
Windows Analysis Report
r9RH4Zmt7ycN6yWI.exe

Overview

General Information

Sample name: r9RH4Zmt7ycN6yWI.exe
Analysis ID: 1528601
MD5: 7819e21421b6342e651bb0e96c5dd6ff
SHA1: 7e6020b11bda2846ca636afd27455a88efcc7d19
SHA256: d165b9480d7b128168937ba591b070295fe967d831ec055cad5d458e55d3cbbc
Tags: exe, user-Porcupine

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Detected potential crypto function
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • r9RH4Zmt7ycN6yWI.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe" MD5: 7819E21421B6342E651BB0E96C5DD6FF)
    • WerFault.exe (PID: 1020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 1472 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: r9RH4Zmt7ycN6yWI.exe | ReversingLabs: Detection: 23%
Source: r9RH4Zmt7ycN6yWI.exe | Virustotal: Detection: 32%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: r9RH4Zmt7ycN6yWI.exe | Joe Sandbox ML: detected
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ?oC:\Users\user\Desktop\ilgP.pdbp source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008BE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\ilgP.pdbpdblgP.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ilgP.pdb Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files owaa source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008C28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: ilgP.pdb source: r9RH4Zmt7ycN6yWI.exe, WERBEC4.tmp.dmp.5.dr
Source: Binary string: \??\C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.PDBs source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008BE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ilgP.pdbs\ilgP.pdbpdblgP.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: !!.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\ilgP.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173076269.0000000001132000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\ilgP.pdbdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: System.Core.ni.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: ilgP.pdb} source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008C28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\ilgP.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008C28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb;( source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: mscorlib.ni.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: nDC:\Users\user\Desktop\ilgP.pdb :k source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: asic.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008C28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: uc.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: @o.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: ilgP.pdbSHA256 source: r9RH4Zmt7ycN6yWI.exe
Source: Binary string: symbols\exe\ilgP.pdbo& source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: n(C:\Windows\ilgP.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: System.Xml.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: System.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: ilgP.pdbX source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173076269.0000000001166000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb(G source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: System.Windows.Forms.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: System.Drawing.pdb,Waq(( source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbpq source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008BE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, WERBEC4.tmp.dmp.5.dr
Source: Binary string: \??\C:\Windows\symbols\exe\ilgP.pdbv source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008BE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbes source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008BE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: System.Core.pdbMZ source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbpqT source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008BE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.PDB source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2172412230.0000000000D57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERBEC4.tmp.dmp.5.dr
Source: Binary string: ualBasic.pdb! source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2177098852.0000000008C28000.00000004.00000020.00020000.00000000.sdmp
Source: unknown | DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Code function: 0_2_010ED55C
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Code function: 0_2_06FC0040
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Code function: 0_2_06FC2900
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 1472
Source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000000.2012705828.00000000009B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameilgP.exed" vs r9RH4Zmt7ycN6yWI.exe
Source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173076269.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs r9RH4Zmt7ycN6yWI.exe
Source: r9RH4Zmt7ycN6yWI.exe | Binary or memory string: OriginalFilenameilgP.exed" vs r9RH4Zmt7ycN6yWI.exe
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173309475.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, r9RH4Zmt7ycN6yWI.exe, 00000000.00000002.2173076269.0000000001166000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine | Classification label: mal60.evad.winEXE@2/5@1/0
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6468
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\43249652-be51-48cf-9755-0e7aea3a716e
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: r9RH4Zmt7ycN6yWI.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: r9RH4Zmt7ycN6yWI.exe | ReversingLabs: Detection: 23%
Source: r9RH4Zmt7ycN6yWI.exe | Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | File read: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe "C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe"
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 1472
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: r9RH4Zmt7ycN6yWI.exe, mainForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: r9RH4Zmt7ycN6yWI.exe, mainForm.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.r9RH4Zmt7ycN6yWI.exe.2ce2c90.1.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.r9RH4Zmt7ycN6yWI.exe.6f80000.5.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: 0xACB1A9A7 [Sun Oct 23 20:20:55 2061 UTC]
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Code function: 0_2_06FC6571 push ebx; retf 0_2_06FC6572
Source: r9RH4Zmt7ycN6yWI.exe | Static PE information: section name: .text entropy: 7.961191075094136
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Memory allocated: 10E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Memory allocated: 4C80000 memory reserve | memory write watch
Source: Amcache.hve.5.dr; Binary or memory string: VMware
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Queries volume information: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe VolumeInformation
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr; Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix, by tactic:

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Defense Evasion: 2 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Process Injection; 2 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
  • Discovery: 21 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 12 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
  • Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
  • Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label
r9RH4Zmt7ycN6yWI.exe | 24% | ReversingLabs |
r9RH4Zmt7ycN6yWI.exe | 32% | Virustotal |
r9RH4Zmt7ycN6yWI.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
206.23.85.13.in-addr.arpa | 1% | Virustotal |
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
206.23.85.13.in-addr.arpa | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.5.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1528601
Start date and time:2024-10-08 04:01:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 4s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:r9RH4Zmt7ycN6yWI.exe
Detection:MAL
Classification:mal60.evad.winEXE@2/5@1/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 42
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.168.117.173
  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
22:01:56 | API Interceptor | 1x Sleep call for process: r9RH4Zmt7ycN6yWI.exe modified
22:02:11 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.1843018697382046
Encrypted:false
SSDEEP:192:NlCUBLz7IHkd0BU/qauOJo1ZrtV3zuiFVZ24IO8D:D9PIEeBU/qapW3zuiFVY4IO8D
MD5:621D22E45AE5184D58102A8571E152FC
SHA1:746DCCAB7D0D48B045D972E9FB11B2402D8419C5
SHA-256:DD57508B861CCB75CFB734FDB10F36C75DC735F46AC20844F57CC599E0E2D863
SHA-512:4EB9D9BD9FB14019C40D0CB8CA1D5D2B9303DBA5FC88A5CD46E24F885A914941DF7D142D46936EB88D58AD32DB0CC6ED7C6AA12DBF71639D4F156D9B3580AE19
Malicious:false
Reputation:low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.2.6.5.1.7.1.0.5.2.8.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.2.6.5.1.8.5.2.7.1.5.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.8.0.6.0.3.2.-.0.6.d.d.-.4.c.9.d.-.b.2.7.a.-.d.f.0.e.8.2.b.b.2.8.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.f.0.2.4.2.e.-.4.6.f.c.-.4.0.d.7.-.a.d.c.2.-.7.2.5.b.c.a.f.5.9.e.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.9.R.H.4.Z.m.t.7.y.c.N.6.y.W.I...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.i.l.g.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.4.-.0.0.0.1.-.0.0.1.4.-.5.6.3.9.-.5.3.0.d.2.6.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.d.2.0.a.0.7.8.5.1.0.9.a.5.a.a.c.3.7.5.d.d.2.8.f.3.e.f.4.7.3.8.0.0.0.0.0.0.0.0.!.0.0.0.0.7.e.6.0.2.0.b.1.1.b.d.a.2.8.4.6.c.a.6.3.6.a.f.d.2.7.4.5.5.a.8.8.e.f.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Tue Oct 8 02:01:57 2024, 0x1205a4 type
Category:dropped
Size (bytes):296537
Entropy (8bit):4.276161738814937
Encrypted:false
SSDEEP:3072:3f9uB4uEqo5LTgBKfaYnyxJUKsCKKKJ0CAwRPhyU4NC2o:3I4jTg4fAraJXRpyUT
MD5:A28C0C29DE6D3F8670BE07FB9B0EEC13
SHA1:FD187C7D8D23037D80B3E6D0B866A14B8ED855F9
SHA-256:6D2E937D296F1147FD50566832A5828DD16653580900E6E6176C5C0D4856307C
SHA-512:5FD8077E9BEF321066CC9BA26AEEE5493C6076CEEFB34C182BAEE71569006F45FA32D7EA32267C3C20425827D40CFB38186B35F1846A98EF707D450B73D80D89
Malicious:false
Reputation:low
Preview:MDMP..a..... ..........g....................................$....&......D....P..........`.......8...........T............9..yL...........&...........(..............................................................................eJ......,)......GenuineIntel............T.......D......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8450
Entropy (8bit):3.713846056510561
Encrypted:false
SSDEEP:192:R6l7wVeJBM6Zl6YEI2SU9xnigmfZkYUmprV89b2gsf0oSm:R6lXJq6Zl6YE5SU9xigmfmYUp2zf1
MD5:4545694E4E1D784233AF613401C23CFE
SHA1:FDABB7935AE65FC65A55E230F5EEFB8BDD732A96
SHA-256:719C739B14C781E00B54A3445E540E9C2CE917540D68E593EDB7D397ABB8C1D8
SHA-512:82B2BF8889823C752D84A24E78FB3AE42AE5F79254DA8B2DC643F37D6752AD34B13158C164C8C92599E10E29E51C761D9531EEAC9E1016BDA59DC9BFD4AA2C03
Malicious:false
Reputation:low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4795
Entropy (8bit):4.540089773003421
Encrypted:false
SSDEEP:48:cvIwWl8zs3/Jg77aI9vkWpW8VYXYm8M4Jsr5I2FPI+q8ve5ISceK36E6eUd:uIjfxI7997V/JC3IKMrHzzrd
MD5:1BA8108BBFB0EFBE66E216C4D92F35BD
SHA1:E5E64A45171BC1ACA219BD2219EB23983D6E24C7
SHA-256:1E0997DDD789F3184A0F73DCDE6F52A9E9C2ED2DA8777F794C141B1E69698524
SHA-512:B7C4D65E54B2367726C4163EC2CE332D3528F3F9476B98ED80681B3F9BE3D59665ACC28C2B96AA4485DB194C051D8A65D41C432F266C3ACE9617CB45545E438B
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533824" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.421800695054357
Encrypted:false
SSDEEP:6144:uSvfpi6ceLP/9skLmb0OTdWSPHaJG8nAgeMZMMhA2fX4WABlEnNh0uhiTw6:NvloTdW+EZMM6DFyL03w6
MD5:40655B7DBB1C68A164A16DCA1D997B3B
SHA1:CB613330C328D6E9C0151327E6621A4BB43283E8
SHA-256:6C716D1A3EB18BCFDB98E49D3490FB01342D7BFFFBBBA0DADD93913317D02F5A
SHA-512:55C19EE25F8115CCD72B5DF019356BA7105BDF783A09546881DE8469CDF3DAC849017B04ED0A3C149E952787C19217649875D995EC6181FAED3AD32A090940CD
Malicious:false
Reputation:low
Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....&................................................................................................................................................................................................................................................................................................................................................=.9........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.955650773191121
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
  • Win32 Executable (generic) a (10002005/4) 49.75%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Windows Screen Saver (13104/52) 0.07%
  • Generic Win/DOS Executable (2004/3) 0.01%
File name:r9RH4Zmt7ycN6yWI.exe
File size:717'312 bytes
MD5:7819e21421b6342e651bb0e96c5dd6ff
SHA1:7e6020b11bda2846ca636afd27455a88efcc7d19
SHA256:d165b9480d7b128168937ba591b070295fe967d831ec055cad5d458e55d3cbbc
SHA512:8fd58778b82c73fb4162e0928dd617c37ff65d4bebeab45832ea0b4cf69858652cae2265b387089559d2c97882e7e8b04bc50b25613d7097c7abb2a6e3feb649
SSDEEP:12288:xD5mU+8zE1NLteB2Cj+hBNmXRJKj6+mLJGAiFrHcynpBUVDTLxEaw:FxfatE5+YJ5JperHcQBUVHL5w
TLSH:A1E4230547E98336E0BEDE74657159E0C777B52A28B2DB0E6FC1642D0BA7B008E64F53
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............^.... ... ....@.. .......................`............@................................
Icon Hash:00928e8e8686b000
Entrypoint:0x4b075e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xACB1A9A7 [Sun Oct 23 20:20:55 2061 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb070b | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x5fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xade44 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xae764 | 0xae800 | 000098386cd4ef0d9d688fd846d10706 | False | 0.9658063216332379 | data | 7.961191075094136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x5fc | 0x600 | 3bb030a355ebe702b69b74aec884a0f1 | False | 0.42578125 | data | 4.175651520059742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb4000 | 0xc | 0x200 | ca88dedc4ae831a387225a4e5dca0aee | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb2090 | 0x36c | data | | | 0.4029680365296804
RT_MANIFEST | 0xb240c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 04:02:28.464783907 CEST | 53 | 52961 | 162.159.36.2 | 192.168.2.5
Oct 8, 2024 04:02:28.965265989 CEST | 60127 | 53 | 192.168.2.5 | 1.1.1.1
Oct 8, 2024 04:02:28.972767115 CEST | 53 | 60127 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 04:02:28.965265989 CEST | 192.168.2.5 | 1.1.1.1 | 0x480 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 04:02:28.972767115 CEST | 1.1.1.1 | 192.168.2.5 | 0x480 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

Target ID:0
Start time:22:01:56
Start date:07/10/2024
Path:C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\r9RH4Zmt7ycN6yWI.exe"
Imagebase:0x900000
File size:717'312 bytes
MD5 hash:7819E21421B6342E651BB0E96C5DD6FF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:5
Start time:22:01:56
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 1472
Imagebase:0xa10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

    Execution Graph

    Execution Coverage:11%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:39
    Total number of Limit Nodes:1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: (o]q$4']q$4']q$4']q
    • API String ID: 0-875651895
    • Opcode ID: 2ccee2712f47a75a02ab9bbd95a2861544fb02f1949cb72b2e473fadbbfd3d6c
    • Instruction ID: b350565dbbb0c9477c15439fcb21cc0e8ffba9bb39cc2d1b1ee84266d459ae8d
    • Opcode Fuzzy Hash: 2ccee2712f47a75a02ab9bbd95a2861544fb02f1949cb72b2e473fadbbfd3d6c
    • Instruction Fuzzy Hash: 22A2A172A0020ADFCB55CF68CA84AAEBBF6FF88360F158569E405DB351D735E941CB90

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: (o]q$(o]q$,aq$,aq
    • API String ID: 0-1947289240
    • Opcode ID: 87403dc4d60d75d12b888a5fd4cc8529d64756dcc4bdaccf482ef9b0b739c2aa
    • Instruction ID: c8aff11d4d7564e4b633910cc86547ee1d071560a1ee89662c50bf544eed6e18
    • Opcode Fuzzy Hash: 87403dc4d60d75d12b888a5fd4cc8529d64756dcc4bdaccf482ef9b0b739c2aa
    • Instruction Fuzzy Hash: 9AD14F31E1010ACFDB54CF99CA94AAEBBF6FF88314F558159E405A7360DB32E942CB50

    Control-flow Graph (graph rendering omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: fbq$ fbq$ fbq$ fbq$Te]q$Te]q$XX]q$XX]q$XX]q$XX]q$XX]q$XX]q$$]q$$]q$$]q$$]q$$]q$$]q
    • API String ID: 0-1214805740
    • Opcode ID: 960ecfe934d83b113ec6912bc8edf08e18fd258eb3d356410a0a17b0c9d9ee9f
    • Instruction ID: 5b5ec4120e21590318842f880ce1d7f9a0e70052ceb51d0936138c9d7665169e
    • Opcode Fuzzy Hash: 960ecfe934d83b113ec6912bc8edf08e18fd258eb3d356410a0a17b0c9d9ee9f
    • Instruction Fuzzy Hash: 8ED19631F4011ACFDB58AF99CAA57AD77B6BF84720F248419E902AB394C7349D42CF91

    Control-flow Graph (graph rendering omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
    • API String ID: 0-1435242062
    • Opcode ID: 89e586b9ab6788eb3a1cabc0acf3340da04ec96e34b4035de9c697e950e24d81
    • Instruction ID: 2891f3f7b7d89e60d594d5d01ca33409ac9a0eb7eaf405875fdc63fef80c0906
    • Opcode Fuzzy Hash: 89e586b9ab6788eb3a1cabc0acf3340da04ec96e34b4035de9c697e950e24d81
    • Instruction Fuzzy Hash: AE124C30A0060ADFCB54CF68DA84A9EBBF6FF88324F148559E449DB261DB31ED46CB50

    Control-flow Graph (graph rendering omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: fbq$ fbq$Te]q$XX]q$$]q$$]q$$]q$$]q
    • API String ID: 0-1505870616
    • Opcode ID: 2248fd922bffa353ea2e3ae2700d0ad0f421cac438cbe5f15222302de79b2166
    • Instruction ID: 9b8cbe6f655c55b4afa86292ef5d1032f5a071028ad2f61889e9c9e83913e396
    • Opcode Fuzzy Hash: 2248fd922bffa353ea2e3ae2700d0ad0f421cac438cbe5f15222302de79b2166
    • Instruction Fuzzy Hash: D6718731E0421ADFEB94EE99D6957ADB7B2FF80720F24441AE502AB294C7309D41CF91

    Control-flow Graph (graph rendering omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: LR]q$LR]q$$]q$$]q$$]q$$]q
    • API String ID: 0-1969043450
    • Opcode ID: f9a15ba450e913118198348821e2e5adc406a9d42ebd8680e443fb0349dea5cc
    • Instruction ID: 2d6bb1403b825f9990625dd6f5f49c4f85fe0c35ccd602af0ce29e362310563a
    • Opcode Fuzzy Hash: f9a15ba450e913118198348821e2e5adc406a9d42ebd8680e443fb0349dea5cc
    • Instruction Fuzzy Hash: 5C51F531F4420ACFEB588B69C95477EBBF2FB84720F14842EE102EB281DB74A851C791

    Control-flow Graph (graph rendering omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: (o]q$(o]q$(o]q$(o]q
    • API String ID: 0-1261621458
    • Opcode ID: 668cc8065c27a6e4ee988bbf9e6572122665cf64cc6f27d370e49158b4f0086a
    • Instruction ID: 4bfbc15be96e6c7a5e9a4b7df8ee7bb57c3ff44643df462f048929334f804d39
    • Opcode Fuzzy Hash: 668cc8065c27a6e4ee988bbf9e6572122665cf64cc6f27d370e49158b4f0086a
    • Instruction Fuzzy Hash: 0FC14D30E0020ADFCB54CF69CA84A9EBBF6BF48324F148559E455DB261DB36E942CF90

    Control-flow Graph (graph rendering omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: LR]q$$]q$$]q
    • API String ID: 0-4258901230
    • Opcode ID: d06a19b01ead93ba7ac0b625ced5baa8b5e8ab52d5b32347664adee2b1f2395b
    • Instruction ID: 95451981bea37cdcafda04363aece76218eef9ea4c02ef02f9792b3eee388ffa
    • Opcode Fuzzy Hash: d06a19b01ead93ba7ac0b625ced5baa8b5e8ab52d5b32347664adee2b1f2395b
    • Instruction Fuzzy Hash: 32412631E04306DFDB548F69CD54BBABBF2FB84721F14846EE141AB281D770A951CB91

    Control-flow Graph (graph rendering omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: (o]q$(o]q
    • API String ID: 0-1858875562
    • Opcode ID: b41a8363846b08d57c0416dfbbc1ab358b83488cc8052f33d305f7892976e958
    • Instruction ID: 774adbba78a91c5ab71946ee79cc1df7f17b24e21ab38b918ede4930c5ffdcb0
    • Opcode Fuzzy Hash: b41a8363846b08d57c0416dfbbc1ab358b83488cc8052f33d305f7892976e958
    • Instruction Fuzzy Hash: 38F14831A0011A9FCB51CF98CAA1DEEBBF6FF88320B15C519E955DB294C734E841CBA0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: 4']q$4']q
    • API String ID: 0-3120983240
    • Opcode ID: 183c895d47f2768d665a06907856e9a44a4fc589569972a9436e7d4205af252a
    • Instruction ID: 2cfcd4bb3e155abf41367c216365f8049d8dba5ed06eb075801adbef36ba95e6
    • Opcode Fuzzy Hash: 183c895d47f2768d665a06907856e9a44a4fc589569972a9436e7d4205af252a
    • Instruction Fuzzy Hash: 4FB15231B14103CFEB99DA29CA5473D369AEF85720F14406EF506CB3A2EB29DC62C791

    Control-flow Graph (graph rendering omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: $]q$$]q
    • API String ID: 0-127220927
    • Opcode ID: 1043a99f828f8bbe9296da2b12e09d2716f8eda88813446381de27e031af7bbd
    • Instruction ID: 49abbbb261310e82bc71987f43b3514ff93335103bf98ca44f8fd9fb2325ea14
    • Opcode Fuzzy Hash: 1043a99f828f8bbe9296da2b12e09d2716f8eda88813446381de27e031af7bbd
    • Instruction Fuzzy Hash: 6931D830B082438FD756CB64CE9163E7BA5AF85360715449ED016CB353EA28DC55CBA1

    Control-flow Graph (graph rendering omitted)
    APIs
    • GetModuleHandleW.KERNELBASE(00000000), ref: 010EAF9E
    Memory Dump Source
    • Source File: 00000000.00000002.2173047509.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10e0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID: HandleModule
    • String ID:
    • API String ID: 4139908857-0
    • Opcode ID: eaa697011210cdb139f9e8236c4726fbe5c658084d067559884d0a1271f21b6a
    • Instruction ID: 0547f0cb1c01f1f2e25ab553e2236d03707fb0487867b713c8b77e7729eef488
    • Opcode Fuzzy Hash: eaa697011210cdb139f9e8236c4726fbe5c658084d067559884d0a1271f21b6a
    • Instruction Fuzzy Hash: 21711170A00B05CFDB65DF2AD44879ABBF5BF88304F00896DE48A97B50DB75E949CB90

    Control-flow Graph (graph rendering omitted)
    APIs
    • CreateActCtxA.KERNEL32(?), ref: 010E59C9
    Memory Dump Source
    • Source File: 00000000.00000002.2173047509.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10e0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID: Create
    • String ID:
    • API String ID: 2289755597-0
    • Opcode ID: 99ed00c72f90faac01c067f9fc6a7e83f01ef096c68a1b21d71a4f562c9737a2
    • Instruction ID: 8f7a7d180ebda3f7b687730527eea45a427cc1ca1afc919e575a6fb0ec275ddd
    • Opcode Fuzzy Hash: 99ed00c72f90faac01c067f9fc6a7e83f01ef096c68a1b21d71a4f562c9737a2
    • Instruction Fuzzy Hash: 8341E1B5C00319CFDB24CFA9C888A9DBBF5BF44308F24846AD448AB254DB756946CF90

    Control-flow Graph (graph rendering omitted)
    APIs
    • CreateActCtxA.KERNEL32(?), ref: 010E59C9
    Memory Dump Source
    • Source File: 00000000.00000002.2173047509.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10e0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID: Create
    • String ID:
    • API String ID: 2289755597-0
    • Opcode ID: 00229523873ed8419afb786e3245b20e5b35fb1247c27d426014e4b334250020
    • Instruction ID: c11814dc75ef2405deabf63886f901bf605ea0780b63ca504135fc87d07bb8da
    • Opcode Fuzzy Hash: 00229523873ed8419afb786e3245b20e5b35fb1247c27d426014e4b334250020
    • Instruction Fuzzy Hash: 7B41F1B4C00719CFDB24CFAAC888B8EBBF1BF49304F24846AD448AB251DB755946CF90
    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010ED5F6,?,?,?,?,?), ref: 010ED6B7
    Memory Dump Source
    • Source File: 00000000.00000002.2173047509.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10e0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: a33bc553d1fd691de0c285c30b1b08314a9bc9fca921f7893b26fe3d4c51bd7b
    • Instruction ID: 2ab54f634c2a63a02fc35c7cfff69d06212a2df857a05ba347aca4814d92a331
    • Opcode Fuzzy Hash: a33bc553d1fd691de0c285c30b1b08314a9bc9fca921f7893b26fe3d4c51bd7b
    • Instruction Fuzzy Hash: 8F21E5B5910208AFDB10CF9AD584ADEBFF8EB48320F14841AE958A3310D378A944CFA4
    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010ED5F6,?,?,?,?,?), ref: 010ED6B7
    Memory Dump Source
    • Source File: 00000000.00000002.2173047509.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10e0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: 90a284020b5a657471b9cf669923a34344070eafae110f4a2ea97cfa9b22d143
    • Instruction ID: ccead15a52407fdc45e2f27b554d42190a1eb81d8f6cda4666e3e3d0daf44122
    • Opcode Fuzzy Hash: 90a284020b5a657471b9cf669923a34344070eafae110f4a2ea97cfa9b22d143
    • Instruction Fuzzy Hash: A321E6B5900208AFDB10CF9AD984ADEFFF9FB48310F14841AE958A7310D378A944CFA4
    APIs
    • GetModuleHandleW.KERNELBASE(00000000), ref: 010EAF9E
    Memory Dump Source
    • Source File: 00000000.00000002.2173047509.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10e0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID: HandleModule
    • String ID:
    • API String ID: 4139908857-0
    • Opcode ID: 70b82c358f5d736cfacf0d33dba48ee924090b86f90526d44281fc1a8f82716b
    • Instruction ID: 1394b079de86fca44f274787e5e080712916a100b88efcf730a492eea9f8d4dd
    • Opcode Fuzzy Hash: 70b82c358f5d736cfacf0d33dba48ee924090b86f90526d44281fc1a8f82716b
    • Instruction Fuzzy Hash: 4E110FB6D002498FDB20CF9AD448ADEFBF4AB88324F10845AD958A7240C379A545CFA1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: %*&/)(#$^@!~-_
    • API String ID: 0-3325533558
    • Opcode ID: 18835257bf4bebde95c45e7f630d69dd4246b3b52803df7201ba10282e349ed2
    • Instruction ID: 2a26a65e203a371ae11bbd66992d05c11c94bf560b021315fa9983e26399c75f
    • Opcode Fuzzy Hash: 18835257bf4bebde95c45e7f630d69dd4246b3b52803df7201ba10282e349ed2
    • Instruction Fuzzy Hash: 1251C031F002049FC704AB78D955AAEBBB3AF89310F04C4A9E995AB399CF356D49C7D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID: %*&/)(#$^@!~-_
    • API String ID: 0-3325533558
    • Opcode ID: 2539b7b1702cfcd1c5332ce8a733544255d4302a5f022c28bc62aa767782e7bf
    • Instruction ID: 24bcc99a3145e728a3aa9287d1abf577945093dfa04f46b898947c4ccced4108
    • Opcode Fuzzy Hash: 2539b7b1702cfcd1c5332ce8a733544255d4302a5f022c28bc62aa767782e7bf
    • Instruction Fuzzy Hash: D351CD31F002089BC704AB78D545AAEBBB3BF88310F14C4A9E985AB399CF356949C7D1
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 447067ce35b3c617ed4d2727243ea0df8861ba44dbd87931836b3192902bb249
    • Instruction ID: 2f8621a2e44c5d6cccc497e8d06deef7afaaf874c554c8e0d731886df753d15a
    • Opcode Fuzzy Hash: 447067ce35b3c617ed4d2727243ea0df8861ba44dbd87931836b3192902bb249
    • Instruction Fuzzy Hash: 30714C34B40206CFDB94DF28C984A6E7BE6AF49260F1540A9E906CB371DF76EC42CB51
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e1b9e26b8f2ef2f57ba75fb0f5228e511e38c0e89ef7ebebfa625c2ae2849647
    • Instruction ID: 10b5594e50514ba6a92abb96d733063d9dde6c9d32d1ceb8905c16f45be737ba
    • Opcode Fuzzy Hash: e1b9e26b8f2ef2f57ba75fb0f5228e511e38c0e89ef7ebebfa625c2ae2849647
    • Instruction Fuzzy Hash: 5C617D72E0034E9FDF51CFA9C6406DEBBF2AF8A350F248619E845AB241D770A981CF40
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 92dee6f1d08768d3e9f4a5449b71578511c1b2abe466eb132e976174fdebb144
    • Instruction ID: 3f8dd7417b514a19a483bb8500bb739e24c8c2df8540092d09cfc785b47c192f
    • Opcode Fuzzy Hash: 92dee6f1d08768d3e9f4a5449b71578511c1b2abe466eb132e976174fdebb144
    • Instruction Fuzzy Hash: EB516B72E0074E9FDF51CFA5C6406DDBBF2AF8A350F24861AE849AB241D770A985CF50
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f42a503e57a93f13a5fe8710054749d4b37b60d070ade0e14a1a9dd551f1b3b8
    • Instruction ID: e8d2b56825c6c3e1c762a9b5914c340022c7fc2c144d6c9ff8138d54a12d6d70
    • Opcode Fuzzy Hash: f42a503e57a93f13a5fe8710054749d4b37b60d070ade0e14a1a9dd551f1b3b8
    • Instruction Fuzzy Hash: 0F41A031A0424ADFDF51CFA8C944ADEBFB2FF49320F048159E815AB291D371EA14DB90
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4d93dc50efec1237cea2ccebcc7110bc3e308d0255913875bf96d9e918413d7f
    • Instruction ID: 1ac448d3fa83d70ce9897792d21e5cf558ad90a798e1dabd6529f29ac8d0d828
    • Opcode Fuzzy Hash: 4d93dc50efec1237cea2ccebcc7110bc3e308d0255913875bf96d9e918413d7f
    • Instruction Fuzzy Hash: 5F416770D01209DFCB08DFA4C695A5EBBB2FF81700F24C49AC02B6B325D7309A45CB92
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e740b56581a755d3d2b2f06abb437d55af6045289d37bf26325e947f03ae45de
    • Instruction ID: 77ade5bbfdd180063f3fb19d30c406d2533b4805ec0061901a293e9ddd4ee477
    • Opcode Fuzzy Hash: e740b56581a755d3d2b2f06abb437d55af6045289d37bf26325e947f03ae45de
    • Instruction Fuzzy Hash: 6131083194410ACFD7449F68E6517AE7BF2EB88325F10086EE106D7340DB75AD58CBD1
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a254192ed95a0c330b7a3d1d9cbf5d558096864ca7c320e421692727865e9cda
    • Instruction ID: ab12d47bfaf7771b08dc15382dc16b24b47d14877714a788859f991478d44edc
    • Opcode Fuzzy Hash: a254192ed95a0c330b7a3d1d9cbf5d558096864ca7c320e421692727865e9cda
    • Instruction Fuzzy Hash: DF31C52571D3804FD7064778996536A3FF69B46221F1944ABE446CB3D3CE788C19C762
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8c02675727d434a56a00434c82405566e8b50c8c5692359b03a57ccc9b6d7e01
    • Instruction ID: 1a565bc6ed0618ed7509b164fcfd1d81ed741e70aa696aca394fe87257b06a26
    • Opcode Fuzzy Hash: 8c02675727d434a56a00434c82405566e8b50c8c5692359b03a57ccc9b6d7e01
    • Instruction Fuzzy Hash: 84219231B14212CFDB541A25D55463A369BEFC5668F14803DF506CB398EE2BCC83D385
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 57af013b01dcc592fd6fe7213bc82d57b86ce51304a72f670daef6a2e1c7e5d7
    • Instruction ID: a6fa778aa7a9c02251f228681ca062ad1e90f972d3c4a67b86c8e45dab5f8329
    • Opcode Fuzzy Hash: 57af013b01dcc592fd6fe7213bc82d57b86ce51304a72f670daef6a2e1c7e5d7
    • Instruction Fuzzy Hash: 2821F334B182058FD7445BB8956A32A3FE7EB88221F14847BF50AC7391DE749C1AC791
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 97aa3fdb7eeb35b87c6975e774baebf15c4801a35a1b07ea5a182a100fb88bc2
    • Instruction ID: 17079f49515bdf80a75fd4cf352bf78bdfab6d8b75a660be62f5dc34604eabae
    • Opcode Fuzzy Hash: 97aa3fdb7eeb35b87c6975e774baebf15c4801a35a1b07ea5a182a100fb88bc2
    • Instruction Fuzzy Hash: E5218E71E002199FCB45EFA8CA9199E7FF5FF44701B1045AAE016DB361EB349E45CB80
    Memory Dump Source
    • Source File: 00000000.00000002.2172683647.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f6d000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a253cae11d6f08524d886bfebb8af82313139bd19e14742315a2de832f5413a9
    • Instruction ID: 882ea337f07d46bf3aad1f9b840d4700f99e589ed844fec4f8b931753b61982d
    • Opcode Fuzzy Hash: a253cae11d6f08524d886bfebb8af82313139bd19e14742315a2de832f5413a9
    • Instruction Fuzzy Hash: 00213A72A00244DFDB05DF14D9C0F16BF65FB98324F24C569D9090B256C73AEC56E7A2
    Memory Dump Source
    • Source File: 00000000.00000002.2172824377.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_108d000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 74976f866da8fe9cacbdb11471d8ed34eac72ffcd2199168567756ac149014ab
    • Instruction ID: b9695161869414562934a897b2fdcab9a169fa2803070f310c2aec36a27588c9
    • Opcode Fuzzy Hash: 74976f866da8fe9cacbdb11471d8ed34eac72ffcd2199168567756ac149014ab
    • Instruction Fuzzy Hash: 2121F871548204DFDB05EF98D5C0B1ABFA5FB64324F20C6ADD9894B396C37AD406CBA1
    Memory Dump Source
    • Source File: 00000000.00000002.2172824377.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_108d000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 630fdb4d729e5fe0f464b0ac88c7c1f03b972ba69d677789ce7c554fc0decb00
    • Instruction ID: 07c588fe785d588dccdb2d089baaa6054a8973afc15624a399ef5a29bce41cb7
    • Opcode Fuzzy Hash: 630fdb4d729e5fe0f464b0ac88c7c1f03b972ba69d677789ce7c554fc0decb00
    • Instruction Fuzzy Hash: 4821D371508204DFDB15EFA8D984B16BFA5EB84354F20C6A9E9C94B396C33AD407CB61
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 87f5dd8a19e6081bd379af1f916ee4fd8d6d8f58c62c5cfb083ee71c5d2ad3e8
    • Instruction ID: acd77978fdb0e92946a63413a7cbe039268e99be7d43c2685900af41f6e42c4a
    • Opcode Fuzzy Hash: 87f5dd8a19e6081bd379af1f916ee4fd8d6d8f58c62c5cfb083ee71c5d2ad3e8
    • Instruction Fuzzy Hash: FA119632B0024ADFDB54CFACC945B5FBBA2EF85320F048559E8546B295D371E910C795
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8dfcfe792ddd0f6a9b2890da633a5729bf9ad21045c6dac1d5bef3d2b833bfdb
    • Instruction ID: b16cde59f76c1e16e84f3786fb1788ce08abb3fc34bacb60c290e198cd64d3fa
    • Opcode Fuzzy Hash: 8dfcfe792ddd0f6a9b2890da633a5729bf9ad21045c6dac1d5bef3d2b833bfdb
    • Instruction Fuzzy Hash: 8511B231E0810ACFDB409F58D6C0ABEB7F1AB44321F11846AE115DB282DB34C805CFD1
    Memory Dump Source
    • Source File: 00000000.00000002.2172683647.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f6d000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
    • Instruction ID: 665d23af2323171d5df781a37b818eda0d21559a3aaed1dd021ab77e4e8704d3
    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
    • Instruction Fuzzy Hash: EE112672904240CFCB06CF00D5C4B16BF71FB98324F24C6A9D9090B257C33AE85ADBA2
    Memory Dump Source
    • Source File: 00000000.00000002.2172824377.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_108d000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
    • Instruction ID: d254b8d34349b0749836ef2524f73da337d21f2d7038282ccb3e9c7859af6395
    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
    • Instruction Fuzzy Hash: C711D075508240DFDB02DF54D5C4B15BFA1FB44324F24C6A9D8894B696C33AD40ACBA1
    Memory Dump Source
    • Source File: 00000000.00000002.2172824377.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_108d000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
    • Instruction ID: baf7b6da5eb13098359fce744d2c2efd953930ca279e52789d63e28ca9dcbc7f
    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
    • Instruction Fuzzy Hash: B611BE75508280CFDB12DF54D5C4B15BFA2FB44314F24C6AAE8894B696C33AD40BCF62
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f40a6f387ac392d1f74506c75f66a4a2c0e318ec4523af8cec8fc00b8ab77ba7
    • Instruction ID: c40994a90b0d6b1044c63c5529cb2b9c15846dfa703c71f2a4854ae4e02ac1b9
    • Opcode Fuzzy Hash: f40a6f387ac392d1f74506c75f66a4a2c0e318ec4523af8cec8fc00b8ab77ba7
    • Instruction Fuzzy Hash: 44F0F6326195398FE350866CD94067BB6E9FB4A230F05862BF55AC7381D674E8A0A2D0
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 071d11d4fc730864f4c93d31e55ba34607250ca745ee37c3402975577e915d88
    • Instruction ID: 3c82ba2c437710cadfce1801151498c3f7e231effce6a7d9ff233ba24610df63
    • Opcode Fuzzy Hash: 071d11d4fc730864f4c93d31e55ba34607250ca745ee37c3402975577e915d88
    • Instruction Fuzzy Hash: 4B012570D0020D9FCB45EFE8C991A9EBBF6FF44300F5085AAD115A7355EB345A099B80
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8071852598f8b79b5b69c7c22041daa4a1e49e803ccdc316c24f4e045ac65bbb
    • Instruction ID: 7542f81c0e4ef7e69f78b829092ba772d66d1bbbf545561cb477ac8a8005dd7b
    • Opcode Fuzzy Hash: 8071852598f8b79b5b69c7c22041daa4a1e49e803ccdc316c24f4e045ac65bbb
    • Instruction Fuzzy Hash: A6E0C260FA830D6FEFA489656D02F32364EF7C0B12F108029B209D92C4CE625801CB24
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 33ac128cb8c041f01395bc8f88b707abb6f3e92bc156da2785423893232990e5
    • Instruction ID: aae8739c78cd8b7669ceefb9fe1836572e14bd5af605b1c256a3261cd13f9587
    • Opcode Fuzzy Hash: 33ac128cb8c041f01395bc8f88b707abb6f3e92bc156da2785423893232990e5
    • Instruction Fuzzy Hash: 6BE026E1E5D3895FEB428620AE097223F16DB91222F0984FFA057CF0C2DA685800C725
    Memory Dump Source
    • Source File: 00000000.00000002.2176671502.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_6fc0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 655ba5abb96ff962ce6ad61371b6a59d23275c14562dc64d3a44b19c78004c5e
    • Instruction ID: a67bcbb0abca271f3b98fdbff0b7545a196f644add0afd3f54e1324f951f0eed
    • Opcode Fuzzy Hash: 655ba5abb96ff962ce6ad61371b6a59d23275c14562dc64d3a44b19c78004c5e
    • Instruction Fuzzy Hash: B4C04C6518B3805FCA0612A068555D33B2ACB8714971544CBE28A8719346254A2ACE72
    Memory Dump Source
    • Source File: 00000000.00000002.2173047509.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10e0000_r9RH4Zmt7ycN6yWI.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2614690f5395b3d82674ad48cf1302da0ad2a46fc31bc99cc5ea42c3face4e4e
    • Instruction ID: f4e6fc555cf4003b57f03b2b7baee9789de95c16cb67b34d097631424d0c26b7
    • Opcode Fuzzy Hash: 2614690f5395b3d82674ad48cf1302da0ad2a46fc31bc99cc5ea42c3face4e4e
    • Instruction Fuzzy Hash: A6A19032E0021A8FCF19DFB5C9484DEBBF2FF85300B1585AAE946AB265DB31D905CB40