Edit tour

Windows Analysis Report
WZ6RvDzQeq.exe

Overview

General Information

Sample name:	WZ6RvDzQeq.exe renamed because original name is a hash value
Original sample name:	25e947b199af51b580a7bc98e1ecea3dfdb1bac24403757a8e832adfb52f6738.exe
Analysis ID:	1591112
MD5:	d63f0d4ccf6dceeb0db924ce75a83251
SHA1:	3f0c5c70dd0d4e1a9052a2c6ce00da187b403566
SHA256:	25e947b199af51b580a7bc98e1ecea3dfdb1bac24403757a8e832adfb52f6738
Tags:	92-255-57-155exeuser-JAMESWT_MHT
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

WZ6RvDzQeq.exe (PID: 4992 cmdline: "C:\Users\user\Desktop\WZ6RvDzQeq.exe" MD5: D63F0D4CCF6DCEEB0DB924CE75A83251)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WZ6RvDzQeq.exe PID: 4992	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:48:02.915791+0100	2035595	1	Domain Observed Used for C2 Detected	92.255.57.155	56001	192.168.2.6	49710	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WZ6RvDzQeq.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: WZ6RvDzQeq.exe	Virustotal: Detection: 55%			Perma Link
Source: WZ6RvDzQeq.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: WZ6RvDzQeq.exe

Joe Sandbox ML: detected

Source: WZ6RvDzQeq.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: WZ6RvDzQeq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.57.155:56001 -> 192.168.2.6:49710

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 92.255.57.155:56001

Source: Joe Sandbox View	IP Address: 92.255.57.155 92.255.57.155
Source: Joe Sandbox View	IP Address: 92.255.57.155 92.255.57.155

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155

Source: WZ6RvDzQeq.exe, 00000000.00000002.4575778487.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: WZ6RvDzQeq.exe, 00000000.00000002.4575778487.00000000014FF000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: WZ6RvDzQeq.exe, 00000000.00000002.4575778487.00000000014FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5Z
Source: WZ6RvDzQeq.exe, 00000000.00000002.4581525625.0000000005A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabW
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_017848A0	0_2_017848A0
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_01784890	0_2_01784890
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_01781C30	0_2_01781C30
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_01781C1F	0_2_01781C1F
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_06520548	0_2_06520548
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_065253C3	0_2_065253C3
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_065230A0	0_2_065230A0
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_06524E53	0_2_06524E53
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_06524E5C	0_2_06524E5C
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_06524F48	0_2_06524F48
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_0652549B	0_2_0652549B
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_065253CC	0_2_065253CC
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_06523090	0_2_06523090
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_065229D2	0_2_065229D2

Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePutsblg.dll" vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe, 00000000.00000000.2109053453.0000000000E5C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFzewje.exe" vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.4580637086.00000000057A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePutsblg.dll" vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.4575778487.000000000143E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.4579781808.0000000004317000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePutsblg.dll" vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe	Binary or memory string: OriginalFilenameFzewje.exe" vs WZ6RvDzQeq.exe

Source: WZ6RvDzQeq.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: WZ6RvDzQeq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal96.spyw.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Mutant created: \Sessions\1\BaseNamedObjects\ba5217eadeaf

Source: WZ6RvDzQeq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WZ6RvDzQeq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WZ6RvDzQeq.exe	Virustotal: Detection: 55%
Source: WZ6RvDzQeq.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: WZ6RvDzQeq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WZ6RvDzQeq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WZ6RvDzQeq.exe

Static PE information: 0xCAFB9F6F [Tue Nov 30 08:53:03 2077 UTC]

Source: WZ6RvDzQeq.exe

Static PE information: section name: .text entropy: 7.872285671131451

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Memory allocated: 1780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Window / User API: threadDelayed 2820			Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Window / User API: threadDelayed 6965			Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 7056	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3180	Thread sleep count: 2820 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -38844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3180	Thread sleep count: 6965 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -38733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -38625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -38507s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -38406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -38297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -38187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -38078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -37969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -37860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -37735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -37610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -37485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -37360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -37235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -37110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -36985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -36860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -36735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -36610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -36485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -36360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -36235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -36110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -35985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -35860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -35735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -35610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -35485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -35360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -35235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -35110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -34985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -34860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -34703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -34593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -34468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -34297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -34110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -33985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -33860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -33735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -33610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -33485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -33360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 1864	Thread sleep time: -33235s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 39000	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 38844	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 38733	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 38625	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 38507	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 38406	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 38297	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 38187	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 38078	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 37969	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 37860	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 37735	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 37610	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 37485	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 37360	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 37235	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 37110	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 36985	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 36860	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 36735	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 36610	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 36485	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 36360	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 36235	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 36110	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 35985	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 35860	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 35735	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 35610	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 35485	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 35360	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 35235	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 35110	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 34985	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 34860	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 34703	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 34593	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 34468	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 34297	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 34110	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 33985	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 33860	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 33735	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 33610	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 33485	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 33360	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 33235	Jump to behavior

Source: WZ6RvDzQeq.exe, 00000000.00000002.4581646255.0000000005AE9000.00000004.00000020.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4581770840.0000000005B1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WZ6RvDzQeq.exe, 00000000.00000002.4581525625.0000000005A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`N

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003632000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003632000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000358E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.00000000036D4000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003632000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003684000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Queries volume information: C:\Users\user\Desktop\WZ6RvDzQeq.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q com.liberty.jaxx
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: WZ6RvDzQeq.exe, 00000000.00000002.4580637086.00000000057A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: Yara match	File source: 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WZ6RvDzQeq.exe PID: 4992, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	341 Virtualization/Sandbox Evasion	LSASS Memory	421 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	341 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WZ6RvDzQeq.exe	56%	Virustotal		Browse
WZ6RvDzQeq.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
WZ6RvDzQeq.exe	100%	Avira	HEUR/AGEN.1323341
WZ6RvDzQeq.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://stackoverflow.com/q/14436606/23354	WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll	WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.4577622361.0000000003760000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354rCannot	WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe	WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe	WZ6RvDzQeq.exe, 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.155	unknown	Russian Federation		42253	TELSPRU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591112
Start date and time:	2025-01-14 17:47:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WZ6RvDzQeq.exe renamed because original name is a hash value
Original Sample Name:	25e947b199af51b580a7bc98e1ecea3dfdb1bac24403757a8e832adfb52f6738.exe
Detection:	MAL
Classification:	mal96.spyw.evad.winEXE@1/2@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 85% Number of executed functions: 93 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WZ6RvDzQeq.exe, PID 4992 because it is empty
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:48:03	API Interceptor	11456401x Sleep call for process: WZ6RvDzQeq.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.255.57.155	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155/1/1.png
	anyrunsample.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155/1/1.png
	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155/1/1.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	ea354192.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	Ecastillo-In Service Agreement.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	2.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	Payment Receipt.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.214.172
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	email.eml	Get hash	malicious	unknown	Browse	199.232.214.172
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	final shipping documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.214.172
	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	199.232.210.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57_1.112.ps1	Get hash	malicious	XWorm	Browse	92.255.57.112
	book_lumm2.dat.exe	Get hash	malicious	XWorm	Browse	92.255.57.112
	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57.155.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	png2obj1_XClient.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	Dm35sdidf3.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	QP2uO3eN2p.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155

Process:	C:\Users\user\Desktop\WZ6RvDzQeq.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\WZ6RvDzQeq.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.253995428229511
Encrypted:	false
SSDEEP:	6:kK0Ml99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:MMlkDImsLNkPlE99SNxAhUe/3
MD5:	B59D015738F2E7429CEB8E6E77D239AC
SHA1:	245A66A1D57C159C3105A3A89A5099590AACFD0C
SHA-256:	48CD5014893ACF8EB97D68130AF8360D0B109553150A834AAE460C2C9228F023
SHA-512:	8569B467071C7A749D7A4E55B445D978AEBA4C53D74C28D23E2901DAF58FF80CBA07EF49862535162590422C588728F4C5CAB2D4B2196334C4923405089ABFCC
Malicious:	false
Reputation:	low
Preview:	p...... .............f..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.856791476993461
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	WZ6RvDzQeq.exe
File size:	365'568 bytes
MD5:	d63f0d4ccf6dceeb0db924ce75a83251
SHA1:	3f0c5c70dd0d4e1a9052a2c6ce00da187b403566
SHA256:	25e947b199af51b580a7bc98e1ecea3dfdb1bac24403757a8e832adfb52f6738
SHA512:	a9846ee5541e2a140a541b5d78af9476c2d9606a581d2eb0109b1ceb75abcb244e8b4c0f32facfff5f5e568e7b27b4cad9bccf26f3ba8720ebb58cb4cc0ef064
SSDEEP:	6144:rygIsrPEg1pEZS8pV07t854csHTE1WJvYSM3D5To6wUXZRC2L/mdsIsfyEaJaa:W21uZS8pq71cCJvCm6nXLFLO2qaa
TLSH:	9C74021077CF8321E1284AB688E7686613F5D3072E73C7577A4692C11EE33C69B96B8D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.................0.............~.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45a97e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCAFB9F6F [Tue Nov 30 08:53:03 2077 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a930	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x58984	0x58a00	d2ca19ae7178665eadbda2dac9b663f4	False	0.9205196579689704	data	7.872285671131451	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x560	0x600	d73e5769a0afb2d9a9a3c1152abe6084	False	0.4016927083333333	data	3.9326269831708895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	93e2d3f363bbc8046e2c6cbf9530b91e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x2d4	data			0.43370165745856354
RT_MANIFEST	0x5c374	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T17:48:02.915791+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	92.255.57.155	56001	192.168.2.6	49710	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:48:02.190282106 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:02.195281029 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:02.195389986 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:02.197079897 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:02.201916933 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:02.212008953 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:02.219254017 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:02.903613091 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:02.903748035 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:02.903801918 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:02.910928965 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:02.915791035 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:03.129693985 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:03.172312975 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:04.608978033 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:04.613822937 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:04.613898993 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:04.618701935 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:43.205076933 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:43.209937096 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:43.209995031 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:43.214868069 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:43.587377071 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:43.641148090 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:43.752687931 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:43.760411024 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:43.765286922 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:48:43.765388966 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:48:43.770186901 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:22.206440926 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:22.211364031 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:22.211436033 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:22.216636896 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:22.598876953 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:22.641168118 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:22.769231081 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:22.777062893 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:22.781954050 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:22.782008886 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:22.786875963 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:30.438930035 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:30.443825006 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:30.443880081 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:30.448720932 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:30.822124958 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:30.875545025 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:30.996279001 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:30.998936892 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:31.003691912 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:31.003739119 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:31.008548975 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:42.266974926 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:42.271858931 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:42.271917105 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:42.276729107 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:42.650149107 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:42.691871881 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:42.816564083 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:42.820827007 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:42.827712059 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:42.827754021 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:42.834305048 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:54.969779015 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:54.975044012 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:54.975086927 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:54.979876995 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:55.350784063 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:55.391201019 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:55.519763947 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:55.522073984 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:55.526885986 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:49:55.526979923 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:49:55.531822920 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:07.641923904 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:07.646656990 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:07.646733999 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:07.651712894 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:08.025417089 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:08.192013025 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:08.192257881 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:08.195672989 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:08.200463057 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:08.203557014 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:08.208329916 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:23.954164982 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:23.959255934 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:23.959480047 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:23.964623928 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:24.480982065 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:24.532717943 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:24.645549059 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:24.665165901 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:24.670116901 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:24.670802116 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:24.675663948 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:48.704292059 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:48.709147930 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:48.709212065 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:48.714011908 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:48.907308102 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:48.912153006 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:48.913552999 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:48.918448925 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:49.090600014 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:49.141496897 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:49.225541115 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:49.235065937 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:49.239875078 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:49.239922047 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:49.244769096 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:49.380124092 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:49.382692099 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:49.387487888 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:49.387542009 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:49.392348051 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.065515995 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.070358992 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.070461035 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.075248003 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.407561064 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.412417889 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.412465096 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.417494059 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.454435110 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.456933975 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.456991911 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.459207058 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.461770058 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.624793053 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.627322912 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.632117033 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.632169008 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.636950016 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.746521950 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.797533035 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.881472111 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.883579016 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.888436079 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:50:59.888489008 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:50:59.893265963 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:02.876966000 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:02.881767988 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:02.881856918 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:02.886666059 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:03.267570019 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:03.313155890 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:03.442817926 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:03.445048094 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:03.449887037 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:03.449937105 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:03.454684019 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.047976971 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.052870035 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.053692102 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.058537960 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.450968027 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.485951900 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.490830898 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.490891933 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.495820999 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.615932941 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.618985891 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.624965906 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.625025034 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.630569935 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.737550974 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.781939983 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.873555899 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.876365900 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.881455898 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:13.881520033 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:13.886600018 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:36.626256943 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:36.631197929 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:36.631267071 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:36.636085987 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:37.018682957 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:37.063270092 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:37.194842100 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:37.205591917 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:37.210551023 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:37.210658073 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:37.215512037 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:41.517510891 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:41.522547007 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:41.522614956 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:41.527559042 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:41.907774925 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:42.016477108 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:42.068605900 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:42.070818901 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:42.075675964 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:42.075745106 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:42.080636024 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:42.080708981 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:42.085540056 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:42.465138912 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:42.516400099 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:42.634242058 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:42.637206078 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:42.642026901 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:42.642354012 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:42.647191048 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:47.391760111 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:47.396781921 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:47.396852970 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:47.401674032 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:47.781730890 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:47.907562971 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:47.943939924 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:47.953560114 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:47.958506107 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:47.958585024 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:47.963434935 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:53.329467058 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:53.334305048 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:53.334403992 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:53.339282990 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:53.722717047 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:53.907011986 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:53.912482023 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:53.915290117 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:53.920247078 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:51:53.920305014 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:51:53.925411940 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:52:03.867623091 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:52:03.872509003 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:52:03.872597933 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:52:03.877474070 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:52:04.249299049 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:52:04.297621965 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:52:04.412991047 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:52:04.414235115 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:52:04.420108080 CET	56001	49710	92.255.57.155	192.168.2.6
Jan 14, 2025 17:52:04.420176029 CET	49710	56001	192.168.2.6	92.255.57.155
Jan 14, 2025 17:52:04.425007105 CET	56001	49710	92.255.57.155	192.168.2.6

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 17:48:03.241216898 CET	1.1.1.1	192.168.2.6	0xd8b0	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:48:03.241216898 CET	1.1.1.1	192.168.2.6	0xd8b0	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:47:55
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\WZ6RvDzQeq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WZ6RvDzQeq.exe"
Imagebase:	0xe00000
File size:	365'568 bytes
MD5 hash:	D63F0D4CCF6DCEEB0DB924CE75A83251
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4577622361.000000000327F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4577622361.0000000003457000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 065230A0 Relevance: 2.7, Strings: 1, Instructions: 1495COMMON

Download Yara Rule

Strings

h>{, xrefs: 0652341D

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: h>{
API String ID: 0-4049927388
Opcode ID: fa6f3aac2718bfe8a286924811ade69cfb41b2eb53bd019198e46b5678aacf69
Instruction ID: 0c1ba2fd313db02219aeb9eac7cd2ba80bb349165f691352f1601f4111e8b4cd
Opcode Fuzzy Hash: fa6f3aac2718bfe8a286924811ade69cfb41b2eb53bd019198e46b5678aacf69
Instruction Fuzzy Hash: 33E28874750114DFD798DF68E6A8B6A73E2FF88304F5281A9D80A9B754DF38AD41CB80

Function 06523090 Relevance: 2.7, Strings: 1, Instructions: 1493COMMON

Download Yara Rule

Strings

h>{, xrefs: 0652341D

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: h>{
API String ID: 0-4049927388
Opcode ID: 32732cea9cc19137a8fa505ebda2a3f15838cbd5ac05492cee9875f0ba5ad4ca
Instruction ID: 39aed317fd20d4b9edfcf6a64c5bf655c0202d9c0375a2d2adc3df89c34ce33b
Opcode Fuzzy Hash: 32732cea9cc19137a8fa505ebda2a3f15838cbd5ac05492cee9875f0ba5ad4ca
Instruction Fuzzy Hash: 6BE28874750114DFD798DF68E6A8B6A73E2FF88304F5281A9D80A9B754DF38AD41CB80

Function 065253C3 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

E't, xrefs: 06525893

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: E't
API String ID: 0-3500362013
Opcode ID: 69357226235a8f2cb5a4720a272bb14e870290cd592d8138ba5243ca79cd5d32
Instruction ID: 033f7f82314e1c434959cf6eef538c7e07f63eedba68dc5f58b9ab9e92ee197c
Opcode Fuzzy Hash: 69357226235a8f2cb5a4720a272bb14e870290cd592d8138ba5243ca79cd5d32
Instruction Fuzzy Hash: 4DD1FF34B501158FD794DF28D598A6A77F2FB88304F1581A9D90ADB354DF38AD82CF81

Function 065253CC Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

E't, xrefs: 06525893

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: E't
API String ID: 0-3500362013
Opcode ID: 029254c7afc66f0807abdc1ae26e0b48df2a24bfa9b0ecec3032a8adb03a71bf
Instruction ID: 284ccb28c4ef136e3dffbabc46f7c216ce003c4a14e42c3a0661c6da0dd59d6d
Opcode Fuzzy Hash: 029254c7afc66f0807abdc1ae26e0b48df2a24bfa9b0ecec3032a8adb03a71bf
Instruction Fuzzy Hash: A0D10F34B501168FD794DF28D698A6A77F2FB88304F1581A9D90ADB354DF38AD82CF81

Function 0652549B Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

E't, xrefs: 06525893

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: E't
API String ID: 0-3500362013
Opcode ID: d5efc5e5c90cd3acbf5a8d9bfc90a72068a17d56019093e4151b697b2021bd06
Instruction ID: 621297c28aaf8eacb6eadd7f5dd4b352fab2467c2d5b321ae0dab66c6c81ac46
Opcode Fuzzy Hash: d5efc5e5c90cd3acbf5a8d9bfc90a72068a17d56019093e4151b697b2021bd06
Instruction Fuzzy Hash: CBB1FF34B501168FD794DF28D698A6A77F2FB88344F1581A9D90ADB354DF38AD82CF80

Function 06520548 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05515bbc3a3849192cb79b8929a38af7b3aa6607bf0c333678b05b604af5dbc
Instruction ID: 4c2988865c1c7c18062a9cfc53e8d197fb6327a1d28ee42d0304026afbc02445
Opcode Fuzzy Hash: f05515bbc3a3849192cb79b8929a38af7b3aa6607bf0c333678b05b604af5dbc
Instruction Fuzzy Hash: 89B16D70E0121A8FDF94CFA9C88579EBBF2BF89714F148529D415AB2D4EB749881CF81

Function 065202C0 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V[n, xrefs: 0652032F
\V[n, xrefs: 06520482

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: \V[n$\V[n
API String ID: 0-3705941238
Opcode ID: 5ee02c91928a8fa604f38095e77c34fc8ec37b35c594ad5593478fbc4a4bd97b
Instruction ID: 56221cf132fb38ec6027c41865442003c9b6cd87befb357b4a1eeee78d81e455
Opcode Fuzzy Hash: 5ee02c91928a8fa604f38095e77c34fc8ec37b35c594ad5593478fbc4a4bd97b
Instruction Fuzzy Hash: CE717670E0121ACFDB54CFA9C884B9EBBF2BF89714F148529E414AB290EB749841CF81

Function 065202B4 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

\V[n, xrefs: 0652032F
\V[n, xrefs: 06520482

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: \V[n$\V[n
API String ID: 0-3705941238
Opcode ID: 7ec077c4c81cdbf9b342acbd3080e50044f12eda4be53f2ce1f8aff8e542ac77
Instruction ID: 9e44104c5a5e7b5d6ad3fea2127a38338b51e7333be15b4464e4402dcd4c1e45
Opcode Fuzzy Hash: 7ec077c4c81cdbf9b342acbd3080e50044f12eda4be53f2ce1f8aff8e542ac77
Instruction Fuzzy Hash: 21718870E0166ACFDB50CFA8C885B9EBBF2BF89714F148529E414A72D0EB749841CF91

Function 06527F6F Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

t, xrefs: 065280DA

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-760408342
Opcode ID: 032400b3c616b85a69ddb3e33044f03b0622a771428b594e646faa62b6024156
Instruction ID: 59ddd47a4d53b369b650c0edc8fdd319ce3b05c46938723d4e5bd06c4fb6fca8
Opcode Fuzzy Hash: 032400b3c616b85a69ddb3e33044f03b0622a771428b594e646faa62b6024156
Instruction Fuzzy Hash: 8841E430B002498FC745DF68D450A6EBBF2FF9A304B60C56AD509DB255DF35AC46CB90

Function 065256EF Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

E't, xrefs: 06525893

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: E't
API String ID: 0-3500362013
Opcode ID: b9fd671e2aa6f7c254ecdaf6ea708506988463b20c9613fce165900462b20ccc
Instruction ID: 9dec7e638396bcad3337c250040524bee64cc1ea1c80771cd109adb154f97238
Opcode Fuzzy Hash: b9fd671e2aa6f7c254ecdaf6ea708506988463b20c9613fce165900462b20ccc
Instruction Fuzzy Hash: 3251FB74B501568FD794DF28D598A6AB7F2FB88204F2181A9D90ADB354DF38AD42CF80

Function 065256FC Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

E't, xrefs: 06525893

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: E't
API String ID: 0-3500362013
Opcode ID: e59f4ebfbe3b1bf5e4114fcf6f788ad7db5f9a292d2fc635cb7825ef6e0f1fa9
Instruction ID: 9c8f0f4c3a819878ed91f7a594bc53ef545f2647573af8c4479af3827d14f393
Opcode Fuzzy Hash: e59f4ebfbe3b1bf5e4114fcf6f788ad7db5f9a292d2fc635cb7825ef6e0f1fa9
Instruction Fuzzy Hash: BC51FB74B501568FD794DF28D598A6AB7F2FB88204F2181B9D90ADB354DF38AD42CF80

Function 06527F80 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

t, xrefs: 065280DA

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-760408342
Opcode ID: 33da6db66f60c991011c6bf38a8b8b2c228c3f3425a23a0c597cf6bc0f0600ba
Instruction ID: a37db989f63de96b1598eb43cd84160855a038477bbe1a6a076b9f73e6078306
Opcode Fuzzy Hash: 33da6db66f60c991011c6bf38a8b8b2c228c3f3425a23a0c597cf6bc0f0600ba
Instruction Fuzzy Hash: 0041D030B002098FCB45EF69D490A5EBBF6FF89304B608529D5099B369DF35AC46CB90

Function 06520CF8 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

t, xrefs: 065280DA

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-760408342
Opcode ID: d02ee8127d484021eb736136fa59e5779ae76208a44f34f8e62c90aaed91eb26
Instruction ID: bc81d5eae5257a381e99482d8b23c4609a9f681f9ed46deecd660721507de9e4
Opcode Fuzzy Hash: d02ee8127d484021eb736136fa59e5779ae76208a44f34f8e62c90aaed91eb26
Instruction Fuzzy Hash: 4F31E130A043559FC705DF68D8A099E7FF1FF8A314B10846AD546DB265DF38AC4ACBA1

Function 06526450 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16ecc657a43f137967abd54f84822980aa687c12e3ab75864405193b04f94a6
Instruction ID: c39d27a14b48f03011777baf2a4218324c0c9b4b089a8afe557b9611ca754420
Opcode Fuzzy Hash: f16ecc657a43f137967abd54f84822980aa687c12e3ab75864405193b04f94a6
Instruction Fuzzy Hash: 71123830A007568FDB65DF79C450A9EB7F2BF89300F648A6DD4069B2A5DB74E881CF80

Function 01781EA8 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f514c30aadfebdba1a3328551aa1707ccd475bd0d2595a817f93e7027a36a5d
Instruction ID: 4dc3c2564d1ca242f77b651b462665f9840c0e14be0f1873f22adba1630518dd
Opcode Fuzzy Hash: 0f514c30aadfebdba1a3328551aa1707ccd475bd0d2595a817f93e7027a36a5d
Instruction Fuzzy Hash: 94B1BE71B002119FC715EF29D488A5AFBF6FF88350F1585A9D906AB3A2DB75EC01CB90

Function 06526DD5 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba5329cff66acc33b1c5554902ac69f52ff0f537b2388e3b1faa2a711fa0b04
Instruction ID: 8b3935243329950b8470f2ca1e010b13d4b714437a4c89affefae560b39e872a
Opcode Fuzzy Hash: aba5329cff66acc33b1c5554902ac69f52ff0f537b2388e3b1faa2a711fa0b04
Instruction Fuzzy Hash: 424104747053418FD315DF29D840A9A7FE1EFDA310B18866FD0858F2A6DA35DC0ACBA1

Function 0652053C Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188947cf63eff137e859d67fa567c67e5585ab39f0f605ed51f7974cc4cd69c3
Instruction ID: dc64faed948f1287472d1ed7b3a46644247d6f04cfa166b9b62b281c6454c52e
Opcode Fuzzy Hash: 188947cf63eff137e859d67fa567c67e5585ab39f0f605ed51f7974cc4cd69c3
Instruction Fuzzy Hash: CFA16D70E0122ACFDB90CFA9C88579EBBF1BF89714F148529E414A72D4EB749885CF81

Function 0652C6A8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec92822fe815edb61c4f0ec6382b1548e30367f1bceec84f113eeaf41784438
Instruction ID: ae3f89bdd4c9babba2ed3e819f5e68e7708c7e1f268c4cdfd90cd27d2024c96a
Opcode Fuzzy Hash: bec92822fe815edb61c4f0ec6382b1548e30367f1bceec84f113eeaf41784438
Instruction Fuzzy Hash: 7C714D787100158BC784EF69E66866F7AA7FBEC601B558029D907C7388DF38AC428BD5

Function 06525D58 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ca914341f7b3ff18fd1c0d1a7318f91c1e5eab331a56d70240d19fe1a09d8d
Instruction ID: e86a1d05117a0a1727035729fff901a301c402831bcc2b453012c783d9eda565
Opcode Fuzzy Hash: a7ca914341f7b3ff18fd1c0d1a7318f91c1e5eab331a56d70240d19fe1a09d8d
Instruction Fuzzy Hash: 80513935B0011A9FCF55CFA8D8409EEBBF6FF8C210B54816AE905A7360DB35D951CBA1

Function 065272BD Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9beb22d55df5bc8ce0af6be708fa0dc8912b01415a8e7e6d82973eec68fa67b
Instruction ID: db05c146f7d4917e2bac30f92917edc02765f959257d074f80f4b4a21a98e1fb
Opcode Fuzzy Hash: b9beb22d55df5bc8ce0af6be708fa0dc8912b01415a8e7e6d82973eec68fa67b
Instruction Fuzzy Hash: B871B734A10215DFCB54CFA9C994A9DBBB2FF89300F2485A9D9059B365DB31ED42CF50

Function 06529B30 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a13e7b4bb71dd4db33a3734ad46b1210c3e5dd553b4e548eefa041d1bac478d
Instruction ID: 61c34b936f55259463f01f87ee53ec34b21b47d784653f0065fc78060c80bc88
Opcode Fuzzy Hash: 1a13e7b4bb71dd4db33a3734ad46b1210c3e5dd553b4e548eefa041d1bac478d
Instruction Fuzzy Hash: 8921D6317083698FCB56AB68D4183AE7FF2EF86611F150066D441DB386CE781D06C7D6

Function 06529B8E Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a038b48293de39d11f027f6551472c9a74a75b02fb6be68aad3704825b1f257d
Instruction ID: 13ad66b8ed6067041d03e401c51b82c1f2673148049fb6943a34880b863b9c6f
Opcode Fuzzy Hash: a038b48293de39d11f027f6551472c9a74a75b02fb6be68aad3704825b1f257d
Instruction Fuzzy Hash: 4821D8317083A58FCB069B38D8696AE7FB2EF86210F15009AC4419B387CE781C07C795

Function 017818F1 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5098d72fb4131347d5e4e8354a228d69faaf29d4ec307fc5169e668c62b41be8
Instruction ID: b23a0fbb1f0493d23b52008a362abc5267cbbb3bc8409864110f3370d7ebabc0
Opcode Fuzzy Hash: 5098d72fb4131347d5e4e8354a228d69faaf29d4ec307fc5169e668c62b41be8
Instruction Fuzzy Hash: A1516E74B40104CFCB44EF79C498AADFBF6BF89310F6584A9E506AB3A5CA709D06CB51

Function 01781900 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b925fe9083cf931fd365bdb3fc3f5b9cf912130a441eb958ed8fea28a6d38d
Instruction ID: 92b0582330370299b4d0abd5d068187a354a51eaa93f1fcf574be98de316469a
Opcode Fuzzy Hash: 02b925fe9083cf931fd365bdb3fc3f5b9cf912130a441eb958ed8fea28a6d38d
Instruction Fuzzy Hash: 65514C74B40104CFC744EF79C498AADBBF6BF88310F6180A9E506AB3A5CA709D06CB51

Function 0652CE9C Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c14fb5a087db0b11370f06812af8c1c98c834709a8849be151b15ce87c0127
Instruction ID: e8eba9a4e3f91313d72179fc805a15d9530d9a0f95a3c97386d95010f9ca7e93
Opcode Fuzzy Hash: e4c14fb5a087db0b11370f06812af8c1c98c834709a8849be151b15ce87c0127
Instruction Fuzzy Hash: 0F514271D00269CFDB58CFA9C484B9EBBF0BF49310F14812AE815AB391D774A845CF95

Function 0652CEA8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b057ba7cfb497c360344ea83f9d51c05e2f578062e82c47c79ff07ffaeea7
Instruction ID: 5d0d156f44d5a875715180166626c1a9c63cd7ef95d0a940bdcda98a38906c2e
Opcode Fuzzy Hash: 241b057ba7cfb497c360344ea83f9d51c05e2f578062e82c47c79ff07ffaeea7
Instruction Fuzzy Hash: 49513171D00229CFDB58CFA9C884B9EBBF0BF49310F14812AE819AB391D774A845CF95

Function 065213E8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8f0b6181fcff88ddd43a6bbb9c69c747cee6b671c9c534b8734a4ce8fcb962
Instruction ID: 2f2697c116dfa9f7133d7672df885618d6538b566336e810832db995caf2df1b
Opcode Fuzzy Hash: 3f8f0b6181fcff88ddd43a6bbb9c69c747cee6b671c9c534b8734a4ce8fcb962
Instruction Fuzzy Hash: 8D313034B106269BDBA4DA68E95496E77F6FF89604F10806ADA06E73C0DF349C01CBD1

Function 065213D8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16aebef09765163cbd9205eeb57e90ca6770a13d9a4734d84a309c43d81352b
Instruction ID: b0cff78734b353796204dacad10445c667fd3757ffff0c6e58ae17954b07e06e
Opcode Fuzzy Hash: a16aebef09765163cbd9205eeb57e90ca6770a13d9a4734d84a309c43d81352b
Instruction Fuzzy Hash: 9B316E34B102269FDBA4DB68E554AAE77B6FF89204F10806ADA46A73C4DF349C01CBD5

Function 06527432 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b7f511b693ee7c8f20118dc04bb432de57bee0742d9a1c12e1433ad3dd013e
Instruction ID: 40782ffd945ccbf275828bbd717bbd800a7a5f1effb458ebcb586dacf70c1261
Opcode Fuzzy Hash: 43b7f511b693ee7c8f20118dc04bb432de57bee0742d9a1c12e1433ad3dd013e
Instruction Fuzzy Hash: 59314974A042198FDB54DFA9C954AADBBF2FF89340F608569C005AB295DB349C02CF54

Function 0652C372 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb89de655ffee698838bff6c0d9dd7c685d11d576bc8a0293e9c94c10e7f3d3
Instruction ID: 1db3ad6ba11359093d88ac66b9a13d8add3c40d6ab7cdb51ad064ce10b7f45f0
Opcode Fuzzy Hash: 3fb89de655ffee698838bff6c0d9dd7c685d11d576bc8a0293e9c94c10e7f3d3
Instruction Fuzzy Hash: 5721EC307007518FC742EF29A4142AE7BB2FF8A710B52456AE945CB385DB381D4A8BD2

Function 06529EB8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a210e78e9bc930f3abc10783d2e801711521ba8d9c3f9d36f8dd6568c4c587fe
Instruction ID: ac5be0774201b66e736504336ef0301220e2af71701167b1c34992c9b877c351
Opcode Fuzzy Hash: a210e78e9bc930f3abc10783d2e801711521ba8d9c3f9d36f8dd6568c4c587fe
Instruction Fuzzy Hash: DA210479B04119ABC745DF99C558A9F7BF6EB8D300F208068E906A7384CF345C428FE0

Function 06527968 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40508aab5866be083945ab68c1f3fdf077b480611aec83e5439d147d326dad58
Instruction ID: 98b600da42a55aa630bd37053f355dda205b8ad6273f0b186a22154cc4b78897
Opcode Fuzzy Hash: 40508aab5866be083945ab68c1f3fdf077b480611aec83e5439d147d326dad58
Instruction Fuzzy Hash: 45211530600A128FD724DF19D544A52F7F5FF89320F45CA6ED49E8BAA5D774E885CB80

Function 017817F8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167ed610e48699504a9530d50e187fa10d03a7efb320e2f8a101f6eef599492d
Instruction ID: 04d60f39e56e19f2bc661cdb780994d873efef4ecdc3d8e0edda3f6cc91f02ec
Opcode Fuzzy Hash: 167ed610e48699504a9530d50e187fa10d03a7efb320e2f8a101f6eef599492d
Instruction Fuzzy Hash: C711E7307402009FC305EB2DD859A2ABBE5FFC976076551A9E90ACF355EE74DC018B90

Function 06527A38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10caf641ba7d84c9c908024c51e68416717f4cb801d1cda23f2a8e9268081f85
Instruction ID: 3252ceafdc4f978052e94605e010bf7c294b1d0e330012b5b5030240233c2b3f
Opcode Fuzzy Hash: 10caf641ba7d84c9c908024c51e68416717f4cb801d1cda23f2a8e9268081f85
Instruction Fuzzy Hash: 951160717002519FD774CF29D888E57BBE9FB8E324B5485ADE04AC72A2D730E846CB60

Function 01781808 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7ecb94bed3b7f7ac998515c68c1fce5724bffd6467645f5de5fdfbdadbcabd
Instruction ID: 85379504bdb4ea785a6f6d8c64eb72134bd8502e7ed4dda60f08069e72477410
Opcode Fuzzy Hash: 9c7ecb94bed3b7f7ac998515c68c1fce5724bffd6467645f5de5fdfbdadbcabd
Instruction Fuzzy Hash: 8911A5317401019FD305EB6DD859E2ABBE9FFC87A0B559169E90ACB354DF74DC018B90

Function 06529EC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9765d6eaa51be7315eed12254c60b37d0b07ef71f977a93fd314601d963ab77
Instruction ID: 0da556f91f543fd778f83213dc0b735aa18a0901fd534f78e722ed14198f9905
Opcode Fuzzy Hash: a9765d6eaa51be7315eed12254c60b37d0b07ef71f977a93fd314601d963ab77
Instruction Fuzzy Hash: 6411AC39B101199BC745DE99D558A9F77F6EBCC300F608069EA06AB384CE396D428FA1

Function 0652C725 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc6974f9641789d0b229b904fb841941cc4818f81951b78d229b0716afa5560
Instruction ID: beb4684192d216c81cdb85ede6d9fc8ea4b1e82b0b1e787b89fe03e60282e97f
Opcode Fuzzy Hash: 0bc6974f9641789d0b229b904fb841941cc4818f81951b78d229b0716afa5560
Instruction Fuzzy Hash: 8B114C793100158BC784EE69E62866F76A7EBEC301B558029D51ACB394CF386C428BD5

Function 0652C3A0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a400ed87557c3cb61d1b660cbc81a030a56137e5f40dd2befbf8a987b6e2f5
Instruction ID: b1131e2fb2752cf866e5196e39b1f4bbf59f4a3d19b298a06ded7efab4c37dea
Opcode Fuzzy Hash: 98a400ed87557c3cb61d1b660cbc81a030a56137e5f40dd2befbf8a987b6e2f5
Instruction Fuzzy Hash: B111D030B006258BC794EF2AA50969E7BB2FFD8710F518529D90ADB388DF345D418BD5

Function 06522770 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203f1c6abe0238c16d32eb6610854352f11fde20f7f0a43d4f8578cc6d72afb7
Instruction ID: 8713c8fd81ad405654d95ca30c568faa99211f27a1e7a37246fab46296983d30
Opcode Fuzzy Hash: 203f1c6abe0238c16d32eb6610854352f11fde20f7f0a43d4f8578cc6d72afb7
Instruction Fuzzy Hash: E4110876609104AFC341DF64CC4AA5A7BB4EF97200F5484EAD949CB362EE31EE16CB91

Function 06526AD1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e4f93416e2b07c387e7f9b7ae8b84b6c9c8c989878badeb92957e1c75146af
Instruction ID: 2960965f24534934a7494fdd36c4b9ae3f636b9b56b2aab593b26e6993f7e9e4
Opcode Fuzzy Hash: 94e4f93416e2b07c387e7f9b7ae8b84b6c9c8c989878badeb92957e1c75146af
Instruction Fuzzy Hash: 0C016D397043518FD7208F69D848DAABBF6EFDA260719446EF58ACB362D631EC01CB50

Function 017808F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ece87d211e37c0a92eab45cab0adb1252ac6ea39a0279473929742ec97f7f88
Instruction ID: 00c1252e415a86f1167a1978a4702a66aa3e752b575674ca74634c7bc0a9b27e
Opcode Fuzzy Hash: 6ece87d211e37c0a92eab45cab0adb1252ac6ea39a0279473929742ec97f7f88
Instruction Fuzzy Hash: 2001E79158E3D40FDB03A7701D65860BF396A1315134E85CBE4CACF0A3E189490DCB7B

Function 0178097D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5d29c824adbd531d844cc39b32f7b9cbb642ba6a3441213a2a73948539eaa8
Instruction ID: 5a862b82d2f64235b62b47df54d83503b865209cb40c1b063d709699c22ca19b
Opcode Fuzzy Hash: fc5d29c824adbd531d844cc39b32f7b9cbb642ba6a3441213a2a73948539eaa8
Instruction Fuzzy Hash: 7D11C274A4C6168FD30AAF768004196F7E2FBD5301F69C1BBC44B8B655DA3898478F42

Function 06529C90 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d422fc72f3c68420060154d6a1be426f50c4d4ce771e75b843d455771fb02ccd
Instruction ID: ff8d0fac36c3e304acae14e313f2e226272abf2871fd7f2ded5cde67adf72a9b
Opcode Fuzzy Hash: d422fc72f3c68420060154d6a1be426f50c4d4ce771e75b843d455771fb02ccd
Instruction Fuzzy Hash: F9018431B002298BCB55EB68D5197AF76B3ABC9700F104119D905AB389CFB81D06CBD5

Function 06526AE0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2a19556ed1e800114e31e9018bcab5cbb8f5b4a00e0d81b278e7b15a21aa67
Instruction ID: 519b2519a27e2b7de461dda2e75478c453b89ac1b0a07cae8f76d43e592a7d36
Opcode Fuzzy Hash: 7b2a19556ed1e800114e31e9018bcab5cbb8f5b4a00e0d81b278e7b15a21aa67
Instruction Fuzzy Hash: 0A01A2397002058FC720CF6AD888D6ABBE6EFCE3607154469F549CB361DA31EC01CB50

Function 0142D7F1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4575723764.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142d000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff486ad1dd53fdfcf81fad308f466e71eb902093f806b690f97dd0ba1ca26b7
Instruction ID: f6970ac9ec78cd1bed0503018c5b1026129a6a8a1c29f26730bbc8a226bfe96e
Opcode Fuzzy Hash: eff486ad1dd53fdfcf81fad308f466e71eb902093f806b690f97dd0ba1ca26b7
Instruction Fuzzy Hash: 7A01A7718043549AE7104AAACD84B67BFD8EF41764F58C41BEE1D5B2A6C6F89480C6B1

Function 065226C8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b23b7643e4bdc9a368f3097cf24a2682b1c243e4d564f3a559e8b2044f816f2
Instruction ID: 92f0c375c9cb656b62c34feb6186c2647801d135eb1d6600161866b2a8dee492
Opcode Fuzzy Hash: 7b23b7643e4bdc9a368f3097cf24a2682b1c243e4d564f3a559e8b2044f816f2
Instruction Fuzzy Hash: F90181767092809FC782C714DC99615BFB1DB93110F0985EBD548CB3A3DA26AD1ACB51

Function 0652CDA0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdfc1f9376a9b0d60eb6faafc3d5dd0958fd7d1c7abdf15f6fcd34eb78b2590
Instruction ID: 96058b50774e711e9265db9551f5fd28fe90e7f00fbd9ba022eacad90be5caea
Opcode Fuzzy Hash: 1fdfc1f9376a9b0d60eb6faafc3d5dd0958fd7d1c7abdf15f6fcd34eb78b2590
Instruction Fuzzy Hash: 6C1103B58007498FDB60DFAAC984BDEBBF4BB48324F208419D519A7250C7B4A944CFA1

Function 0652CDA2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63819ac6b9497e47a3dcd6f35a86c10cae39fe1714ff73ca7fb49cc4e96b8cd7
Instruction ID: 333d82cc0079780d2305a116c95ae23f9735b78e32ab2a33e2f16d00e0cfa14a
Opcode Fuzzy Hash: 63819ac6b9497e47a3dcd6f35a86c10cae39fe1714ff73ca7fb49cc4e96b8cd7
Instruction Fuzzy Hash: 6D1115B5800749CFDB60CFAAC5847DEBBF4BF48324F208419D519A7250C7B4A944CFA1

Function 0652C3E7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8719e44962776ccc254dfc9714d2a7334fde40e7ad9cbee87db1c5942bb7197a
Instruction ID: 44f71470cf10ee61c2b1e2e194e52fd0745d19d2a8cd113bc30204bb34b7d9d5
Opcode Fuzzy Hash: 8719e44962776ccc254dfc9714d2a7334fde40e7ad9cbee87db1c5942bb7197a
Instruction Fuzzy Hash: 97F0FF303002208BC694BA2AA41569E3BB2FFD4710F61892DDA069B388CFB82D4587D5

Function 06522830 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8458ec1970f64b517dbbbe7c159d0fc84efb903672d3fec513369e428e4be8ab
Instruction ID: dcb93c4ed280f4da305b9f763bc527b642c0687f881361225c3dcd08350c8c11
Opcode Fuzzy Hash: 8458ec1970f64b517dbbbe7c159d0fc84efb903672d3fec513369e428e4be8ab
Instruction Fuzzy Hash: 5DF0E97A505104AFD705DF64C8427997FB1EF87210F9844FE9906DF252EE329E064B81

Function 0142D7F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4575723764.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142d000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d1cbb3594f250b4c8e2106a4245179b2a240aa62147e8ec4b9aea2b7cccb2e
Instruction ID: c30d341a73b9c93af1a4e5e15ccd3f1306d0a82b48ff90eeafb5b3bb378c58af
Opcode Fuzzy Hash: 50d1cbb3594f250b4c8e2106a4245179b2a240aa62147e8ec4b9aea2b7cccb2e
Instruction Fuzzy Hash: A5F062728053549EE7118A1ADDC4B63FFD8EB81734F18C45AED1C4B297C2B9A884CAB1

Function 01780860 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7628c7b8aa99a6ad5c9de8c42137cc49fe25f3b80ffc51535d7776c3062e540
Instruction ID: 536acf9fd60ca366a08da71f24a815c920ca0e5218d3f7df95cec87b6b49f193
Opcode Fuzzy Hash: d7628c7b8aa99a6ad5c9de8c42137cc49fe25f3b80ffc51535d7776c3062e540
Instruction Fuzzy Hash: ACE075980EE3C08FCB17676518292A4BF307E4316139E18D7E5C2CF4A7D108598E97AB

Function 06521001 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b6bd2675eb840c98d97ed4bf12a9d3cf2f9fe584544df906021af6f869c5b2
Instruction ID: a26ed373b9a7c6f61cc2bdcbdd3584f167434eecfbed761ca66a4b5173e8b26f
Opcode Fuzzy Hash: 92b6bd2675eb840c98d97ed4bf12a9d3cf2f9fe584544df906021af6f869c5b2
Instruction Fuzzy Hash: 21F0E571A493808FC702EBB48C516D93FB4DF57220F4902FBD019CB2E7E5244E08A782

Function 017808A4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb6417d161daf9189e37b5f5a35dab74dfac5543304adea53838b426962501d
Instruction ID: b77a0224b2786e83eac79509e851d1410664e26b217c213144185000e2afe783
Opcode Fuzzy Hash: 8eb6417d161daf9189e37b5f5a35dab74dfac5543304adea53838b426962501d
Instruction Fuzzy Hash: B0E08670945309EFDB04EFB4D94486DF7BCFB4421571044ADE906D7201EA351E049BD1

Function 06522728 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be6e72667cd1b798a75b1a0e8621ca818c0ec9bef2410bf684ed0e33c471ec0
Instruction ID: c039fd16e6e6926a31ac8d868a389872e8ee43fbb2fd7ab5ad4eb90a8ac33d9d
Opcode Fuzzy Hash: 1be6e72667cd1b798a75b1a0e8621ca818c0ec9bef2410bf684ed0e33c471ec0
Instruction Fuzzy Hash: 2DE04F753041056FC388DA14CC95916F7B1AFE9214B18C46D784DC7352EE32ED43C715

Function 0652C0D9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7efd5b558d7151bbce187c92597fe18174fff57b243dc342efd81d24d1ee755
Instruction ID: 0ba88a005e19e3621c95b99de40af2008c967f2ce2818350a80325cc30f51e64
Opcode Fuzzy Hash: e7efd5b558d7151bbce187c92597fe18174fff57b243dc342efd81d24d1ee755
Instruction Fuzzy Hash: CDE0867190A3C6EECB52CFB4845009EBFF49E4730071454DBD184D7552EE305E28DB51

Function 0652A818 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995e1cfdec375846884685d9343024603cde67dca4713e17edcd03c1718b1083
Instruction ID: 2e5dcffadd79da835c125e6e2d352c3bfa6d9a23b214d2a231e56bb20ea34b41
Opcode Fuzzy Hash: 995e1cfdec375846884685d9343024603cde67dca4713e17edcd03c1718b1083
Instruction Fuzzy Hash: A5E0C276608211DFC702DF90F9508DAFBB1EF8B600B05448BE880BB612C725AC46CBB3

Function 0652C110 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3ac7c860e261a761537a77fd3b5d1fb43095bb414733a18a73dfee0f3c6c9c
Instruction ID: 8b771078943607d577d8030da022d763017cf0fed037db5d8f86d7e0a8adac1b
Opcode Fuzzy Hash: 9b3ac7c860e261a761537a77fd3b5d1fb43095bb414733a18a73dfee0f3c6c9c
Instruction Fuzzy Hash: 4CE08C3910C2819FC302CBA8F950896FFB1AF8B600714488AE4C067312C6228C26DB72

Function 017808A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0980c094b856ac31384ac04333dd65040d9ea1062b3cc05e336675ca68e8b20e
Instruction ID: 07b2cd7b599d8723f6f42c6cd9c04bf7e5dc408398db0d511701be264cd5991c
Opcode Fuzzy Hash: 0980c094b856ac31384ac04333dd65040d9ea1062b3cc05e336675ca68e8b20e
Instruction Fuzzy Hash: BAE08C70A45309EFCB04EFB4EA0445CFBB8FB44211B1044ADE90A9B200EA361E009BC0

Function 0652CE68 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e025b635cac616074b65030ac856393162d7db1c43eea68d5ac47d1b6e3f506e
Instruction ID: 26939ec462948d915c22f7ce6b0fd8a27a8b064c9615ecb4f14ea3180a638156
Opcode Fuzzy Hash: e025b635cac616074b65030ac856393162d7db1c43eea68d5ac47d1b6e3f506e
Instruction Fuzzy Hash: CDE0EC7961C3C25FC742DB24E450896BF71AF972047259C8AE49087263D7228817D7A2

Function 06529E89 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7b4edaa4910d6bb26482b83e48947706c397c0f44d92f501f3103647445282
Instruction ID: 55f619868af9f79c9f0cf94eddfaf1dfed0266d891632594a11cf6aeada1175a
Opcode Fuzzy Hash: 3b7b4edaa4910d6bb26482b83e48947706c397c0f44d92f501f3103647445282
Instruction Fuzzy Hash: 42E0EC7520E382AFC742DB64E960867BFB59FDA600B19888EE4C097252C6219D26D772

Function 0652A8F9 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13f3b0bee747b6c6ce581894ec0b257f38a44da89c823d10e7174db0e9dd62b
Instruction ID: 2b159c3c69fa7d71acddf1829d201b62c427573c7ccb87a742094e871e684c3e
Opcode Fuzzy Hash: e13f3b0bee747b6c6ce581894ec0b257f38a44da89c823d10e7174db0e9dd62b
Instruction Fuzzy Hash: DFE01231108391CFC706DF54E4504A6FB71BF8B210715998AD4845B252C731DD1ACB61

Function 0652C670 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d087865f89daf53969eab63b46bcb232d7166cd27268ca38c9e0c850722bce26
Instruction ID: 64ad402698faa3345d1cd7d0c5b4c9a41ebdeb8dd6d9cb4207f52fb8610060a3
Opcode Fuzzy Hash: d087865f89daf53969eab63b46bcb232d7166cd27268ca38c9e0c850722bce26
Instruction Fuzzy Hash: D2D0522121E2801FC78293388C660D1BFA0CB4324836AC8DAC0C8CB2A3D621A81B9312

Function 0652A6A1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58ed12dd952049fbab8226eb227e68974b9bb1423ff7448a60e20d190e1a741
Instruction ID: 70f2c3f7872e86575dc826f5c8c11d469a3529f5433cc03f17d3a1a62581e859
Opcode Fuzzy Hash: f58ed12dd952049fbab8226eb227e68974b9bb1423ff7448a60e20d190e1a741
Instruction Fuzzy Hash: A5E0123510C3D15FC747DB24E460896BF61AFD720071848CAD4D18B293C7529916C761

Function 06522210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca03090722a6c7bcd2065d86bbf71d7757470c161a22ea5d3dbc3c592168cd7
Instruction ID: 9dbb9328effd29fe16be8fd579d56e2269d2755778a3214247c224040b83bde1
Opcode Fuzzy Hash: dca03090722a6c7bcd2065d86bbf71d7757470c161a22ea5d3dbc3c592168cd7
Instruction Fuzzy Hash: 88D0C7352101019BDB55CF19DC81B5477B1EFC2305B94859D9504CB256DA77DD07CF84

Function 0652B0D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9571dfaa82dfd1c10160f8189cd7678774b01a86cee2abd3f91a4b6cf98eeca
Instruction ID: 8d64662b238c0958a23a7808168fdd8bd0ce2b8c905aff80e19774e9726fa410
Opcode Fuzzy Hash: a9571dfaa82dfd1c10160f8189cd7678774b01a86cee2abd3f91a4b6cf98eeca
Instruction Fuzzy Hash: AFE0C27624C2829FC342CB68F9A1856FFB09F86610718888FE0808B183C221CC1ACB72

Function 06521ED2 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f43b8bd62fedbcdd85a8553d9fc218f35bce371e7f11915301060180032717f
Instruction ID: 4b5a44a5c253e002c6164657058d4d0ed32eb10ad41f450239bc81298769893a
Opcode Fuzzy Hash: 7f43b8bd62fedbcdd85a8553d9fc218f35bce371e7f11915301060180032717f
Instruction Fuzzy Hash: CAD05E7A900009DFC740CFE8CA4179E7BF0EF45205B5145EA8648D7611EA329F249B81

Function 06528479 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7667c29ab92ee6e07dd9a86f5e6bc93c205342e174031c04fcccc05d423a5c32
Instruction ID: 3a593632909b2fe2bda00db1c66f1e19d5c705270192f03aed0472878b6210e5
Opcode Fuzzy Hash: 7667c29ab92ee6e07dd9a86f5e6bc93c205342e174031c04fcccc05d423a5c32
Instruction Fuzzy Hash: 94D05E7A2082909FD340DB08DC50D27BBA5EFD5204F14889EE85183352C772DC17CB50

Function 06521EE0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04293cf13b90ef0c6afe7e44052063948e3a24e3c1ed7048e0076197b2d8b1f
Instruction ID: 48f5a4107b73bf5ef9829e129f15cba53c45a68221c1cb526680b3a890b1ff99
Opcode Fuzzy Hash: d04293cf13b90ef0c6afe7e44052063948e3a24e3c1ed7048e0076197b2d8b1f
Instruction Fuzzy Hash: 5AD0127590110DEF8B04DFE4C90159EBBFDDB4A210B9055E6DA49D7210FE325F145BD1

Function 06522FC8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16cc1e70d7a9b32a800edd3da3ded567383de9ef01d4d93a99d99af83359ec8e
Instruction ID: f19a89618f836aa2b76e3e267ad17c5cfee053a81a2fbfb9f4fa53e09dec2add
Opcode Fuzzy Hash: 16cc1e70d7a9b32a800edd3da3ded567383de9ef01d4d93a99d99af83359ec8e
Instruction Fuzzy Hash: 59D012713010445BC304E504C842B11E3B5DBC5210F1DC42C654DC7357DA36EC0BCF00

Function 065285A8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fed1fd36e6a884054b329d8688d1de79b318a45e29d1ad9636087851f4abbef
Instruction ID: 71490d6a91e5ce3edec9f6ec2a6cdabcd97644c47e6f665f1d6023457cf9d372
Opcode Fuzzy Hash: 5fed1fd36e6a884054b329d8688d1de79b318a45e29d1ad9636087851f4abbef
Instruction Fuzzy Hash: 40D05E313086408FD204CF48E841E05B7A1FF84204F04884AE54197352CB22D816CB51

Function 06521030 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a70cd2aa22360b3db7c6664ad138d56c11497563ddaa031a958c48d40afd068
Instruction ID: 5755a98b78bfe6c2ceed75f924f0da9b3cb70104620ab026ee6f64ac2d964111
Opcode Fuzzy Hash: 9a70cd2aa22360b3db7c6664ad138d56c11497563ddaa031a958c48d40afd068
Instruction Fuzzy Hash: EFD0C97190110CEF8B01EFA4890159EBBFDDB49210B5045EA9A08D7210EE319E145B92

Function 0652C0E8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d392fdc0ca522b49b7c3752c9d4f7a7375c752626f4dca8a5f977fec0e8a26e
Instruction ID: 4ce8bffddb260f453716afb28b9973766fd70920331a519e570cd8aa8753f572
Opcode Fuzzy Hash: 5d392fdc0ca522b49b7c3752c9d4f7a7375c752626f4dca8a5f977fec0e8a26e
Instruction Fuzzy Hash: 35D0C971D0120CEB8B00DFE9894059EBBF9DB89210B5045E69A08D7610EE315E149B91

Function 0178152A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1945f835e14c66c2e38f9111cf81f309d4dc1cc76a304c8ed4c539b659b58d15
Instruction ID: 766d7cda7ce5c13334a98ad98aa9fca798c1c4e3d3df22ad313f3d21a32c5805
Opcode Fuzzy Hash: 1945f835e14c66c2e38f9111cf81f309d4dc1cc76a304c8ed4c539b659b58d15
Instruction Fuzzy Hash: 5BD09738A08600CAE704BF2BC000208F2DABF80302F90C17BD84FE2005EB30D8828B01

Function 065281A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9609dc4da50a9a7021ba3b31ac2705b1c66d7ae9b0492c35a875b78ddacb3f64
Instruction ID: 460bb59040731cd7dfb3cc21c802f794307402407d89d7b3d93cbb5ef9d9a06f
Opcode Fuzzy Hash: 9609dc4da50a9a7021ba3b31ac2705b1c66d7ae9b0492c35a875b78ddacb3f64
Instruction Fuzzy Hash: 0ED05E752082818FC240DF18E890D06B7A1FF85208F148889E55187366C722D816CB11

Function 06528E08 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6665a9771cd412db13637ae2e2fb388166c399cbf3c9f3f9a590b579eabf8e29
Instruction ID: a4e29b16a490031cd349b7495bf126292bb7d7ad18d8422271ab382a129588ea
Opcode Fuzzy Hash: 6665a9771cd412db13637ae2e2fb388166c399cbf3c9f3f9a590b579eabf8e29
Instruction Fuzzy Hash: B8D012742150408FD300CB54CC65E417761EF95705F14D0AFD4448B397DA32D907CB59

Function 065213B1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25089d970c508db3a3c3b32888ad378a7796468cad7db2423cadff88127632dd
Instruction ID: c4eee95065de7f8547a9735796998ef34a7efd0c20e13a552123a83f07c51574
Opcode Fuzzy Hash: 25089d970c508db3a3c3b32888ad378a7796468cad7db2423cadff88127632dd
Instruction Fuzzy Hash: C9D0C9797045419BD304C718CC95A16BBA5EFD4245B54C8ADA549C7366EB31EC22CB44

Function 0652A828 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 0652C120 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 017818C9 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8f0c154d442ede6ffe2cc654514b3dca254691dbe3877772c2a565a76b868a
Instruction ID: 3512274e3e751bdcd9f481688a06642982c10a5d154b410c3bdd2fa14242446d
Opcode Fuzzy Hash: 4e8f0c154d442ede6ffe2cc654514b3dca254691dbe3877772c2a565a76b868a
Instruction Fuzzy Hash: F0C080B6D403525FDB161F7450441E87BB0AE933313424597E005C9155D6744C66DB40

Function 06528AC0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d94cb996cc59753904e4089799e4cedb5b1d09fd0959e57f8831461b20fec3
Instruction ID: 799f2af3081a8eac231e5c0976a6e65e235c660d05d0a57214e27ab992887c9a
Opcode Fuzzy Hash: 62d94cb996cc59753904e4089799e4cedb5b1d09fd0959e57f8831461b20fec3
Instruction Fuzzy Hash: E8C012B1A0A2804FC30392288C61000BBB0EA9312434E81CAD498CB2E2EB22D8068701

Function 06529152 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fc692366b80803ead8efe92fd6a529898a56c016977388cb3a0c0c2bc11e5d
Instruction ID: 0781c1faccd27c6b1bde435debc9db51ad0e67e179fbd3221d87c73c688b02ca
Opcode Fuzzy Hash: d9fc692366b80803ead8efe92fd6a529898a56c016977388cb3a0c0c2bc11e5d
Instruction Fuzzy Hash: FDD0122000E3C1AFCB038B70C9A0411BFB0AE4321832E84C7C8C0CF2A3CB268827E311

Function 01782EB7 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7940867ca84e6b826953be9abd42eb3f0e5c7e76ccf5376398cede9c4698a4
Instruction ID: fa4d2170deb0ec13bfe87a23b0f4ec51db9f125bec686759cd9919704752348a
Opcode Fuzzy Hash: 5e7940867ca84e6b826953be9abd42eb3f0e5c7e76ccf5376398cede9c4698a4
Instruction Fuzzy Hash: F8C08034604004ABCF055B90D4144ECFAF3FFDC311F100015F50172254C6365D809B21

Function 06528FF0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd18fd0894951a8b2066becafef6a145b576581c0718b376c6d4e2d3ebc953c
Instruction ID: d37fc396eb4966a35102aa1b163a833becf11e04d19093aede5892f3e7885020
Opcode Fuzzy Hash: dbd18fd0894951a8b2066becafef6a145b576581c0718b376c6d4e2d3ebc953c
Instruction Fuzzy Hash: CFB092A27492D48FC30AA2288A288047F208F8350A72940EED0908F0BBEA958945C72A

Function 0652BFB1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69aa3918a531540b7955f0d4cb16fddcf549627cfd2fa616acc12f40f6d21703
Instruction ID: 53e95bfcc92b55302b1a76588d479e8b494b9f72e787d52d3562c38e39a47047
Opcode Fuzzy Hash: 69aa3918a531540b7955f0d4cb16fddcf549627cfd2fa616acc12f40f6d21703
Instruction Fuzzy Hash: D7C0024805E7C11ED74797745C74696BFB04F03249B2E11DBC1C08A4E3E256852AD71A

Function 06520EF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06520F50 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 0652BFC0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 065294E0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06520A80 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06529860 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 01780940 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4aa9c8f1760a98082a76ad6817ba82748750521c59cccbfdf2cda71b0266737
Instruction ID: 2c8a4bc6b5d4679f0dfaf04e4023551a50d37e3532c200495c1c00113b46a9da
Opcode Fuzzy Hash: b4aa9c8f1760a98082a76ad6817ba82748750521c59cccbfdf2cda71b0266737
Instruction Fuzzy Hash: 0290223000020CAB000023803008800330C80002223800000B00C000008A0020000AB2

Function 065287D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Non-executed Functions

Function 065229D2 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

@, xrefs: 06522D90

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a386ffec25d5d16e98a5edbb7364551bf921cd592cd4103cac2812a6f62941f3
Instruction ID: 58c384b5ef4eef36d5dea7e832cad3841dd00f6e5c3e16a107457ac0346a0b15
Opcode Fuzzy Hash: a386ffec25d5d16e98a5edbb7364551bf921cd592cd4103cac2812a6f62941f3
Instruction Fuzzy Hash: 83A1EE39710011CFE784DF28F6A9A7637A2FB89205B5A8169DC06DB764DF38BD41CB80

Function 06524E53 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447f3079a8115211cf4a741215700920987bff0cf1f9aa469ff3a6077d07bbf8
Instruction ID: 9c8890a2272223f13521390ef14fae1cac2b6445a2f9036d19255334a8dbcdbf
Opcode Fuzzy Hash: 447f3079a8115211cf4a741215700920987bff0cf1f9aa469ff3a6077d07bbf8
Instruction Fuzzy Hash: 42D1BC74B501158FD794DF28DA98B6A77F2FB88204F5580A9D90ADB394DF38AD81CF80

Function 06524E5C Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facdaa54b174cb68b646b889e9b2e238235c4427cf00200225a48c98fdb4691a
Instruction ID: 866841d28f782c19d7bbc51e834926d4f4aced7b589d2e0582f8680b1917ae68
Opcode Fuzzy Hash: facdaa54b174cb68b646b889e9b2e238235c4427cf00200225a48c98fdb4691a
Instruction Fuzzy Hash: 01D1BD74B501158FC794DF28DA98B6A77F2FB88204F5580A9D90ADB394DF38AD81CF80

Function 017848A0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00aa8b92bd3d480a85c0d55aa33fd15711c6c00449dbbbe5ba4b0343f69d06f5
Instruction ID: 23de359f702d1386d17190211738a5e004919a74e8ebbf4075ea8aa9b55b28ec
Opcode Fuzzy Hash: 00aa8b92bd3d480a85c0d55aa33fd15711c6c00449dbbbe5ba4b0343f69d06f5
Instruction Fuzzy Hash: 5BB17C71E0052A8FDB15DBA8C8807ADFBF1FB88304F588669D466E7206D774ED42CB94

Function 06524F48 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581985283.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7ecf5c64f5e7a6d507cd7ef30852b8fbf2ca3687373632fe0d83cc26d3c83a
Instruction ID: 37d3f0269b179a21967ba845372307f809bb9cb83794ccb67a71e4e129f9d78b
Opcode Fuzzy Hash: 0d7ecf5c64f5e7a6d507cd7ef30852b8fbf2ca3687373632fe0d83cc26d3c83a
Instruction Fuzzy Hash: 83B1BD74B501158FC794DF28DA98B6A77F2FB88204F5580A9990ADB394DF38AD81CF80

Function 01784890 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d9eaa77f1f33481a6e22235f30a84badbee533ff2721ae8335d8c0c3e5f288
Instruction ID: 5c604042409bec9d81d5d6b01a30cf96b2b71cdd428d99ec0ed846bea72db0b1
Opcode Fuzzy Hash: 89d9eaa77f1f33481a6e22235f30a84badbee533ff2721ae8335d8c0c3e5f288
Instruction Fuzzy Hash: 8D815B71E4052A8FDB15DFA9C8806AEFBF1FF88300F588269D456E7206D774E946CB90

Function 01781C1F Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fcfb602a6ca8ad577cf4115b35406249149c5a87570d5e1e6e3f9d5972b98b
Instruction ID: 914dda68789e9605f71a8be98ad85575002d3e33e8379d5018c8cda1a3bef6b2
Opcode Fuzzy Hash: 58fcfb602a6ca8ad577cf4115b35406249149c5a87570d5e1e6e3f9d5972b98b
Instruction Fuzzy Hash: D8612671E006058FE70DDF6AE84469ABBF7FBC8341B14E52EC405AB2A9EF7859058B50

Function 01781C30 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4576560845.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587f5790416d13db08b5edf500763cb578921442c41878d27b0826160391d04e
Instruction ID: 21bed63d39d8318a98d6c1993214f4b8d132283142f9c85ce2ea908830d1fa6b
Opcode Fuzzy Hash: 587f5790416d13db08b5edf500763cb578921442c41878d27b0826160391d04e
Instruction Fuzzy Hash: 9D512771E006058FE70DDF6BE84469ABBF7FBC8340B14E52EC405AB2A9EF7859058B50

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WZ6RvDzQeq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
WZ6RvDzQeq.exe