Edit tour

Windows Analysis Report
eovQPjY5wz.exe

Overview

General Information

Sample name:	eovQPjY5wz.exe renamed because original name is a hash value
Original sample name:	84263ab03b0a0f2b51cc11b93ec49c9f.exe
Analysis ID:	1519285
MD5:	84263ab03b0a0f2b51cc11b93ec49c9f
SHA1:	e6457eb0e0131bec70a2fd4d4a943314f0bd28d4
SHA256:	7d6e4e01c452dd502361640ee095e2bee35e3f55fd11edc9e94c3580d2c132b5
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected RedLine Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Installs new ROOT certificates

LummaC encrypted strings found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

eovQPjY5wz.exe (PID: 1060 cmdline: "C:\Users\user\Desktop\eovQPjY5wz.exe" MD5: 84263AB03B0A0F2B51CC11B93EC49C9F)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 6688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

saLBqUuaxl.exe (PID: 732 cmdline: "C:\Users\user\AppData\Roaming\saLBqUuaxl.exe" MD5: A3EF9920A91B891837705E46BB26DE17)

aqYlLZ8hwJ.exe (PID: 6904 cmdline: "C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe" MD5: 4E60F3FD76D9EAB244F9DC00F7765B0B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: LummaC

{"C2 url": ["offensivedzvju.shop", "reinforcenh.shop", "ghostreedmnu.shop", "lootebarrkeyn.shop", "gutterydhowi.shop", "drawzhotdog.shop", "stogeneratmns.shop", "vozmeatillu.shop", "fragnantbui.shop"], "Build id": "FATE99--Mix"}

Threatname: RedLine

{"C2 url": "65.21.18.51:45580", "Bot Id": "@LOGSCLOUDYT_BOT", "Authorization Header": "3b888690d495b9792a58ef1c36d35d19"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.1717964881.0000000000252000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6688	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: aqYlLZ8hwJ.exe PID: 6904	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aqYlLZ8hwJ.exe PID: 6904	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.RegAsm.exe.436080.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.aqYlLZ8hwJ.exe.250000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.RegAsm.exe.436080.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Suricata Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:58:25.615211+0200	2043234	1	A Network Trojan was detected	65.21.18.51	45580	192.168.2.4	49730	TCP

ET MALWARE Redline Stealer TCP CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:58:25.407694+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:30.721331+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:31.062539+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:31.334152+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:31.658118+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:31.867486+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:32.081416+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:32.353299+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:32.737429+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.066743+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.273704+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.483573+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.749163+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.958138+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:35.187403+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:35.488246+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:35.696227+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:35.903268+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:36.123951+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:36.374287+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:36.586135+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:36.791735+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:37.235137+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:58:31.067627+0200	2046056	1	A Network Trojan was detected	65.21.18.51	45580	192.168.2.4	49730	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:58:25.407694+0200	2046045	1	A Network Trojan was detected	192.168.2.4	49730	65.21.18.51	45580	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: lootebarrkeyn.shop	Avira URL Cloud: Label: malware
Source: reinforcenh.shop	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: drawzhotdog.shop	Avira URL Cloud: Label: malware
Source: vozmeatillu.shop	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

Avira: detection malicious, Label: HEUR/AGEN.1318482

Found malware configuration

Source: 00000003.00000002.2945554718.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["offensivedzvju.shop", "reinforcenh.shop", "ghostreedmnu.shop", "lootebarrkeyn.shop", "gutterydhowi.shop", "drawzhotdog.shop", "stogeneratmns.shop", "vozmeatillu.shop", "fragnantbui.shop"], "Build id": "FATE99--Mix"}
Source: 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "65.21.18.51:45580", "Bot Id": "@LOGSCLOUDYT_BOT", "Authorization Header": "3b888690d495b9792a58ef1c36d35d19"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: eovQPjY5wz.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: reinforcenh.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: stogeneratmns.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: fragnantbui.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: drawzhotdog.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: vozmeatillu.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: offensivedzvju.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: gutterydhowi.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: lootebarrkeyn.shop
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmp	String decryptor: FATE99--Mix

Source: eovQPjY5wz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: eovQPjY5wz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_004FD2C0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then jmp eax	3_2_00537600
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0053A7E0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	3_2_0053AC00
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then push ebx	3_2_00505078
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_005240F5
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_005240F5
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	3_2_005350E0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then movzx edi, byte ptr [eax+esi]	3_2_004F7120
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0051A274
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [edx], ax	3_2_0051A274
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0051A2F9
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [edx], ax	3_2_0051A2F9
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	3_2_00532280
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0051A345
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [edx], ax	3_2_0051A345
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0051A345
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_00521370
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov ebx, eax	3_2_004FA3C0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov ebp, eax	3_2_004FA3C0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	3_2_0051C390
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	3_2_0051C390
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	3_2_00539390
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00539390
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00514490
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_005104A0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_005104A0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov ecx, esi	3_2_0051D56C
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0052B510
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esi+000006A8h]	3_2_0050E52C
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov ecx, esi	3_2_0051D58E
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0051F5B7
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esi]	3_2_005046B5
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	3_2_004FF7E0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [edx], cl	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp al, 2Eh	3_2_0051C891
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then xor eax, eax	3_2_0051C891
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	3_2_0050A880
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	3_2_00534970
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	3_2_005389F0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00524A2F
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	3_2_00535AD0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esi]	3_2_00503AE6
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov ebx, ecx	3_2_00503AE6
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	3_2_00503AE6
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	3_2_0051BB00
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then jmp edx	3_2_00517B0F
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00520BD0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	3_2_00538BE0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	3_2_004F4C10
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_00516CA0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then add edi, 02h	3_2_0050DD64
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [ebx]	3_2_0050DD64
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	3_2_004F5D20
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00524DF6
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	3_2_0053AD90
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	3_2_00535D80
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00539E60
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	3_2_00504E26
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then xor eax, eax	3_2_00504E26
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_00537EDE
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	3_2_004FFEBC
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0053AF10
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	3_2_0053AF10
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00516F20
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_0050CFF0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then xor eax, eax	3_2_004FEFFC
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000120h]	3_2_004FEFFC
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4x nop then jmp 073C0538h	4_2_073C0040

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49730 -> 65.21.18.51:45580
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49730 -> 65.21.18.51:45580
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 65.21.18.51:45580 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 65.21.18.51:45580 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: lootebarrkeyn.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: 65.21.18.51:45580

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 65.21.18.51:45580

Source: Joe Sandbox View

IP Address: 65.21.18.51 65.21.18.51

Source: Joe Sandbox View

ASN Name: CP-ASDE CP-ASDE

Source: unknown

DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.18.51
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9;
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002C6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002C6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002C6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000000.1717964881.0000000000252000.00000002.00000001.01000000.00000007.sdmp, aqYlLZ8hwJ.exe.2.dr	String found in binary or memory: https://api.ip.sb/ip

Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

Code function: 3_2_00529000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00529000

Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

Code function: 3_2_00529000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00529000

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp9FD.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File created: C:\Users\user\AppData\Local\Temp\TmpA0E.tmp			Jump to dropped file

System Summary

.NET source code contains very large array initializations

Source: eovQPjY5wz.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 892928

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00402320	2_2_00402320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004050C0	2_2_004050C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00420470	2_2_00420470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040FCF0	2_2_0040FCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00419D19	2_2_00419D19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041951B	2_2_0041951B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415635	2_2_00415635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00404F00	2_2_00404F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040CF8F	2_2_0040CF8F
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00537600	3_2_00537600
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0053004B	3_2_0053004B
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F1000	3_2_004F1000
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0053B020	3_2_0053B020
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_005240F5	3_2_005240F5
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_005350E0	3_2_005350E0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F91F0	3_2_004F91F0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F12A7	3_2_004F12A7
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0051A345	3_2_0051A345
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0053B300	3_2_0053B300
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004FA3C0	3_2_004FA3C0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0051C390	3_2_0051C390
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00539390	3_2_00539390
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F7470	3_2_004F7470
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004FB470	3_2_004FB470
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004FE470	3_2_004FE470
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F5400	3_2_004F5400
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00501420	3_2_00501420
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00500480	3_2_00500480
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0051D56C	3_2_0051D56C
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0050E52C	3_2_0050E52C
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0051D58E	3_2_0051D58E
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00527620	3_2_00527620
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F9737	3_2_004F9737
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F3790	3_2_004F3790
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_005227B0	3_2_005227B0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0051C891	3_2_0051C891
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00539970	3_2_00539970
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F9A02	3_2_004F9A02
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00535AD0	3_2_00535AD0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00539B60	3_2_00539B60
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0051BB00	3_2_0051BB00
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00517B0F	3_2_00517B0F
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00528C00	3_2_00528C00
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0052FD0E	3_2_0052FD0E
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00539E60	3_2_00539E60
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004F7E70	3_2_004F7E70
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00537EDE	3_2_00537EDE
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0051DEF8	3_2_0051DEF8
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004FFEBC	3_2_004FFEBC
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0052EF50	3_2_0052EF50
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004FAFD0	3_2_004FAFD0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_0051DFE0	3_2_0051DFE0
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_004FBF80	3_2_004FBF80
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00538F80	3_2_00538F80
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_009BDC74	4_2_009BDC74
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E967D8	4_2_05E967D8
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E9A3D8	4_2_05E9A3D8
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E96FE8	4_2_05E96FE8
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E96FF8	4_2_05E96FF8
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073CF358	4_2_073CF358
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073C2110	4_2_073C2110
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073C0040	4_2_073C0040
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073C2D18	4_2_073C2D18
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073C7CB8	4_2_073C7CB8
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073CBBA8	4_2_073CBBA8

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe D6945846CC23C01B9C9AD2B97D35B5A14C01F1A4CC2EC651A596F06777BA4FEC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe 171CEF885F6C285E995CE3EC5960C5EA4E4ED049CEC362745058FEE39E4136CC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00407D30 appears 55 times
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: String function: 004FCAD0 appears 53 times
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: String function: 004FED80 appears 194 times

Source: eovQPjY5wz.exe, 00000000.00000002.1713699229.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs eovQPjY5wz.exe
Source: eovQPjY5wz.exe	Binary or memory string: OriginalFilenameVQP.exe< vs eovQPjY5wz.exe

Source: eovQPjY5wz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: eovQPjY5wz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/9@1/1

Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

Code function: 3_2_005281AA CoCreateInstance,

3_2_005281AA

Source: C:\Users\user\Desktop\eovQPjY5wz.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eovQPjY5wz.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp9FD.tmp

Jump to behavior

Source: eovQPjY5wz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: eovQPjY5wz.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eovQPjY5wz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: eovQPjY5wz.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\eovQPjY5wz.exe "C:\Users\user\Desktop\eovQPjY5wz.exe"
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe "C:\Users\user\AppData\Roaming\saLBqUuaxl.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe "C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe"
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe "C:\Users\user\AppData\Roaming\saLBqUuaxl.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe "C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Google Chrome.lnk.4.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: eovQPjY5wz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: eovQPjY5wz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: eovQPjY5wz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: aqYlLZ8hwJ.exe.2.dr

Static PE information: 0xAD9C209F [Wed Apr 19 16:38:55 2062 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00428E7D push esi; ret	2_2_00428E86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004076E0 push ecx; ret	2_2_004076F3
Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	Code function: 3_2_00527333 push 04EC839Eh; mov dword ptr [esp], edi	3_2_0052733A
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E81015 push FFFFFF8Bh; ret	4_2_05E8101A
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E84A48 pushad ; ret	4_2_05E84A49
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E9D413 push es; ret	4_2_05E9D420
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E9C711 push es; ret	4_2_05E9C720
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E9ECF2 push eax; ret	4_2_05E9ED01
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E949AB push FFFFFF8Bh; retf	4_2_05E949AD
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_05E93B4F push dword ptr [esp+ecx*2-75h]; ret	4_2_05E93B53
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073CB924 push FFFFFF8Bh; iretd	4_2_073CB92E
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073CB89B push FFFFFF8Bh; iretd	4_2_073CB89E
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Code function: 4_2_073CB8E0 push FFFFFF8Bh; iretd	4_2_073CB8E3

Source: eovQPjY5wz.exe

Static PE information: section name: .text entropy: 7.999068736163035

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Memory allocated: 910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Memory allocated: 910000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Window / User API: threadDelayed 1433			Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Window / User API: threadDelayed 6970			Jump to behavior

Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

API coverage: 6.3 %

Source: C:\Users\user\Desktop\eovQPjY5wz.exe TID: 2596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe TID: 3624	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe TID: 3624	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe TID: 3236	Thread sleep count: 1433 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe TID: 3236	Thread sleep count: 6970 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe TID: 980	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: aqYlLZ8hwJ.exe, 00000004.00000002.1870551549.0000000006272000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

API call chain: ExitProcess graph end node

graph_3-16677

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

Code function: 3_2_00537560 LdrInitializeThunk,

3_2_00537560

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00407B01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041914C mov eax, dword ptr fs:[00000030h]		2_2_0041914C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004114A6 mov ecx, dword ptr fs:[00000030h]		2_2_004114A6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0041EFD8 GetProcessHeap,

2_2_0041EFD8

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00407B01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407C63 SetUnhandledExceptionFilter,	2_2_00407C63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407D75 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00407D75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040DD78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0040DD78

Source: C:\Users\user\Desktop\eovQPjY5wz.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\eovQPjY5wz.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\eovQPjY5wz.exe

Code function: 0_2_02C92145 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02C92145

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\eovQPjY5wz.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: RegAsm.exe, 00000002.00000002.1718315778.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: lootebarrkeyn.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 4DC000	Jump to behavior
Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AE8008	Jump to behavior

Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\saLBqUuaxl.exe "C:\Users\user\AppData\Roaming\saLBqUuaxl.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe "C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004077E0 cpuid

2_2_004077E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0041E825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_00414138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_0041EA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0041EBA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_0041E412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_0041ECA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0041ED76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_0041465E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_0041E60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_0041E6FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_0041E6B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_0041E79A

Source: C:\Users\user\Desktop\eovQPjY5wz.exe	Queries volume information: C:\Users\user\Desktop\eovQPjY5wz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004079F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_004079F4

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: aqYlLZ8hwJ.exe, 00000004.00000002.1860186223.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r\MsMpeng.exe
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1870551549.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1860186223.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.RegAsm.exe.436080.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aqYlLZ8hwJ.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.436080.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1717964881.0000000000252000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aqYlLZ8hwJ.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\walletsLR^qt\
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q&%localappdata%\Coinomi\Coinomi\walletsLR^q
Source: aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aqYlLZ8hwJ.exe PID: 6904, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.RegAsm.exe.436080.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.aqYlLZ8hwJ.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.436080.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1717964881.0000000000252000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aqYlLZ8hwJ.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	411 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	134 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	241 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	411 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eovQPjY5wz.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Amadey

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	100%	Avira	HEUR/AGEN.1318482
C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	47%	ReversingLabs	Win32.Trojan.MintZard

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Response	0%	Avira URL Cloud	safe
lootebarrkeyn.shop	100%	Avira URL Cloud	malware
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23ResponseD	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
reinforcenh.shop	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id21Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	Avira URL Cloud	safe
stogeneratmns.shop	100%	Avira URL Cloud	malware
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6ResponseD	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	Avira URL Cloud	safe
ghostreedmnu.shop	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id13ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21ResponseD	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	0%	Avira URL Cloud	safe
fragnantbui.shop	100%	Avira URL Cloud	malware
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	0%	Avira URL Cloud	safe
offensivedzvju.shop	100%	Avira URL Cloud	malware
drawzhotdog.shop	100%	Avira URL Cloud	malware
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/trust	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16	0%	Avira URL Cloud	safe
vozmeatillu.shop	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id5Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9;	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
18.31.95.13.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
lootebarrkeyn.shop	true	Avira URL Cloud: malware	unknown
reinforcenh.shop	true	Avira URL Cloud: malware	unknown
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
ghostreedmnu.shop	true	Avira URL Cloud: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
drawzhotdog.shop	true	Avira URL Cloud: malware	unknown
vozmeatillu.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002800000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002C6E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id4	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002800000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/ip	RegAsm.exe, RegAsm.exe, 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000000.1717964881.0000000000252000.00000002.00000001.01000000.00000007.sdmp, aqYlLZ8hwJ.exe.2.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id1Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002C6E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11ResponseD	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Response	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9;	aqYlLZ8hwJ.exe, 00000004.00000002.1864748963.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.21.18.51	unknown	United States		199592	CP-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519285
Start date and time:	2024-09-26 09:57:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eovQPjY5wz.exe renamed because original name is a hash value
Original Sample Name:	84263ab03b0a0f2b51cc11b93ec49c9f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/9@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 103 Number of non-executed functions: 125
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: eovQPjY5wz.exe

Simulations

Behavior and APIs

Time	Type	Description
03:58:31	API Interceptor	43x Sleep call for process: aqYlLZ8hwJ.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
65.21.18.51	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.1325.25139.exe	Get hash	malicious	Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	file.exe	Get hash	malicious	Amadey, Cryptbot, PureLog Stealer, RedLine, XWorm, zgRAT	Browse
	VMRhiAFJtl.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer, RedLine, Stealc	Browse
	XpCyBwDzEt.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, DanaBot, PureLog Stealer, RedLine	Browse
	g082Q9DajU.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CP-ASDE	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	65.21.18.51
	Audio playback00_05-30-00000.html	Get hash	malicious	HTMLPhisher	Browse	65.21.45.74
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	65.21.18.51
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	65.21.119.50
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	65.21.18.51
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	65.21.18.51
	SecuriteInfo.com.Win32.TrojanX-gen.1325.25139.exe	Get hash	malicious	Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	65.21.18.51
	LgzpILNkS2.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	ncOLm62YLB.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	3e#U043c.scr	Get hash	malicious	RMSRemoteAdmin	Browse	65.21.245.7

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\saLBqUuaxl.exe	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse
C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:34 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.4591763193933103
Encrypted:	false
SSDEEP:	48:8S8dGTi+GRYrnvPdAKRkdAGdAKRFdAKR/U:8Slt
MD5:	289FF15F91075A12C31FF35E2BEEDA03
SHA1:	0ED299567D741B1C9EE66FD730DD52A930FBDEB0
SHA-256:	CCC31C32E9B2B6116E2165E225971A87F4269044320F011A610D95050B6E3579
SHA-512:	5A23EEB7E6F33D31096F041772550C988BDB1BB62E7BFCC202B5672A2D4FD7A408EE37DE25BD43DA324AE01611AB309C5C000605070B894F5AE3B475B0C8C272
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,..............q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWR`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWR`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWR`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aqYlLZ8hwJ.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5:	0B2E58EF6402AD69025B36C36D16B67F
SHA1:	5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256:	4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512:	1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eovQPjY5wz.exe.log

Download File

Process:	C:\Users\user\Desktop\eovQPjY5wz.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Tmp9FD.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpA0E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082543579488037
Encrypted:	false
SSDEEP:	3072:Oq6EgY6iYrUj1Np/wPG/2hIUrTA7tMSiy1cZqf7D34teqiOLibBOQ:1qY6i3wPtIUrTAxMY1cZqf7DIXL
MD5:	4E60F3FD76D9EAB244F9DC00F7765B0B
SHA1:	1A154D6E837E7105C551793131CDE89F157C4330
SHA-256:	D6945846CC23C01B9C9AD2B97D35B5A14C01F1A4CC2EC651A596F06777BA4FEC
SHA-512:	44727E25781F448579AC35AAB94AFF550ED9FE5AC58D95BD394569C62892DC78216AC687BAA43CEF66187EBE629F5DD9CD63EA274222D11DBEF3440EC4D7F77A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ................0................. ... ....@.. ....................... ............@.....................................O.... ..............................h................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	364544
Entropy (8bit):	6.656062545289343
Encrypted:	false
SSDEEP:	6144:PJdHU1vR3RO5NSdLcHUPnAGrV1GdauIgmxmbsWeSI9ifLW3:PJS1vRhOfX0PA61Gig0mQY
MD5:	A3EF9920A91B891837705E46BB26DE17
SHA1:	9CFBCD0F46EC86FB57D3D6D74A064F9098ADF117
SHA-256:	171CEF885F6C285E995CE3EC5960C5EA4E4ED049CEC362745058FEE39E4136CC
SHA-512:	C65E91091B95C3ABA0AF7DF4ED6543D26BCB5B54D6FAB82F9D2AC1BA156F475F98124A1A0E8851D69BE23B1DC945C76C075CD32515203273260802E1224DBD6E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....#.f..........................................@..........................P............@.....................................x................................J...................................................................................text...~........................... ..`.rdata...).......*..................@..@.data............b..................@....reloc...J.......L...D..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\eovQPjY5wz.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	2.2845972159140855
Encrypted:	false
SSDEEP:	3:i6vvRyMivvRya:iKvHivD
MD5:	45B4C82B8041BF0F9CCED0D6A18D151A
SHA1:	B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
SHA-256:	7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
SHA-512:	B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
Malicious:	false
Preview:	0..1..2..3..4..0..1..2..3..4.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.997700688704897
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	eovQPjY5wz.exe
File size:	903'168 bytes
MD5:	84263ab03b0a0f2b51cc11b93ec49c9f
SHA1:	e6457eb0e0131bec70a2fd4d4a943314f0bd28d4
SHA256:	7d6e4e01c452dd502361640ee095e2bee35e3f55fd11edc9e94c3580d2c132b5
SHA512:	db35a02345b5166077e300524675c523a8b4082fa62fc151c0797141348cae5e173eeaec5ad1e95556e048ea6ed34a78b90b1184420557c53cd91f351417ebb2
SSDEEP:	24576:9YroRg0QD2ZDvpSgezC2pSSqb9VAMsGm1ykciQgh75tT:9YroRmgSPC2MSpMsGmGiQg95t
TLSH:	BB15336CEE844BA7DCE69ABDC1077FB8330EDC8744CA3948D986124C111CD9A9E779D1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.f................................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4ddcee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F464B6 [Wed Sep 25 19:29:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xddc94	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xde000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xddb5c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdbcf4	0xdbe00	f8d06f126e6f8959ee85698393fa56c6	False	0.9977515189738487	data	7.999068736163035	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xde000	0x5b8	0x600	be0c6503cf5b18649d1fe184002f6a0a	False	0.4381510416666667	data	4.114519052070512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe0000	0xc	0x200	fd5c6017bdd8c4e893e6ac38c438a6f5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xde0a0	0x324	data			0.4552238805970149
RT_MANIFEST	0xde3c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T09:58:25.407694+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:25.407694+0200	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:25.615211+0200	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1	65.21.18.51	45580	192.168.2.4	49730	TCP
2024-09-26T09:58:30.721331+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:31.062539+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:31.067627+0200	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	65.21.18.51	45580	192.168.2.4	49730	TCP
2024-09-26T09:58:31.334152+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:31.658118+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:31.867486+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:32.081416+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:32.353299+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:32.737429+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.066743+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.273704+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.483573+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.749163+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:33.958138+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:35.187403+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:35.488246+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:35.696227+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:35.903268+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:36.123951+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:36.374287+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:36.586135+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:36.791735+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP
2024-09-26T09:58:37.235137+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	65.21.18.51	45580	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:58:24.548475981 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:24.553452015 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:24.553683996 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:24.562705040 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:24.567523956 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:25.235713959 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:25.306453943 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:25.407694101 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:25.412713051 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:25.615211010 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:25.665838957 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:30.721330881 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:30.726269007 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:30.929128885 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:30.929148912 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:30.929160118 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:30.929172993 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:30.929184914 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:30.929198027 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:30.929225922 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:30.929267883 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:31.062539101 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:31.067626953 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.268326998 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.322077036 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:31.334151983 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:31.339111090 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.339134932 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.339159012 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.339171886 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.339184999 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.339207888 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.339220047 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:31.339220047 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.339294910 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.339307070 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.343744040 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.343997002 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.344011068 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.344043970 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.344212055 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.648180008 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.658118010 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:31.662975073 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.863095999 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:31.867486000 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:31.872361898 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.072911978 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.081415892 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:32.086445093 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.086466074 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.086493015 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.086505890 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.086520910 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.086534023 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.086546898 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.086563110 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.301126957 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.353298903 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:32.737428904 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:32.742398977 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.742419004 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:32.742430925 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.064280987 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.066742897 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:33.071746111 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.271542072 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.273704052 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:33.278513908 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.478478909 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.483572960 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:33.488492966 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.688282013 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.728526115 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:33.749162912 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:33.754091978 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.953929901 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:33.958137989 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:33.963346004 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:34.163645029 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:34.212691069 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:35.187402964 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:35.192290068 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:35.393275023 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:35.447421074 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:35.488245964 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:35.493354082 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:35.693662882 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:35.696227074 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:35.701184034 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:35.901185989 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:35.903268099 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:35.908067942 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:36.122826099 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:36.123950958 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:36.128880024 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:36.328840971 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:36.374286890 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:36.379179955 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:36.579425097 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:36.586134911 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:36.590984106 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:36.790910006 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:36.791734934 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:36.796582937 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:37.058495045 CEST	45580	49730	65.21.18.51	192.168.2.4
Sep 26, 2024 09:58:37.103349924 CEST	49730	45580	192.168.2.4	65.21.18.51
Sep 26, 2024 09:58:37.235136986 CEST	49730	45580	192.168.2.4	65.21.18.51

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:58:53.814085007 CEST	53	63380	162.159.36.2	192.168.2.4
Sep 26, 2024 09:58:54.285024881 CEST	62025	53	192.168.2.4	1.1.1.1
Sep 26, 2024 09:58:54.292188883 CEST	53	62025	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 09:58:54.285024881 CEST	192.168.2.4	1.1.1.1	0x50b7	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 09:58:54.292188883 CEST	1.1.1.1	192.168.2.4	0x50b7	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	03:58:19
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\eovQPjY5wz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eovQPjY5wz.exe"
Imagebase:	0x760000
File size:	903'168 bytes
MD5 hash:	84263AB03B0A0F2B51CC11B93EC49C9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:58:19
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:58:21
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x840000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:58:21
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\saLBqUuaxl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\saLBqUuaxl.exe"
Imagebase:	0x4f0000
File size:	364'544 bytes
MD5 hash:	A3EF9920A91B891837705E46BB26DE17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:58:21
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe"
Imagebase:	0x250000
File size:	311'296 bytes
MD5 hash:	4E60F3FD76D9EAB244F9DC00F7765B0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1864748963.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000000.1717964881.0000000000252000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1864748963.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe, Author: Joe Security
Antivirus matches:	Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	35.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	28.6%
Total number of Nodes:	21
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02C92145 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02C920B7,02C920A7), ref: 02C922B4
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02C922C7
Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 02C922E5
ReadProcessMemory.KERNELBASE(0000009C,?,02C920FB,00000004,00000000), ref: 02C92309
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 02C92334
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 02C9238C
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 02C923D7
WriteProcessMemory.KERNELBASE(0000009C,?,?,00000004,00000000), ref: 02C92415
Wow64SetThreadContext.KERNEL32(000000A0,01150000), ref: 02C92451
ResumeThread.KERNELBASE(000000A0), ref: 02C92460

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02C922B3
CreateProcessA, xrefs: 02C921F9
VirtualAllocEx, xrefs: 02C92245
VirtualAlloc, xrefs: 02C9220C
ResumeThread, xrefs: 02C92281
WriteProcessMemory, xrefs: 02C92258
ress, xrefs: 02C921CF
SetThreadContext, xrefs: 02C9226B
aryA, xrefs: 02C9218B
ReadProcessMemory, xrefs: 02C92232
GetP, xrefs: 02C921C7
TerminateProcess, xrefs: 02C92343
GetThreadContext, xrefs: 02C9221F
Load, xrefs: 02C92183

Memory Dump Source

Source File: 00000000.00000002.1714105495.0000000002C91000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c91000_eovQPjY5wz.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 78c26038a607ee4df82e4a7b6ce4566d278efe032b380fe1e75b10d029dc9bb2
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 6FB1F57664024AAFDB60CF68CC80BDA77A9FF88714F158124EA0CAB341D770FA51CB94

Function 010F1268 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 010F12F0

Memory Dump Source

Source File: 00000000.00000002.1714004114.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_eovQPjY5wz.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9a5b9ba12a1569ff38e8bd6a28e055e2dd80e10f4eda2a8bd40e72c05bcbebcc
Instruction ID: f0482ef69cb4cc989898cb8e31cf502850e3da8aef221df65451d29774b37839
Opcode Fuzzy Hash: 9a5b9ba12a1569ff38e8bd6a28e055e2dd80e10f4eda2a8bd40e72c05bcbebcc
Instruction Fuzzy Hash: C92116B19013499FDB10DFAAC881ADEBFF4FF48314F10841DDA59A7250D735A915CBA1

Function 010F1270 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 010F12F0

Memory Dump Source

Source File: 00000000.00000002.1714004114.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_eovQPjY5wz.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cd9fb536bfd776aa9b43d7e04983d4349df455e060b60b5e3d951ae54dedebf6
Instruction ID: 683b79c51e6a0cee6e5bc01095fda848f78851cbd266365a83ca9b8a5e81d866
Opcode Fuzzy Hash: cd9fb536bfd776aa9b43d7e04983d4349df455e060b60b5e3d951ae54dedebf6
Instruction Fuzzy Hash: 7B2110B19002499FCB10DFAAC881ADEFBF4FF48310F10842EEA59A7250C774A914CFA1

Analysis Process: RegAsm.exePID: 6688, Parent PID: 1060COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	62

Executed Functions

Function 00402320 Relevance: 7.9, Strings: 5, Instructions: 1670
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9@, xrefs: 00403710
shell32.dll, xrefs: 00403905
%x and %p, xrefs: 004035F2
open, xrefs: 00403E04, 00403E25
.exe, xrefs: 004039E4, 004039F5, 00403C28, 00403C39

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 9@$%x and %p$.exe$open$shell32.dll
API String ID: 0-1499470633
Opcode ID: 569a7f47ffdd8adeeff8127ab31c8b2c5ec200de375ad0e47e65cd08048f4f44
Instruction ID: b3621ca4427cacb3bc8dd38ebfce6b13c7c8c57b5ac8815a6f58a24341565fb5
Opcode Fuzzy Hash: 569a7f47ffdd8adeeff8127ab31c8b2c5ec200de375ad0e47e65cd08048f4f44
Instruction Fuzzy Hash: 4392B017A30D1F06E30C64398D562E6A94AD7EA731F869337BD76EB3F4D36E48428244

Function 0041FEAF Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041FB65: CreateFileW.KERNELBASE(?,00000000,?,0041FF58,?,?,00000000,?,0041FF58,?,0000000C), ref: 0041FB82

GetLastError.KERNEL32 ref: 0041FFC3
__dosmaperr.LIBCMT ref: 0041FFCA
GetFileType.KERNELBASE(00000000), ref: 0041FFD6
GetLastError.KERNEL32 ref: 0041FFE0
__dosmaperr.LIBCMT ref: 0041FFE9
CloseHandle.KERNEL32(00000000), ref: 00420009
CloseHandle.KERNEL32(?), ref: 00420156
GetLastError.KERNEL32 ref: 00420188
__dosmaperr.LIBCMT ref: 0042018F

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 87ef763bbd003f1d2de960a3db6ca709dde3cd444b7d1b6f895e6fd8deb0075d
Instruction ID: c043dc6610800097a8c7d9f7805d75e01504a092e95ab29a96a2aa982ce353c5
Opcode Fuzzy Hash: 87ef763bbd003f1d2de960a3db6ca709dde3cd444b7d1b6f895e6fd8deb0075d
Instruction Fuzzy Hash: FCA14732A041559FCF19DF28EC91BAE3BA1AB46314F18016EF801EB3D2C7398957D759

Function 004038C0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 401
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(shell32.dll), ref: 0040390A

Strings

shell32.dll, xrefs: 00403905
open, xrefs: 00403E04, 00403E25
.exe, xrefs: 004039E4, 004039F5, 00403C28, 00403C39

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .exe$open$shell32.dll
API String ID: 1029625771-3690275032
Opcode ID: c9f59ac015d61ec70614d93d888e022ef416f64b299715dc7f56bdbe0cac2894
Instruction ID: 7d5b2598125341daaadbafcfaee473a7e4c633bdeea8f021ad5caa46309aa23f
Opcode Fuzzy Hash: c9f59ac015d61ec70614d93d888e022ef416f64b299715dc7f56bdbe0cac2894
Instruction Fuzzy Hash: EFE12A712083408BD718CF28CC45B6FBBE5BF85305F244A2DF489AB2D2D779E6458B5A

Function 00411432 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041142C,00000016,0040BD98,?,?,52949588,0040BD98,?), ref: 00411443
TerminateProcess.KERNEL32(00000000,?,0041142C,00000016,0040BD98,?,?,52949588,0040BD98,?), ref: 0041144A
ExitProcess.KERNEL32 ref: 0041145C

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction ID: 3fe6f93935658f8ab67006e652a10cd0383134051074610e396dae59c432ecd7
Opcode Fuzzy Hash: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction Fuzzy Hash: 5DD09E31100148ABCF117F61EC0DA993F2AAF407557858025FA0A56131CB369993AA58

Function 00416DAF Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004164C2: GetConsoleOutputCP.KERNEL32(52949588,00000000,00000000,0040BDB8), ref: 00416525

WriteFile.KERNELBASE(FFBF5BE8,00000000,?,0040BC75,00000000,00000000,00000000,00000000,?,?,0040BC75,?,?,004328B8,00000010,0040BDB8), ref: 00416F18
GetLastError.KERNEL32(?,0040BC75,?,?,004328B8,00000010,0040BDB8,?,?,00000000,?), ref: 00416F22

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction ID: cb585fdb2482b244a4d3bef91fab55670e651a1c55327e645a67e42ff2a15e13
Opcode Fuzzy Hash: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction Fuzzy Hash: 4461D775D04249AFDF10CFA8C844AEF7FB9AF09308F16415AF804A7252D379D986CB69

Function 00414A96 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00414AE2
GetFileType.KERNELBASE(00000000), ref: 00414AF4

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 14da27bdb5d952759cc947a18c1f6313485b17a09da5127208cbfccaf6a1781a
Instruction ID: 68df3f11dd2f645efc31e1e90aadc3e75d180b75955679e0b2236dab09e8ba97
Opcode Fuzzy Hash: 14da27bdb5d952759cc947a18c1f6313485b17a09da5127208cbfccaf6a1781a
Instruction Fuzzy Hash: 141175712087514AC7308E3E9C887637AD4ABD6370B39071BD1B6962F1C328E9C6965D

Function 00403EE0 Relevance: 3.0, APIs: 2, Instructions: 22
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004038C0,00000000,00000000,52949588), ref: 00403F06
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403F0F

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: af3e1afe4429c917983b20489d93451d494df3de1508f1cbbf6b72916d2180c4
Instruction ID: 9ada69c4f7ca39928594594d106047c4e65b58e1a3541a0c5f1fc3d2bb6a9bfa
Opcode Fuzzy Hash: af3e1afe4429c917983b20489d93451d494df3de1508f1cbbf6b72916d2180c4
Instruction Fuzzy Hash: 10E08675758300BBD710EF24EC07F1A3BE4BB48B05F914A39F295A62D0D674B404965E

Function 00414D5D Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,00414C44,00000000,CF830579,00432C48,0000000C,00414D00,0040BD0B,?), ref: 00414DB3
GetLastError.KERNEL32(?,00414C44,00000000,CF830579,00432C48,0000000C,00414D00,0040BD0B,?), ref: 00414DBD

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction ID: ceb111eb948f9657ebdeceefd9bfba8073a9b29251fc9eed98a790ab6a2c0bec
Opcode Fuzzy Hash: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction Fuzzy Hash: 06114C336041241ADB246635BC867FE6749CBC1738F290A5FF808C72C1DE388CC2929C

Function 004143CC Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction ID: d7b25293e7db54f96000769fea1aeb7630fb582f3d7d0c2fc2c622193e8995c8
Opcode Fuzzy Hash: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction Fuzzy Hash: 620128373002255F9F25CF6EEC40ADB33A6FBC07243148136FA20CB684DA34D8829799

Function 00413EF2 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00413F2C

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 86b5a37895ede01666616fd7f26fe40e68c10059cd8d9e9be6e6956d389c093e
Instruction ID: be02312cd07e58b193bdeee16c95f5fde802225de20a5ed1c7ae4422ede983e8
Opcode Fuzzy Hash: 86b5a37895ede01666616fd7f26fe40e68c10059cd8d9e9be6e6956d389c093e
Instruction Fuzzy Hash: 46110375A0420AAFCB05DF58E9419DB7BF9EF48304F04406AF809AB351D630EA15CBA8

Function 00414094 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0000000C,?,?,004152D9,00000001,00000364,?,00000006,000000FF,?,?,0040E077,00415469), ref: 004140D5

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction ID: 7a371578952800d697783e4f14dfa84f7cfeb60b6085e341501622e7ba028638
Opcode Fuzzy Hash: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction Fuzzy Hash: E9F0BB35605625ABDB215A63DC05BDB3F489FC5760B158123B904EB1A0CA68D9D1819D

Function 0041FB65 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000000,?,0041FF58,?,?,00000000,?,0041FF58,?,0000000C), ref: 0041FB82

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction ID: 28cfbda6749b70c9de2fbd9d245fef773b8951bf2dd70127050a9a6bf190398c
Opcode Fuzzy Hash: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction Fuzzy Hash: 05D06C3210010DFBDF128F84DC06EDA3FAAFB4C714F018010FA5856021C732E832AB94

Non-executed Functions

Function 00420470 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00420654

Strings

1#QNAN, xrefs: 00420583
1#INF, xrefs: 004205A6
1#IND, xrefs: 00420575
1#SNAN, xrefs: 0042057C

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 04691cd5221879a38aa0f057816d8a73d07112325195ad38bce5c0dde7aa5ce2
Instruction ID: 5123da61b8cdaac21cd302dc6e4a5341095d796461dc8fa416339e05d9df0b54
Opcode Fuzzy Hash: 04691cd5221879a38aa0f057816d8a73d07112325195ad38bce5c0dde7aa5ce2
Instruction Fuzzy Hash: 58D23A71E082289FDB65CE28ED407EAB7B5EB94304F5441EBD80DE7241DB78AE818F45

Function 0041EBA1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(3FC00000,2000000B,0041EEBF,00000002,00000000,?,?,?,0041EEBF,?,00000000), ref: 0041EC3A
GetLocaleInfoW.KERNEL32(3FC00000,20001004,0041EEBF,00000002,00000000,?,?,?,0041EEBF,?,00000000), ref: 0041EC63
GetACP.KERNEL32(?,?,0041EEBF,?,00000000), ref: 0041EC78

Strings

OCP, xrefs: 0041EBF5
ACP, xrefs: 0041EBBF

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction ID: 81a9d30784dd22d719d41cfb92251f6e816e7a4bc62bdb22216d11a6fc444572
Opcode Fuzzy Hash: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction Fuzzy Hash: 92218E3AB04101AADB34CF56CD05AD773A7AF50B50B568826FD0AD7211F736EE81C798

Function 0041ED76 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0041EE82
IsValidCodePage.KERNEL32(00000000), ref: 0041EECB
IsValidLocale.KERNEL32(?,00000001), ref: 0041EEDA
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041EF22
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0041EF41

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1f142972335a53d1e2416df24534188105d76140515381cc06687f0020485920
Instruction ID: eeabbf5cfaddba79e94d22b4dd48aaeada7d5b667952b3c456454f902e5df75d
Opcode Fuzzy Hash: 1f142972335a53d1e2416df24534188105d76140515381cc06687f0020485920
Instruction Fuzzy Hash: B4519075A00315ABDF20DFA6DC41BEB77B8FF48700F54442AAD14E7290E7789980CB69

Function 0041E412 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetACP.KERNEL32(?,?,?,?,?,?,00411EE1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E4D3
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00411EE1,?,?,?,00000055,?,-00000050,?,?), ref: 0041E4FE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E661

Strings

utf8, xrefs: 0041E5D0

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: d2e92ad91d33230e432f41824a885b4f53a9106f8c4d9673b702c20c8aa694f9
Instruction ID: 5e8f11e88951c7c1c9557d61489bca48d24d80555c5ca4e9e4b82e7d51b65768
Opcode Fuzzy Hash: d2e92ad91d33230e432f41824a885b4f53a9106f8c4d9673b702c20c8aa694f9
Instruction Fuzzy Hash: 8F711775A00611AADB24AB77CC42BE773A8EF54708F14442BFD05D7281FB7CE9818799

Function 00415635 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004156C2

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction ID: 91afe31f9ab3d507f6121463a8ee3d13cfef47ac4a512e863f990cc27fdcea00
Opcode Fuzzy Hash: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction Fuzzy Hash: 92B15872E00645DFDB119F68C891BEEBBE5EF85310F14816BE815AB341D2389D81CBA9

Function 00407B01 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407B0D
IsDebuggerPresent.KERNEL32 ref: 00407BD9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407BF9
UnhandledExceptionFilter.KERNEL32(?), ref: 00407C03

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction ID: ca20a48664bdef0e78e9b146848890f6e34f40b99dedcfcf476291c653997e40
Opcode Fuzzy Hash: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction Fuzzy Hash: 1B314B75D0521CDBDF20DFA0D9497CDBBB8BF04304F1040AAE50DA7290EB756A859F09

Function 0041E825 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E879
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E8C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E989

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: dd539c89c5381dfdaac91928ad5ed676a1006981e28db1904c6f4bbe4cde2b34
Instruction ID: efc99f0a6d6f1c6c35933ec1b38cf6b3cd41524c9fcadcabef19194d257b4763
Opcode Fuzzy Hash: dd539c89c5381dfdaac91928ad5ed676a1006981e28db1904c6f4bbe4cde2b34
Instruction Fuzzy Hash: EB618CB59101079BDB689F26CD82BEA77A8FF04340F14417BED16C6281F738D981DB58

Function 0040DD78 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 0040DE70
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 0040DE7A
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 0040DE87

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b5dd4f76152aea6ca03237fb28cccd4ebdc33645a90cdebeab5d7b36533c9830
Instruction ID: 2886232a598c6d0739cb6745ed5e05dca1263a9451a5c599d013a0f88592b0f0
Opcode Fuzzy Hash: b5dd4f76152aea6ca03237fb28cccd4ebdc33645a90cdebeab5d7b36533c9830
Instruction Fuzzy Hash: 4131E574D012189BCB21DF69D98878DBBB8BF08310F5041EAE41CA7291E774AF858F48

Function 0040FCF0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddea241b9222524aa140a82a6791fc6d0ddcc5cf7be7707f7ebfe0d02a874e92
Instruction ID: 2f25568155576164fff2026d57733e275abf4854a932f81770cec84d7f7bd70a
Opcode Fuzzy Hash: ddea241b9222524aa140a82a6791fc6d0ddcc5cf7be7707f7ebfe0d02a874e92
Instruction Fuzzy Hash: 86F17F71E002199FDF14CF68D8806EEBBB1FF88314F15826AE819AB381D775AD45CB84

Function 0041951B Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,3FC00000,?,00000008,?,?,00419516,3FC00000,?,00000008,?,?,00422FF7,00000000), ref: 00419748

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 66bd135522bfd48ef431717ac9a2d3ac4e718912ce61b150da326bc1aaae8d12
Instruction ID: 8ce61fd47942680b4b6d640883987f5213aad906e3822604c48ba3c560e6b802
Opcode Fuzzy Hash: 66bd135522bfd48ef431717ac9a2d3ac4e718912ce61b150da326bc1aaae8d12
Instruction Fuzzy Hash: BCB15D31620605DFD719CF28C496BA57BA0FF45364F258659E8AACF3A1C339ED82CB44

Function 004077E0 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004077F6

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 96a2ba3aa580dc615e5e38e6a61e3a4296c942238419a14d8ec0a8789d2e52c4
Instruction ID: 853601205c21894bcdc8f75123652b739dccbac0e00907a06a8c71bf04373a9d
Opcode Fuzzy Hash: 96a2ba3aa580dc615e5e38e6a61e3a4296c942238419a14d8ec0a8789d2e52c4
Instruction Fuzzy Hash: 865180B2E056059FEB18CF54E9857AEBBF0FB48350F14913AD501EB390D378A940CB59

Function 0041EA78 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041EACC

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 22a4290edeb40b255e0ef88b49f21dfdd78c731e0f866b45595c0c5f80cee5a7
Instruction ID: 09566a44d01ac47d2cdad9f49e07ec0328cace9eeb3adbfa8c3b07b4827ecd72
Opcode Fuzzy Hash: 22a4290edeb40b255e0ef88b49f21dfdd78c731e0f866b45595c0c5f80cee5a7
Instruction Fuzzy Hash: D321AF36605206ABDB28DE26DD42AFB73A8EF44314B10407FED02D6241EB78AD81CB58

Function 0040CF8F Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 0040D119

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a0aab24acc3b3978c9a5ada52a2d7b7c9db1a835270475109fab3b2612413d47
Instruction ID: db3753c2c33e7530f0929c46863b0870b75bf5936d116eaba6b158d6d29c11f4
Opcode Fuzzy Hash: a0aab24acc3b3978c9a5ada52a2d7b7c9db1a835270475109fab3b2612413d47
Instruction Fuzzy Hash: CEB19470D0060A8BCB249FE4C991ABFB7A1AB05308F14463FD456F73D1CA39D94ACB5A

Function 0041E6FF Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041E825,00000001,00000000,?,-00000050,?,0041EE56,00000000,?,?,?,00000055,?), ref: 0041E771

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9637497d46bd12567f8eabdc0472934baf484039a92a8dbd1bfa50b3c5102b1b
Instruction ID: f28f85ac1fea5866725ce88a4d547c14bcace0560233e7335010750b785556cb
Opcode Fuzzy Hash: 9637497d46bd12567f8eabdc0472934baf484039a92a8dbd1bfa50b3c5102b1b
Instruction Fuzzy Hash: F0112C3A6007019FEB189F3AD8916FAB791FF80368B14442ED95747740E7757843C744

Function 0041ECA7 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0041EB22,00000000,00000000,?), ref: 0041ECD3

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction ID: 6e93bce3e8a9596dc076f6a872b53f7d727095e2315f943068ff1bd0afa52940
Opcode Fuzzy Hash: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction Fuzzy Hash: 56F02D3A600113BFDB245B26EC09BFB7764EB40354F19442AEC06A3280EA78FDC2C694

Function 0041E60D Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E661

Strings

utf8, xrefs: 0041E5D0

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 2152daac5f42ae25a129a23ac8d896ce75da55d7df13b3f6dfbcda70826a3db5
Instruction ID: d369d087f973f2c2e7390e19339e1b86590d8fa7fa541369cb1b30fd3d4077c9
Opcode Fuzzy Hash: 2152daac5f42ae25a129a23ac8d896ce75da55d7df13b3f6dfbcda70826a3db5
Instruction Fuzzy Hash: B0F0F436A10105ABC714AF25DC45FFA73A8EB84324F40007EAA02D7281EA78AD418758

Function 0041E79A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041EA78,00000001,45F1B473,?,-00000050,?,0041EE1A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0041E7E4

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7822a5e4b117a09642d2d9f73cbe77476052005b15321de9f48d0f235ef5c92f
Instruction ID: 0c0c1f316863ef4a6d30beb722119c93d5a9d1266b3f20af8045389666d513f6
Opcode Fuzzy Hash: 7822a5e4b117a09642d2d9f73cbe77476052005b15321de9f48d0f235ef5c92f
Instruction Fuzzy Hash: BDF0C23A2003045FEB249F3A9881ABABB95FF80368F15442EFD568B690D6759C82C718

Function 00414138 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040E0C6: EnterCriticalSection.KERNEL32(?,?,00412EDC,00000000,00432B68,0000000C,00412EA3,0000000C,?,004140C7,0000000C,?,004152D9,00000001,00000364,?), ref: 0040E0D5

EnumSystemLocalesW.KERNEL32(0041412B,00000001,00432BE8,0000000C,0041455A,00000000), ref: 00414170

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 80f246e533dc21f73d9613eff5259b5841ca6d0f841dd3ce2907f16627d73c59
Instruction ID: 198ab3507c4040aae18c9164df511e00e81c972c753b4360ebc7eca8a0771405
Opcode Fuzzy Hash: 80f246e533dc21f73d9613eff5259b5841ca6d0f841dd3ce2907f16627d73c59
Instruction Fuzzy Hash: 14F03C72A14204DFD710EF99E842B9C77B0FB84725F10422BE811DB2A0C7B959409B98

Function 0041E6B4 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041E60D,00000001,45F1B473,?,?,0041EE78,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E6EB

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8c2aaa4c0cd0d54cc735e91a7a0ddb58f51471a544283acf310fccb30414098b
Instruction ID: d7e3b5c502124c080ac9a43a58f0728b4bb26e435a168ea3e401fe3e83efba30
Opcode Fuzzy Hash: 8c2aaa4c0cd0d54cc735e91a7a0ddb58f51471a544283acf310fccb30414098b
Instruction Fuzzy Hash: A9F0E53A30025597CB149F3AD8557AABF94EFD1724F87405AEE06CB250C6799883C758

Function 0041465E Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00412A47,?,20001004,00000000,00000002,?,?,00412049), ref: 00414692

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction ID: f9bd5592f4a27906ba0b7000611c056f456b6c13901b9127fc06cc884ae94f8f
Opcode Fuzzy Hash: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction Fuzzy Hash: 63E04F31540268BBCF122F61DC04EEE3F19FF85761F064026FC1566261CB7A9D61AA9D

Function 00407C63 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007C6F,00407287), ref: 00407C68

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 91f082824127807ca67e9bea16e4e1142dcaa675fdc02378074aa91e014118a9
Instruction ID: 0ff61591fe6e7fdbf664e27eab8a47433d3f920744837751a1e33914f5cec1be
Opcode Fuzzy Hash: 91f082824127807ca67e9bea16e4e1142dcaa675fdc02378074aa91e014118a9
Instruction Fuzzy Hash:

Function 0041EFD8 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0041EFD8

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction ID: d5d072ba9748c195f736b78e16f2f5f2af1f06de213b616d404cea10f9c51eb0
Opcode Fuzzy Hash: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction Fuzzy Hash: 01A02230300280CF83808F32AE0CB0C3FF8AE082E0B0AC03AA000C80B0EF3080A0AF08

Function 00419D19 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516d30cb957660e1ce7009900f7c89419000928a7b4542a70a6d7973bb8b5465
Instruction ID: e0b6eab36911d749f2a52d9d755c71c6f3a9b3d1a8d09863ec84b4b35a7f43a0
Opcode Fuzzy Hash: 516d30cb957660e1ce7009900f7c89419000928a7b4542a70a6d7973bb8b5465
Instruction Fuzzy Hash: 47320231E29F014DD7339634C922336A248AFB73D4F55D737E81AB5AA5EB28C4E34106

Function 004050C0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b451423774f390a84f535dcfe3ba546839b42ee0b499e0766b2c7a98dc649c
Instruction ID: 5feebbaa43ed32d93f9715846b212e544a85bbfc92224125606550ec09a82999
Opcode Fuzzy Hash: 93b451423774f390a84f535dcfe3ba546839b42ee0b499e0766b2c7a98dc649c
Instruction Fuzzy Hash: CB51A531711A168BD708CF39C895666F7E1FB98310F148779E429CB2C1EB35E915CB94

Function 00404F00 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c71e8a4d4c822c2af38b7bb403b9e2aeae5574d6a876ff0dc428173de2df168
Instruction ID: 2e6b64c01918b1979876a487fb5af248adadb05a606b7677175458bc7ad97d97
Opcode Fuzzy Hash: 8c71e8a4d4c822c2af38b7bb403b9e2aeae5574d6a876ff0dc428173de2df168
Instruction Fuzzy Hash: A6519171711A128FD70CCF39C895A66B7E1FB98310F048779E42ACB2D6DB34A915CB94

Function 0041914C Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0ba1e5d9a22f7c6db1b863d068fd7604d8ca8b2c2046f773a74d09f23aaf89
Instruction ID: ed00e364353b2709b8c4936f7de79ec0fff9d1aa87bc6e08b7c0caa285f9e44e
Opcode Fuzzy Hash: fa0ba1e5d9a22f7c6db1b863d068fd7604d8ca8b2c2046f773a74d09f23aaf89
Instruction Fuzzy Hash: 73E04632911268EBCB18DB89C95898AB2ACEB44B04B15009AF902D3210C274DE80C7D4

Function 004114A6 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafc9afbd71d0c63c25bd700d152b00fba6a1b79f89aedc9458559ba3c3e83a7
Instruction ID: 9d670eee6a7ff43784672fcc557034ad53df9d6dcb31fc26035e34de67efaf71
Opcode Fuzzy Hash: eafc9afbd71d0c63c25bd700d152b00fba6a1b79f89aedc9458559ba3c3e83a7
Instruction Fuzzy Hash: 6EC08C3420098046CF29CE10C2713EA33D5A392B82F80098ECA0A0F752CA1E9CC2DA44

Function 00404B20 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404B4C
std::_Lockit::_Lockit.LIBCPMT ref: 00404B69
std::_Lockit::~_Lockit.LIBCPMT ref: 00404B8D
std::_Lockit::~_Lockit.LIBCPMT ref: 00404BB8
std::_Lockit::_Lockit.LIBCPMT ref: 00404C2A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404C7F
__Getctype.LIBCPMT ref: 00404C96
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404CD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00404D78
std::_Facet_Register.LIBCPMT ref: 00404D7E

Strings

bad locale name, xrefs: 00404D98

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 103145292-1405518554
Opcode ID: 07779c633be37db408639f77928584da0fe84fd984f841e2fd8ba1ab6a6bcfd4
Instruction ID: c45789c66640c356b2bc41b45c406846e681c44b1f4b151baf81fb86c109fe15
Opcode Fuzzy Hash: 07779c633be37db408639f77928584da0fe84fd984f841e2fd8ba1ab6a6bcfd4
Instruction Fuzzy Hash: 7B619FB19043408BD720DF65D941B5BB7F4AFD4304F05493EE989A7392E738E948CB5A

Function 0040A998 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0040AAB7
___TypeMatch.LIBVCRUNTIME ref: 0040ABC5
_UnwindNestedFrames.LIBCMT ref: 0040AD17
CallUnexpected.LIBVCRUNTIME ref: 0040AD32

Strings

csm, xrefs: 0040AA42
csm, xrefs: 0040A9D5
hqB, xrefs: 0040AAAE
csm, xrefs: 0040AAEE

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$hqB
API String ID: 2751267872-961717235
Opcode ID: 5312b3d91eab99b169114e3402d6476c4e494fcb55b904c8292e4fd39c2bab0a
Instruction ID: 1a84720c735a061b690d6f447b3278b908e1dcb1436106e9bb87ee9a1a6810cd
Opcode Fuzzy Hash: 5312b3d91eab99b169114e3402d6476c4e494fcb55b904c8292e4fd39c2bab0a
Instruction Fuzzy Hash: 2DB18A718003099FDF14DFA5C9809AEBBB5FF14304B19456BE8017B282C739DA61CF9A

Function 00422D42 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042485F), ref: 00422D5B

Strings

log, xrefs: 00422DB8, 00422DC7
pow, xrefs: 00422DF9, 00422EA3, 00422EF0
log10, xrefs: 00422D9D, 00422DAC
asin, xrefs: 00422E88
sqrt, xrefs: 00422E9A
acos, xrefs: 00422E91
exp, xrefs: 00422DDA, 00422E3F

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 99bc9cc3bdd9136b520063792197f245364da15bbda7aca5a31b7bed04557963
Instruction ID: 541d14d2076966b173cd57405107be29c5c83d47e8039af315078564b0fddfcc
Opcode Fuzzy Hash: 99bc9cc3bdd9136b520063792197f245364da15bbda7aca5a31b7bed04557963
Instruction Fuzzy Hash: 76514371B0062AEBCB108F59FA4C1AEBBB0FB45304F924057D480A6354CBBD8925EB5E

Function 0040718A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407190
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0040719E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004071AF
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004071C0

Strings

GetTempPath2W, xrefs: 004071B5
GetSystemTimePreciseAsFileTime, xrefs: 004071A4
kernel32.dll, xrefs: 0040718B
GetCurrentPackageId, xrefs: 00407198

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction ID: 3afd18a413fbafaec0d1884410ec314f69904bb85606d66d63126fe90f125993
Opcode Fuzzy Hash: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction Fuzzy Hash: 3CE0EC71749671AB83209F70BC0EDAA3AA4EE0971139205B2BD15D2361D6BC44559B9C

Function 00424323 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 004243C9
__alloca_probe_16.LIBCMT ref: 00424484
__alloca_probe_16.LIBCMT ref: 00424513
__freea.LIBCMT ref: 0042455E
__freea.LIBCMT ref: 00424564
__freea.LIBCMT ref: 0042459A
__freea.LIBCMT ref: 004245A0
__freea.LIBCMT ref: 004245B0

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 8a56644c9f658ced4a7fecf9f58cf2b799a0c4498a4b3962048a55bd8390d3ba
Instruction ID: b3b1fd3be87dc675253da9249cad55eb0a70a834b65d1a532299ad71412a1fff
Opcode Fuzzy Hash: 8a56644c9f658ced4a7fecf9f58cf2b799a0c4498a4b3962048a55bd8390d3ba
Instruction Fuzzy Hash: 24711872B00625ABDF20AE64AC41BAF77B5DFC5314F94005BEA44A7381D73CDC8187A9

Function 00414301 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,52949588,?,0041440E,004038E3,?,?,00000000), ref: 004143C2

Strings

api-ms-, xrefs: 00414358
ext-ms-, xrefs: 0041436C

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction ID: 9d281342414512710d521e2bc5e8bd8d189b06f0c9bb1d1e4d3acc3ca9f27be4
Opcode Fuzzy Hash: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction Fuzzy Hash: 9E21F371B41219ABCB219B61AC41F9B77589F817B4F250222ED26A73C0D738ED42C6D8

Function 00422232 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dfbc0b19412f8332e2df089f070eab11bf50ad423d98e1f5d4bef1ead3c863
Instruction ID: 9d2747a7e5b70225cc448f1b3832819408a251e63c6cb1e4317f51345b07cf5e
Opcode Fuzzy Hash: 34dfbc0b19412f8332e2df089f070eab11bf50ad423d98e1f5d4bef1ead3c863
Instruction Fuzzy Hash: B9B1E870B00215BFDB11DF59D980BAE7BB1BF45304F94816AE401AB392C7B99D42CB69

Function 0040A62A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040A621,00408D5A,00407CB3), ref: 0040A638
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040A646
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A65F
SetLastError.KERNEL32(00000000,0040A621,00408D5A,00407CB3), ref: 0040A6B1

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ea70f88f1a7dd67ad85e4a1eb3bc890aa5c44d2470a951be6c0d9591e2143091
Instruction ID: 78011c5e5d228000ed262031febe4d72c2c7c60d5ad4d387ad9a5ce747099190
Opcode Fuzzy Hash: ea70f88f1a7dd67ad85e4a1eb3bc890aa5c44d2470a951be6c0d9591e2143091
Instruction Fuzzy Hash: 530128332093112ED62427B6BD45A5B2678DB51774738063FF510722F1EF7E5C11554D

Function 004114C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,52949588,?,?,00000000,0042534E,000000FF,?,00411458,?,?,0041142C,00000016), ref: 004114FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041150F
FreeLibrary.KERNEL32(00000000,?,00000000,0042534E,000000FF,?,00411458,?,?,0041142C,00000016), ref: 00411531

Strings

CorExitProcess, xrefs: 00411507
mscoree.dll, xrefs: 004114F6

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5db7edf03dd5c6a86733f78c3fc37fecd77a691f09511d684ccae05772ab5e40
Instruction ID: 91ec29eb5be505712193f20e889ba6035279a869843729da5c2c1c8d1a6e38dc
Opcode Fuzzy Hash: 5db7edf03dd5c6a86733f78c3fc37fecd77a691f09511d684ccae05772ab5e40
Instruction Fuzzy Hash: 5E018431A50625EBDB218F50DC09BAEB7F9FB44B11F400526F912A22A0DB789900CA58

Function 00418EB1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00418F38
__alloca_probe_16.LIBCMT ref: 00418FF9
__freea.LIBCMT ref: 00419060

Part of subcall function 00415426: HeapAlloc.KERNEL32(00000000,?,?,?,00407448,?,?,004038E3,0000000C), ref: 00415458

__freea.LIBCMT ref: 00419075
__freea.LIBCMT ref: 00419085

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: b34ec7378ed80fdedf5b3cd9fd74b686b7ca20f323847e8b562edae9002d46d2
Instruction ID: 5a58541e407446bb28ced3c61191459bbd43b91e1c19ac61a4b7f941500e9d67
Opcode Fuzzy Hash: b34ec7378ed80fdedf5b3cd9fd74b686b7ca20f323847e8b562edae9002d46d2
Instruction Fuzzy Hash: 1451E572600206AFDB249E65CC81EFB3AA9EF48754B15012EFD05D7250EB39DD81C7A9

Function 00405A29 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405A30
std::_Lockit::_Lockit.LIBCPMT ref: 00405A3A

Part of subcall function 00401980: std::_Lockit::_Lockit.LIBCPMT ref: 0040199C
Part of subcall function 00401980: std::_Lockit::~_Lockit.LIBCPMT ref: 004019B9

codecvt.LIBCPMT ref: 00405A74
std::_Facet_Register.LIBCPMT ref: 00405A8B
std::_Lockit::~_Lockit.LIBCPMT ref: 00405AAB

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 08d409ab8f65cfa251cbcb9404e233e286c333acaa76841f7ef905a91d8db047
Instruction ID: b96a9e16e5313ba5d76a5da041c455aafda494eca7322fa8897946df384a052d
Opcode Fuzzy Hash: 08d409ab8f65cfa251cbcb9404e233e286c333acaa76841f7ef905a91d8db047
Instruction Fuzzy Hash: 7C01AD75A00A168BCB05EB65C881AAF7771EF84354F24052EE414BB3D2CB3CAE058F99

Function 00401F00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408090: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407FAB,?,?,?,?,00407FAB,0000000C,00432FA4,0000000C), ref: 004080F0

Strings

ios_base::eofbit set, xrefs: 00401F46
ios_base::failbit set, xrefs: 00401E62, 00401F41
ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 6db5754c0c3f7c630e456a44fc8a01ec81c9786fca09fcb0a19a2d9224875447
Instruction ID: 39c8128b798e2086e3302e8ab46e2dce8cada1f1b911e2d41b88b79c7a5bec65
Opcode Fuzzy Hash: 6db5754c0c3f7c630e456a44fc8a01ec81c9786fca09fcb0a19a2d9224875447
Instruction Fuzzy Hash: BD1136B29107156BC710DF68D801B86B3E8AF08310F14853FFA54E7291F778E804CBA9

Function 00407420 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407DA8
___raise_securityfailure.LIBCMT ref: 00407E90

Strings

@SC, xrefs: 00407E8B
#7@, xrefs: 00407E13

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: #7@$@SC
API String ID: 3761405300-54278199
Opcode ID: be0408e9841c2604ed6c70be4b6810e12912a1b256ed321422f905974070e74f
Instruction ID: 0d92a2c854cdd6e88b4d1eeb56e5bf4da0bfe8ec24aca00867b110679a0b03e4
Opcode Fuzzy Hash: be0408e9841c2604ed6c70be4b6810e12912a1b256ed321422f905974070e74f
Instruction Fuzzy Hash: DA2107B4640A00DBD318CF15F9857943BF4BB68355FA0643AE9088B3B1D3B46485CF1E

Function 0040B772 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0040B723,00000000,00000001,0043568C,?,?,?,0040B8C6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx), ref: 0040B77F
GetLastError.KERNEL32(?,0040B723,00000000,00000001,0043568C,?,?,?,0040B8C6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx,00000000,?,0040B67D), ref: 0040B789
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,0040A593), ref: 0040B7B1

Strings

api-ms-, xrefs: 0040B796

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction ID: 4a96934300341e5ece3864587fe3feae18b3ac400cb1fe2ce3454729e361f76d
Opcode Fuzzy Hash: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction Fuzzy Hash: 29E01A30384208BBEF205B61EC06F5A3E64EB40B85F904031FB0DE91E1E775A9519ACC

Function 004164C2 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(52949588,00000000,00000000,0040BDB8), ref: 00416525

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00416780
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004167C8
GetLastError.KERNEL32 ref: 0041686B

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 82cd919ffc66cdbec26423ec8f462efebf3297e9721ada9a3fb481d80f0d1854
Instruction ID: 1bb8143dd65314e62236f50c93da9e0a6d801424c5e2e01ca8c3ea5794d6433d
Opcode Fuzzy Hash: 82cd919ffc66cdbec26423ec8f462efebf3297e9721ada9a3fb481d80f0d1854
Instruction Fuzzy Hash: 7DD158B5E002589FCB11DFA9D880AEDBBB5FF48304F19412AE856E7351D734E882CB58

Function 0040A741 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0040A808
___AdjustPointer.LIBCMT ref: 0040A82B
___AdjustPointer.LIBCMT ref: 0040A8C7

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction ID: 639cff4bd66d4eed68713a8ae307c2d2d1180f9e9004782a502f2a6fa8fea26a
Opcode Fuzzy Hash: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction Fuzzy Hash: 3D51CF72A00302AFEB29AF52C941B7A73A4EF40304F14853FE805672D1D739EC62C79A

Function 0041B4A7 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

GetLastError.KERNEL32 ref: 0041B50B
__dosmaperr.LIBCMT ref: 0041B512
GetLastError.KERNEL32(?,?,?,?), ref: 0041B54C
__dosmaperr.LIBCMT ref: 0041B553

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction ID: cec987ca27f54d0df3a57789ab5f391b1316bc0051da666ab1eca3c5aeea150a
Opcode Fuzzy Hash: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction Fuzzy Hash: 3221B671600215BFDB20EF66C8418ABB7ADFF043A8710852FF85997251D779ED9087D4

Function 004108A2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction ID: f8db4804455f599fb5fabd8b5f86bcd1d132503182311fbe19c9dedc91394c0d
Opcode Fuzzy Hash: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction Fuzzy Hash: 8F21F9B1610205AFEB20AF62CC90DAB776CFF40368710452BF415D7252D7B9EDD097A8

Function 0041C43D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041C445

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C47D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C49D

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction ID: cd346ceb72f841712861b774b6322b7d2f9c84398f992d5f92ec2fcb375f728e
Opcode Fuzzy Hash: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction Fuzzy Hash: 091104B2A48515BF672127B25CDACFF6D5CDE99398310402AF802D2102EE2CDD8285BD

Function 004241E7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000), ref: 004241FE
GetLastError.KERNEL32(?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8,0040BDB8,?,00416E7D,?), ref: 0042420A

Part of subcall function 004241D0: CloseHandle.KERNEL32(FFFFFFFE,0042421A,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8,0040BDB8), ref: 004241E0

___initconout.LIBCMT ref: 0042421A

Part of subcall function 00424192: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004241C1,00421C31,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8), ref: 004241A5

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8), ref: 0042422F

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction ID: 4f4531f6176a0c5b6c9a7a905856594723a902087f3f8d784f297790ae8fc46e
Opcode Fuzzy Hash: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction Fuzzy Hash: C1F03736200124BBCF222FD5FC0899A7F26FB853B0F414065FA5995130C6319870AB99

Function 004102AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041033D

Strings

pow, xrefs: 00410315, 00410332

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction ID: ba283ab10e86f0ff01337ebee0106e11519cd21400a500e12903ed81b54b832b
Opcode Fuzzy Hash: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction Fuzzy Hash: CD517EB1A4A6068BCB117714DA413EB37A09B40701F604D6BE8D5413E9EB7D8CF69A4F

Function 00401E50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408090: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407FAB,?,?,?,?,00407FAB,0000000C,00432FA4,0000000C), ref: 004080F0

Strings

ios_base::failbit set, xrefs: 00401E62
ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 093cf63a05e0c9d9e505c411f0024045c7293edf30539a5a4b0b12754ed88584
Instruction ID: 797d091bbb829d4e8b0eea89e00af225cce609620468ab5527f299f1bcc47ce9
Opcode Fuzzy Hash: 093cf63a05e0c9d9e505c411f0024045c7293edf30539a5a4b0b12754ed88584
Instruction Fuzzy Hash: 2D414771504301AFC304DF29C841A9BB7E8EF89310F14862FF994A76A1E778E945CB99

Function 0040A430 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0040A46F
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A523

Strings

csm, xrefs: 0040A50D

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction ID: 2e999a1580a82348229a279466bd0bfc2513c0ac70a5a2249b741fcd72562a23
Opcode Fuzzy Hash: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction Fuzzy Hash: 2741C834A00318ABCF10DF69C844A9E7BB0FF45314F1481A6E8146B3D2D779E961CB9A

Function 0040AD3D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0040AD62

Strings

RCC, xrefs: 0040AD7C
MOC, xrefs: 0040AD74

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction ID: a4c454b0bcb5eef0a2e58a0d06434270c6490fd8828ce8058ef1224e804d7477
Opcode Fuzzy Hash: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction Fuzzy Hash: 4C416E71900209AFCF15DFA4CD81AEEBBB5FF48304F19846AF904B7291D3399960DB95

Function 00407EA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407EAE
___raise_securityfailure.LIBCMT ref: 00407F6B

Strings

@SC, xrefs: 00407F66

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @SC
API String ID: 3761405300-4053289583
Opcode ID: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction ID: 10e33e2e5eb9a3d5286ccbecc20551b6eaee076d59bf9c7ce06d7c1cd455d27c
Opcode Fuzzy Hash: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction Fuzzy Hash: 2D11E3B4651A04DBD318CF15F8817883BA4BB28346B50B03AE8088B371E3B09595CF5E

Function 00401870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00401875
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004018BA

Part of subcall function 004058AA: _Yarn.LIBCPMT ref: 004058C9
Part of subcall function 004058AA: _Yarn.LIBCPMT ref: 004058ED

Strings

bad locale name, xrefs: 004018C8

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction ID: 698a41e2f8890499ec269fe88a942146f7bab7e11b1414401b60b7a9d3f26e65
Opcode Fuzzy Hash: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction Fuzzy Hash: 90F01D71515B408ED370DF3A8404743BEE0AF29714F048E2EE4CAD7A92E379E508CBA9

Function 00405ABE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405AC5

Strings

A]@, xrefs: 00405AEB
pdB, xrefs: 00405B01

Memory Dump Source

Source File: 00000002.00000002.1718315778.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID: A]@$pdB
API String ID: 431132790-1964063989
Opcode ID: a80e33e7d8d27686206c715740f2a372a192bd8069830a42d80d814282e980e6
Instruction ID: 9708e6e5fcb6faf266b2e239077eb0a834cba51f5faa1665736d4655e106cb5a
Opcode Fuzzy Hash: a80e33e7d8d27686206c715740f2a372a192bd8069830a42d80d814282e980e6
Instruction Fuzzy Hash: AE01D6B4A00615CFC761DF68C580A5ABBF0FF08344B51896EE489DB751D7B5AA40CF98

Analysis Process: saLBqUuaxl.exePID: 732, Parent PID: 6688COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	82.9%
Total number of Nodes:	41
Total number of Limit Nodes:	9

Executed Functions

Function 004FD2C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 159
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 004FD2D1
GetCurrentThreadId.KERNEL32 ref: 004FD2E6
GetCurrentProcessId.KERNEL32 ref: 004FD2EC
ExitProcess.KERNEL32 ref: 004FD4B0

Strings

'GFA, xrefs: 004FD3C3, 004FD3CB
edgf, xrefs: 004FD44E

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: 'GFA$edgf
API String ID: 1029096631-957644222
Opcode ID: ebbc75f925856320ad03f6ce7c498b9c5e30680585271db283c9dbd57ede9196
Instruction ID: 04534c71aef8d73787e2a4bc56b9c1b3ecd4b73ddb8051c0e0b3dea340a8cd8f
Opcode Fuzzy Hash: ebbc75f925856320ad03f6ce7c498b9c5e30680585271db283c9dbd57ede9196
Instruction Fuzzy Hash: 7141477480C280ABC301BF68D544A2EFFE6AF52709F148D1DE6C487362C73AD8549B6B

Function 00537600 Relevance: 6.9, Strings: 5, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EBC, xrefs: 00537775
2wS, xrefs: 00537724
B{S, xrefs: 00537B35
%sgh, xrefs: 00537A40
4`[b, xrefs: 00537E00

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: %sgh$2wS$4`[b$B{S$EBC
API String ID: 0-1545865569
Opcode ID: 239ed56840dcfff025aba0fd1ab06c0343091fa5a4243e9a2dd9f735627ee503
Instruction ID: 04c520ea8ddf455d9ab30c268f0e80c94312e311a953b4864f01bb94dd4ae8ca
Opcode Fuzzy Hash: 239ed56840dcfff025aba0fd1ab06c0343091fa5a4243e9a2dd9f735627ee503
Instruction Fuzzy Hash: 70228BB5D0420ADFDB24CF94D892ABEBFB1FF1A314F240858E941AB352D7359845DBA0

Function 00537560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00534FF1,00000001,00000005,?,00000000,?,?,005114D5), ref: 0053758E

Strings

7654, xrefs: 00537582
7654, xrefs: 00537564

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: InitializeThunk
String ID: 7654$7654
API String ID: 2994545307-1888865020
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0053A7E0 Relevance: 2.6, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0053A8A7
MNOP, xrefs: 0053A8F3, 0053A8FB

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: InitializeThunk
String ID: @$MNOP
API String ID: 2994545307-2234187807
Opcode ID: fddd3b3084a6a3a1594481a66cd80efacf819fec0a712af71c8c33b6e1179dab
Instruction ID: d529139cd8395f122d8712c14a10f6a194d1de396e2b9005002c192f145f4c75
Opcode Fuzzy Hash: fddd3b3084a6a3a1594481a66cd80efacf819fec0a712af71c8c33b6e1179dab
Instruction Fuzzy Hash: E641DEB25082049FD710DF58C885B6BBBE5FF85318F09882DE4C5CB261E375D914CB52

Function 0053AC00 Relevance: 1.4, Strings: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MNOP, xrefs: 0053AC34, 0053AC3D

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: MNOP
API String ID: 0-783613192
Opcode ID: 6c18c838f411b530292cd5d5f5b4d579124e92d97f5bb9e82ffce46905ba899a
Instruction ID: c640b6a03e824592c386bc5143ac3cf2ddef86cab35fa03368a5579c5853297f
Opcode Fuzzy Hash: 6c18c838f411b530292cd5d5f5b4d579124e92d97f5bb9e82ffce46905ba899a
Instruction Fuzzy Hash: A4418C38608304AFD7249F14D885B2BBFA5FB96B15F248C2CF9C997251D335EC109B56

Function 00534200 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00534257

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 41b3e00b31ddd3b54ad9cab8188d48ebf3aef553956a5e689608b6baa9d01e09
Instruction ID: 78d75ed1e37f4ed9e5b38f8609e24691a781db1010b9d3b7dc2a945f14ccc3e5
Opcode Fuzzy Hash: 41b3e00b31ddd3b54ad9cab8188d48ebf3aef553956a5e689608b6baa9d01e09
Instruction Fuzzy Hash: 9BF0177850C2809BD601EB58E945A1EFBE5EB55705F44482CF4C497262C235E824DB62

Non-executed Functions

Function 0050E52C Relevance: 38.6, Strings: 30, Instructions: 1100COMMON

Download Yara Rule

Strings

AFGD, xrefs: 0050ED3B
$+*), xrefs: 0050ECE1
t{zy, xrefs: 0050EC19
UJKH, xrefs: 0050ED1D
HFo, xrefs: 0050EF0D
4;:p, xrefs: 0050ECB9
Ug0a, xrefs: 0050F579
pwvu, xrefs: 0050EC0F
PWVU, xrefs: 0050EC5F
qvw=, xrefs: 0050ECC3
1674, xrefs: 0050EC23
X_^], xrefs: 0050EC73
-"# , xrefs: 0050EC41
lSRQ, xrefs: 0050EC55
<jkh, xrefs: 0050ECCD
S=S?, xrefs: 0050E5DD
L321, xrefs: 0050ECA5
i'&%, xrefs: 0050ECD7
Xa!m, xrefs: 0050EEA9
076|, xrefs: 0050ECAF
7654, xrefs: 0050E79F
honm, xrefs: 0050EC4B
`gfe, xrefs: 0050EC37
(/.-, xrefs: 0050ECEB
@GFE, xrefs: 0050EC87
eZ[X, xrefs: 0050ECF5
\CBA, xrefs: 0050EC7D
DKJI, xrefs: 0050EC91
|cba, xrefs: 0050EC2D
T[ZY, xrefs: 0050EC69

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: $+*)$(/.-$-"# $076|$1674$4;:p$7654$<jkh$@GFE$AFGD$DKJI$HFo$L321$PWVU$S=S?$T[ZY$UJKH$Ug0a$X_^]$Xa!m$\CBA$`gfe$eZ[X$honm$i'&%$lSRQ$pwvu$qvw=$t{zy$|cba
API String ID: 0-1574315579
Opcode ID: 7210e6eda30d98f42701af48799cefd4f7ca9062ce420171aea62b1a3a42c424
Instruction ID: dce86a3284dc02c33b89a844d736e88cf7d13c901eed5d3ac5cdbb13cab2acf4
Opcode Fuzzy Hash: 7210e6eda30d98f42701af48799cefd4f7ca9062ce420171aea62b1a3a42c424
Instruction Fuzzy Hash: C3A253B4600B419FE770CF24C891BABBBE2BB85704F544C2CE5AA9B691DB31B845CF51

Function 00529000 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00529010
GetWindowLongW.USER32 ref: 00529035
GetClipboardData.USER32 ref: 00529045
GlobalLock.KERNEL32 ref: 00529068
GlobalUnlock.KERNEL32 ref: 0052914A
CloseClipboard.USER32 ref: 00529155

Strings

3, xrefs: 00529090
e, xrefs: 005290D1
?, xrefs: 005290BD

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: 3$?$e
API String ID: 2832541153-3975470078
Opcode ID: 07026e4112402cac1f4e983f854593267be134c3828748d7eee95c103254cac3
Instruction ID: 2e2d00ed593a56283a63242692ef8c462b143a4d737e7d037e7971dad3be89cf
Opcode Fuzzy Hash: 07026e4112402cac1f4e983f854593267be134c3828748d7eee95c103254cac3
Instruction Fuzzy Hash: F5416F7040C3918ED311EF3D948872EBFE0AF96314F144A6DE4DA863D2C6758549D7A3

Function 0053004B Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 420COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0052FED4
VariantInit.OLEAUT32(?), ref: 00530071
VariantClear.OLEAUT32(?), ref: 00530130
SysFreeString.OLEAUT32(?), ref: 00530155
SysFreeString.OLEAUT32(?), ref: 00530162
SysFreeString.OLEAUT32(?), ref: 00530179

Strings

7654, xrefs: 0053048D
4`[b, xrefs: 00530430

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: String$Free$Variant$ClearInit
String ID: 4`[b$7654
API String ID: 4205145696-3675246634
Opcode ID: 4e1bc9004b2d6ce942eb359ace718d1fdf4a5896e6ed384c1c26f67335757800
Instruction ID: 48dad36bf811a6d1968cf775b553d9ba829828855b5d73aaed410c11ea8ac638
Opcode Fuzzy Hash: 4e1bc9004b2d6ce942eb359ace718d1fdf4a5896e6ed384c1c26f67335757800
Instruction Fuzzy Hash: DCE1FC75A083019FDB04CF68E895BAEBBB1FB89305F14482CE485E7291D735D909DB51

Function 0052FD0E Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 403memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0052FD6C
SysAllocString.OLEAUT32 ref: 0052FE2C

Strings

7654, xrefs: 0053048D
4`[b, xrefs: 00530430
,/, xrefs: 0052FDD9

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: AllocString
String ID: ,/$4`[b$7654
API String ID: 2525500382-138038313
Opcode ID: c090b6ffad8847001c5a3f7fda7c6102de1ff5cce7e037af5f66181763f6bf4a
Instruction ID: 9c3fadba1f03a4414a85aebbbd7fbd75842956469a541723e2594e344c531ee9
Opcode Fuzzy Hash: c090b6ffad8847001c5a3f7fda7c6102de1ff5cce7e037af5f66181763f6bf4a
Instruction Fuzzy Hash: 33E1DB75A08305EFDB108F68EC85BAEBBB1FB8A305F14482CF585A7291C735D915CB62

Function 004FFEBC Relevance: 13.2, Strings: 10, Instructions: 710COMMON

Download Yara Rule

Strings

PQ, xrefs: 00500941
f, xrefs: 00500824, 0050082D
I1, xrefs: 0050002F
13, xrefs: 00500039
58, xrefs: 00500043
89, xrefs: 00500866
us, xrefs: 005008F9
9lji, xrefs: 005007A4, 005007AD
8<, xrefs: 0050004D
w%r', xrefs: 0050085E

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 13$58$89$8<$9lji$I1$PQ$w%r'$us$f
API String ID: 0-2782953580
Opcode ID: f6b0829606f129af945a0ad4bec6688cf4081706a4116d4718fba0fa6a4680b3
Instruction ID: 9f428832397a687612c06b0ad80f041230d6799e99c2deed0b6e1b2c34386b17
Opcode Fuzzy Hash: f6b0829606f129af945a0ad4bec6688cf4081706a4116d4718fba0fa6a4680b3
Instruction Fuzzy Hash: 90429BB4104740DFD3248F25D884B5ABBF5FF8A308F64996CE58A8B2A1D735E80ADF51

Function 00517B0F Relevance: 10.8, Strings: 8, Instructions: 813COMMON

Download Yara Rule

Strings

r~Q, xrefs: 00517E64
=I# , xrefs: 00517BFB
E'I, xrefs: 00517BEB
QQ;%, xrefs: 00517C03
7654, xrefs: 00518474, 0051847D
?8N, xrefs: 00517BF3
7654, xrefs: 00517B64, 00517B6D
-17E, xrefs: 00517BE3

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: -17E$7654$7654$=I# $?8N$QQ;%$r~Q$E'I
API String ID: 0-1005114666
Opcode ID: 42be1b2bd8f8ddc6a9ebaaa3e6d1397d4ee521d0a624622f34786315f19278ee
Instruction ID: 1c4a633a06849663492c6205f5ca8231c72da3589561d7b18b9d8a1b329e2fc8
Opcode Fuzzy Hash: 42be1b2bd8f8ddc6a9ebaaa3e6d1397d4ee521d0a624622f34786315f19278ee
Instruction Fuzzy Hash: A542DD79608315DFD714CF28D8806AABBE2FF9A708F48896CE88587391D735DC44DB52

Function 0050DD64 Relevance: 10.6, Strings: 8, Instructions: 613COMMON

Download Yara Rule

Strings

Vwvu, xrefs: 0050E029
7654, xrefs: 0050E3B5
4`[b, xrefs: 0050E380
8C-A, xrefs: 0050E006
4`[b, xrefs: 0050E440
;[6Y, xrefs: 0050DFF8
3_], xrefs: 0050DFFF
{/}-, xrefs: 0050DFE3

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 3_]$4`[b$4`[b$7654$8C-A$;[6Y$Vwvu${/}-
API String ID: 0-2602927754
Opcode ID: 70b16fd379dc429d66a2f9ebc869de221c84966013635e4fa97cd70ac1ca8ad8
Instruction ID: 3c412153af55728a240450b8b48ef641837020457336567d2065d06d50241ef2
Opcode Fuzzy Hash: 70b16fd379dc429d66a2f9ebc869de221c84966013635e4fa97cd70ac1ca8ad8
Instruction Fuzzy Hash: 49129BB4600700DFC764CF24C892BA6BBF2FF56308F24885CE59A8B692D775E855CB91

Function 005227B0 Relevance: 9.2, Strings: 6, Instructions: 1749COMMON

Download Yara Rule

Strings

~PF<, xrefs: 00522851
drC, xrefs: 005227D1
.L6j, xrefs: 00523301
KJIg, xrefs: 005239FB
>Wv, xrefs: 00522879
vRTb, xrefs: 00523C60

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: drC$.L6j$>Wv$KJIg$vRTb$~PF<
API String ID: 0-2296406947
Opcode ID: 3c0866ba8491ddc01819ff91803c9692e71513fc88e649fde970f54960b0c9aa
Instruction ID: 11f9662e4fe79356818a9ed25d53f5a3f1ca408080ffc755635aac278e72b2f2
Opcode Fuzzy Hash: 3c0866ba8491ddc01819ff91803c9692e71513fc88e649fde970f54960b0c9aa
Instruction Fuzzy Hash: 3AD29B74405B908AE7328F35D894BA3BFE1BF1B305F48499DD4EB8B282D739A505CB61

Function 0051C891 Relevance: 8.3, Strings: 6, Instructions: 837COMMON

Download Yara Rule

Strings

vrhz, xrefs: 0051C8D1
4`[b, xrefs: 0051D110
cb`d, xrefs: 0051CD6E
gzyi, xrefs: 0051CD66
7654, xrefs: 0051D0D3, 0051D0DB
HK, xrefs: 0051CF41

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 4`[b$7654$HK$cb`d$gzyi$vrhz
API String ID: 0-2685429167
Opcode ID: 504f530e61fdbb3279a171f038a9da2b03754779cdcdde51dc5fecb4cf2e0857
Instruction ID: bfad44f8fd0b2cbeb069b4ae68a51a7b6812593a63f5ce9faf35d945aa39d236
Opcode Fuzzy Hash: 504f530e61fdbb3279a171f038a9da2b03754779cdcdde51dc5fecb4cf2e0857
Instruction Fuzzy Hash: 0542EBB9508380DFE7019F24D891AAFBBE1FF9A348F14482DE5D58B262D335D944CB52

Function 005104A0 Relevance: 6.9, Strings: 5, Instructions: 683COMMON

Download Yara Rule

Strings

`c, xrefs: 00510BCE
[Z], xrefs: 00510554
wy, xrefs: 00510BB6
su, xrefs: 00510BAE
^G, xrefs: 00510923, 0051092B

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: ^G$`c$[Z]$su$wy
API String ID: 0-2730888924
Opcode ID: 2988da92bdab4c1bbdf3d76df03f071b5c0d4159d40f6fac2bf6c13030aa2aaf
Instruction ID: d3e504cf21e64dda683e4787946edeaba12aa0ed5910e38ee88c80aa90d854b7
Opcode Fuzzy Hash: 2988da92bdab4c1bbdf3d76df03f071b5c0d4159d40f6fac2bf6c13030aa2aaf
Instruction Fuzzy Hash: B62287B44083419BE700EF58D881A6EBBF1BF95358F088D1CF4D48B292D37AD995CB92

Function 004FEFFC Relevance: 6.8, Strings: 5, Instructions: 550COMMON

Download Yara Rule

Strings

:g;1, xrefs: 004FF279
yE, xrefs: 004FF10B
%!-0, xrefs: 004FF2A1
j, xrefs: 004FF2B8
GA, xrefs: 004FF0FB

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: %!-0$:g;1$GA$j$yE
API String ID: 0-657862259
Opcode ID: aca411b9b7aac31a24052d60ea2461692290f42512563979b15b7b570176493e
Instruction ID: eea7b14aba043a789fcb70a26beaeb6bdae1155d9a9f5c224cdbcafa5c6342e3
Opcode Fuzzy Hash: aca411b9b7aac31a24052d60ea2461692290f42512563979b15b7b570176493e
Instruction Fuzzy Hash: B102AD741083858FD321DF14D4806AFBBE1FF9A308F144A6DE5C98B392E3799919CB5A

Function 0051BB00 Relevance: 6.7, Strings: 5, Instructions: 428COMMON

Download Yara Rule

Strings

7654, xrefs: 0051BE64, 0051BE6D
L], xrefs: 0051BBCF
4`[b, xrefs: 0051BEB0
4`[b, xrefs: 0051C090
7654, xrefs: 0051C053, 0051C05B

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$7654$7654$L]
API String ID: 0-1286059558
Opcode ID: d11bca47a4bfd2ef0943396b863a8aee990ec181336ca56b38793adb843adc5e
Instruction ID: 89cbabaf4c1eaebdf24250dad4eaab44ab5117345c78c8510c7f29d2889959d6
Opcode Fuzzy Hash: d11bca47a4bfd2ef0943396b863a8aee990ec181336ca56b38793adb843adc5e
Instruction Fuzzy Hash: 39E1ADB9508344DFE320DF14D881BAEBBE5FB9A344F548C2CE68887261D736D944CB52

Function 004FF7E0 Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

6, xrefs: 004FFA0F
M|, xrefs: 004FF917
s, xrefs: 004FF907
H, xrefs: 004FF7FE
rF, xrefs: 004FF90F

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: s$6$H$M|$rF
API String ID: 0-3047902030
Opcode ID: 81bfb6b8e75b6afd9ebea2c1e720f5be70c650965b45644092199cbce57488b4
Instruction ID: c656bbb131f7bb613208754673b939f8adffe5432eee25eb3f60249344700880
Opcode Fuzzy Hash: 81bfb6b8e75b6afd9ebea2c1e720f5be70c650965b45644092199cbce57488b4
Instruction Fuzzy Hash: 33D1A97050C3859BD311DF18D494A2FBBE1AF82744F18496EE9D58B342D33AD909CBAB

Function 0051A345 Relevance: 4.3, Strings: 3, Instructions: 529COMMON

Download Yara Rule

Strings

lk, xrefs: 0051A3B4
,+, xrefs: 0051A186
;9, xrefs: 0051A0B7, 0051A0C3

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: ,+$lk$;9
API String ID: 0-1734778162
Opcode ID: 2c01eafc1130ae515fc26536b35f4a2a6b731f89b335b825641a85d99546c6ad
Instruction ID: f3f9d930d91754c4f9df4cdd0d67500c2f190f5c5c4fc08cb216ece4292ab35b
Opcode Fuzzy Hash: 2c01eafc1130ae515fc26536b35f4a2a6b731f89b335b825641a85d99546c6ad
Instruction Fuzzy Hash: 6F02B5745093428BE721DF28C480AABBBF2FF95744F58891CE4C58B260E775D984DBA3

Function 00516F20 Relevance: 4.2, Strings: 3, Instructions: 405COMMON

Download Yara Rule

Strings

7654, xrefs: 00517313, 0051731B
4`[b, xrefs: 00517350
defg, xrefs: 0051713A

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 4`[b$7654$defg
API String ID: 0-754973257
Opcode ID: 3e2da0fef9aedbb9e5dd99d19858a3045bc5f96fa9cfc2cf3645d58adaadc6f8
Instruction ID: 2f9fa9f285f22c8ac2994b7500c0c864f0690fa6a2cc449082bf39d9c065ab3a
Opcode Fuzzy Hash: 3e2da0fef9aedbb9e5dd99d19858a3045bc5f96fa9cfc2cf3645d58adaadc6f8
Instruction Fuzzy Hash: 2BC1AD755083089BE711EF18D881AABBBF5FF99354F08081CF8D18B251E335E995CBA2

Function 005350E0 Relevance: 3.1, Strings: 2, Instructions: 576COMMON

Download Yara Rule

Strings

7654, xrefs: 00535144, 0053514D
f, xrefs: 005352A6

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 7654$f
API String ID: 0-930265988
Opcode ID: ae44eabd4c394d94cf16a17d8a40a58f2ad476ef01930b0e2262e6c7612552fe
Instruction ID: ac63e5213c2b7a87f6a588ae5d578b87d464dc33d95db0425c0cfcc50faeaf13
Opcode Fuzzy Hash: ae44eabd4c394d94cf16a17d8a40a58f2ad476ef01930b0e2262e6c7612552fe
Instruction Fuzzy Hash: A412AB756087419FC715CF18C880B2EBFE6BBD9354F589A2CF8958B2A1E331E844CB52

Function 0051D56C Relevance: 3.1, Strings: 2, Instructions: 553COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0051D860
7654, xrefs: 0051D823

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 4`[b$7654
API String ID: 0-3675246634
Opcode ID: d1c02695cd90b86a503f5cae28e7e1f9dc34b51f131f4e2258c8a797abb135cd
Instruction ID: 89b140f34a4d7b332adb9fc321b5aaa9c70f840b8d6279e28b60a43789f338d0
Opcode Fuzzy Hash: d1c02695cd90b86a503f5cae28e7e1f9dc34b51f131f4e2258c8a797abb135cd
Instruction Fuzzy Hash: C8121274608341DFD724CF28D8807AABBF2BF9A314F15896CE489873A2D771D948DB52

Function 005240F5 Relevance: 3.0, Strings: 2, Instructions: 452COMMON

Download Yara Rule

Strings

#,), xrefs: 00524979
J(Z4, xrefs: 00524387

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: #,)$J(Z4
API String ID: 0-1033251941
Opcode ID: 9223f37d2801a19cf1798b238ef5aba093cd8b274f6746d8fe81b1a83dfa7c95
Instruction ID: 44a25a4d020c8ae3fa41bb6ca2a332df9325f2546e91a68790b940fdce1be420
Opcode Fuzzy Hash: 9223f37d2801a19cf1798b238ef5aba093cd8b274f6746d8fe81b1a83dfa7c95
Instruction Fuzzy Hash: 0BF1DE71604B908BE7658F34D494BE7BBE2BF13304F14886ED5EA87282CB39A505CF61

Function 0050CFF0 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0050D3C0
7654, xrefs: 0050D383

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 4`[b$7654
API String ID: 0-3675246634
Opcode ID: 278f4d794d5ced5f37c0f82e328750123d5d8bfc0b3d970b6476b120aa12bede
Instruction ID: 788ec2c23bf3ca5a9e0ccedb180fcd5a70e24131568baae357a8e333c5faeeef
Opcode Fuzzy Hash: 278f4d794d5ced5f37c0f82e328750123d5d8bfc0b3d970b6476b120aa12bede
Instruction Fuzzy Hash: FDA1FF75804208DBC720AF58DC92A7B77B4FFA2368F084428E88987391F735AD54C7A6

Function 0051D58E Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0051D860
7654, xrefs: 0051D823

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 4`[b$7654
API String ID: 0-3675246634
Opcode ID: 570126bd1a829a07e639b5fd39fbedf37c03624331cf43b74e0a694a82222f79
Instruction ID: 3deef79b55124abca87f5a92e2c29746de864cf59e5c9e1ea7b0909f1fe93e1b
Opcode Fuzzy Hash: 570126bd1a829a07e639b5fd39fbedf37c03624331cf43b74e0a694a82222f79
Instruction Fuzzy Hash: 79D12674A08381DFD724CF24D8807AABBF2BFAA318F15496CE489973A1D3719D48DB51

Function 00539390 Relevance: 2.9, Strings: 2, Instructions: 384COMMON

Download Yara Rule

Strings

P, xrefs: 00539537
5S, xrefs: 00539728

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 5S$P
API String ID: 0-164877797
Opcode ID: fb9079a04a99d42f6b598dd8e4fc53c98ad80bce3f414638b18d964096442139
Instruction ID: 77d8ab05b2b00845175652d9df03c925200ed2997845133d5190ca4d54d3ba3f
Opcode Fuzzy Hash: fb9079a04a99d42f6b598dd8e4fc53c98ad80bce3f414638b18d964096442139
Instruction Fuzzy Hash: 1AD1A4B29082658FC726CE18989071EBBE1FBC5718F158A2CE8B5AB390C7B1DC45D7D1

Function 0051C390 Relevance: 2.9, Strings: 2, Instructions: 361COMMON

Download Yara Rule

Strings

7654, xrefs: 0051C3C3, 0051C3CB
e, xrefs: 0051C710

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: InitializeThunk
String ID: 7654$e
API String ID: 2994545307-2460420260
Opcode ID: c0582c18f568c2f36b29d21144d15eaacc8256eff10d68def4b00fd53ccf143a
Instruction ID: aac539d7856812032a8b5aecd704ca75fef9696c00d731c83a9ba4e2bacff27e
Opcode Fuzzy Hash: c0582c18f568c2f36b29d21144d15eaacc8256eff10d68def4b00fd53ccf143a
Instruction Fuzzy Hash: BEA1FF755483458FE714DF18C890ABBBFE2FF95314F14892CE58597252E33AE884CB92

Function 00524DF6 Relevance: 2.8, Strings: 2, Instructions: 301COMMON

Download Yara Rule

Strings

O<>5, xrefs: 00524DFE
J(Z4, xrefs: 0052507A

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: J(Z4$O<>5
API String ID: 0-1381569939
Opcode ID: e54240440999cb06d3e823ec5474e314e41f2ca0186008e6457507ef1147b1cb
Instruction ID: be79734e122c3ba1f0b4e88e7cc9e4c12aae337b7ffc8e0fea259332c121b05d
Opcode Fuzzy Hash: e54240440999cb06d3e823ec5474e314e41f2ca0186008e6457507ef1147b1cb
Instruction Fuzzy Hash: 2CA1A670008B918AE766CF39D060BA3FFE1BF16304F54485ED4EB8B682DB76A405CB61

Function 0051A2F9 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

,+, xrefs: 0051A186
;9, xrefs: 0051A0B7, 0051A0C3

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: ,+$;9
API String ID: 0-1035581042
Opcode ID: f84b49f46518d03c9b64f7b40594a55f3355ac16a61985211282ab312580802d
Instruction ID: dfeb2bf20199340f3c41873b871dd33885c16f12ae265d051c28673f4743c3be
Opcode Fuzzy Hash: f84b49f46518d03c9b64f7b40594a55f3355ac16a61985211282ab312580802d
Instruction Fuzzy Hash: 9E715678409381DAE7258F24C980BABBBF1FF86304F549A1DE9D987221EB35D844DB52

Function 0051A274 Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

,+, xrefs: 0051A186
;9, xrefs: 0051A0B7, 0051A0C3

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: ,+$;9
API String ID: 0-1035581042
Opcode ID: 2397affcfe93ec8df7ef763751062344f8f303f251ed03f625a326026d4d1549
Instruction ID: 2dc262214535e29141ebc36649e545c1146ec4b15e8203fd2ad3a4ec52e67c4b
Opcode Fuzzy Hash: 2397affcfe93ec8df7ef763751062344f8f303f251ed03f625a326026d4d1549
Instruction Fuzzy Hash: 64617578009381DAE7258F24C980BABBBF1FF86304F649A1DE5D987221EB35D844DB53

Function 0053AF10 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 0053AF60
MNOP, xrefs: 0053AFA3, 0053AFAB

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: InitializeThunk
String ID: @$MNOP
API String ID: 2994545307-2234187807
Opcode ID: f3069ddb15e8720421a09270459d5b1417719fbec599cb25232acaad3cdd0a3d
Instruction ID: b38d303afd9ae436f2fbda224afc46d16c3d6ab7f730aad7d47d3993bf522611
Opcode Fuzzy Hash: f3069ddb15e8720421a09270459d5b1417719fbec599cb25232acaad3cdd0a3d
Instruction Fuzzy Hash: 3F3145B89083049BD314DF18D884A2BFBF9FF9A318F14992CE6C897251D335D9049BA6

Function 00516CA0 Relevance: 1.8, APIs: 1, Instructions: 255comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0053EB80,00000000,00000001,0053EB70), ref: 00516CC9

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: a032c05504cc778d3613ce96eab69f4f2d9a780765e749bc5e2e2d3d0524c62f
Instruction ID: e8dc9bae32ad741c8bd08d90627dc4f156e72279991f0e8be000b0bc8ff205aa
Opcode Fuzzy Hash: a032c05504cc778d3613ce96eab69f4f2d9a780765e749bc5e2e2d3d0524c62f
Instruction Fuzzy Hash: 1B61E0B56002049BEB20DB24DC96BB73BB8FF81358F044A58F9468F290F775E885C761

Function 00521370 Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

", xrefs: 00521658

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: ebf93012f695f814ea8beb274b67aa73a9487f93ba687a60f16075264e124bcf
Instruction ID: 9821acff46e79e6fc6c0d4fe986edbc4458d22d88e16e9a2b4c692260d88374b
Opcode Fuzzy Hash: ebf93012f695f814ea8beb274b67aa73a9487f93ba687a60f16075264e124bcf
Instruction Fuzzy Hash: 0BC12472A04B255BD714CE24E48076BBBE9BFE6350F18896DE8968B3C1D734EC04CB95

Function 00524A2F Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

J(Z4, xrefs: 00524CAC

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: J(Z4
API String ID: 0-2186490230
Opcode ID: 405294fb29117ab8fe4584bd3fc9c6969d18b272f5481f1204e4113e86cccb46
Instruction ID: 074fe630e0f532fb743b7100f395eb8d9d86d9eb2978919577c69fc353c1cb51
Opcode Fuzzy Hash: 405294fb29117ab8fe4584bd3fc9c6969d18b272f5481f1204e4113e86cccb46
Instruction Fuzzy Hash: 05A16670408B918AE7768F39D090BA3BFE1BF16304F44489DD4EA8B682D776A845CF65

Function 00538BE0 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00538DF0

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: 44576e2e486db3da04b7dd12b701db24dd430d0626392413d565ddc462f15d90
Instruction ID: 26b309458b7ceedcd59d4f4a2260a6a33b3f6de790235544cff3e825634cd592
Opcode Fuzzy Hash: 44576e2e486db3da04b7dd12b701db24dd430d0626392413d565ddc462f15d90
Instruction Fuzzy Hash: 28918C75608301ABDB28DB14C881BBBBBE6FBD5354F544C1CF99897291EB30E844DB92

Function 00535AD0 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

7654, xrefs: 00535CF3, 00535CFB

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 7654
API String ID: 0-4024152101
Opcode ID: 026be2b67953c20b80e0967e47d80ba4db2d61dcf0757a95451455372a70017d
Instruction ID: cdc5075bdeb7e90d7b0f1a5c67237ae3cf623a3a491b67c5741cd9c74019a027
Opcode Fuzzy Hash: 026be2b67953c20b80e0967e47d80ba4db2d61dcf0757a95451455372a70017d
Instruction Fuzzy Hash: 4171E0716087459FD725CE29C880B2ABBE6FFD5314F18A92CE9C587291E330DC45CB52

Function 005389F0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00538BA0

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: a1aaf3ff043a6121b783216efa723e6495537043a70cdc1f305e24dacbeebe80
Instruction ID: 76b70a406de678b04e56ad74f5d6534a2bde79443b6d86597a7146772b709937
Opcode Fuzzy Hash: a1aaf3ff043a6121b783216efa723e6495537043a70cdc1f305e24dacbeebe80
Instruction Fuzzy Hash: 3151D275608305ABC7199E18CCA1B3EFBE6FB85724F188A2CF8D597391CB35AC049791

Function 00534970 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

7654, xrefs: 00534A33, 00534A3B

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 7654
API String ID: 0-4024152101
Opcode ID: 0ab95aca48e35b66f4ba1842e4daba50eeed1e37279f6e4588369a91ec0e57a5
Instruction ID: 352b3b4e9dc2b3f7f432587ffaf2d1b73850d477aaec3f9d168ff24fff3c5c29
Opcode Fuzzy Hash: 0ab95aca48e35b66f4ba1842e4daba50eeed1e37279f6e4588369a91ec0e57a5
Instruction Fuzzy Hash: B751897560C244ABCB249F18D994B2AFFE6FB99709F18881CE5C987251D331EC50DF62

Function 0053AD90 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

MNOP, xrefs: 0053ADC4, 0053ADCD

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: MNOP
API String ID: 0-783613192
Opcode ID: 0479d4551ea498b97b698d33a1fc63832f8a9b87c8bfd013e3c1e05e6dd61870
Instruction ID: 87efb49e9895d1becd4b3aa413e3f2c9455c5b9fe0f585b24b749ea3add99e5d
Opcode Fuzzy Hash: 0479d4551ea498b97b698d33a1fc63832f8a9b87c8bfd013e3c1e05e6dd61870
Instruction Fuzzy Hash: 9E416078608344AFD724DE14D881F2BBFAAFB95714F24881CF9C997252D335DC10AB52

Function 00514490 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

80, xrefs: 005144D5

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 80
API String ID: 0-1093746208
Opcode ID: 3b938ec33b79cb07b324fddb144679aebf8eea7869a4707d11d7253f39b0cd9f
Instruction ID: 056456ab1082530534698247a43f59163de0a620ccccae91bca898f370ef1b6f
Opcode Fuzzy Hash: 3b938ec33b79cb07b324fddb144679aebf8eea7869a4707d11d7253f39b0cd9f
Instruction Fuzzy Hash: D1219FB55082009BE310AF18C841A6BBBF5FF92765F5A590CF4D59B291E338C940CBA7

Function 005281AA Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

PS, xrefs: 0052822C

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: PS
API String ID: 0-489029678
Opcode ID: 573b00587521d222294b4bc5f5baf3881d7dc7814fdc8f789029d51a15ffa3a0
Instruction ID: 98c5f71b69e01a94a1728d837399afda551d6180931086361812e499d4b4d0b0
Opcode Fuzzy Hash: 573b00587521d222294b4bc5f5baf3881d7dc7814fdc8f789029d51a15ffa3a0
Instruction Fuzzy Hash: 9221D8F0900B40AFD360EF3AC90675BBFE8EB45350F104A1DF8AA87690D371A4058BD6

Function 00539E60 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84dc163cc3c49e41649ec4ca698097034249f4fc0e626d71a11f795a22b880a
Instruction ID: b9e2058edc32edfea5d56f23d95a9485a1b427c39cf1183bcbd5c21744cb3789
Opcode Fuzzy Hash: c84dc163cc3c49e41649ec4ca698097034249f4fc0e626d71a11f795a22b880a
Instruction Fuzzy Hash: 4D12DC75A08251DFCB04CF28D8946AEBBF1FF8A314F19882DE585D7252E335D918CB92

Function 00537EDE Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c71bcd3bb9e8a53968e71587fc4bfeb634880dd02ff28e94598dad06f64446a
Instruction ID: 004862680549059e0d4d8c187c9734c828872442f17d5acbb344a959650181c3
Opcode Fuzzy Hash: 2c71bcd3bb9e8a53968e71587fc4bfeb634880dd02ff28e94598dad06f64446a
Instruction Fuzzy Hash: FA022279A08659CFCB14CF68D8806AEBBB1FF1A318F1449A8D851E7392D331E944DF90

Function 004FA3C0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0537d3602b05352d162d47d3b37e8bd64bb5caa79fc0b4c4570d86523830f7e
Instruction ID: b4142265368e93a6a5c6d504f5a620a96731403476b1c813a752864ce5e8fbb6
Opcode Fuzzy Hash: e0537d3602b05352d162d47d3b37e8bd64bb5caa79fc0b4c4570d86523830f7e
Instruction Fuzzy Hash: C3F1FF756083458FC724DF29C88063BFBE2AFD9304F08882EE5C987751E679E859CB56

Function 005046B5 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d08f85603ca87d3e1ddb34cb26a64c77bbefebfde8a6128f6fa46cc998501f
Instruction ID: 7fbdac6ee44727208a20488c3299d5499499dbc873ea16f3d322eda445d3c453
Opcode Fuzzy Hash: 00d08f85603ca87d3e1ddb34cb26a64c77bbefebfde8a6128f6fa46cc998501f
Instruction Fuzzy Hash: AAA147B05006819FE3218F29D884B1AFBF5FF5A300F244D1DE5DA87792E336A854CB95

Function 00503AE6 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1942f4fac88b38fd3ab4b40a097851fc7591de249ba2f4ef44b3b64fe7370d0c
Instruction ID: 542c062d053952e8706aebee437ced1a8e0e4340b2771047f44b63b9d680e489
Opcode Fuzzy Hash: 1942f4fac88b38fd3ab4b40a097851fc7591de249ba2f4ef44b3b64fe7370d0c
Instruction Fuzzy Hash: D9916D749006419FD725CF28D880B2AFBFAFF96304F24491DD49A87392E735E945CB94

Function 00505078 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8780f4132df6fa53c8f78823ccf45832734a0569ecd0f62527ef1b13f6a6269
Instruction ID: 3f31ab89dc94698284a95d6d115cac4892ab9cc93d3d5926ef7207e69b5ebabe
Opcode Fuzzy Hash: a8780f4132df6fa53c8f78823ccf45832734a0569ecd0f62527ef1b13f6a6269
Instruction Fuzzy Hash: 78818AB4A00A01DFD321DF29D880A2BBBF5FF9A304F14491DE58687792E735E855CBA4

Function 0051F5B7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdc577f74a6e05371dcd5b63f229eff325bed8fc8107d70147d47fda5614830
Instruction ID: e47fb7f3625996194a482ff0ece9c3010f993bee3331cd0494b658efc342c110
Opcode Fuzzy Hash: 3fdc577f74a6e05371dcd5b63f229eff325bed8fc8107d70147d47fda5614830
Instruction Fuzzy Hash: 18717BB81083518BE720EF18C890B6ABBF0FF96344F141D1CE4D59B2A1E379D945CB96

Function 00504E26 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbc45808b30e6fa3db3aa9c258438acafcf36f73bc8f78da09728321f052cbe
Instruction ID: 22d4916db5ecfc233750a6e25f4f981edebe6ece89220ab90430b6be8b03b6cc
Opcode Fuzzy Hash: 9dbc45808b30e6fa3db3aa9c258438acafcf36f73bc8f78da09728321f052cbe
Instruction Fuzzy Hash: 8D61C1B5900B01DFD7259F35E880A27BBF5FB55318F144A2CE18687AA2E771F884CB85

Function 004F5D20 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4315b43ef7fcd122fe05b4bf651397eeb99478655ea21026eccc6ad8bb353e
Instruction ID: fbb91685d2ea1fb4bc1875e80fa525b487b5d229761d083c21230c5cfcef4bf8
Opcode Fuzzy Hash: da4315b43ef7fcd122fe05b4bf651397eeb99478655ea21026eccc6ad8bb353e
Instruction Fuzzy Hash: D851E6759046099FC714DF18C48093BBBA1FF85324F19466EFA958B392D734EC42CB9A

Function 004F4C10 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c903a2774bc6df5269ec9394e4d2b4249a1b345d6e6f96374d041045904a8a
Instruction ID: 05cf065d2e99cf3c1fb4e756df20ac5fd19b9ccb8ee8b492044bea60d59097d6
Opcode Fuzzy Hash: 08c903a2774bc6df5269ec9394e4d2b4249a1b345d6e6f96374d041045904a8a
Instruction Fuzzy Hash: 0E310A306052489BD7109E59D8C093BB7E1EFC5318F1A993EE99AC7351DB39DC42CB4A

Function 0052B510 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: c0e677af2e3a7c479a1ff78ec79fcec749961dd80f1706acb8e251997b8da6dd
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: A111C633B051E40ED3168D3C9480565BFE31E97735F1D4399E4B89F2D2E7228D8A8754

Function 00520BD0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280971b818c92cda73003084fe35fa709fc308098d1831b144d262705e9ce05f
Instruction ID: 5f5d547feabcd67f010ff072108fa14054916ccec0c9806df44ccf66075cfabe
Opcode Fuzzy Hash: 280971b818c92cda73003084fe35fa709fc308098d1831b144d262705e9ce05f
Instruction Fuzzy Hash: 6701F1F1A0231947E720DE11A5C0B3BFAA9BF82318F18152CE909672C3DBB9FC15C695

Function 00535D80 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba806809778c19953ac0a2dfb69ae2c54a95d2828d67140244f0c5282ef7af9
Instruction ID: 8082f58c41aff677a1afd9aa6f895085e9c39b84eb4eef4cca2472f1b31d5d1e
Opcode Fuzzy Hash: 3ba806809778c19953ac0a2dfb69ae2c54a95d2828d67140244f0c5282ef7af9
Instruction Fuzzy Hash: 561134B4518380AFD304DF689448A1FFBE8BB96708F50982CF4D487242E735D909CB56

Function 004F7120 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9cf59fee9e0ef29fe80cc11bb054a4cf5ef83a9304f2cd08d63badaad85c0b
Instruction ID: 07daf8d6993372a4d65729e8ca94de5d00d6f1736d774af90b590ce8e6ec24ec
Opcode Fuzzy Hash: 0b9cf59fee9e0ef29fe80cc11bb054a4cf5ef83a9304f2cd08d63badaad85c0b
Instruction Fuzzy Hash: 4FF02B3676821A0BE718CD56ECD0D77B377D7D6255B09103EDA42D3341C968E80AE264

Function 0050A880 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a262c98f02bee36f9e7b41f4a9b905533450b75733afa39f2542f44ca0caaf6
Instruction ID: 6714b73fbfbf4692ad59c699e468258131d04c0480774c9c83004c9c77b749a6
Opcode Fuzzy Hash: 7a262c98f02bee36f9e7b41f4a9b905533450b75733afa39f2542f44ca0caaf6
Instruction Fuzzy Hash: D8F027B1A0421027EB2299449C80B7BBF9CEF86314F090415E840571C2E2715C4183E7

Function 00532280 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 0301f9b3e8e1e81f4a8901530123be484c128a1bd1b924a9b5f39e7ec3a30523
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 60D0A73560872146AB788E19A800977FBF0FEC7B11F89955EF582E3148D630DC41C2A9

Function 00529170 Relevance: 49.1, APIs: 2, Strings: 26, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 005291B9
GetSystemMetrics.USER32 ref: 005291C9

Strings

9T, xrefs: 005293B5
hAT, xrefs: 00529281
9T, xrefs: 0052935D
9T, xrefs: 005293CB
9T, xrefs: 00529439
9T, xrefs: 0052944F
9T, xrefs: 0052939F
9T, xrefs: 00529465
xAT, xrefs: 00529297
PAT, xrefs: 00529260
9T, xrefs: 0052940D
AT, xrefs: 00529331
@AT, xrefs: 0052924A
9T, xrefs: 0052947B
AT, xrefs: 00529326
`AT, xrefs: 00529276
9T, xrefs: 00529181
HAT, xrefs: 00529255
XAT, xrefs: 0052926B
9T, xrefs: 005293E1
pAT, xrefs: 0052928C
9T, xrefs: 00529234
9T, xrefs: 00529373
9T, xrefs: 00529423
9T, xrefs: 00529389
9T, xrefs: 005293F7

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: MetricsSystem
String ID: 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$ 9T$@AT$HAT$PAT$XAT$`AT$hAT$pAT$xAT$AT$AT
API String ID: 4116985748-1672365463
Opcode ID: 7b930825331fb1c4761206d92d4202e45d8c890fa8eff8f7e17cdba08252b2b5
Instruction ID: b5f90eae336d387d3bcc58f67e9103bf7e9daa706a62021ea4f9bd89ad234a79
Opcode Fuzzy Hash: 7b930825331fb1c4761206d92d4202e45d8c890fa8eff8f7e17cdba08252b2b5
Instruction Fuzzy Hash: E86131B44497819AE3B49F14E888BCFBEE0BB9530CF51AD1CD5896A350CBB55588CF82

Function 005271AB Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 89COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005271C3
VariantInit.OLEAUT32 ref: 005271CF

Strings

(, xrefs: 0052724F
0, xrefs: 005271FF
2, xrefs: 005271F7
H, xrefs: 0052723F
?, xrefs: 00527237
4, xrefs: 00527217
e, xrefs: 00527263
-, xrefs: 00527247
?, xrefs: 00527227
7, xrefs: 00527257
V, xrefs: 0052721F
9, xrefs: 005271EF
#, xrefs: 00527207
8, xrefs: 0052720F
!, xrefs: 0052722F

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$($-$0$2$4$7$8$9$?$?$H$V$e
API String ID: 2610073882-164105402
Opcode ID: 8e8c8c174750e2c20a27c658743d462d17eab5d4cd26e93a3f5349cfd5fbfc56
Instruction ID: 7e35ceff986f869d943b4eaaf1eb5de7d59d4b332c5f62b8cfc7b38ae6b178fe
Opcode Fuzzy Hash: 8e8c8c174750e2c20a27c658743d462d17eab5d4cd26e93a3f5349cfd5fbfc56
Instruction Fuzzy Hash: 5741F9600087C1CED726CF298488606BFA1AF16224F488ADDD8E54F7DBC775D519C7A6

Function 00525993 Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 81COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0052599D
VariantInit.OLEAUT32 ref: 005259A9

Strings

?, xrefs: 00525A01
H, xrefs: 00525A19
9, xrefs: 005259C9
e, xrefs: 00525A3D
4, xrefs: 005259F1
0, xrefs: 005259D9
2, xrefs: 005259D1
V, xrefs: 005259F9
-, xrefs: 00525A21
7, xrefs: 00525A31
!, xrefs: 00525A09
#, xrefs: 005259E1
?, xrefs: 00525A11
8, xrefs: 005259E9
(, xrefs: 00525A29

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$($-$0$2$4$7$8$9$?$?$H$V$e
API String ID: 2610073882-164105402
Opcode ID: f7dadb894d6df3ef0b20a3ca8127cd61282e919bbe5f88a6130b8e5ae3a753d3
Instruction ID: 7ecdb03911f84c6684e513ee825ff621f95bb5c12cc5721ad20935a2c1ae6b27
Opcode Fuzzy Hash: f7dadb894d6df3ef0b20a3ca8127cd61282e919bbe5f88a6130b8e5ae3a753d3
Instruction Fuzzy Hash: 2641D6601087C1CED726CF288488616BFA16F26224F488ADDD8E54F7DBC375E519CBA2

Function 00526BEE Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00526BF4
VariantInit.OLEAUT32 ref: 00526C03

Strings

u, xrefs: 00526C37
y, xrefs: 00526C47
e, xrefs: 00526C77
c, xrefs: 00526C6F
i, xrefs: 00526C87
s, xrefs: 00526C2F
w, xrefs: 00526C3F
f, xrefs: 00526C83
2, xrefs: 00526C43
}, xrefs: 00526C57
{, xrefs: 00526C4F
a, xrefs: 00526C67
q, xrefs: 00526C27
g, xrefs: 00526C7F

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: Variant$ClearInit
String ID: 2$a$c$e$f$g$i$q$s$u$w$y${$}
API String ID: 2610073882-100263010
Opcode ID: 1176002ba606681c395935ce2a51cc97cf37c060c4ebd76c7dbcff0460936c95
Instruction ID: 724cad5064af8c78832bafaecad91cbd50bf8e172bbccce055dae3c0c6d3f187
Opcode Fuzzy Hash: 1176002ba606681c395935ce2a51cc97cf37c060c4ebd76c7dbcff0460936c95
Instruction Fuzzy Hash: 8941F330508B818ED715DF28C488616BFA1AF16314F088A8CD8EA4F797C375E519CBA2

Function 00527333 Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 77COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(04EC839E), ref: 0052733D
VariantInit.OLEAUT32 ref: 0052734C

Strings

s, xrefs: 00527378
}, xrefs: 005273A0
w, xrefs: 00527388
a, xrefs: 005273B0
e, xrefs: 005273C0
2, xrefs: 0052738C
u, xrefs: 00527380
{, xrefs: 00527398
q, xrefs: 00527370
y, xrefs: 00527390
i, xrefs: 005273D0
g, xrefs: 005273C8
c, xrefs: 005273B8
f, xrefs: 005273CC

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: Variant$ClearInit
String ID: 2$a$c$e$f$g$i$q$s$u$w$y${$}
API String ID: 2610073882-100263010
Opcode ID: 869a3955a04cc5ca8adba8f8054f601161e58253b9b17f89021d7a3bd0635965
Instruction ID: fcabf3c3eed3f953be7eda13d52191e5bcc53919f4194a0450df5257834f1ee4
Opcode Fuzzy Hash: 869a3955a04cc5ca8adba8f8054f601161e58253b9b17f89021d7a3bd0635965
Instruction Fuzzy Hash: 1B41D630508B818ED715DF28C588716BFE1AF16314F088A8CD8EA4F797C375E519CBA2

Function 00518680 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 391COMMON

Download Yara Rule

Strings

D^, xrefs: 00518B4B
8U!W, xrefs: 00518945
I\, xrefs: 00518B53
AK, xrefs: 00518B3B
L!_#, xrefs: 005189D4, 005189DD
dE;G, xrefs: 00518965

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID:
String ID: 8U!W$AK$D^$I\$L!_#$dE;G
API String ID: 0-1822214113
Opcode ID: 63ec8e3044ac19b86380273e18d86e639f0e22a612f1d86e46fa0cdfe2cd02d4
Instruction ID: 18690bc522601e6b2a26e65ecd42a0d7374d818ccb03195957eb44a394ad115c
Opcode Fuzzy Hash: 63ec8e3044ac19b86380273e18d86e639f0e22a612f1d86e46fa0cdfe2cd02d4
Instruction Fuzzy Hash: 13E15FB4108340ABE320DF55E980A6BBBF0FF86B48F54491CF5849B261D738D949DBA7

Function 005261D5 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00526253

Strings

-, xrefs: 005261F6
/, xrefs: 005261FE
0, xrefs: 00526414
3, xrefs: 005261EE
1, xrefs: 005261E6
., xrefs: 005261FA

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: AllocString
String ID: -$.$/$0$1$3
API String ID: 2525500382-387867814
Opcode ID: d0890c032e22df8ecc8e41fda34c2cd6b2caaac0e26a2a10cfdaf8dc0a940bfa
Instruction ID: 381943281ae7dcb0ff1e3410791764a58a3295e67d1dc550df626ecc63f44e2c
Opcode Fuzzy Hash: d0890c032e22df8ecc8e41fda34c2cd6b2caaac0e26a2a10cfdaf8dc0a940bfa
Instruction Fuzzy Hash: 03918260508BC38AC326CB3C9888605FFA17B67234B4887D9E5F54F7E7D260D586C7A6

Function 005256F6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 175memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00525778

Strings

9T, xrefs: 005256BD
0, xrefs: 0052593F
9T, xrefs: 005256A9

Memory Dump Source

Source File: 00000003.00000002.2945377054.00000000004F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2945354266.00000000004F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945415334.000000000053D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945433997.0000000000540000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2945454337.0000000000550000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_saLBqUuaxl.jbxd

Similarity

API ID: AllocString
String ID: 9T$ 9T$0
API String ID: 2525500382-1169922966
Opcode ID: 1a10c0b21ce3d728314ece6d49f2d051e4f973d0385166936d32e862ebcd0720
Instruction ID: 81d3994823775d35bcb253a4582f6fc3f3fa448c546f3bd3eb2bae77048cef02
Opcode Fuzzy Hash: 1a10c0b21ce3d728314ece6d49f2d051e4f973d0385166936d32e862ebcd0720
Instruction Fuzzy Hash: 8DA1A760508BC38EC326CB3C9888645FFA17B27224B4887DDE5F54E3E3D7649586C7A6

Analysis Process: aqYlLZ8hwJ.exePID: 6904, Parent PID: 6688COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	88
Total number of Limit Nodes:	9

Executed Functions

Function 05E9A3D8 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

:\Users\user\AppData\Roaming\Adobe\*, xrefs: 05E9A566

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: :\Users\user\AppData\Roaming\Adobe\*
API String ID: 0-155104036
Opcode ID: 96bd4906e19be35d8cb4f9a10632c1e4541f478c9540fe796e0397e43dab7f6b
Instruction ID: 4106ad9f2450d93e9bffaecc579dfc0b103b13cb441c4764601c38ee7f286631
Opcode Fuzzy Hash: 96bd4906e19be35d8cb4f9a10632c1e4541f478c9540fe796e0397e43dab7f6b
Instruction Fuzzy Hash: 8DD1F670D00318CFDB18EFB4D84869DBBB2FF8A301F5095A9E55AAB295DB315989CF01

Function 05E967D8 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a47e886906b8a77ee6002da2729dd2284d60ace7c754cef0d067b270e7f20d3
Instruction ID: 78df468377aa6e4a2891605ef1f9484c3b9e7a9cc2b3bb32629d4faf453d4d4e
Opcode Fuzzy Hash: 4a47e886906b8a77ee6002da2729dd2284d60ace7c754cef0d067b270e7f20d3
Instruction Fuzzy Hash: 00F1AE31A002199FDB15DF68D880B9EBBF2FF84304F15856AE449EB291DB30ED45CB91

Function 05E81298 Relevance: 10.2, Strings: 8, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05E81455
$^q, xrefs: 05E813AC
$^q, xrefs: 05E8137B
$^q, xrefs: 05E81461
$^q, xrefs: 05E813A0
$^q, xrefs: 05E81430
$^q, xrefs: 05E813EB
$^q, xrefs: 05E81336

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: df5aae2784b8834d16156c2e3867df9b6c51e31034f8d0230b3724b69a953135
Instruction ID: 3bbc7ec2161980eb2a2e36d8e196ffa506fd226477bfa844fcca4b6fa56e1b4f
Opcode Fuzzy Hash: df5aae2784b8834d16156c2e3867df9b6c51e31034f8d0230b3724b69a953135
Instruction Fuzzy Hash: C061DF707002049FEB59EBA98858A3A77E7BF88705B129419E64E8F396DF71DC02C791

Function 009BD0A8 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 009BD136
GetCurrentThread.KERNEL32 ref: 009BD173
GetCurrentProcess.KERNEL32 ref: 009BD1B0
GetCurrentThreadId.KERNEL32 ref: 009BD209

Memory Dump Source

Source File: 00000004.00000002.1859436627.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 61cc630d4659dfba0188d013f4d3f63a15fd0a8583bfdcdfbbc431035f183df1
Instruction ID: 3c8f6f272c46ea6750bb016b56dff90e0e93561fb18c6e72964da09be4404ab7
Opcode Fuzzy Hash: 61cc630d4659dfba0188d013f4d3f63a15fd0a8583bfdcdfbbc431035f183df1
Instruction Fuzzy Hash: D85167B09013498FDB18DFA9D948BDEBBF1EF88314F248459E019A73A0DB749984CB65

Function 009BD0B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 009BD136
GetCurrentThread.KERNEL32 ref: 009BD173
GetCurrentProcess.KERNEL32 ref: 009BD1B0
GetCurrentThreadId.KERNEL32 ref: 009BD209

Memory Dump Source

Source File: 00000004.00000002.1859436627.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c00a1166fe4fe10f1c10cd33a6c8422f734dcc970be278bf3422a96f7f269a32
Instruction ID: 20e9563d86c3151fb77bf756ee49394e88f376eda55bbe32065d063d47ffac7c
Opcode Fuzzy Hash: c00a1166fe4fe10f1c10cd33a6c8422f734dcc970be278bf3422a96f7f269a32
Instruction Fuzzy Hash: 235178B09013498FDB14DFA9D948BDEBBF1EF48314F208419E019A73A0DB749984CF65

Function 05E810D0 Relevance: 2.7, Strings: 2, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05E813EB
$^q, xrefs: 05E81336

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: f80483ee915c11c7d3436dc3084a88799378bfd22b931811f4973d2dc85690c8
Instruction ID: 502e66bbcfe10126d2520e1e4a3698787d0abf84def48cc5f7365ad44dfebd9c
Opcode Fuzzy Hash: f80483ee915c11c7d3436dc3084a88799378bfd22b931811f4973d2dc85690c8
Instruction Fuzzy Hash: 9D71C0707002009FDB59ABA8C854B7A7BE7AF89705F11942AE64ECF3A2DE75DC02C751

Function 009BAE30 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009BB086

Memory Dump Source

Source File: 00000004.00000002.1859436627.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b2bcf9bd1841dd64a8b7842e6c4bdd67de839ae080304db5bba0b232ee61595f
Instruction ID: 444ce0432889310bf7e95a2463f8829443df96376d1cf507d859b4ad6e9fc275
Opcode Fuzzy Hash: b2bcf9bd1841dd64a8b7842e6c4bdd67de839ae080304db5bba0b232ee61595f
Instruction Fuzzy Hash: 668166B0A00B058FD724DF29D5457AABBF5FF88310F00892DE48AC7A50DB75E849CB92

Function 05E93F50 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

$^q, xrefs: 05E941E4

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: a826eb5780c469a767eed26c6b0cb0a298561e4aa672b0f8161225292f185811
Instruction ID: 852331fbdb570d0bcb7b3d7eb23bd720b6f6b01ba3d3ff78cf6514087cd86dec
Opcode Fuzzy Hash: a826eb5780c469a767eed26c6b0cb0a298561e4aa672b0f8161225292f185811
Instruction Fuzzy Hash: B3E15D74B002158FDF18DF69C454AAEBBF2FF88604B149569D946EB3A5DB30DC02CBA1

Function 009B5935 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 009B59F1

Memory Dump Source

Source File: 00000004.00000002.1859436627.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2afe47bd9bd61b39950d12cb2e5397723378058c5321c6a53523a1ce4aac6d61
Instruction ID: 9231a95ba3ef3c4e1f28c1a38acdfb3eea84df192173873304bf10f4b6af201f
Opcode Fuzzy Hash: 2afe47bd9bd61b39950d12cb2e5397723378058c5321c6a53523a1ce4aac6d61
Instruction Fuzzy Hash: D641EDB0C00719CFDB24DFA9C884BCDBBB5BF49314F20816AD408AB251DBB5694ACF90

Function 009B4248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 009B59F1

Memory Dump Source

Source File: 00000004.00000002.1859436627.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8101e1f782f27f4c762b87a8aa99d8cab0dd7da6c126e9d8c1d26ece04ac2afa
Instruction ID: a6b5837de2b56847bb7f6acc3a864a10e1121c880c622cae14e3185da66deed8
Opcode Fuzzy Hash: 8101e1f782f27f4c762b87a8aa99d8cab0dd7da6c126e9d8c1d26ece04ac2afa
Instruction Fuzzy Hash: 8641D0B0D00719CEDB24DFAAC984BDDBBB5FF48314F20816AD409AB251DB756945CF90

Function 009BD300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009BD387

Memory Dump Source

Source File: 00000004.00000002.1859436627.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5fcf77356274f8bfe29e7c0ad7428ece7bcd62666131427be4bd8ccb29136de9
Instruction ID: 54bf6764e6e0a37a1a5e21f48709a6bf61d740253c0e0435829b9517dfd390e9
Opcode Fuzzy Hash: 5fcf77356274f8bfe29e7c0ad7428ece7bcd62666131427be4bd8ccb29136de9
Instruction Fuzzy Hash: BB21E4B59003489FDB10CFAAD984ADEBBF9EB48320F14841AE918A3351D375A954CFA1

Function 009BD2F9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009BD387

Memory Dump Source

Source File: 00000004.00000002.1859436627.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a1e90e493390ed79c243efbdc18e56c36e1517d09c4302aa1c8e85aa6a5466b
Instruction ID: 6757f658e0e5e2345061bdf643d4eeae9cf9f0287b5076c9b0a6f4ed42552bfe
Opcode Fuzzy Hash: 3a1e90e493390ed79c243efbdc18e56c36e1517d09c4302aa1c8e85aa6a5466b
Instruction Fuzzy Hash: D52112B59003099FDB10CFA9E584ADEFBF9FB48324F10841AE918B7250D378AA40CF60

Function 073C5B58 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,073C5ABE), ref: 073C5BC6

Memory Dump Source

Source File: 00000004.00000002.1873925691.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73c0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 40e23c4fee7ef41332676c9fe0e952fa1fbd3b9e68b1d48af90052d726fbdc9a
Instruction ID: 2ad7ae6acc79b4e541be5a2fa592a6d0371a654d1824a887f315fea5dfd31847
Opcode Fuzzy Hash: 40e23c4fee7ef41332676c9fe0e952fa1fbd3b9e68b1d48af90052d726fbdc9a
Instruction Fuzzy Hash: E21126B5C003498FDB10DF9AD844ADEFBF5EB88324F10841AD459A7650C375A946CFA1

Function 073C55E0 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,073C5ABE), ref: 073C5BC6

Memory Dump Source

Source File: 00000004.00000002.1873925691.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73c0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f8fae4f42d91cd536d74b8fbf3bdc12e2f07b2a3b11448013cea4dfff81fffbb
Instruction ID: f720ec62dbcf6cd5d6a377213c9d670bddd460d8e8dc9db753216623e4d7b51d
Opcode Fuzzy Hash: f8fae4f42d91cd536d74b8fbf3bdc12e2f07b2a3b11448013cea4dfff81fffbb
Instruction Fuzzy Hash: 1C1123B5D003498FDB10DF9AD444ADEFBF5EB88320F24841AD419B7610D375A945CFA4

Function 009BB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009BB086

Memory Dump Source

Source File: 00000004.00000002.1859436627.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9b0000_aqYlLZ8hwJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d0beff512d7c66251ec10a9f496e25a5e301e6d536c6362111e0db815cbf54fa
Instruction ID: cb2860179280aafef7514a64b4d2ba5f3657af85b8547017c869cdc1cc0e3b08
Opcode Fuzzy Hash: d0beff512d7c66251ec10a9f496e25a5e301e6d536c6362111e0db815cbf54fa
Instruction Fuzzy Hash: DC11E0B5C003498FCB20DF9AD944ADEFBF9EB88324F10841AD469B7650C3B5A545CFA1

Function 05E959C8 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

d, xrefs: 05E95C29

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 50a833dd2a599ce96c3200885c44341224a1e3948ebfc4c198dd6b50b2d00835
Instruction ID: a95f37ce29b655e711645503fa2c844c7cda73a9b510222724c25571b880c703
Opcode Fuzzy Hash: 50a833dd2a599ce96c3200885c44341224a1e3948ebfc4c198dd6b50b2d00835
Instruction Fuzzy Hash: 82C15B35600602CFCB29CF19C580D6ABBF2FF89314B26C95AD59A9B665D730FC46CB80

Function 05E81BA0 Relevance: 1.4, Instructions: 1441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19a2e5d8ab3afe6b6915ca2c1dc440b0158cfd5bf555888c0d3b2b8a5802726
Instruction ID: ef40fa962353ae9a90af0ec3f800ade25c4d456c3a2e3db1a5713eff5aeb3d0d
Opcode Fuzzy Hash: c19a2e5d8ab3afe6b6915ca2c1dc440b0158cfd5bf555888c0d3b2b8a5802726
Instruction Fuzzy Hash: F8C26F74B001189FDB14DFA4C955AADBBF6FF88704F108099E60AAB3A1DB31AD45CF91

Function 05E93DE0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05E93F25

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d0731ab69a9ab7fcef04055f936927a98bd9249fb14602f18b81b81b56f8f18d
Instruction ID: 2631eedab90eb409b331d7fc55bdafa3a5309ee0e30c18b04dcb71c1f8f2107b
Opcode Fuzzy Hash: d0731ab69a9ab7fcef04055f936927a98bd9249fb14602f18b81b81b56f8f18d
Instruction Fuzzy Hash: E03158317043508FD719A73CA4506AE7BE6EFCA31570548AEE489CB341DE35EC0787A2

Function 05E984D8 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05E985B1

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 71e1b0d8676e1652034466ffaa1ef6a6df99c440444bb70096f61702c398c0e3
Instruction ID: 4ac5214d3bcdaa0b08061cc7f67be046e6627bac0a8143d67118c425845b2015
Opcode Fuzzy Hash: 71e1b0d8676e1652034466ffaa1ef6a6df99c440444bb70096f61702c398c0e3
Instruction Fuzzy Hash: 58319A317002088BEB09AB79E4946AE77E7AFC8211B508839D51BCB385EE75DD4687D2

Function 05E984C8 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05E985B1

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: cdf15cfa63e517b47b9339eebe5f3681af5717efe7bb32e33ae491bb11467afb
Instruction ID: 604b0b5a220af9b388827a6504c9d134d2dbd19918d1d3f09efd4a2948fb1da6
Opcode Fuzzy Hash: cdf15cfa63e517b47b9339eebe5f3681af5717efe7bb32e33ae491bb11467afb
Instruction Fuzzy Hash: CE218B317102148BEB09AB7894A467E37E3AFC8211750483DD51BDB386EE79DD4A87D2

Function 05E9B358 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05E9B399

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 618b1f5ed1f561c1c4d8558bd71d5b1e123ade693e44b9e503c57eed1244dac0
Instruction ID: ccc9b189feaa0c45382855370a873c68064b00d9ce52055b73b18f36119d14dd
Opcode Fuzzy Hash: 618b1f5ed1f561c1c4d8558bd71d5b1e123ade693e44b9e503c57eed1244dac0
Instruction Fuzzy Hash: 2201B130915349EFCB00EFB8E4A458CBFF5FF45301B2048AAD985D7251DB341A89CB92

Function 05E93EC8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05E93F25

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 35cfa444584f2888357dc64e2f015fc09d9f458218e087f84f6ac43bfac2f661
Instruction ID: 84fe55294bca7abd514947487fab2787adfb42cbe5c0ca57b52d567db9310744
Opcode Fuzzy Hash: 35cfa444584f2888357dc64e2f015fc09d9f458218e087f84f6ac43bfac2f661
Instruction Fuzzy Hash: 77F090313006118BC208EB2DE490AAF77EAEBC92513104D2DE44EDB345EF74AD4A87E2

Function 05E9B368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05E9B399

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 4df96254bab511358ac07b6f3ae148322019fbfdcad06fa7197d961ee862507d
Instruction ID: eb632dcfbb603d9f33473645f74c389f709431048a88ceca3aff7b54a4a967ce
Opcode Fuzzy Hash: 4df96254bab511358ac07b6f3ae148322019fbfdcad06fa7197d961ee862507d
Instruction Fuzzy Hash: 16F08C70E11208EFCB04EFB8E49865CBBF6FB44301F1085A9E90AD7214EE301A488B81

Function 05E800D8 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d60b6a7901c5fb5f1e86e3a14916528099c9c2a28850bac31ff08f8dc888f4e
Instruction ID: f5a4a4219892987179f97de4896d6b5ddf5fe2df399945c890f0cb9eb063d89a
Opcode Fuzzy Hash: 7d60b6a7901c5fb5f1e86e3a14916528099c9c2a28850bac31ff08f8dc888f4e
Instruction Fuzzy Hash: 364298307007288FCB24AF789454A2EB6E2FFC5705B51495CD54B9B392CF79ED098B82

Function 05E80598 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8972224ef3120c39cb724285654fc5ee82b62222c021e30536365aa59d3db4a1
Instruction ID: 127bb95687441b0768c71bb2297c0ea7169a924f7241b96ba1b65ec5a1078c8f
Opcode Fuzzy Hash: 8972224ef3120c39cb724285654fc5ee82b62222c021e30536365aa59d3db4a1
Instruction Fuzzy Hash: D6027A307007148FDB24AB64C858A3E77E6FF85705F519858E54A9B3A2CF79ED098B82

Function 05E800B8 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24ed160d27de52748238cf0effb6ba678756458d74e6965e65bb10eed639c56
Instruction ID: 3a6b33e8ee22ad7067aab058dac1d11c905d0a6083311d35cbdb6436104f55da
Opcode Fuzzy Hash: c24ed160d27de52748238cf0effb6ba678756458d74e6965e65bb10eed639c56
Instruction Fuzzy Hash: D6C1A1307003009FEB04EBA4C859B7A7BEABF89704F119455E60A9B3A2DF75EC45CB91

Function 05E80610 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701f150f951d556d1da809a86770b56f45ec7f833e66e038b2f0864902a63e7e
Instruction ID: b37050e37469d24af59f46baff45b22517932d195d7ace1f256bc604b6a5691d
Opcode Fuzzy Hash: 701f150f951d556d1da809a86770b56f45ec7f833e66e038b2f0864902a63e7e
Instruction Fuzzy Hash: 12C171307003009FEB04ABA4C858B7A77EBBF89705F119455E60A9B3A2CF75ED45CB91

Function 05E94AFF Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ef9d8e7277ffa87309fb5070d0bfd58360ddd21c33dad7088ce6f36d284ce2
Instruction ID: 5cfd95724d12b90564044f880f754c10b8b5e06216a986781c326d6cef6af4ed
Opcode Fuzzy Hash: 45ef9d8e7277ffa87309fb5070d0bfd58360ddd21c33dad7088ce6f36d284ce2
Instruction Fuzzy Hash: A2C14974700605CFDB15DF29C484AAABBF2FF88305B1585A9E546DB3A6DB30EC45CB60

Function 05E83DED Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d6ef2c1fd745d142def6354d234464374eefd8077d3052bba533678e2674e1
Instruction ID: 1e653a23201036546663167c42a1a601f63352d036b89d5a99be348b7eadc3bc
Opcode Fuzzy Hash: 39d6ef2c1fd745d142def6354d234464374eefd8077d3052bba533678e2674e1
Instruction Fuzzy Hash: 41B10974B002148FCB44DF68C894EAABBF6FF89714F118099E54ADB3A2DA71EC45CB50

Function 05E97D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb38cfd50fdf7cabd54861c4d60856bfd5d811a8b96fdea899f7f282138d817
Instruction ID: d5108e55d0c20bc903d67e5944ab9114aecac5e7231a76a0d830c9eadb2422b0
Opcode Fuzzy Hash: 5fb38cfd50fdf7cabd54861c4d60856bfd5d811a8b96fdea899f7f282138d817
Instruction Fuzzy Hash: 465127B0E102188BDF18CFA9D885BDEBBB6FF89314F14942DE455AB250DB749846CF80

Function 05E97D4C Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44901b178984e883cbcb643a61c5408ff9188a6310d9df1bdc9c41bca2b64b5
Instruction ID: c9dc34051d3669df406defa06ca45b210cff9494205bf0349a245a5648716648
Opcode Fuzzy Hash: e44901b178984e883cbcb643a61c5408ff9188a6310d9df1bdc9c41bca2b64b5
Instruction Fuzzy Hash: E95125B0D202588BDF18CFA9D985BDEBBF1FB49304F14942DE455AB280DB749849CF80

Function 05E81582 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b727a0076ea8bb3863c0e75a8b1ae18d6d37d48c0830fbdce96dfb252c72bb22
Instruction ID: ad5d91bfbb7a3788b804f4e60070a88d93322e4ee2f42befdbeaea1570ef6abc
Opcode Fuzzy Hash: b727a0076ea8bb3863c0e75a8b1ae18d6d37d48c0830fbdce96dfb252c72bb22
Instruction Fuzzy Hash: 8531C074B042448FDB18AB64C854A7EBBE6EF85304F15942AD58BC73A2EE34CC02CB51

Function 05E95579 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e8556c60a81a7f825e5c9a80b63cd1ee08f73ebdb8cd360822c3ca5ccda566
Instruction ID: 79ebf1855f8af88cc7e9e81b372f41bb92bbd0847ba27bcdd538b8988db5a129
Opcode Fuzzy Hash: 02e8556c60a81a7f825e5c9a80b63cd1ee08f73ebdb8cd360822c3ca5ccda566
Instruction Fuzzy Hash: F0318E757002109FDB15DF38D8849AE7BB6FF89301B048469E949CB356DB34ED05CBA0

Function 05E95588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539adb089af72bf3b6f0874ac7babe77c14b25bf494b2f2130d12fae609d62f9
Instruction ID: ce622f242647fbaf01ba14982cab70799295e50d9357650cc3e0a9b4be8bb71f
Opcode Fuzzy Hash: 539adb089af72bf3b6f0874ac7babe77c14b25bf494b2f2130d12fae609d62f9
Instruction Fuzzy Hash: A6318D75700210AFDB15DF38D8849AEBBB6FF89301B40846AE909CB356DB31ED05CBA0

Function 05E82EC0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93516a550ab3581bb70bdf7c823c7ebca9bf4b299ac8d00cd19d6d6a86d55c94
Instruction ID: 341edb1501c08adc5cc06a7fc223d193b3193acf39bcc1028d09de7daa204b6c
Opcode Fuzzy Hash: 93516a550ab3581bb70bdf7c823c7ebca9bf4b299ac8d00cd19d6d6a86d55c94
Instruction Fuzzy Hash: 47316F35E105199FCB05DFA9D8809EEFBF6FF89314B15806AE919B7310EB31A845CB50

Function 05E987A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a36ba38db15fda5b812776ea111adaf87d7e05ba9710741d2ecdea6eba0b98
Instruction ID: d1d8f924acc00af3fb2070c855f70e42d5bf7128abde685747edec1beff4e9da
Opcode Fuzzy Hash: c7a36ba38db15fda5b812776ea111adaf87d7e05ba9710741d2ecdea6eba0b98
Instruction Fuzzy Hash: 9D4105B1D012489FDF18DFAAD944ADEFBF6AF88314F10802AE415B7250DB35A945CF90

Function 05E82EB4 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108415c995bfbd1a0dff416bc821bfd26701d8b39f140452e0d3b5ecad6fb4fd
Instruction ID: d79f0fdb91137a0bebe7af44f96dc3618e04169e3944a41f6dbb99926eaab854
Opcode Fuzzy Hash: 108415c995bfbd1a0dff416bc821bfd26701d8b39f140452e0d3b5ecad6fb4fd
Instruction Fuzzy Hash: 87316035E106199FCB05DFA9D8848DEFBF6FF89314B15806AE949B7351DB30A805CB50

Function 05E8360B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870053005.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e80000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb520c5831b85ddf065f5231be751ab1afca71603a11a25b0252dd5934e6726
Instruction ID: 36b1d62b6bd196e7ebc958c90d0240bdc137ad96a144ad1fb5fb57955ce0aa7b
Opcode Fuzzy Hash: fcb520c5831b85ddf065f5231be751ab1afca71603a11a25b0252dd5934e6726
Instruction Fuzzy Hash: 7D215E35B000049FDB54DF69C894EAABBB2FF88715F1180A9F9099F3A2DA31EC05CB50

Function 05E98796 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36f2209d608e9b05095e4a0cc2de98cbfa36ffed84b2efe909d45cee32aaef5
Instruction ID: 93dbe2ca36695da487172b9b908d1d094f45f542eaf29d14a8ece48034000d79
Opcode Fuzzy Hash: d36f2209d608e9b05095e4a0cc2de98cbfa36ffed84b2efe909d45cee32aaef5
Instruction Fuzzy Hash: 293124B1D102489FDF28CFA9D994ADEBFF6AF48304F14802AE415B7250DB349945CF50

Function 05E98A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13c5510a5b1630a11599b0edcefc9bd82b641ec3cbd96fe044eb628026a81b9
Instruction ID: 4a41cebc46f9414302350f771a8fff194ccddba60626c889760e5ad73ab83a47
Opcode Fuzzy Hash: a13c5510a5b1630a11599b0edcefc9bd82b641ec3cbd96fe044eb628026a81b9
Instruction Fuzzy Hash: E23132B5D052489FCF14CFA9D880ADEBBFAAF48310F14802AE409A7250DB34A846CB90

Function 05E9549F Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd1de6b19286eb2510e0e7710c60e649b99e11bbb66131ea3a38c4674477dc3
Instruction ID: 2b763ea39ff545d83e020c298af71252f9a54dfbb6e41bb5cba45ff4f9a01fb3
Opcode Fuzzy Hash: 5bd1de6b19286eb2510e0e7710c60e649b99e11bbb66131ea3a38c4674477dc3
Instruction Fuzzy Hash: 8B21057160D351CFDF2FCA7958140AA7BE3BF8120A31898AFD4C6C666BE535D885C391

Function 0087D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1859117559.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_87d000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3203949736b1186b4dfcefa37ba58542fc9e4943732535e8cda2bb5a2a6030da
Instruction ID: a7c6432343c608bd31bb234970503b2f6609e4f5a9b032faa295bbc13628312b
Opcode Fuzzy Hash: 3203949736b1186b4dfcefa37ba58542fc9e4943732535e8cda2bb5a2a6030da
Instruction Fuzzy Hash: 2821CF756047049FCB14DF14D984B26BBB5FB94318F24C969D80E8B29AC33AD807CA61

Function 05E98A8C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9f3e60955a181d7527d082de2402b52c562eb4b2792aff951f4f1c59ada0d5
Instruction ID: b032ea96ecf026d58383b6c1f47ea209b531e8088cd80f77b9a9009d79a881c2
Opcode Fuzzy Hash: af9f3e60955a181d7527d082de2402b52c562eb4b2792aff951f4f1c59ada0d5
Instruction Fuzzy Hash: A82144B1D042489FDF18CFA9C895BDEBFFAAF48310F18841AE045B7290DB349946CB50

Function 05E9BC5F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eb33b17ddc21f9702c93cbd0c29bc4a90ba2806bef7d159b2e163097676683
Instruction ID: f8d84ea2dc10c01cf8a6fc8de842dbfd7ee626601c97a11d79169ac5918594ff
Opcode Fuzzy Hash: a8eb33b17ddc21f9702c93cbd0c29bc4a90ba2806bef7d159b2e163097676683
Instruction Fuzzy Hash: 1F1102302102014FC799AB38A8106AF7BE7EFC1342715182DE686C7A41DF30AA8B87D2

Function 0087D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1859117559.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_87d000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 27c699737864fda83f46b4f6431ccf622e69834ca301892dc3bbe72cff962022
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: C511BE75504780CFCB11CF14D5C4B15BB72FB44314F24C6A9D80D8B65AC33AD80ACB61

Function 05E98350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c54cf97dbefcbe8968df39e840f7f71e606d3752614eb7f253276c0ba93005
Instruction ID: 9ea70e406ebf01d46ecf794b2418857c6a7e25ef22adedbc142e8fd9aeeccf77
Opcode Fuzzy Hash: d6c54cf97dbefcbe8968df39e840f7f71e606d3752614eb7f253276c0ba93005
Instruction Fuzzy Hash: 6801D431B001199BEF10DEA9EC45ABFBBFAFBC4211B148036F615D3241DF70A90587A1

Function 05E9C499 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a2e0d4f33615b98ee61f7568f18d27405415c1991e01c98d9e9ef7d5cbb27b
Instruction ID: 926004bf4a04c796f93cb284f28cf653e81b3f9fa09ae2933e07576514f0d9de
Opcode Fuzzy Hash: 49a2e0d4f33615b98ee61f7568f18d27405415c1991e01c98d9e9ef7d5cbb27b
Instruction Fuzzy Hash: 5B11A1302043148FD325AF74D41866E7BE3FFC5312F118A2DD58A87685CF74A94ACB92

Function 05E9BC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf7d186b56db799cbdd9a68f4b80b811e93e295be818a4154224fa221b06fd7
Instruction ID: 541933ce8d3d53f39af3621b93c3469eb958dc1b60c13a5ec3822f69322263c6
Opcode Fuzzy Hash: 9bf7d186b56db799cbdd9a68f4b80b811e93e295be818a4154224fa221b06fd7
Instruction Fuzzy Hash: 32019E352106014B8688A738E45466F7AA7FFC43527455828E20BCBA40DF30BA8A87D6

Function 05E96E90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac02e01e03c7c19288b006e6d28deb54fa08b06a25928e8e1cabba35424bdd20
Instruction ID: ab5f22fe7ebb4dcf72d5150f6df1a04341682f32cf1164414e5b4a4b9bcd52fd
Opcode Fuzzy Hash: ac02e01e03c7c19288b006e6d28deb54fa08b06a25928e8e1cabba35424bdd20
Instruction Fuzzy Hash: 1AF062632041D83FDF554EAA5C11EFB3FEDDB8D161B094096FAD8D2242C429C91197B1

Function 05E9E8B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e15649172e337f4c6c4a007ac189ede2a16d09979d76c229f331fb676c205f
Instruction ID: 305d90abda4412e7b429d1df5438c2567a2699489391ebbc83805e478601ffce
Opcode Fuzzy Hash: e1e15649172e337f4c6c4a007ac189ede2a16d09979d76c229f331fb676c205f
Instruction Fuzzy Hash: 5F01D6346183489FCB02DF74D81486A7FBAEF9A300B1489EDE685CB362DA36DD11D791

Function 05E9C4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc242b807c75f1c294b6dd2b2be00ddec0410db90b28d0939daf0f56b4000407
Instruction ID: 965b3af50f7d7b89d0eacee1a5511b33172ba4d1a58b6d4f231bce1d5ef2c478
Opcode Fuzzy Hash: cc242b807c75f1c294b6dd2b2be00ddec0410db90b28d0939daf0f56b4000407
Instruction Fuzzy Hash: 6F019E702007048FD324EF69D01865E77E7FFC5316F118A29E54A87685CF74A90A8B92

Function 05E9FF51 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa1f6d931c1d37a53fab003cc2a4641cedfe98c77283d22e60f67c058923404
Instruction ID: d9d397dffb40513cd6eaf1d97bdda299bb0ab4e5e86c7c6168a149052ebf3b9e
Opcode Fuzzy Hash: 9aa1f6d931c1d37a53fab003cc2a4641cedfe98c77283d22e60f67c058923404
Instruction Fuzzy Hash: 8F018635E002288BCF09CFA8E9046ECBBF5FB8C320F00A06AE404B3240C7305904CFA4

Function 05E98F42 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bf036c85f0f5fa157b850708ffbfbd6435b76a8e8819aaa9985e87cf0e837e
Instruction ID: cc329d3fe1fad4450f73c0032bf0ed4c964d1453f3f83da2d9565161afcda17f
Opcode Fuzzy Hash: 83bf036c85f0f5fa157b850708ffbfbd6435b76a8e8819aaa9985e87cf0e837e
Instruction Fuzzy Hash: 3301C4B4C08259EFDB04DFA4D9446EEBBF5BB09301F2464A9E895A3351E7744A81CB90

Function 05E9ADE9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a2eb1175e556c95e650f1231c79699fab087b730bd66f6a4bbd9740b273df6
Instruction ID: 12698d84a1c1613430cd9ee1df08e04700a145d670beeb343ea1babd755f8631
Opcode Fuzzy Hash: e3a2eb1175e556c95e650f1231c79699fab087b730bd66f6a4bbd9740b273df6
Instruction Fuzzy Hash: 2EF0E9312093519FD3215B79B858A9A7FEAEFCB311F04046EF549C7253C975184987A3

Function 05E98F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70185a18f356edf81ee4176db960e6a22463a3612a07f33523aac721754c7c0
Instruction ID: 4af8c1698bc0c49c3bdd7c65c96b144f90395dc48f744cb4c370ac17a34f7ce9
Opcode Fuzzy Hash: b70185a18f356edf81ee4176db960e6a22463a3612a07f33523aac721754c7c0
Instruction Fuzzy Hash: 7B01C4B4D0821DEFCB04DFA9D9446AEBBF5BB49301F10A4A99455A3351E7744A40CF90

Function 05E9C170 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80e517468a5ecaecdae84d85cd8524d88e0b1399cfc9959585851a6cdc832d8
Instruction ID: f32c0de65d6e81d1388ca16fafd2ec15f37b91df5f6644801f9e33d4d6e60291
Opcode Fuzzy Hash: c80e517468a5ecaecdae84d85cd8524d88e0b1399cfc9959585851a6cdc832d8
Instruction Fuzzy Hash: EE01A2318057428FD7229F25E418052BBF6FF89301710CA2ED6C6C2611DB74A589CFC5

Function 05E9FF60 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4253d5033ffe56771caa4e11689858b9ac263f3dfa07a45ff1fb5bc26f96d21
Instruction ID: 2d233be3d2d2abfc2a3c18492e5227dc73ee60f3ee161d63455b4e9b6ed98d3a
Opcode Fuzzy Hash: e4253d5033ffe56771caa4e11689858b9ac263f3dfa07a45ff1fb5bc26f96d21
Instruction Fuzzy Hash: 11F03C35E041289BCF08CFA9E8046DDBBF5FB8D310F00902AE415B3350D7345804CBA4

Function 05E9ACB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700ba6266b64fbded9b974d06ae9a18667629336c10c0d97f16d982b49449b14
Instruction ID: 8d9dca7383aaca855ad06c84426dce463a29a79f8f1e03f3b293bf0fdd65d9aa
Opcode Fuzzy Hash: 700ba6266b64fbded9b974d06ae9a18667629336c10c0d97f16d982b49449b14
Instruction Fuzzy Hash: 84F0B46260D3A05FC716172868180AE7FA5DADA652348049AE5C7CB253DA54550A87E2

Function 05E96EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772c672d2032d22cb7ead1a083e758eef38a41364bd9cfc073a62c97187a45c8
Instruction ID: 0ff171d63a8e980b27ec172f7b0a95414b55691e32ad87e82202764b813ab487
Opcode Fuzzy Hash: 772c672d2032d22cb7ead1a083e758eef38a41364bd9cfc073a62c97187a45c8
Instruction Fuzzy Hash: 5CF012632041E83F8B558E9A5C10DFB7FEDDA8E1617094196FF98D2141C429C925ABB1

Function 05E967C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0aa116fcbd7430e9abe8f22e1644093d299cd717e6d9e7cb6d9ebf79adc25bf
Instruction ID: 9db05f4928e82fd8f047824ee484c9143c9668d4504539554d171f51f877e6c2
Opcode Fuzzy Hash: c0aa116fcbd7430e9abe8f22e1644093d299cd717e6d9e7cb6d9ebf79adc25bf
Instruction Fuzzy Hash: 37F02431700300AFDB308A28AC00FA13FE9EB41719F04C5A7F294CB1E2D6B1EC058340

Function 05E954F8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6901f7cd97d65ebabbd64c574d64609fa17bfbf2b2aa67f51c9d72bb58b21ac
Instruction ID: f43a63c46b3296a3b26f767b30ce1c385ccb80210716c1745fa48e2f6f2afc1f
Opcode Fuzzy Hash: f6901f7cd97d65ebabbd64c574d64609fa17bfbf2b2aa67f51c9d72bb58b21ac
Instruction Fuzzy Hash: 56F096311057518FDB2ACE61D4007ABBBB3FF80315F04986ED4C646556D675E585CB80

Function 05E9C110 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b90ca6c58ca7ef7c2030f20eee89c6b755a041458a4e17f00067b7b6350641
Instruction ID: c7db43b23f2ebe5bc9ac40ca6d2a3ef66d3272912b95924455cfe9904c019b5a
Opcode Fuzzy Hash: 48b90ca6c58ca7ef7c2030f20eee89c6b755a041458a4e17f00067b7b6350641
Instruction Fuzzy Hash: B9F0F6302057E14FC322DB28E81469A7FF6DF82305B04085EE286C7642C6A56849CBD2

Function 05E98FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b38859af0558b855fa32124250411f02e6cb50d8995217fd692adcb1159f0a8
Instruction ID: 92c301eeb764dcaa08ca78802084fbf8d984d1d0842265c90f88f17a9d0bd73c
Opcode Fuzzy Hash: 0b38859af0558b855fa32124250411f02e6cb50d8995217fd692adcb1159f0a8
Instruction Fuzzy Hash: 02F0AFB0C0C169AFDB04CFA4C4440ADBFB1EB1A201F04618AE486E7362E6348A41CB00

Function 05E98341 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59753ac22fa7f9105362bf0737d932163cee44cf62f2672718f7717d868f21e0
Instruction ID: 12166b15c567e88af50ea1d6573c945bd82102c7a8f847b7bc14b0588e9aa80b
Opcode Fuzzy Hash: 59753ac22fa7f9105362bf0737d932163cee44cf62f2672718f7717d868f21e0
Instruction Fuzzy Hash: B7F0A032B141195BAF15DAB9AC449FFBBFEEB89660B084436E954C3141EB30981587A1

Function 05E9AC60 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab9ab8292ebcfe1c8bf1550d873ee728a0229531aeb03cd28ef1da7d2ff3002
Instruction ID: 17bd1bdefc408083587b0b20dd3fbb16e02ee4fc83bce972e5c871fd0fc1442d
Opcode Fuzzy Hash: 3ab9ab8292ebcfe1c8bf1550d873ee728a0229531aeb03cd28ef1da7d2ff3002
Instruction Fuzzy Hash: 1CF082626193E51FC3175B2868280EE7F66DBC6611309049BD5C6C7283C9540A49CBEA

Function 05E95508 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8df0f7ec99a3ce08e28ed583607821e01376a53ee13c0ae8c71a7e853ab6f2
Instruction ID: c60be68a31174ca8b30d72358675cecb9592faa5cdb77278ec84f5bfa0b27ca1
Opcode Fuzzy Hash: 6e8df0f7ec99a3ce08e28ed583607821e01376a53ee13c0ae8c71a7e853ab6f2
Instruction Fuzzy Hash: 7DF08230501711CFDB29CA55D400977B3F7FF80219B04A82AD4C642916D671F485CB90

Function 05E9ADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a68f93464996d4d5b235cf3b53f936d304da0f2cbb4536ad68c321a9201ac4
Instruction ID: d37bcb8a99a75c3910ab2457066339121a917a3cb8f3b1d6601d8be992174428
Opcode Fuzzy Hash: 33a68f93464996d4d5b235cf3b53f936d304da0f2cbb4536ad68c321a9201ac4
Instruction Fuzzy Hash: B0E09231300210ABD3246B5AB449B9F7ADAEBC9351F40452CF60EC3243CA71580947A6

Function 05E9C180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733c206e0aa10f98bc0fa6c5ef7541b0f9fbafb271ff6e4cabd6126ad926b058
Instruction ID: 7cf385ae9fc3d93ed2225a87863e6c8b033235323b4762acb3d1158aaba30292
Opcode Fuzzy Hash: 733c206e0aa10f98bc0fa6c5ef7541b0f9fbafb271ff6e4cabd6126ad926b058
Instruction Fuzzy Hash: E8F03075901B058FD725DF26E448566FBFAFB88311B00C62EEA4B83A14DB70A549CFC4

Function 05E9B500 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37d090cb3aa27f7cddb883eb6c73862ac24392af470c452e5a0e73cd05e9b2e
Instruction ID: cbd37a7a304ec3c77e89f83667863fe6b9a6141c8e10d91ecae2cef7ea94c979
Opcode Fuzzy Hash: b37d090cb3aa27f7cddb883eb6c73862ac24392af470c452e5a0e73cd05e9b2e
Instruction Fuzzy Hash: 84F03935D0120CEFCB01DFB4D9589CEBBB9EB48300F2042AAD945E3240EA305B45CF91

Function 05E9C120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9542437a233415f4f8778ef3ea6036da4cb4756aad2686a85819c5a7d9262a8
Instruction ID: 448a88f2a8f9256177159d15d94770cd8513f8289c1946118a1a6538434cc03c
Opcode Fuzzy Hash: e9542437a233415f4f8778ef3ea6036da4cb4756aad2686a85819c5a7d9262a8
Instruction Fuzzy Hash: 3FE065312007A44FC721E72DE41879E7BEAEF85315F04092DE24AC7641DBB568458BD1

Function 05E9CC38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b970acb74ec00e13e2bc93a82e9b1411148c6665d24b82b370c903696f033ae3
Instruction ID: 039b886234e309b6040dc388cb37db373523e13a4d6a9c449931e2f560f6fad1
Opcode Fuzzy Hash: b970acb74ec00e13e2bc93a82e9b1411148c6665d24b82b370c903696f033ae3
Instruction Fuzzy Hash: 24E09231102250CFC722BF24F8906A97BE1FB92765B019469D084D7605CA7818C6CBD2

Function 05E95698 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a834e46467b85191d5a6e77e447eacd409d9d723f57930f76a0c0edbf8ced0a
Instruction ID: aa682997a2dea5eb37e7dbb9a445fe297f85522ffcc4f22bc568d68c3becb7af
Opcode Fuzzy Hash: 0a834e46467b85191d5a6e77e447eacd409d9d723f57930f76a0c0edbf8ced0a
Instruction Fuzzy Hash: A7E04FB220E3804FE306D664B8085C62B94EB62361F558CAFE144CB097E639D987C65A

Function 05E9E280 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de78e8160f6ec51d17f183bffef86d290459ba6bd9da6a97502d08726e6bb1e
Instruction ID: 183fff51ac33acc19aab0cdad6c631965dabd46f29bfc22988b0dbfa17fb151a
Opcode Fuzzy Hash: 9de78e8160f6ec51d17f183bffef86d290459ba6bd9da6a97502d08726e6bb1e
Instruction Fuzzy Hash: 12E0D872005711CFD716F724FD515443BA6F75BB08B025055E500AB6B9CB382E478BD2

Function 05E9CE88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ad7be02e6d881aa2b0e713b0cc6ba346254a7326317cbf85cbabaad7069844
Instruction ID: b62611396cf9cfbe982d664076c18041655d7e6500560ed075ee42752bfe4a32
Opcode Fuzzy Hash: 61ad7be02e6d881aa2b0e713b0cc6ba346254a7326317cbf85cbabaad7069844
Instruction Fuzzy Hash: FCE068B0001350EFD722FF20F484A943BF1EF4B304B014459D8C1D7905CAB86C81C781

Function 05E9E1FF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c9726dfbbf8ddbfe6fc8bc55d4b8d7997bcf998fbd69afd6c062cfc0c665e8
Instruction ID: f9f1d5d8fba1095f0dd147bb2b43fc874a91e64ee6e33f97462df0dd2c0c17a7
Opcode Fuzzy Hash: 25c9726dfbbf8ddbfe6fc8bc55d4b8d7997bcf998fbd69afd6c062cfc0c665e8
Instruction Fuzzy Hash: DEE0DFB1A05214EFCB01CF68A841AED7BB5DB82301B2041DAE909E7251D5701F14C7D2

Function 05E9AC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e858291884ee5155f2cfe91116950e3186dd924ea20e3b86318976f2a84c6ce0
Instruction ID: cec0bd16f6f972fe6bc39ca514efb5cb82c9f3aefbf4b89cf8d472645e103a09
Opcode Fuzzy Hash: e858291884ee5155f2cfe91116950e3186dd924ea20e3b86318976f2a84c6ce0
Instruction Fuzzy Hash: 36D05E317107295B9A05276DB41C4AEBBABEBC9662344052AFA0BC3343CE651D4A8BD6

Function 05E9E8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e78851c14d331d9e0cef87eb4521df20576eeda010e01ba8e7021e00bfc548
Instruction ID: 725176debc2ce9e9065b60c8b638dea1d656cea1ce001af27083efa74873bb2b
Opcode Fuzzy Hash: e4e78851c14d331d9e0cef87eb4521df20576eeda010e01ba8e7021e00bfc548
Instruction Fuzzy Hash: 39E0EC39158345DFC7129F64D8508547FF5BF5A61131444DEF5C08B2B3D23198A5DB51

Function 05E9B510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40940b740623e37641c65f6055fdb917bd1ef81a62a377b1063f1bc8f8555c46
Instruction ID: 83c96a10a9ebffc50a7f5dcd422fd3d5e03e854ce0cbc23afe757ca730200288
Opcode Fuzzy Hash: 40940b740623e37641c65f6055fdb917bd1ef81a62a377b1063f1bc8f8555c46
Instruction Fuzzy Hash: 10E09275D0020CEFCB40DFE4E9559DEBBB9EB48300F1082AADA09A3200EB306B55DF80

Function 05E9E210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3dfb0eb1cad5528324ad96ccca41cd399e0b0484277dd2e1baecd7323344ea
Instruction ID: 0bcd0f119b4ccb9df85bbe2b1128caa2b6e6c6992e5abb88ea3afa72fb80a5d5
Opcode Fuzzy Hash: aa3dfb0eb1cad5528324ad96ccca41cd399e0b0484277dd2e1baecd7323344ea
Instruction Fuzzy Hash: 06D017B2A00218FF8B40EFA8E94199DB7B9EB45315B1095A9E509E3201EA312F009B91

Function 05E9F8EB Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de9fa7d524fcde3971826e5aef29c45ffb9960d91644e222e772d6fdab23769
Instruction ID: 3e8952f40cbc73512eefff14f35c498169a1c5437fcf7c7bb4320b97aa1781e6
Opcode Fuzzy Hash: 7de9fa7d524fcde3971826e5aef29c45ffb9960d91644e222e772d6fdab23769
Instruction Fuzzy Hash: 4DC012327001200B0284BA6C70101AE66DBE3CC3B3786012AE70EC3348CE708C4643C6

Function 05E93721 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31631765f347f9ce19e99bc2016521471e95a34c55edac6dce0363b08667251
Instruction ID: 0347db7afd1864a4d0f8df3b515d1112030107f59aec17a2b8dfff58a3ee5653
Opcode Fuzzy Hash: a31631765f347f9ce19e99bc2016521471e95a34c55edac6dce0363b08667251
Instruction Fuzzy Hash: 07B092AB90908057E70513206C51FF6171393B9458E1F098193D442342A524890B81A4

Function 05E9DFD1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4421c08d8e8d404194a76021e67d421f5438ac7827c5d4b92933abab08aa53
Instruction ID: b6d38ba2cb7de870254eae65dcce36c1c1938e2c3eddf7db73bb91b55da81e7d
Opcode Fuzzy Hash: ba4421c08d8e8d404194a76021e67d421f5438ac7827c5d4b92933abab08aa53
Instruction Fuzzy Hash: 5FC04C3558A3909EEB525F60C8598443F656F4272076614CAD381CA166C6714405CB91

Non-executed Functions

Function 05E9E2C7 Relevance: 46.6, Strings: 37, Instructions: 391COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9E4A3
DTj, xrefs: 05E9E844
DTj, xrefs: 05E9E5E3
DTj, xrefs: 05E9E658
DTj, xrefs: 05E9E39D
DTj, xrefs: 05E9E6A8
DTj, xrefs: 05E9E7EE
DTj, xrefs: 05E9E378
DTj, xrefs: 05E9E56B
DTj, xrefs: 05E9E748
DTj, xrefs: 05E9E51B
DTj, xrefs: 05E9E309
DTj, xrefs: 05E9E608
DTj, xrefs: 05E9E770
DTj, xrefs: 05E9E3C2
DTj, xrefs: 05E9E32E
DTj, xrefs: 05E9E593
DTj, xrefs: 05E9E2E4
DTj, xrefs: 05E9E4F3
DTj, xrefs: 05E9E6D0
DTj, xrefs: 05E9E4CB
DTj, xrefs: 05E9E456
DTj, xrefs: 05E9E3E7
DTj, xrefs: 05E9E680
DTj, xrefs: 05E9E353
DTj, xrefs: 05E9E40C
DTj, xrefs: 05E9E798
DTj, xrefs: 05E9E47B
DTj, xrefs: 05E9E720
DTj, xrefs: 05E9E5BB
DTj, xrefs: 05E9E7C3
DTj, xrefs: 05E9E543
DTj, xrefs: 05E9E819
DTj, xrefs: 05E9E86F
DTj, xrefs: 05E9E431
DTj, xrefs: 05E9E630
DTj, xrefs: 05E9E6F8

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-3050091760
Opcode ID: 3696e6adad63c8f86db7fa7cbc3c7cdf86a3ae866fe7f2ca577f7662e787c067
Instruction ID: f884e56c548e75d43f6c5ec9f5b7015e5cf87eca158eb75cb9b89a749a992a14
Opcode Fuzzy Hash: 3696e6adad63c8f86db7fa7cbc3c7cdf86a3ae866fe7f2ca577f7662e787c067
Instruction Fuzzy Hash: C8D1B131310B01ABC206F7A99C52BADAAD3FBC6305B828838E6084F795DF753D195797

Function 05E9E2D8 Relevance: 46.6, Strings: 37, Instructions: 383COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9E4A3
DTj, xrefs: 05E9E844
DTj, xrefs: 05E9E5E3
DTj, xrefs: 05E9E658
DTj, xrefs: 05E9E39D
DTj, xrefs: 05E9E6A8
DTj, xrefs: 05E9E7EE
DTj, xrefs: 05E9E378
DTj, xrefs: 05E9E56B
DTj, xrefs: 05E9E748
DTj, xrefs: 05E9E51B
DTj, xrefs: 05E9E309
DTj, xrefs: 05E9E608
DTj, xrefs: 05E9E770
DTj, xrefs: 05E9E3C2
DTj, xrefs: 05E9E32E
DTj, xrefs: 05E9E593
DTj, xrefs: 05E9E2E4
DTj, xrefs: 05E9E4F3
DTj, xrefs: 05E9E6D0
DTj, xrefs: 05E9E4CB
DTj, xrefs: 05E9E456
DTj, xrefs: 05E9E3E7
DTj, xrefs: 05E9E680
DTj, xrefs: 05E9E353
DTj, xrefs: 05E9E40C
DTj, xrefs: 05E9E798
DTj, xrefs: 05E9E47B
DTj, xrefs: 05E9E720
DTj, xrefs: 05E9E5BB
DTj, xrefs: 05E9E7C3
DTj, xrefs: 05E9E543
DTj, xrefs: 05E9E819
DTj, xrefs: 05E9E86F
DTj, xrefs: 05E9E431
DTj, xrefs: 05E9E630
DTj, xrefs: 05E9E6F8

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-3050091760
Opcode ID: 35c30f4c236b4cdbae0d8880c69c92c145c979205122218dd16a588f170e359e
Instruction ID: 4d374e7f45604c1a3b5e7e916f9b8abc489a8481e429e215ab7fbed7df878344
Opcode Fuzzy Hash: 35c30f4c236b4cdbae0d8880c69c92c145c979205122218dd16a588f170e359e
Instruction Fuzzy Hash: 46D1C231310B01ABC206F7A99C52BADAAD3FBCA305B818838E6084F795DF753D195797

Function 05E9CC7F Relevance: 16.4, Strings: 13, Instructions: 150COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9CD7A
DTj, xrefs: 05E9CCC1
DTj, xrefs: 05E9CD0B
DTj, xrefs: 05E9CCE6
DTj, xrefs: 05E9CD30
DTj, xrefs: 05E9CE0E
DTj, xrefs: 05E9CDE9
DTj, xrefs: 05E9CE33
DTj, xrefs: 05E9CC9C
DTj, xrefs: 05E9CD55
DTj, xrefs: 05E9CDC4
DTj, xrefs: 05E9CE58
DTj, xrefs: 05E9CD9F

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-1192847946
Opcode ID: 246dcccdb52cb42c9049dfe8b180bcd70b13899aca3549bf0dc177ea5202fa3e
Instruction ID: 222e27f3450f8aa1fd651da4e396c1f3d000a115ff9725da7c58dd3b5b3ccd6a
Opcode Fuzzy Hash: 246dcccdb52cb42c9049dfe8b180bcd70b13899aca3549bf0dc177ea5202fa3e
Instruction Fuzzy Hash: FC41D531310700ABC302EAA9988176D7FD3FBC6301B818838E6084F786CF7A2D594797

Function 05E9CC90 Relevance: 16.4, Strings: 13, Instructions: 143COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9CD7A
DTj, xrefs: 05E9CCC1
DTj, xrefs: 05E9CD0B
DTj, xrefs: 05E9CCE6
DTj, xrefs: 05E9CD30
DTj, xrefs: 05E9CE0E
DTj, xrefs: 05E9CDE9
DTj, xrefs: 05E9CE33
DTj, xrefs: 05E9CC9C
DTj, xrefs: 05E9CD55
DTj, xrefs: 05E9CDC4
DTj, xrefs: 05E9CE58
DTj, xrefs: 05E9CD9F

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-1192847946
Opcode ID: 5a369649e40df57182a0d7be69241593d53ba92fe1c683cfb66e309a4facfe3e
Instruction ID: 0fc590ed14d7def45ba9d0ea3c27e2bd3f96e4c0aac5345fd38c0600d3985866
Opcode Fuzzy Hash: 5a369649e40df57182a0d7be69241593d53ba92fe1c683cfb66e309a4facfe3e
Instruction Fuzzy Hash: B341C6313107006BD206F6A9988576D6ED3FBC6305B818838E6084F786CF7A3D194397

Function 05E9CED1 Relevance: 10.1, Strings: 8, Instructions: 103COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9CFEF
DTj, xrefs: 05E9CEEC
DTj, xrefs: 05E9CF80
DTj, xrefs: 05E9CF36
DTj, xrefs: 05E9CF5B
DTj, xrefs: 05E9CF11
DTj, xrefs: 05E9CFA5
DTj, xrefs: 05E9CFCA

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-2670367415
Opcode ID: 72e43d41b43cbea0b3e26d0392f7bf29cb7b85c76194e0e5619d37813bdf9288
Instruction ID: 48bf5d8497f325046e90e79d000c1df897ec803a262dc1afcb329ac7e0e2adce
Opcode Fuzzy Hash: 72e43d41b43cbea0b3e26d0392f7bf29cb7b85c76194e0e5619d37813bdf9288
Instruction Fuzzy Hash: 463194713007116BC702EAA99C91B6DBED3FBC6305B814838E6088F786DF752D598797

Function 05E9CEE0 Relevance: 10.1, Strings: 8, Instructions: 93COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9CFEF
DTj, xrefs: 05E9CEEC
DTj, xrefs: 05E9CF80
DTj, xrefs: 05E9CF36
DTj, xrefs: 05E9CF5B
DTj, xrefs: 05E9CF11
DTj, xrefs: 05E9CFA5
DTj, xrefs: 05E9CFCA

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-2670367415
Opcode ID: c051e90c1db5470720957a28f9de00a8a9fa32a27e28d310a3df9b48c0bba582
Instruction ID: 11ce1302a3f37f87c550ba45fddf87e11ad7f149d1b87225279d950fef75835c
Opcode Fuzzy Hash: c051e90c1db5470720957a28f9de00a8a9fa32a27e28d310a3df9b48c0bba582
Instruction Fuzzy Hash: 9621B1313107116BC606EAA99881B6DAED3FBC6705B818838E6084FB85CF753D594397

Function 05E9C968 Relevance: 8.8, Strings: 7, Instructions: 88COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9CA51
DTj, xrefs: 05E9C9FF
DTj, xrefs: 05E9CA7A
DTj, xrefs: 05E9CA28
DTj, xrefs: 05E9C9AD
DTj, xrefs: 05E9C9D6
DTj, xrefs: 05E9C984

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-1309597825
Opcode ID: de76df8ac7ee84f7fbfaa5184513fcef09c81cd5aa83fa4352eec3a568e77f4b
Instruction ID: 6416b12243a8a834702dee11e351a5180f3c0af044d7ec2e63fe2ad8f3e6f613
Opcode Fuzzy Hash: de76df8ac7ee84f7fbfaa5184513fcef09c81cd5aa83fa4352eec3a568e77f4b
Instruction Fuzzy Hash: 8331F6313007526FDB01ABA8AC55AAD7FA3FB86305741482CE609CF695CE741E8AC783

Function 05E9C978 Relevance: 8.8, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9CA51
DTj, xrefs: 05E9C9FF
DTj, xrefs: 05E9CA7A
DTj, xrefs: 05E9CA28
DTj, xrefs: 05E9C9AD
DTj, xrefs: 05E9C9D6
DTj, xrefs: 05E9C984

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-1309597825
Opcode ID: d7bf45a8d266f20c0c6b84a6cba661c19d06909c6ca85bbd70b9ef7eed8a10ab
Instruction ID: 1b031357f1b1c180a4b86b5d5d56b6c9e0ec2a99395ed216f388c524dcb8c3db
Opcode Fuzzy Hash: d7bf45a8d266f20c0c6b84a6cba661c19d06909c6ca85bbd70b9ef7eed8a10ab
Instruction Fuzzy Hash: 1021D8313006116BDB05BBA9EC55A6D7BA3FB86301741483CF609CF695CE741E8A8783

Function 05E9ED10 Relevance: 7.9, Strings: 6, Instructions: 378COMMON

Download Yara Rule

Strings

(_^q, xrefs: 05E9EDF9
(_^q, xrefs: 05E9F07A
(_^q, xrefs: 05E9ED7A
(_^q, xrefs: 05E9EF79
(_^q, xrefs: 05E9F0F9
(_^q, xrefs: 05E9EEFA

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
API String ID: 0-2896069617
Opcode ID: 6eccf3d60bbf5ba02b88af53069fb5055cb9783a292e4093784c9ba2efba8f1a
Instruction ID: 8f2619f8067ca12f160a51fdf40570539c3f77b13f2e26f29d570cd43e3c0378
Opcode Fuzzy Hash: 6eccf3d60bbf5ba02b88af53069fb5055cb9783a292e4093784c9ba2efba8f1a
Instruction Fuzzy Hash: D4D1AD39B042449FDB09DF78C4145AE7BB6FF85300F2485AAEA46DB381DA359E06CBD1

Function 05E9D538 Relevance: 7.6, Strings: 6, Instructions: 81COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9D554
DTj, xrefs: 05E9D60D
DTj, xrefs: 05E9D5E8
DTj, xrefs: 05E9D5C3
DTj, xrefs: 05E9D59E
DTj, xrefs: 05E9D579

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-23703227
Opcode ID: c80bf16566d93703220a01d2545e4ac853e31f6718dc184d20adbccb55cee8ae
Instruction ID: b27896c1826cff438a5d5849032da6567e0811f15a00109f855ad0fa1015fc67
Opcode Fuzzy Hash: c80bf16566d93703220a01d2545e4ac853e31f6718dc184d20adbccb55cee8ae
Instruction Fuzzy Hash: C621C4313007406FC702EAA99891B5DBFD3FB86704B818938E6088F785CF752D5983A7

Function 05E9D548 Relevance: 7.6, Strings: 6, Instructions: 73COMMON

Download Yara Rule

Strings

DTj, xrefs: 05E9D554
DTj, xrefs: 05E9D60D
DTj, xrefs: 05E9D5E8
DTj, xrefs: 05E9D5C3
DTj, xrefs: 05E9D59E
DTj, xrefs: 05E9D579

Memory Dump Source

Source File: 00000004.00000002.1870081593.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5e90000_aqYlLZ8hwJ.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-23703227
Opcode ID: 7d5b2812ee343278a00a20bc609f1107cf62cc160fa6ed10cfbc141acc5dbec0
Instruction ID: 06b9c2aeea2ce8d0ccb7472583f3c9f6f3d5c976c978519c305df2f629e66483
Opcode Fuzzy Hash: 7d5b2812ee343278a00a20bc609f1107cf62cc160fa6ed10cfbc141acc5dbec0
Instruction Fuzzy Hash: DD11D2313007106BC602EAA99881B6DAED3FBC6704B818938E6084F785CF766E694397

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eovQPjY5wz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aqYlLZ8hwJ.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eovQPjY5wz.exe.log

C:\Users\user\AppData\Local\Temp\Tmp9FD.tmp

C:\Users\user\AppData\Local\Temp\TmpA0E.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Roaming\aqYlLZ8hwJ.exe

C:\Users\user\AppData\Roaming\saLBqUuaxl.exe

\Device\ConDrv

Static File Info

Windows Analysis Report
eovQPjY5wz.exe

Function 02C92145 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 010F1268 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 010F1270 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 00402320 Relevance: 7.9, Strings: 5, Instructions: 1670
COMMON

Function 0041FEAF Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Function 004038C0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 401
libraryCOMMON

Function 00411432 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00416DAF Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Function 00414A96 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00403EE0 Relevance: 3.0, APIs: 2, Instructions: 22
synchronizationthreadCOMMON

Function 00414D5D Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre