5724F1495BBD4D68B395EA708846C780

Function 02756AD8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3e69c2bf2ae2e98247fa9977b69778772d2fad2673b52fd6796961a01f40c0
Instruction ID: c584373cb1884e9b00e54584364f77b9a174f164d782edc3c8c37aa69eac8ff0
Opcode Fuzzy Hash: 2f3e69c2bf2ae2e98247fa9977b69778772d2fad2673b52fd6796961a01f40c0
Instruction Fuzzy Hash: AE21D135700A219BC7259A2AD458A2EF7AAFBC97557644169D90ADB350CF71DC02CBC0

Function 05E306E0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7130394de4b7158deb4d06daced58ee9123d344e4d89a3ec5cc0feb892bbd0a7
Instruction ID: 8647d58ef6bd287e7a020d5851c79162442494897598b49929a730e62c64c6f1
Opcode Fuzzy Hash: 7130394de4b7158deb4d06daced58ee9123d344e4d89a3ec5cc0feb892bbd0a7
Instruction Fuzzy Hash: FE219D343042100FFB046B69D42676F77E7EFC6B04F044029E942DB7A9CDA9EC4197A1

Function 05E3BD04 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bc278fa343af0ec284316f726a333023ffaec0274aba56875b2237125e1545
Instruction ID: f3f9aeb9979a2f4968d74a09aa4223c208707e7fee73363d74558611908328d5
Opcode Fuzzy Hash: 34bc278fa343af0ec284316f726a333023ffaec0274aba56875b2237125e1545
Instruction Fuzzy Hash: 0E313A302406008FD764DB28C848BA677E6FF89315F1195A9E08ECB3A5CF70EC8ACB40

Function 05E30890 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f7d32447bca5c937e30e00d51f551e75e311855da2e50e61be018f2cb6de0e
Instruction ID: f7402fbaa55d20b0feff3d3ee65f70f652cd0637f4c9c7527dfff8717f6cb7bb
Opcode Fuzzy Hash: 32f7d32447bca5c937e30e00d51f551e75e311855da2e50e61be018f2cb6de0e
Instruction Fuzzy Hash: 25310132D10B09DECB01EFA9C854899F7B1FF95340B118B5AE9596B221FB30E6D5CB81

Function 0257D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2790620329.000000000257D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0257D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_257d000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a6a6a9b193b2f40321be2f0a22d2d82bd565104eb2ae941fba25e86e567e70
Instruction ID: 922fdefb910a92b2708a4ff4e3328a0493365d7d0505a2231793310a4baf7066
Opcode Fuzzy Hash: 36a6a6a9b193b2f40321be2f0a22d2d82bd565104eb2ae941fba25e86e567e70
Instruction Fuzzy Hash: 1B21D071684200EFDB05DF14E980B26BFB5FF98314F24CAA9E94A4B256C33AD446CA65

Function 0257D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2790620329.000000000257D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0257D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_257d000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3c09270c4516ab26b1e3a00a6eef33bf8b9a7f82ea4a3238c128962b6dbce5
Instruction ID: 6e98e4bec101a73f4bdd723d032b3c7ba66fa6af3018656ce6e12e75dd887e05
Opcode Fuzzy Hash: 8c3c09270c4516ab26b1e3a00a6eef33bf8b9a7f82ea4a3238c128962b6dbce5
Instruction Fuzzy Hash: 94212F75684200DFDB14DF24E984B26BFB5FF88314F20C96DE80A4B296D33AD847CA65

Function 0275466A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14b83845a7b3b7fb3576412043bbeb5845a28bada20bd24fb7836d4396359a5
Instruction ID: ec6195bb0341727a46ceeab4550576c50a5f51489ce24d77149aba11ea3ee38f
Opcode Fuzzy Hash: e14b83845a7b3b7fb3576412043bbeb5845a28bada20bd24fb7836d4396359a5
Instruction Fuzzy Hash: 431136B2D092704FD7056F6CE8622DA7BB4EB06354F020497C445DB352FA75894F8BD2

Function 02754798 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c504cd738d7d9f120ad51c1711beca70849009faf6c7144d8506f8e82c3dfd
Instruction ID: 8cf92549bed36fbb1865b20e36c13d0a5f41ef6359cbe6ae66444a1b24fbeae2
Opcode Fuzzy Hash: a1c504cd738d7d9f120ad51c1711beca70849009faf6c7144d8506f8e82c3dfd
Instruction Fuzzy Hash: B521607A6041B19BD3144F15D4657A1F7E6EB82205F0984BBD854CB282DBB9EC85C780

Function 05E3C9CB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e795c1c332edfec35b7b800b5ee06e7191f2e1f18bbc6095b37c89e752785ffd
Instruction ID: d32052ecb3123b97aa4781a2386f8dd00d02881ace9d9b6d2a0a31b9f40d92b1
Opcode Fuzzy Hash: e795c1c332edfec35b7b800b5ee06e7191f2e1f18bbc6095b37c89e752785ffd
Instruction Fuzzy Hash: 0C11E635B146044B9B159639D41E23E7AABAFC4745B2C5429EC4BD73D4EE28CC02C797

Function 02757B60 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3a89d137ce8323a6b3eedc37c88e6f6784c423a49804f269036a8ed36df171
Instruction ID: c5d377e2589ea3dcd74992cfe0a4c0b19729b8ae63f1e33113e607fb982ec050
Opcode Fuzzy Hash: 5b3a89d137ce8323a6b3eedc37c88e6f6784c423a49804f269036a8ed36df171
Instruction Fuzzy Hash: BD214D361099209FC709CF2CC884A56F7B1AF4A334B158355EC288B3E1C770E855CBA1

Function 02755928 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3dd2ec92aca22a41e3b6da8b63172e9cccefb3d80bd3f46ea59a501bbf89fa
Instruction ID: 738d6941cec713d05bdb279028958bee05fe0a410ae22cb5b5c5b5e77c80f172
Opcode Fuzzy Hash: 5a3dd2ec92aca22a41e3b6da8b63172e9cccefb3d80bd3f46ea59a501bbf89fa
Instruction Fuzzy Hash: 44212031709256AFEB019F64D44872EBBA2EF89324F444069E8459F350CB78DC45CB90

Function 02756AC8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a419573a22bdee55933de548c6302a989410d2354a8f0f42c7c1ee0e8465be03
Instruction ID: 7d602915105571f3388c8781e1ddaeb5cd904435ce28356480132287ecbb33a0
Opcode Fuzzy Hash: a419573a22bdee55933de548c6302a989410d2354a8f0f42c7c1ee0e8465be03
Instruction Fuzzy Hash: 26115731301A129FC7155F2AD458A3EB7A6EFC53503290179D906DF360CF30DC028B90

Function 05E306F0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e3e7585adc7cfd48c3775341bd93ad6489e7d9afee6631b510aae2e10c19fa
Instruction ID: a99e135c22b7f4478c0abb2ded5a17b10b1072d8358a44c08e6fd74044598a85
Opcode Fuzzy Hash: d3e3e7585adc7cfd48c3775341bd93ad6489e7d9afee6631b510aae2e10c19fa
Instruction Fuzzy Hash: 98118F343006104FFB04AB6DD41176F76D7EBC5B44F144029E902DB7A9CDB9EC5157A1

Function 05E38039 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f25043cd24e713894b460c0d88f843815b422cd69ce04c4e24f68f23be0f00
Instruction ID: 060978704853f9f64eb41765d635a46b7b9c34543b94ba33e218c81de05c0829
Opcode Fuzzy Hash: 72f25043cd24e713894b460c0d88f843815b422cd69ce04c4e24f68f23be0f00
Instruction Fuzzy Hash: BA1157316083808BF3195B79D41936A3FA7EBC1315F0881BAE895C72D5CE798C498B92

Function 0257D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2790620329.000000000257D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0257D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_257d000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d220e501e50e36bb5af5f5c028385726d6bda530e7e66e100d393ee0b96505
Instruction ID: a2aed3d8723a5eb405da6135dd42ad874d098fefe04198989dccc146d359b9af
Opcode Fuzzy Hash: e3d220e501e50e36bb5af5f5c028385726d6bda530e7e66e100d393ee0b96505
Instruction Fuzzy Hash: CF215E755493808FDB12CF24D994B15BF71FF46214F28C5DAD8898F6A7C33A980ACB62

Function 02755938 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a43f19ac00bfbc27ea5e2f5a303b25241636c1cacd271efb78e1fe1028e799a
Instruction ID: 003a64eabdff705e6f88b62fa95fc171f3cf4f877f5721cfd22d681a96818885
Opcode Fuzzy Hash: 9a43f19ac00bfbc27ea5e2f5a303b25241636c1cacd271efb78e1fe1028e799a
Instruction Fuzzy Hash: 4F11D331705219AFDB009F65D44877EBBA2FB88724F408029F9059F754DB78DC55CB94

Function 02757B51 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9713155c1fc10b3a2a3ecfce9e03d891750f2f579a0facdfcd3aea9a09aa9f
Instruction ID: 24f4fe91c63ea08d624648d0941a09c189e82fc0058afb18fcadb27dfae1b70e
Opcode Fuzzy Hash: 1e9713155c1fc10b3a2a3ecfce9e03d891750f2f579a0facdfcd3aea9a09aa9f
Instruction Fuzzy Hash: BC11197A6049209FCB09CF2DC8C4A56F7B1FF4A334B158255EC298B3A4C370E855CB90

Function 05E3BC38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576bced0fa1d9797e52c17d90b03221a5f512c9670d4323799cc3efa54e8f6cb
Instruction ID: 2e9e50fedd736e32ef017bb0f2b5b7b20d32e00f1da2afb3b197337b251cf31c
Opcode Fuzzy Hash: 576bced0fa1d9797e52c17d90b03221a5f512c9670d4323799cc3efa54e8f6cb
Instruction Fuzzy Hash: 27118B317006048FCB24AF39D58986ABBBABF9621571515BAE0868B371EE31E985CB11

Function 05E3BC28 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984ca8f2d0d761dc51570317e63c8ee7e49e6ab2fd0444f9beb75ef7b6c3d8ab
Instruction ID: bc1b80a3a3af3c91f8704a59710c5e79b5af1eabf30e49ab7cde9ccdac0cfd8e
Opcode Fuzzy Hash: 984ca8f2d0d761dc51570317e63c8ee7e49e6ab2fd0444f9beb75ef7b6c3d8ab
Instruction Fuzzy Hash: 8711C632304200CFDB24DF29D99AC66BBBAFF9621471955AEE087CB272DA31DC85C751

Function 027587E3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ec932481b3940e619e702d0a79dcbc4104e23e410a3f5f77ca56e748b4a4f9
Instruction ID: a9504d3ef1af9765f6666c5393babf218ee7b40a7deaa9faa29c17ddbc97be99
Opcode Fuzzy Hash: d3ec932481b3940e619e702d0a79dcbc4104e23e410a3f5f77ca56e748b4a4f9
Instruction Fuzzy Hash: 3F115B39B00114AFDB149F65D884BEDBBB6FF8C720F144069E916AB390CB75AC51CBA0

Function 05E35168 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40ec6b439efba37d1a137bd6c8f4bf71088e82b880bafc37b41530c80d77715
Instruction ID: 3d021a421deebfab44a1e451d5959dae3f76c50d7ef9af22aed5e9e7962ad65f
Opcode Fuzzy Hash: b40ec6b439efba37d1a137bd6c8f4bf71088e82b880bafc37b41530c80d77715
Instruction Fuzzy Hash: D31173343043005FEB25D625C859B7BB3E7FBC5718F54987AA88687394DB71D846CB90

Function 05E3C930 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ec3e022184c3108d4bba2aa24a84235a8736243ab368b7e83413d20dcc82e7
Instruction ID: a590c107a00fcdbb82791d69588690428c242a2729b55917e755cbd96959dcb1
Opcode Fuzzy Hash: 26ec3e022184c3108d4bba2aa24a84235a8736243ab368b7e83413d20dcc82e7
Instruction Fuzzy Hash: B8012B323002809FD716D638C44AB697BF9EF81250F9A54EED5C9D7252F964DD06C782

Function 05E31310 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac37ecd780ef8a9e938a9754767f455323cb1b2010622aea6af386075b56be9
Instruction ID: dafcba97fe1694c7a1cc15fe1c6c87d86bc1a620d2a2fbd6be83fa98a64fbbf8
Opcode Fuzzy Hash: aac37ecd780ef8a9e938a9754767f455323cb1b2010622aea6af386075b56be9
Instruction Fuzzy Hash: A111B871A002099FDB14DF29C889BEEBBF5FF48600F044029E919C7210EB34D915CBA1

Function 05E39978 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2949ccdc7fc3da261de1b1ef7073a8f888a7fb01d68d182f27d7f41d6d219ef5
Instruction ID: b24814ac95e8bf5a84a80c3fb7b6b40fc54ceec0a017a7b84bc3337f58183437
Opcode Fuzzy Hash: 2949ccdc7fc3da261de1b1ef7073a8f888a7fb01d68d182f27d7f41d6d219ef5
Instruction Fuzzy Hash: 69114C70B016008FC714EF38D89596AB7F6FF88214B208969E0568B3A5CB71EC0ACB51

Function 027546C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d951797c28e0c5c735701827ed6103ef30c0aa8e9bb60f06f884d8c587495d
Instruction ID: 24170ae13c6008cb3aadfe3edf989aa547d6b762169581ac947d5d227099af61
Opcode Fuzzy Hash: 50d951797c28e0c5c735701827ed6103ef30c0aa8e9bb60f06f884d8c587495d
Instruction Fuzzy Hash: 30012872E192604BCB046FACE8521DABBB4FB0A350F51085BD446D7251EA75494A8BD2

Function 0275BEC0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11a589bd5458fbb59e34f4fb8776c0e531e20c630b1d7b755f019d850216893
Instruction ID: 1fcd57b5037307106c82c99d83d93e1abb08fc25b0bd4a6c96ecdfe65f0a8483
Opcode Fuzzy Hash: d11a589bd5458fbb59e34f4fb8776c0e531e20c630b1d7b755f019d850216893
Instruction Fuzzy Hash: 1B015E247052549BC7052A7B985867BFADBEBCA310B148876A906C72DACE798C0A8771

Function 0257D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2790620329.000000000257D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0257D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_257d000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 05a30b7ef0b4e15a02cbc7a382e24fc3c8fb4e88a3cf7c712eafa26c350e212c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A611BB75544280DFCB02CF10D5C4B15BFB1FF84218F28C6AADC494B296C33AD40ACB61

Function 05E3E1E0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd050e5445180e832ec852e3f4596359eb86282bd5cb9f0600c1b6169494340d
Instruction ID: 14f95414906c0cc8a6a271e336cea9539e9862355440099abd0799d67a5a1baa
Opcode Fuzzy Hash: cd050e5445180e832ec852e3f4596359eb86282bd5cb9f0600c1b6169494340d
Instruction Fuzzy Hash: E20196353487404FC30A9778C56956E7BA7AFC722131A51EBE482CB3B6DD24CC45C792

Function 05E381C0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ef1956c4f4db6bdf4aaa339f7b4665278b878078c8a24e944ee8dcaa5518d7
Instruction ID: f4de8031ab50fc38b8ac4147b0fae5eeff3f1df6be88cab64e5ec74a71786b11
Opcode Fuzzy Hash: 21ef1956c4f4db6bdf4aaa339f7b4665278b878078c8a24e944ee8dcaa5518d7
Instruction Fuzzy Hash: 0211A7712047418FC7259B29D914207BBF2EFC5725F10872AD096877E4DB749C0ACBD0

Function 05E31320 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15851399f473d4664c082436564d5b7a27b4e1c77aa788853ca9b84ea496ab41
Instruction ID: c818c9c4f8542430f23a67890e9c76c7ea908b04b7a0cecf606ddcad64f94668
Opcode Fuzzy Hash: 15851399f473d4664c082436564d5b7a27b4e1c77aa788853ca9b84ea496ab41
Instruction Fuzzy Hash: 43116D71A002199FDF15DF69D888AAEBBF9FF48610F044429E919D7750EB30D914CBA1

Function 05E3E208 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba91e48bb4c3be1f6b6c1fbbcfc9cbb2ca682102e36ebb976b581f53cb96ba1
Instruction ID: 714bd2b2fd955437d04eaeee188d8f742247ebd044c34a8a73a7f146583ac68a
Opcode Fuzzy Hash: 6ba91e48bb4c3be1f6b6c1fbbcfc9cbb2ca682102e36ebb976b581f53cb96ba1
Instruction Fuzzy Hash: EA014F353441008F9709A77CD46C93E76EBABC965031A5169E906CB3B8EE64CC02C792

Function 05E34FC8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ff6e2636bdd06fe3aeeae7864cc5ccfaec774dc13824faa7ef568e6fffe55d
Instruction ID: bd81c4358bf9930beeab7c46ca339fbab1da8bf49ac2407081f1316b753e575d
Opcode Fuzzy Hash: 76ff6e2636bdd06fe3aeeae7864cc5ccfaec774dc13824faa7ef568e6fffe55d
Instruction Fuzzy Hash: 0901D832909621BBD7358F09D00A569F7A4BF44718B08529FD49953B00C773F491CFE1

Function 0256D7ED Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2790572696.000000000256D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0256D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_256d000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2924d1b7900ab8c36e6292935236a4161d22cb71bed291b610a28643be7ccdaf
Instruction ID: 06107bba1ba40992984e0885e5b67691d3f52d7bf8979bac0c43bdf9d1602707
Opcode Fuzzy Hash: 2924d1b7900ab8c36e6292935236a4161d22cb71bed291b610a28643be7ccdaf
Instruction Fuzzy Hash: 1B01F73120A3409AE7104A55CD8C777BFA8FF41774F18CC2AED190B186C3389840C675

Function 05E381D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78630996746b99618505719a5acea62a1207f86933bc8baf64564ee4c93dc55
Instruction ID: 3f078a16bfead0370d8d8cac2c644a969b49b2906c99ddf1a8150faffc2137d2
Opcode Fuzzy Hash: e78630996746b99618505719a5acea62a1207f86933bc8baf64564ee4c93dc55
Instruction Fuzzy Hash: 91012571210B118FC724DF2AD51460BBBE6EBC4725F108B2DD1A647BE8DB74AC4A8B90

Function 05E3BD24 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e4f0759f55812da6b6846dd728c5cad88690bdbceffbf919f2f3a075d8a5e8
Instruction ID: b7a75b82cf5d15c07abb46a57f7e1e215fc6e49427f31f8939c4ac8d81e03689
Opcode Fuzzy Hash: e6e4f0759f55812da6b6846dd728c5cad88690bdbceffbf919f2f3a075d8a5e8
Instruction Fuzzy Hash: 90F0A4343401048FDB14D628C48AB7E7AAAEFC0614F161469D68AD7294ED70EC40C796

Function 0256D7EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2790572696.000000000256D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0256D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_256d000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216854ac8752686752b8c49dc7dd748bde64c8b8fd916ff4b0d3ffc4f0fd935d
Instruction ID: 606a2189911908e7c9c1d477447e94ba01d8b1efc5ba8e8fa342a5c0bcefeb87
Opcode Fuzzy Hash: 216854ac8752686752b8c49dc7dd748bde64c8b8fd916ff4b0d3ffc4f0fd935d
Instruction Fuzzy Hash: F7F0C2715093409AE7108A16C8C8B62FFA8FF81674F18C85AED580B286C379A844CA70

Function 05E32C90 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78043a7ec12286541a417f4237c1d7e6f6e85028f8595efd6e2875872910caf
Instruction ID: c376a587d3914294fb79cbae4321a7118199ed79a0c1ae6b2afeb4bd8a489f12
Opcode Fuzzy Hash: f78043a7ec12286541a417f4237c1d7e6f6e85028f8595efd6e2875872910caf
Instruction Fuzzy Hash: 79F0E96270D3540BE70B17689C127953BD5CB8A650F4941EFD685CF7F6D558E8018391

Function 05E3C579 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1fb4a671c8c7ca8a889a43e730a6067e17b49895de9a189761a78b397b46c7
Instruction ID: 4e243d436c79b33c40206bead93951b0d6da320ef686021b3d243ffc7cee1ce7
Opcode Fuzzy Hash: cb1fb4a671c8c7ca8a889a43e730a6067e17b49895de9a189761a78b397b46c7
Instruction Fuzzy Hash: 1E019275600204DFCB14DF68D48999CBBB1FF48325F255199E846AB3A1C735ED82CF50

Function 02754708 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9204eaa2693d9714ccfa7b0ebfabac00c657dbf436b6e61591a0f671871ea7
Instruction ID: 1fd4cabe03106a9a73825451d05d27fd36e1b15537cb3b18099417ef140ec38f
Opcode Fuzzy Hash: 4b9204eaa2693d9714ccfa7b0ebfabac00c657dbf436b6e61591a0f671871ea7
Instruction Fuzzy Hash: 3BF03034E142358BCB046FEC94142AEBBF9FB49711F51486BE506E3340DBB589508BD2

Function 05E31550 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22607a14b605eadf76c9890f3d83c5469ce47f527bcc2bd1302e0b7d8ea2350
Instruction ID: d09cdec85f8a7aa2c857be9d59526fe2d581e6699b6a3c394486500ee9666383
Opcode Fuzzy Hash: c22607a14b605eadf76c9890f3d83c5469ce47f527bcc2bd1302e0b7d8ea2350
Instruction Fuzzy Hash: 24E0923368052497C710EB58F4814BAB3A9EB87A69318C456E51DCA611D337D822C3C0

Function 05E33918 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91c4a227fcac931f7bb434c43b0ddc11ac3a58d563f6ba346da80f50e54282b
Instruction ID: d8259415b6f9fad7934587efe062c8e9b559c1a628f795ec2826cda9c5c7991d
Opcode Fuzzy Hash: c91c4a227fcac931f7bb434c43b0ddc11ac3a58d563f6ba346da80f50e54282b
Instruction Fuzzy Hash: 14F02B311446108FD711EB2CC4897D977A5EB86314F1484F3E186DF325D17598C6CB94

Function 05E33924 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931877c237042d43df0561bbdbe93f78530b4b9437d142e1a689cc6fb7c1ce62
Instruction ID: b1dd65fdc56e973efac306c73759d67251c301aba9b2bf174dba0224a342b409
Opcode Fuzzy Hash: 931877c237042d43df0561bbdbe93f78530b4b9437d142e1a689cc6fb7c1ce62
Instruction Fuzzy Hash: 9BE0D8312445008BC710D71CC48ABD533A5EB89304F1445F3F54ADB314C131AC46C780

Function 05E32C51 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7cdbc39c800c18503884d81871a401562d1d6a653deae4dcfd688b09c923a7
Instruction ID: 76b9f28e07285f57a9939295abdd2196023b9cde9e7c6d969e846e4b87134649
Opcode Fuzzy Hash: 1d7cdbc39c800c18503884d81871a401562d1d6a653deae4dcfd688b09c923a7
Instruction Fuzzy Hash: E8E0CD3170461407EB09665CD411BCE76C9CFCD760F09817AD909CB3D1D9A4EC0143D5

Function 05E31599 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a131a53014be0789516d2ec805a46ed2d9487c34f1fb30c9121a5e488d759f
Instruction ID: c7b546c11d3a4776c345040f8dd1b9832a8db6e1a0edc8de5440e7d2fc8ec9a5
Opcode Fuzzy Hash: b2a131a53014be0789516d2ec805a46ed2d9487c34f1fb30c9121a5e488d759f
Instruction Fuzzy Hash: DEE0DF32900320EFD708AB88E44ABA03795FB40325F42A269E5868B240D7B9CC42CBC6

Function 05E38048 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c547a70fd3c04cebe571fa719bdbad8118713daccff6c835b2646f59a36aeab0
Instruction ID: ae2bf8371a70196dcc54c39c1383cad64f710b4638645fa22661f635addaec9f
Opcode Fuzzy Hash: c547a70fd3c04cebe571fa719bdbad8118713daccff6c835b2646f59a36aeab0
Instruction Fuzzy Hash: EAD05B3171011487C708126EF01855EBE9FEBC57627040027F90AC3394DEA94C4246E6

Function 0275B36B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1a7889ea37faf2ba0120c1942296daaf2ff95c6566cbe1db255959a19b924e
Instruction ID: 045f414ea4203e3a2250f26e90afc7b884ae5e2b3f56b4f86a614037fd798865
Opcode Fuzzy Hash: 1a1a7889ea37faf2ba0120c1942296daaf2ff95c6566cbe1db255959a19b924e
Instruction Fuzzy Hash: 1EE0EC70D452189FDB94EFA9D5463BEBFF0EB48200F10826AD818EB344E7744A568BD1

Function 05E3A607 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd12e5380af0811a652c64d734628e5835dd5fd301dc0a66ed41bdf191e40ad6
Instruction ID: 075d789622c98b62d16744ce42a67e0ba7f9bf042d024eda8b2ec8b5cbe5b002
Opcode Fuzzy Hash: bd12e5380af0811a652c64d734628e5835dd5fd301dc0a66ed41bdf191e40ad6
Instruction Fuzzy Hash: ECD05E237150502BD205615C78163BD77C7D7CA522F14107AE581E3384C8549D4A43EA

Function 05E32C60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f115ac6d0b5d77af5a25110e21baff2c3a197ce0c49cc05b583305283da23232
Instruction ID: 2d592f0ec81d9a162fc93a8455fb7653536814e4526f33e0e902f45d18c45bca
Opcode Fuzzy Hash: f115ac6d0b5d77af5a25110e21baff2c3a197ce0c49cc05b583305283da23232
Instruction Fuzzy Hash: 32D05E313046140BEB09664DA0107DA76CA9FC9650F04806BEA0A8B3A0CDB1AC0142E5

Function 0275B370 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c2fc690bf880199899ca30247f75f6b0cf0744e64a64c24dd3aed5e5b93197
Instruction ID: 4e0cf9ee3407df81ae840cd7f48cc585f377038111425d80d8e4c030eafdb226
Opcode Fuzzy Hash: 20c2fc690bf880199899ca30247f75f6b0cf0744e64a64c24dd3aed5e5b93197
Instruction Fuzzy Hash: B1E0E270E0520C9FDB94EFA9C9467BEBBF4EB48200F10816AD808E7344E7705A518BE1

Function 0275D600 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98449aa02696452fbd1e819829863c6bd224208cd7206c4cbba9733c3113a50
Instruction ID: ed16f7247bcf5e2d6834c30fd0a11085d49b675ab9520fc1a62a56d6e89f05ba
Opcode Fuzzy Hash: c98449aa02696452fbd1e819829863c6bd224208cd7206c4cbba9733c3113a50
Instruction Fuzzy Hash: 18C0123144C20B8EC601F76DF944A59772EEAC0304750853092060E22EDF749C894694

Function 0275B7E8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2791291583.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2750000_Windowsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c337f93aa9efc902642620a69b2d44eebb4db14035270280d97b509d33c42f
Instruction ID: a3905eafd37c23ab64398367c54ff66c0c494b6154ef60a664dcdff0d3097bc1
Opcode Fuzzy Hash: 61c337f93aa9efc902642620a69b2d44eebb4db14035270280d97b509d33c42f
Instruction Fuzzy Hash: 81C09B773000105F55053795B85857D7729D6C4B273041069F10BD5440CF3C0C4287B5

Non-executed Functions

Function 05E3BD44 Relevance: 5.5, Strings: 4, Instructions: 481COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05E3F309
Hbq, xrefs: 05E3F639
Hbq, xrefs: 05E3F5DA
(bq, xrefs: 05E3F335

Memory Dump Source

Source File: 0000000D.00000002.2820814481.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5e30000_Windowsx.jbxd

Similarity

API ID:
String ID: (bq$Hbq$Hbq$PH^q
API String ID: 0-3283118425
Opcode ID: 504b3c405c80b61eabfaa378138508fccecbd8716347930996e6b1ed0db99a40
Instruction ID: 251277cf562c8d7c3e15d84fefc0dc745c426d9a36132dcb84ce86adb9b71c5c
Opcode Fuzzy Hash: 504b3c405c80b61eabfaa378138508fccecbd8716347930996e6b1ed0db99a40
Instruction Fuzzy Hash: 70029C31B002048FDB14EB38C459B6E7BE6BF88314F5495A9D49ADB3A5DE34DC46CB90

Analysis Process: InstallUtil.exePID: 7268, Parent PID: 2916COMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.3%
Total number of Nodes:	70
Total number of Limit Nodes:	8

Executed Functions

Function 06302430 Relevance: 9.0, Strings: 6, Instructions: 1490COMMON

Download Yara Rule

Strings

$^q, xrefs: 06303854
$^q, xrefs: 0630386C
$^q, xrefs: 0630381F
$^q, xrefs: 0630382B
$^q, xrefs: 06303848
$^q, xrefs: 06303878

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 8f04f41fc893a920431ec7fb167c833a43b4b9bcf9d6d3f71b87a4da326d6c9f
Instruction ID: c1cf56a0f254449d58ffdbf248009cab2463a830992cd181619e0d76ba8fe0cd
Opcode Fuzzy Hash: 8f04f41fc893a920431ec7fb167c833a43b4b9bcf9d6d3f71b87a4da326d6c9f
Instruction Fuzzy Hash: C9D27D34E102058FEB64DF68C598A9EB7B2FF85310F1485A9D449AB395DB31ED89CF80

Function 0630B300 Relevance: 8.3, Strings: 6, Instructions: 770COMMON

Download Yara Rule

Strings

$^q, xrefs: 0630BC75
$^q, xrefs: 0630BC9D
$^q, xrefs: 0630BCA9
$^q, xrefs: 0630BC69
$^q, xrefs: 0630BCD1
$^q, xrefs: 0630BCDD

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: ae72cc461882441ed7634faeb16f24c38edd5c2d6505768be6b1f47203dc4415
Instruction ID: b1f3a1051ae4c2f3159e972b674671af230e17cde3239d6a0920f1920cc859ee
Opcode Fuzzy Hash: ae72cc461882441ed7634faeb16f24c38edd5c2d6505768be6b1f47203dc4415
Instruction Fuzzy Hash: 42527134E101098FEF64DB68D5A07AEF7B5EB85310F208925E406DB395DB36DC89CB91

Function 06307E50 Relevance: 3.0, Strings: 2, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06308199
$^q, xrefs: 0630818D

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 5113d92bd5a4e51dfe4839a7879bb90f2e9a732c7b8188122bdd39d12fc8c17b
Instruction ID: e44cc11cc23af844d6739934585ba02f20f606e458f21668e5f72290734b8c9f
Opcode Fuzzy Hash: 5113d92bd5a4e51dfe4839a7879bb90f2e9a732c7b8188122bdd39d12fc8c17b
Instruction Fuzzy Hash: 58029D34B002059FEF58DB68D9A46AEB7E6FF84304F148529D4159B395DB31EC8ACBC1

Function 0630C250 Relevance: 1.9, Strings: 1, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 0630C89C

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 15b75f4e840afe7b063358b1c073dbb8818d5ccf818b6654744a43155d11a5e2
Instruction ID: abd3a425baf6f8a6af60eac86666fe0b01248a3e09e9d0424556d1bbe1f0b644
Opcode Fuzzy Hash: 15b75f4e840afe7b063358b1c073dbb8818d5ccf818b6654744a43155d11a5e2
Instruction Fuzzy Hash: B632B134B102099FEF54DB68D990BAEB7B6FB88310F109625E405EB395DB34DC4ACB91

Function 06305258 Relevance: 1.8, Strings: 1, Instructions: 597COMMON

Download Yara Rule

Strings

$, xrefs: 063055A3

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 4440e5edcd8a360ebc777acded9f0f96a1e6a8c9062217fe8bb60c98a9d3f368
Instruction ID: 35569c5d7ebad36f90d4c9dc68a9f6df3a58325144e0e9fa14fd51cc83ff65ef
Opcode Fuzzy Hash: 4440e5edcd8a360ebc777acded9f0f96a1e6a8c9062217fe8bb60c98a9d3f368
Instruction Fuzzy Hash: D422D175E002159BEF64CBA4C5946AEBBB6FF88320F208469D445AB384DB31DC4ACFD1

Function 027E70B0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 027E7127

Memory Dump Source

Source File: 0000000E.00000002.2932194785.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_27e0000_InstallUtil.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ecbeda6c6dea7e5a913de4167765b2bcdf2b52bd2bd694f0ad42e725fdd08de3
Instruction ID: be024b10e5886bacada707322414666f9227b09ee1fd5bc1b8449bbb18d0fdfd
Opcode Fuzzy Hash: ecbeda6c6dea7e5a913de4167765b2bcdf2b52bd2bd694f0ad42e725fdd08de3
Instruction Fuzzy Hash: F52145B1800259CFCB10CF9AD884BEEFBF4AF48320F14846AE459A3350C738A944CFA0

Function 063066C0 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c835f5be4bf2aa0d9c305ac8800441aa3c4375c90d603c6eb71d0b5fe8537a2a
Instruction ID: 93bced8c0579444fc0191e3ae423b79e2ca472d2ad99d2a1d575e305c17c2fb9
Opcode Fuzzy Hash: c835f5be4bf2aa0d9c305ac8800441aa3c4375c90d603c6eb71d0b5fe8537a2a
Instruction Fuzzy Hash: D962D134B002048FEF54DB68D5A46ADB7F2EF89314F248429E406DB399DB35EC5ACB90

Function 0630AD98 Relevance: 10.4, Strings: 8, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0630AF70
$^q, xrefs: 0630AF64
$^q, xrefs: 0630AF18
$^q, xrefs: 0630AF0C
$^q, xrefs: 0630AEC5
$^q, xrefs: 0630AEB9
$^q, xrefs: 0630AF3B
$^q, xrefs: 0630AF47

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: dc53cac0c06b593f420a8eb46ab05bc8a1d39f5826092167dab5a8109b28ff00
Instruction ID: 9db84237c5e996bf6be4858c4ed8996dd368435658dfe0587c5d1f6a3f6e574d
Opcode Fuzzy Hash: dc53cac0c06b593f420a8eb46ab05bc8a1d39f5826092167dab5a8109b28ff00
Instruction Fuzzy Hash: B3E17F30E102098FDF65DF68E9A46AEB7F6EF84304F108529D406AB395DB71DC4ACB91

Function 062F6ED0 Relevance: 6.1, APIs: 4, Instructions: 142
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 062F6F5E
GetCurrentThread.KERNEL32 ref: 062F6F9B
GetCurrentProcess.KERNEL32 ref: 062F6FD8
GetCurrentThreadId.KERNEL32 ref: 062F7031

Memory Dump Source

Source File: 0000000E.00000002.2939584939.00000000062F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_62f0000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e4bf37a1903fd5512dfe039343165f7b40867d9ce2d82ff447d5925686cbf0bc
Instruction ID: 19be8bf761ff7f3c59227a9fc9192629b9ea6737c6fb7d3e01e67b17a74ef83f
Opcode Fuzzy Hash: e4bf37a1903fd5512dfe039343165f7b40867d9ce2d82ff447d5925686cbf0bc
Instruction Fuzzy Hash: F35168B09113498FDB54CFA9D948B9EFBF1EF48304F208469E949AB260CB759884CF65

Function 062F6EE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 062F6F5E
GetCurrentThread.KERNEL32 ref: 062F6F9B
GetCurrentProcess.KERNEL32 ref: 062F6FD8
GetCurrentThreadId.KERNEL32 ref: 062F7031

Memory Dump Source

Source File: 0000000E.00000002.2939584939.00000000062F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_62f0000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a9b36af872fc06b914270ca23676bc2a80fad409e8b92467ca9b3ff5e0affd6c
Instruction ID: 57ec5a9401888ca7c1508242e29e4cf999ae2d85e0ad09f76070b06e4ac37e01
Opcode Fuzzy Hash: a9b36af872fc06b914270ca23676bc2a80fad409e8b92467ca9b3ff5e0affd6c
Instruction Fuzzy Hash: 645155B09103098FDB54CFA9D948B9EFBF1EF48304F208469E809AB260CB755884CF65

Function 06309218 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 063092C3
$^q, xrefs: 063092CF
$^q, xrefs: 06309288
$^q, xrefs: 06309294

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: fcd7607b4ca0ea1fdd1f2d6f4e49480651a89d683861236e1719eeb9a179308d
Instruction ID: 4937cdd5b12e7f42750b7e36ff483a822ff863b26a6ec50e3b514f4634022ad2
Opcode Fuzzy Hash: fcd7607b4ca0ea1fdd1f2d6f4e49480651a89d683861236e1719eeb9a179308d
Instruction Fuzzy Hash: 0B913E34B1020A9FDF54DB65D9607AEB3F6EBC9204F108569C409EB3C9EB71DC4A8B91

Function 0630D018 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0630D41F
$^q, xrefs: 0630D413
$^q, xrefs: 0630D40B

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 822901cd7d4773409455520195cef9b8da2c152ef50e833bf42f146d6dc907b8
Instruction ID: 450833bb3cc95fca2095272ec21e55f681c90108b46cb1ac210101860e2b1f65
Opcode Fuzzy Hash: 822901cd7d4773409455520195cef9b8da2c152ef50e833bf42f146d6dc907b8
Instruction Fuzzy Hash: 03624E30A002069FDB55EB68D590A5EB7F2FF84304F208A69D4099F359DB75ED8ACBC0

Function 06304820 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 063049D7
fcq, xrefs: 06304F2D
XPcq, xrefs: 0630494D

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 1441024146e99029925b178fcf0725c26014fc77018a1830c94691f60138617c
Instruction ID: c9a197f4315765ce0c6e7703b0de751fe154155ce43e964724f734bfd0257696
Opcode Fuzzy Hash: 1441024146e99029925b178fcf0725c26014fc77018a1830c94691f60138617c
Instruction Fuzzy Hash: 93616F74E102089FEF549FA5C8557AEBAF6FB88300F208429E109AB3D5DF758D05CB95

Function 06309208 Relevance: 2.7, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 063092C3
$^q, xrefs: 06309288

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: e37fac7c0dc5f3e4d570ccbcfcd61abd4a98808542a34c8089c1970e6ed1c22e
Instruction ID: 99eb0e502e70a6c841d1198b36b5e48aabb7264e123f9f9a2a3022a212718831
Opcode Fuzzy Hash: e37fac7c0dc5f3e4d570ccbcfcd61abd4a98808542a34c8089c1970e6ed1c22e
Instruction Fuzzy Hash: FA515F34B001099FDB55DB74E8607AEB7FAEBC8244F108569C409EB3C9EB31DC468B91

Function 062FF2F8 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 062FF55E

Memory Dump Source

Source File: 0000000E.00000002.2939584939.00000000062F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_62f0000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 15e63e0cb8af445aa7509e096e2636825b6f46b12f91074898cdd0ea480d0a0d
Instruction ID: 9af02dcd39a10cbcd48963fa05d384056ad8b12ef4e395dbb85313b9f97026bb
Opcode Fuzzy Hash: 15e63e0cb8af445aa7509e096e2636825b6f46b12f91074898cdd0ea480d0a0d
Instruction Fuzzy Hash: B4814370A20B458FD764CF29D64079ABBF1BF88300F108A2DD986DBB50DB75E949CB91

Function 027EF2B8 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2932194785.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_27e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bb9a392fe02178d112c689a2d52fae4528a1197a6d2e722c4d6b8611173d16
Instruction ID: 600544bfcc2d6a0ce3378ef6364168335750752a9d63990569c127a2a52b9b06
Opcode Fuzzy Hash: b4bb9a392fe02178d112c689a2d52fae4528a1197a6d2e722c4d6b8611173d16
Instruction Fuzzy Hash: 58412472E043998FCB04CFB9D80429EBBF5EF89210F1485AAD404E7681DB789845CBE1

Function 062F7120 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 062F71AF

Memory Dump Source

Source File: 0000000E.00000002.2939584939.00000000062F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_62f0000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9ebb505773e2286f8409923279452babe4e69ec3cfb1923f14cbc431d9bfd7f5
Instruction ID: b88835a13956055024ff40bcc3062e95f2a1e8661f4e7127ebc61cacaa8088c0
Opcode Fuzzy Hash: 9ebb505773e2286f8409923279452babe4e69ec3cfb1923f14cbc431d9bfd7f5
Instruction Fuzzy Hash: C021E5B5900209AFDB10CFAAD984ADEFFF8FB48310F14842AE954A7310D374A944DFA5

Function 027E70A8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 027E7127

Memory Dump Source

Source File: 0000000E.00000002.2932194785.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_27e0000_InstallUtil.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 86755a33d7e3eb0f06ef5ffc6441e5dba59524323e391119ece1568ad874ffdf
Instruction ID: e8bcf0587485455e0191e6708cda226eb8bfda4b87d906f3a7a91791eceb54fe
Opcode Fuzzy Hash: 86755a33d7e3eb0f06ef5ffc6441e5dba59524323e391119ece1568ad874ffdf
Instruction Fuzzy Hash: 8C2139B1901259CFCB10CF9AD884BEEFBF4AF49310F14846AE455A7350D738A944CF61

Function 062F7128 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 062F71AF

Memory Dump Source

Source File: 0000000E.00000002.2939584939.00000000062F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_62f0000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6efe5fbaf79fe8b46e7bd1ff84fef661a1ee05c453cd7e9adf083fc7d7521fda
Instruction ID: fa77bd00d8bffaa191aa151354e6c4ebdccbbc110c605e16b0b13055b5f74bb2
Opcode Fuzzy Hash: 6efe5fbaf79fe8b46e7bd1ff84fef661a1ee05c453cd7e9adf083fc7d7521fda
Instruction Fuzzy Hash: 0621E4B59002089FDB10CFAAD984ADEFBF4FB48310F14801AE954A3310D374A944CFA4

Function 027EF388 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 027EF3F7

Memory Dump Source

Source File: 0000000E.00000002.2932194785.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_27e0000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 91f3ca732213678875161e699a906f66f3f16282aae4c68d8276faab531ac763
Instruction ID: a36045a04b104d9ad4ae7b271eb34f31a1c8867ee069ac46d7f9eb3490a92646
Opcode Fuzzy Hash: 91f3ca732213678875161e699a906f66f3f16282aae4c68d8276faab531ac763
Instruction Fuzzy Hash: 2A1122B1D002599BCB10CFAAD544BDEFBF4BF08324F10816AD458A7640D378A944CFA6

Function 062FF4F8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 062FF55E

Memory Dump Source

Source File: 0000000E.00000002.2939584939.00000000062F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_62f0000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bec4076a71a2f24a09519219333b61b8a3662acd92bfc0ecee1a6b126fa63975
Instruction ID: 6761502c358c936aa222b2ec12e51178210bfa532d49bb48b1e7dcfd35c77853
Opcode Fuzzy Hash: bec4076a71a2f24a09519219333b61b8a3662acd92bfc0ecee1a6b126fa63975
Instruction Fuzzy Hash: 8A110FB6C002498FCB10CF9AC544ADEFBF4EB88224F10842AD969A7310D379A545CFA1

Function 06304810 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

XPcq, xrefs: 0630494D

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: bd6188335a0a409faa0d4ad5e6574bebf7648dd71c69a73094580454dca32f0d
Instruction ID: ee419e7cadd1f4df9acb9a724c64232c13b40a9e49537a8ae07872a30c7b602d
Opcode Fuzzy Hash: bd6188335a0a409faa0d4ad5e6574bebf7648dd71c69a73094580454dca32f0d
Instruction Fuzzy Hash: E4419170A002089FDB449FA5C854B9EBBF6FF88700F20852AE145AB3D6DA748D06CB90

Function 0630DB85 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0630DCE1

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: c03b97ed60b41a166f586c9d8760fa2268c677e8dc6102117186625f9df5f3c7
Instruction ID: 5bf37d41ec606aca8298f0cfa984965fa15267700a2f2baab1833b0c7c9e07d6
Opcode Fuzzy Hash: c03b97ed60b41a166f586c9d8760fa2268c677e8dc6102117186625f9df5f3c7
Instruction Fuzzy Hash: 01419170E003499FDB15DFA4C86469EBBF6FF85200F104529D402EB290EBB1994ACB81

Function 0630DB98 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0630DCE1

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 1478366dab8af8a220271433d1a396b3ae84bfb7bdd57c09399c0a73cccab59f
Instruction ID: fafdf71e5f0215baf5b6a582e3d84eb2d5ce456e5a7e00589b59307620a4f1e2
Opcode Fuzzy Hash: 1478366dab8af8a220271433d1a396b3ae84bfb7bdd57c09399c0a73cccab59f
Instruction Fuzzy Hash: C1418070E002499FEB54DFA5C9646AEBBF6FF85300F104929D406EB294DFB0D94ACB81

Function 06302297 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

PH^q, xrefs: 063023E3

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 013bf787d0b920c34bdb41e661a7d731b95cf70f57af018da330a121746f4fb0
Instruction ID: fe5b5d20767bfb5febad5b954f4935efda189fe5ebbd42c846344abc3bfe916c
Opcode Fuzzy Hash: 013bf787d0b920c34bdb41e661a7d731b95cf70f57af018da330a121746f4fb0
Instruction Fuzzy Hash: DA31F230B002058FEB59AB74C96866F77E6EF89604F108468D406DB391EF35DD4ACBD1

Function 063022A8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 063023E3

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 7d1f26c06b692e4390852f9b4499ae605e6992e8bb607d69587cd41e8ea593d3
Instruction ID: 6d3294996c2f8350f83c58394151cbaabf34381bc7dd197f8319c5a14cf8a144
Opcode Fuzzy Hash: 7d1f26c06b692e4390852f9b4499ae605e6992e8bb607d69587cd41e8ea593d3
Instruction Fuzzy Hash: 5B31D030B002058FEB59AB74D96866F76E6AFC8600F208468D406DB395DF35DD4ADBE1

Function 06304709 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06304715

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 81efa22a9a1b3723d27eb408b4cf24f257e67063cb51f29ca9e7e119e25bbf36
Instruction ID: cb50b9f78b89a3ee0590f442794259fbf9ee87309fb568a57361c656f1355974
Opcode Fuzzy Hash: 81efa22a9a1b3723d27eb408b4cf24f257e67063cb51f29ca9e7e119e25bbf36
Instruction Fuzzy Hash: D5F0DA34A20119DBDB54DF94E969BAEBBB6BF84B00F204119E512A7295CB741D49CBC0

Function 0630B2F0 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed55ab81dba3aab955c63d0748ccdd2c891625c35d5e39120f768073adad7a4b
Instruction ID: afb54bec3c31fee773060974827651694c80a63abebedd5b70582935af5f7979
Opcode Fuzzy Hash: ed55ab81dba3aab955c63d0748ccdd2c891625c35d5e39120f768073adad7a4b
Instruction Fuzzy Hash: F0B18434F101099FFF649A6CD5A07AEF6F6EB89310F204825E406E73D5CA36DD898B91

Function 06304F80 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e32b4128ed66d1145b06af57361df0e3eb4c1a09045b2730e8b10f44de6d11
Instruction ID: 1e8566a176c2ab512b2118bcbf77f4183f43fe95c9b7385c320b7aab2320da6c
Opcode Fuzzy Hash: 46e32b4128ed66d1145b06af57361df0e3eb4c1a09045b2730e8b10f44de6d11
Instruction Fuzzy Hash: DB818F71A006098FEB60CFA9D990BAFBBF6FF44320F10492AE155D7691D730E9498BD0

Function 06305EB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfa49524b4f5c04b8dd42c8d52a0de5920d4f6caddf2a1345c14ee20d0b81a5
Instruction ID: c4d09f9b380ca4942c9350918a26711e18ee976eba77db516c5939e89f2e385f
Opcode Fuzzy Hash: bdfa49524b4f5c04b8dd42c8d52a0de5920d4f6caddf2a1345c14ee20d0b81a5
Instruction Fuzzy Hash: 8661C3B1F000114FDF549A7DC89466FAADBAFC4620B15443AE80EDB364DE6ADD068BD2

Function 06303F59 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d31cbe2f28bcf2769a4a7d2e31363f6a5ffa3bc3edd844b515503262d821f7
Instruction ID: 68a77db430902deb4e616480ce7fb7e3bbf4421624383bf2e2aa54ba5c823cf3
Opcode Fuzzy Hash: b2d31cbe2f28bcf2769a4a7d2e31363f6a5ffa3bc3edd844b515503262d821f7
Instruction Fuzzy Hash: 48816E34B102069FDF44DBA8D56476EB7F6AFC8304F108429D50AEB395EB35ED4A8B81

Function 06304274 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f046066dbe1361967b8bbd50489e8fa7ffc16dee86d71ccf8ee2b21281b1f8a2
Instruction ID: cde0647e9a36f2290c2279be4741e7b8067337c673e689d3731f559cf1733798
Opcode Fuzzy Hash: f046066dbe1361967b8bbd50489e8fa7ffc16dee86d71ccf8ee2b21281b1f8a2
Instruction Fuzzy Hash: EC914030E102198BDF50DF68C890B9DB7B1FF89310F208695D549BB295EB70AA89CF91

Function 06303F68 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61933c2032b7cae99038155175bc0f715b80716b4bb1c9a9c3cca37976880df0
Instruction ID: ae18c7c4cd0d2cdb977a962efe737df1159cc6fe1f437c8235102e8fb086572b
Opcode Fuzzy Hash: 61933c2032b7cae99038155175bc0f715b80716b4bb1c9a9c3cca37976880df0
Instruction Fuzzy Hash: AA815D34B102069FDF44DBA8D56476EB7F6AFC8304F108429D50AEB395EB35ED4A8B81

Function 06304288 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654a47a850bad3e8633e7d40e55c6fd1a0829fd3781de73651e0f769ac95bba4
Instruction ID: 81375f15fa12c2815d372b3a4224b04207db32f3046ff79b429cb8de7888c092
Opcode Fuzzy Hash: 654a47a850bad3e8633e7d40e55c6fd1a0829fd3781de73651e0f769ac95bba4
Instruction Fuzzy Hash: 7C914030E102198BDF60DF68C890B9DB7B1FF89304F208595D549BB395DB70AA85CF91

Function 0630EBE3 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379789704d6c47c2e47216b02df2724ea6fe8e8befee0cc4f32ba05803440d1f
Instruction ID: 073494259f4661b47e1f21dd2f7fe6511e6b76df35cb2c36016f9dcff9ae3330
Opcode Fuzzy Hash: 379789704d6c47c2e47216b02df2724ea6fe8e8befee0cc4f32ba05803440d1f
Instruction Fuzzy Hash: 09713D71B002089FDB55DFA9D994A9DBBF6FF88300F148829D415EB395DB30E94ACB90

Function 0630EBF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77f85a4ddb4ab67ca09639cfc06b2efc0a21b0667b3fb63a9d7a63d7472a078
Instruction ID: bebf141b99670559f367c92eeed3703f62efccad21786e45eee3b2a3e9d43c1e
Opcode Fuzzy Hash: c77f85a4ddb4ab67ca09639cfc06b2efc0a21b0667b3fb63a9d7a63d7472a078
Instruction Fuzzy Hash: 80710C71B002089FDB54DBA9D994A9DBBF6FF88300F148929D415EB395DB30ED4ACB90

Function 0630F700 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b125ef531e82547a32a57fcc883620c271c9bf5c6157b7692f7e12f9673a0b
Instruction ID: 59ebe0aa1be4bb8b2087fee34a61af3c94877edf8fed0296d8399724ffb77a49
Opcode Fuzzy Hash: d1b125ef531e82547a32a57fcc883620c271c9bf5c6157b7692f7e12f9673a0b
Instruction Fuzzy Hash: 6551B534B102049FFF74666CD9A476E265AD789750F20083EE40ADB3D9CA6DCC8D87D2

Function 0630FD68 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fbdb2aeb41285978d414e94e04d2bc5f4b95b4a480281140be443bc34ade0e
Instruction ID: f40dd345828b3072e0a3ba4d5a8dede2e5f8c6044704465d8d0ea023467c5374
Opcode Fuzzy Hash: b3fbdb2aeb41285978d414e94e04d2bc5f4b95b4a480281140be443bc34ade0e
Instruction Fuzzy Hash: 7351D071E001059FEF24EB78E4646ADBBB6EF85314F10886EE50AD7291DF319849CBC0

Function 0630F710 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4a20b36ff436ec4741c2c40d15e238c901236525a03d037274ae0f8ee72277
Instruction ID: be7882c3b2de1caa6ca1a82664c4eb8954a2dbc80c022d125a5e67bb06c14b72
Opcode Fuzzy Hash: 8a4a20b36ff436ec4741c2c40d15e238c901236525a03d037274ae0f8ee72277
Instruction Fuzzy Hash: C951B434B102049FFF74666CD9A476F265AD789B50F20482EE40ADB3D9CA6ECC4D47D2

Function 06305249 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b526f07c0ced53a6f439f1ff9b0dc74ec3a0eee4064198cd6e2f7522d92c38
Instruction ID: 0c486d32d018b9925c56eafb64de4fc55147c222c560e3316f377ec9cde88aa7
Opcode Fuzzy Hash: 51b526f07c0ced53a6f439f1ff9b0dc74ec3a0eee4064198cd6e2f7522d92c38
Instruction Fuzzy Hash: 9351C271E101099BEF64CB68C9907AEBBB2FB49320F248966E455DB2C1C774D849CFD1

Function 063045A8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5d84baceee01597c879e7322c1c6758a1c7021fba4e19099bbbee7446666ce
Instruction ID: 2bd001b234a458fd75c0cf6d34be90881b012ac3ff57f41d67f04c63801294b2
Opcode Fuzzy Hash: 4f5d84baceee01597c879e7322c1c6758a1c7021fba4e19099bbbee7446666ce
Instruction Fuzzy Hash: B2418330E10208DFEB54DB68C49476EBBF1EF89304F218569E509DB3A2DA35DD49CB91

Function 06304598 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78376c4d2b985ecaabc179009ade90d32ddf0cbe83120998b251628c3924dbb9
Instruction ID: f32b82747a39de731b796f053e08cffc8f6fcd9393ce71ac885b70fcb5b3340c
Opcode Fuzzy Hash: 78376c4d2b985ecaabc179009ade90d32ddf0cbe83120998b251628c3924dbb9
Instruction Fuzzy Hash: 8541A130A10108DFEB54DB78C494B9EBBF1EF89304F248569E149DB392DA35DD49CB91

Function 06302158 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a01922d4453b8e6ec5a78ceb423d040a7009a684e0dd10a58558e4eca042be
Instruction ID: 592eb852b55aab611392c3fd870f37d8efa12e739b46e3429d0b7dfe9ad87432
Opcode Fuzzy Hash: b7a01922d4453b8e6ec5a78ceb423d040a7009a684e0dd10a58558e4eca042be
Instruction Fuzzy Hash: D8317274E102069BDB49CFA4D89869EF7B6FF89300F108519E815EB390DB71E94ACB80

Function 00C1D005 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2930589034.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c1d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9c170537242bd2d757729bff59aeb99d65f619c7c42832d4b8d2ddabaa93a0
Instruction ID: 92a84cb922bd703f1b3d8fe90ffceb6828af53b92382611d0d766c6f30a53c0a
Opcode Fuzzy Hash: 7b9c170537242bd2d757729bff59aeb99d65f619c7c42832d4b8d2ddabaa93a0
Instruction Fuzzy Hash: 1B314D7150E3C49FC703CB24C9A4755BF71AF57214F29C5DBD8898F2A3C22A984ADB62

Function 06302168 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8e344e7e2a736500328a599f06b5856a556d05fec389dbfc2df0771087ffc6
Instruction ID: dfa3e792eaed606822fdb1e7a9b1dcd41ce766dd520970f46799096be22aed96
Opcode Fuzzy Hash: 1b8e344e7e2a736500328a599f06b5856a556d05fec389dbfc2df0771087ffc6
Instruction Fuzzy Hash: 76316170E102059BDB49CFA4D89969EF7B6BF89300F108529E815E7380DB70A94ACB80

Function 063050C8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c45eac66f137030f2cc7047de70328dbc9c52244aabe259b31c36519d010ef1
Instruction ID: 578df626eb7613d4c58aae2ddab2ed97f2c7e346e35b471a1c8d0b63f6eace97
Opcode Fuzzy Hash: 2c45eac66f137030f2cc7047de70328dbc9c52244aabe259b31c36519d010ef1
Instruction Fuzzy Hash: 9C318E31A007099BDF65CEA9CDC0AAFFBB6EF85320F10492AD15697691D730A84D8FD1

Function 06303B61 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58115872e2b7992802e09a7c0c334ff88b2c0454a94ff53ea183f4e2af6007b
Instruction ID: db41ae158f4598b43ff11bd0042c5db225b09cfb147667926cafe5c096cdce2d
Opcode Fuzzy Hash: f58115872e2b7992802e09a7c0c334ff88b2c0454a94ff53ea183f4e2af6007b
Instruction Fuzzy Hash: 9521A175F012159FEB50EF79D880AAEBBF5EB88710F108029E905E7390E731D9068B95

Function 06303B70 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c536cbe400ea149e4f0da9711359cddfa5952ebad41a9b37d95cb05528ed2899
Instruction ID: c34d52babfa9e6cfc57199f7ce7d2f902cfd9325bfdcd5fc6c7afa2df0082a01
Opcode Fuzzy Hash: c536cbe400ea149e4f0da9711359cddfa5952ebad41a9b37d95cb05528ed2899
Instruction Fuzzy Hash: 39218E79F002169FEF50EF69D890AAEBBF5EB88710F108025E905E7394E731D9068B94

Function 063050D8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d1c40dbb1107ccfdc4fed88a132d5ed3bb3d416445957cbaa15d0e8e1a90ab
Instruction ID: 5269d6bd45ab9257220b6727b1523dfc9ee61fc3310b180a835484015526d180
Opcode Fuzzy Hash: 81d1c40dbb1107ccfdc4fed88a132d5ed3bb3d416445957cbaa15d0e8e1a90ab
Instruction Fuzzy Hash: 1B214F71A006099BEF64CEA9DD90A6FFBB6FB84320F104929E15697690C770A8498FD0

Function 00C1D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2930589034.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c1d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0400be1b68935876e41717bc1473d7f366f2f05270deca5ee783392ea3c7abf1
Instruction ID: 22b7d69250b8b18d0326b49757d41fa09476e68e49a8d1357126ace6dc875f13
Opcode Fuzzy Hash: 0400be1b68935876e41717bc1473d7f366f2f05270deca5ee783392ea3c7abf1
Instruction Fuzzy Hash: B9210771504204EFCB14DF24D9C4B66BB65FB89314F30C6ADE84A4B251C736D886EA62

Function 0630EE61 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9f334c8ed7dfa1f893d63d1efc095fadfcdf35082ce04836c5018333fc861f
Instruction ID: 60cb9f74e59d021f345ee31b3ecff3e6329485941204624a64e87af651ef2e7c
Opcode Fuzzy Hash: 9a9f334c8ed7dfa1f893d63d1efc095fadfcdf35082ce04836c5018333fc861f
Instruction Fuzzy Hash: 2611D6317102045BDB65A67CA8A4B2F7BEADBCA610F108939F509CB391EE25DC0BC7D5

Function 06303C80 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526453ea9fb363f34ec8188c1817b37222f112b0398ad45e509a08d84ec22952
Instruction ID: 6398722b164279eab2a553a0d14ea94f5290c1da75223bbb3241867ffbaeb4fc
Opcode Fuzzy Hash: 526453ea9fb363f34ec8188c1817b37222f112b0398ad45e509a08d84ec22952
Instruction Fuzzy Hash: 0D11A135B141295FEF549A78DC646AF73AAEBC9311F00843AD40AE7384EE25DC078BD2

Function 06303EB7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2add8069a6a801c145f0cd97180fa0950c97acb9f7cfd455a28905c20eaa420c
Instruction ID: eca3bafbe51ca057479911be8c4bf4415935a17c6e78b7a44c011ac30159fc5d
Opcode Fuzzy Hash: 2add8069a6a801c145f0cd97180fa0950c97acb9f7cfd455a28905c20eaa420c
Instruction Fuzzy Hash: 6F012875B101120FFB11856CA82432EA7EADFC9614F14883AF10ACB386EA24CC0687D1

Function 06303939 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca71b170dda6065287dc54271b992141fa5c02164a9c085bdc80a542c456d13
Instruction ID: 2908aa1a882cc509b6868e629795ac9a6a08fdf574863df68db9982b4d190362
Opcode Fuzzy Hash: aca71b170dda6065287dc54271b992141fa5c02164a9c085bdc80a542c456d13
Instruction Fuzzy Hash: 3621EDB5D01259AFDB00CF9AD984BCEFFB4BB08314F10816AE918A7240C374A548CFA4

Function 0630A3D1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a638b725888bf01305e9415ca49096306c8a1b5fa517770d6f5d9cdadbf817
Instruction ID: d31a7d205b6e467f800e792db537a335b4570212d749819fd9e369b97e19b797
Opcode Fuzzy Hash: 39a638b725888bf01305e9415ca49096306c8a1b5fa517770d6f5d9cdadbf817
Instruction Fuzzy Hash: D701D438B142401FDB529678F57471E7BE6DB8A704F14886AE18ACB38ADE25CC4AC781

Function 06303C71 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcf4a3a5e82a8cd0e47d951024ae1cc8d659d10121c522e8ca96ff384038bac
Instruction ID: 72a048d30a25dc9913098b4ceb2ca5e78d1b33b7ea95d0ddc797f8d748e22751
Opcode Fuzzy Hash: cfcf4a3a5e82a8cd0e47d951024ae1cc8d659d10121c522e8ca96ff384038bac
Instruction Fuzzy Hash: 3D01D476F100265BFB549A789C156EF77AA9BC4200F00443BC54AD3684EE20C80B47D2

Function 06303940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bb2b954b65341adf48b6c1ad44ee5a23f039be0db63dda0dc6ffb41ac70f90
Instruction ID: 2b18596233702f559f21afe22cc75c4d59038b4d02208b63f2216feeb6f9b9d4
Opcode Fuzzy Hash: d3bb2b954b65341adf48b6c1ad44ee5a23f039be0db63dda0dc6ffb41ac70f90
Instruction Fuzzy Hash: 7A11C2B5D01259AFDB00DF9AD884ACEFFB4FB49314F10812AE518A7340C374A544CFA5

Function 06303EC8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ffb4acaa9921048b72b86851ac5a12541617b53e187a7cf1c051ede29097b6
Instruction ID: cdd958aace388778f1b105ce43891bc63143a5d88ba4271cdb57f82db6de793e
Opcode Fuzzy Hash: a9ffb4acaa9921048b72b86851ac5a12541617b53e187a7cf1c051ede29097b6
Instruction Fuzzy Hash: 9A01D131B100121FEB64956EA42072FA2EEDBC9764F108839F50ECB385DE65DC0A87C5

Function 0630EE70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c75575deda16eec2c607b47e2ce7f9825f80a99d0b6b60ad1bbbc513becbf
Instruction ID: de6187760f655783c8cf7c7ba56c0c41c9af9d6345f5e351a7435a4c8645a577
Opcode Fuzzy Hash: a70c75575deda16eec2c607b47e2ce7f9825f80a99d0b6b60ad1bbbc513becbf
Instruction Fuzzy Hash: 1901A431B104145BDB64A66DA4A472F77DADBC9610F208C39F10ACB380EE25DC0B87C5

Function 0630A3E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7471a4c4cdd5ef6c0f97ef7fbd127e87c8f5ca974cb783c2c2f274d8084e91ab
Instruction ID: 31496b95ec7d4365f0cd9c709cf02e4071f808c1ed30057fd232942fdb88cde4
Opcode Fuzzy Hash: 7471a4c4cdd5ef6c0f97ef7fbd127e87c8f5ca974cb783c2c2f274d8084e91ab
Instruction Fuzzy Hash: A6018139B102106BDB54D66CF864B1EB3DAEB89714F108839E50ACB389DE25DC4A8BC5

Function 0630AFE8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec93032b693528d5bddd41626ed6e2decb374e879c939578374a1cdba400404
Instruction ID: 8b0ef52a67dcba976bcf4d5085a272aa29e37c8f17c2b362b1a073faa040b67b
Opcode Fuzzy Hash: dec93032b693528d5bddd41626ed6e2decb374e879c939578374a1cdba400404
Instruction Fuzzy Hash: 5101D171E142098BEF249A68D56079EFBB8E745320F00483AE51ADB280D732984D8BC1

Function 0630FD58 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99308f805a4a02fd46329bd9428a30eff1bc491540581252a70ac5eac5b297b
Instruction ID: 4242708f101d3f893b151f1ed5244ef731095475e8bc4278378f72d0b76477f3
Opcode Fuzzy Hash: c99308f805a4a02fd46329bd9428a30eff1bc491540581252a70ac5eac5b297b
Instruction Fuzzy Hash: 2EF02B37B211159BCF244E35DC484EAB766EFC8311B10453EE551E3240DA31441B87C1

Function 06306540 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c01f8519070b7192c754533c9bd19c5fe74502d36b2435d6366e1ee69b9ba8d
Instruction ID: ef2c83637918c505b22622dc26be8390763171cc83a9cf784160b14195776023
Opcode Fuzzy Hash: 5c01f8519070b7192c754533c9bd19c5fe74502d36b2435d6366e1ee69b9ba8d
Instruction Fuzzy Hash: 18E0D871D19289AFEB50CA708D6E24B7BB8DB07204F2048D6D448CB187F536CE1E8790

Function 06306550 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1236a262dee9047603fdb89833b2ef459f3a4d183b80d5a5b84eddf46488d7bf
Instruction ID: 68d1c68ac24ef60e1f502343193c6ff5b84237aad75e4b5e99134dc2ed62ea62
Opcode Fuzzy Hash: 1236a262dee9047603fdb89833b2ef459f3a4d183b80d5a5b84eddf46488d7bf
Instruction Fuzzy Hash: AEE01275E10108ABEF50DEB4C96B75F77ADD706214F2088A5D409C728AE577DA1D87C0

Non-executed Functions

Function 06307770 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06307D22
$^q, xrefs: 06307C6D
$^q, xrefs: 06307D16
$^q, xrefs: 06307C61
$^q, xrefs: 063078B0
$^q, xrefs: 063078A4
$^q, xrefs: 063078D5
$^q, xrefs: 063078E1
$^q, xrefs: 06307D00
$^q, xrefs: 06307D0C

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 644bd416e95aa7353b2a343916aaba1555200f950ce5b95a53a43b292a780aaa
Instruction ID: cbf4dc23d44c75695d01f5387ba413e236c3e3ae87398b68d342c52df8bdfbe5
Opcode Fuzzy Hash: 644bd416e95aa7353b2a343916aaba1555200f950ce5b95a53a43b292a780aaa
Instruction Fuzzy Hash: 85121034E002198FDB68DF65C954A6DB7F6BF84304F208569D409AB394DB31AD8ACF91

Function 0630AA00 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0630ABB2
$^q, xrefs: 0630AAF6
$^q, xrefs: 0630AB88
$^q, xrefs: 0630ABBE
$^q, xrefs: 0630AB02
$^q, xrefs: 0630AB7C
$^q, xrefs: 0630AB51
$^q, xrefs: 0630AB5D

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 5859ff9673f5a49e97faa7617856a17e131ab7f230d2179fb0ffd62cb716aa0e
Instruction ID: fa54c01f3f6296ba1e4c021bfb6604773fb6aae8e60fc639862b58c700272115
Opcode Fuzzy Hash: 5859ff9673f5a49e97faa7617856a17e131ab7f230d2179fb0ffd62cb716aa0e
Instruction Fuzzy Hash: 35913D30E00309DFEB69DB64E564BAEB7B6EF84305F108529D402AB2D6DB759849CBD0

Function 06307170 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 0630760C
$^q, xrefs: 06307452
$^q, xrefs: 06307678
$^q, xrefs: 063074B8
$^q, xrefs: 063074AC
$^q, xrefs: 06307684
.5vq, xrefs: 063071CB

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 9644c875fee4c6d46101532b75da18d2eb13ac8a496216f515ea9de7bebbf70b
Instruction ID: 8220e37e2cf3a75a1909e41257e02843fcff2ed838ded69d0deba6148d80ecbb
Opcode Fuzzy Hash: 9644c875fee4c6d46101532b75da18d2eb13ac8a496216f515ea9de7bebbf70b
Instruction Fuzzy Hash: 8AF12034B00208DFDB55EF68D554A6EB7B6FF88304F248568D406AB399DB71EC4ACB90

Function 063084A0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06308706
$^q, xrefs: 063086FA
$^q, xrefs: 0630875F
$^q, xrefs: 0630876B

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 5762d946ee03b76fa1b2bff1f7c42b56c508b6490762968f0088f4f1397c6e45
Instruction ID: 02c1b985e93271ada98adaf0d07ec92b535a0ae463ca219dbaa898ecd03ecf24
Opcode Fuzzy Hash: 5762d946ee03b76fa1b2bff1f7c42b56c508b6490762968f0088f4f1397c6e45
Instruction Fuzzy Hash: A9B11E34E002088FEF54DF68D59466EB7B6FF88304F248929D4069B399DB75DC8ACB90

Function 0630AD88 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

$^q, xrefs: 0630AF64
$^q, xrefs: 0630AF0C
$^q, xrefs: 0630AEB9
$^q, xrefs: 0630AF3B

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 6be2dc44d3986682585938b9bb26749314be2ce51e02ebf0ee25efdbefe8e9b9
Instruction ID: 28fe6b7913c4a0c66083b83e091e9b9103eaff4c44ea0106194e057f9f71b03c
Opcode Fuzzy Hash: 6be2dc44d3986682585938b9bb26749314be2ce51e02ebf0ee25efdbefe8e9b9
Instruction Fuzzy Hash: C361E074A103058FEF65DB64F9A06AEB7F6EF84311F10852AD8059B296DB30DC4ACBD0

Function 063088B8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 063089AB
LR^q, xrefs: 063089FA
$^q, xrefs: 06308943
$^q, xrefs: 06308937

Memory Dump Source

Source File: 0000000E.00000002.2939649463.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6300000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: dc99a4ee0aab0cfcad50248a33a6996478d106796a1dccdba17628cf3305dded
Instruction ID: cf3394def3c537b06a5742a24fec0fa26f6a8c0f623e744e55b4f1865db859db
Opcode Fuzzy Hash: dc99a4ee0aab0cfcad50248a33a6996478d106796a1dccdba17628cf3305dded
Instruction Fuzzy Hash: E751C434B002059FEF54EB68D860A6AB7E6FF88704F148968E4059F3D9DB71EC49CB91

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DUWPFaZd3a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DUWPFaZd3a.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windowsx.exe.log

C:\Users\user\AppData\Roaming\Windowsx.exe

C:\Users\user\AppData\Roaming\Windowsx.exe:Zone.Identifier

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
DUWPFaZd3a.exe

Function 05B60399 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132
COMMON

Function 05B603ED Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
COMMON

Function 05B603F8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre