Edit tour

Windows Analysis Report
Roahhi.exe

Overview

General Information

Sample name:	Roahhi.exe
Analysis ID:	1592538
MD5:	395402b9823f71c7eb5dd07ed8f520d6
SHA1:	7fbe726d1b013c8343017cec30eb6900e3194f0c
SHA256:	e5ddb80cb8eb3db1d9bc15026bb7c469e4d7898ae857ee7dfc166aa1244086e4
Tags:	exeuser-lowmal3
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Roahhi.exe (PID: 5604 cmdline: "C:\Users\user\Desktop\Roahhi.exe" MD5: 395402B9823F71C7EB5DD07ED8F520D6)

InstallUtil.exe (PID: 5168 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 5780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2088150675.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2105474906.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Roahhi.exe PID: 5604	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Roahhi.exe PID: 5604	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 5168	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Roahhi.exe.43392bb.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Roahhi.exe.42f929b.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Roahhi.exe.44b8ad0.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Roahhi.exe.5fb0000.13.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Roahhi.exe.44b8ad0.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Roahhi.exe.5fb0000.13.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Roahhi.exe.42d927b.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 2 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Roahhi.exe, ProcessId: 5604, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\IsClosed.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\IsClosed.exe	Virustotal: Detection: 38%			Perma Link

Multi AV Scanner detection for submitted file

Source: Roahhi.exe	Virustotal: Detection: 38%			Perma Link
Source: Roahhi.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\IsClosed.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Roahhi.exe

Joe Sandbox ML: detected

Source: Roahhi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Roahhi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbQ\ source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb)\| source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbnS source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Roahhi.exe, 00000000.00000002.2107417614.0000000006432000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106840572.00000000062C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdbod source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Roahhi.exe, 00000000.00000002.2107417614.0000000006432000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106840572.00000000062C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb@= source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n8C:\Windows\InstallUtil.pdb$ source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_06089740
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 4x nop then jmp 06083ABEh	0_2_060838F0
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_06089738
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 4x nop then jmp 06083ABEh	0_2_060838E1
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_060AD840
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 4x nop then jmp 06353C10h	0_2_06353B50
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 4x nop then jmp 06353C10h	0_2_06353B58

Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06355490 NtProtectVirtualMemory,	0_2_06355490
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06358D08 NtResumeThread,	0_2_06358D08
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06355488 NtProtectVirtualMemory,	0_2_06355488
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06358D03 NtResumeThread,	0_2_06358D03

Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_00C0D070	0_2_00C0D070
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05824D28	0_2_05824D28
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0582AC70	0_2_0582AC70
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0582668B	0_2_0582668B
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05824D1B	0_2_05824D1B
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0582AC5F	0_2_0582AC5F
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05820007	0_2_05820007
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05820040	0_2_05820040
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05823A41	0_2_05823A41
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05823A50	0_2_05823A50
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FAE148	0_2_05FAE148
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FAAE68	0_2_05FAAE68
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FA8CE0	0_2_05FA8CE0
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FA8CD0	0_2_05FA8CD0
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FA7850	0_2_05FA7850
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FA0040	0_2_05FA0040
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FA7840	0_2_05FA7840
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FA0006	0_2_05FA0006
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FA6BCB	0_2_05FA6BCB
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_05FAAE58	0_2_05FAAE58
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0608DEB8	0_2_0608DEB8
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06086B58	0_2_06086B58
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0608D088	0_2_0608D088
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06088EB8	0_2_06088EB8
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06088EC8	0_2_06088EC8
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0608CB38	0_2_0608CB38
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06080040	0_2_06080040
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_060AF3E0	0_2_060AF3E0
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_060A0006	0_2_060A0006
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_060A0040	0_2_060A0040
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06110040	0_2_06110040
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06111248	0_2_06111248
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06110367	0_2_06110367
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0628AAE0	0_2_0628AAE0
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06287570	0_2_06287570
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06287545	0_2_06287545
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0628AAD1	0_2_0628AAD1
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0634FAB0	0_2_0634FAB0
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0634F788	0_2_0634F788
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0634E730	0_2_0634E730
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0633001E	0_2_0633001E
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06330040	0_2_06330040
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0634E190	0_2_0634E190
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06352038	0_2_06352038
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_063536A9	0_2_063536A9
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06352028	0_2_06352028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_02724F90	2_2_02724F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_02725AD8	2_2_02725AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_02725AC8	2_2_02725AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_027222B0	2_2_027222B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_027222A0	2_2_027222A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_02724F90	2_2_02724F90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1144

Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2098685640.0000000005100000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHykzini.dll" vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2067024816.0000000002B06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNuzfblcfzx.exe" vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2065169030.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2107417614.0000000006432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Roahhi.exe
Source: Roahhi.exe, 00000000.00000002.2106840572.00000000062C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Roahhi.exe

Source: Roahhi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Roahhi.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IsClosed.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.expl.evad.winEXE@4/3@0/0

Source: C:\Users\user\Desktop\Roahhi.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3eadd90e-8281-47ef-8936-5aea80d618f3

Jump to behavior

Source: Roahhi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Roahhi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Roahhi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Roahhi.exe	Virustotal: Detection: 38%
Source: Roahhi.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\Roahhi.exe

File read: C:\Users\user\Desktop\Roahhi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Roahhi.exe "C:\Users\user\Desktop\Roahhi.exe"
Source: C:\Users\user\Desktop\Roahhi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1144
Source: C:\Users\user\Desktop\Roahhi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Roahhi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Roahhi.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Roahhi.exe

Static file information: File size 1647616 > 1048576

Source: Roahhi.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x191a00

Source: Roahhi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbQ\ source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb)\| source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbnS source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Roahhi.exe, 00000000.00000002.2107417614.0000000006432000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106840572.00000000062C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdbod source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Roahhi.exe, 00000000.00000002.2107417614.0000000006432000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106840572.00000000062C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb@= source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3313734367.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n8C:\Windows\InstallUtil.pdb$ source: InstallUtil.exe, 00000002.00000002.3313587321.0000000000968000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Roahhi.exe.43392bb.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Roahhi.exe.42f929b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Roahhi.exe.44b8ad0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Roahhi.exe.5fb0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Roahhi.exe.44b8ad0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Roahhi.exe.5fb0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Roahhi.exe.42d927b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2088150675.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2105474906.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Roahhi.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5168, type: MEMORYSTR

Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06083B63 push eax; iretd	0_2_06083B69
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06083BA8 pushfd ; iretd	0_2_06083BA9
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0611EEC0 push 5D00BC01h; ret	0_2_0611EEDD
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_062892A3 push es; retf	0_2_062892A4
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_062861D9 push es; iretd	0_2_062861F4
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_0635771A push es; iretd	0_2_06357720
Source: C:\Users\user\Desktop\Roahhi.exe	Code function: 0_2_06354C28 push es; retf	0_2_06354C58

Source: Roahhi.exe	Static PE information: section name: .text entropy: 7.893702508411447
Source: IsClosed.exe.0.dr	Static PE information: section name: .text entropy: 7.893702508411447

Source: C:\Users\user\Desktop\Roahhi.exe

File created: C:\Users\user\AppData\Roaming\IsClosed.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\Roahhi.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\Roahhi.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Roahhi.exe PID: 5604, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Roahhi.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Memory allocated: 6390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe

Code function: 0_2_06282D97 rdtsc

0_2_06282D97

Source: C:\Users\user\Desktop\Roahhi.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\Roahhi.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\Roahhi.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Roahhi.exe

Code function: 0_2_06089740 CheckRemoteDebuggerPresent,

0_2_06089740

Source: C:\Users\user\Desktop\Roahhi.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe

Code function: 0_2_06282D97 rdtsc

0_2_06282D97

Source: C:\Users\user\Desktop\Roahhi.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Roahhi.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Roahhi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46E000	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 470000	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 611008	Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe	Queries volume information: C:\Users\user\Desktop\Roahhi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Roahhi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Roahhi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Windows Management Instrumentation	1 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	3 Virtualization/Sandbox Evasion	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	32 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Roahhi.exe	39%	Virustotal		Browse
Roahhi.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
Roahhi.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\IsClosed.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\IsClosed.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
C:\Users\user\AppData\Roaming\IsClosed.exe	39%	Virustotal		Browse

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Roahhi.exe, 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	Roahhi.exe, 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Roahhi.exe, 00000000.00000002.2106289684.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592538
Start date and time:	2025-01-16 09:12:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Roahhi.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@4/3@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 277 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 5168 because it is empty
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:13:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

Process:	C:\Users\user\Desktop\Roahhi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1647616
Entropy (8bit):	7.890643861348459
Encrypted:	false
SSDEEP:	24576:qVcVbMPWjh+CPpgYAm+adY108rrhQRihdOOEw323g8ROYvW6e8CV9wMS9UdATfz:ecO6+6Aao08JQRihdONwmQ46V9+iCLz
MD5:	395402B9823F71C7EB5DD07ED8F520D6
SHA1:	7FBE726D1B013C8343017CEC30EB6900E3194F0C
SHA-256:	E5DDB80CB8EB3DB1D9BC15026BB7C469E4D7898AE857EE7DFC166AA1244086E4
SHA-512:	D262BABDD10D1872351A16B62FC23C4A7A6D99A2DBA1A37F437477A4A2685422D81605EDDDC5E2F2CE82488F7233BD0FC3F3B730F0153D5849E6D2CD066B9719
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39% Antivirus: Virustotal, Detection: 39%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g............................29... ...@....@.. ....................................`..................................8..J....@.......................`....................................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H........+..,{......?.......(............................................(....(p....0..........8....u....8....8....-.8....8....8....8....8.....8....-..o]...o^...-..o_...(...+oa....+=..(b.....oc...-(.S...(d....r...poe...(f.........og...&....&....(h...-...........o.....(D...8K....8O....8N...(i...8L....8K...oj...8F....8E....8D...(k...8@...........a.2.........W.J.........(l....~....-.r...p.....+.+.+......~....(d...+.om...+.sn...+..~......+.......+..+.rQ..p~....+.t....*(..

C:\Users\user\AppData\Roaming\IsClosed.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Roahhi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

Download File

Process:	C:\Users\user\Desktop\Roahhi.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.780909727108627
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoUkh4EaKC5lCIn:FER/lFHI9aZ5EI
MD5:	F48A7063A56D5EE34F5C85639E5206A3
SHA1:	CD4B1C7575D5CF404524B15C2606CCC5D46EF0B6
SHA-256:	533EEC8FCAD856A8F0E1A1CBA2DF2B5C53D3670980C4D34E290839BF7A7EF2E2
SHA-512:	1C0D463248D256272B08266712B13AD26146231E4680F94578FC89B233A1E53B31A75D520D620E484A7377C1229A1552DC6F7ACBBE423E4435598D75BB1D84DC
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\IsClosed.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.890643861348459
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Roahhi.exe
File size:	1'647'616 bytes
MD5:	395402b9823f71c7eb5dd07ed8f520d6
SHA1:	7fbe726d1b013c8343017cec30eb6900e3194f0c
SHA256:	e5ddb80cb8eb3db1d9bc15026bb7c469e4d7898ae857ee7dfc166aa1244086e4
SHA512:	d262babdd10d1872351a16b62fc23c4a7a6d99a2dba1a37f437477a4a2685422d81605edddc5e2f2ce82488f7233bd0fc3f3b730f0153d5849e6d2cd066b9719
SSDEEP:	24576:qVcVbMPWjh+CPpgYAm+adY108rrhQRihdOOEw323g8ROYvW6e8CV9wMS9UdATfz:ecO6+6Aao08JQRihdONwmQ46V9+iCLz
TLSH:	E775128903F91661F2DFA73694F2AA05CB70F552AF6FC30E148858EB0C06B96D851B1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................29... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x593932
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6788A5CA [Thu Jan 16 06:23:06 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1938e8	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x194000	0x58e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x196000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x191938	0x191a00	31daebafe5b22f094f9d316370df6c26	False	0.9246116849517585	data	7.893702508411447	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x194000	0x58e	0x600	5def1ff7df3b610bac0f7aed4447520c	False	0.4212239583333333	data	4.06098316984783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x196000	0xc	0x200	6117c4e5fd9f95412dfa7f00d2793232	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x19405c	0x30c	data			0.42948717948717946
RT_MANIFEST	0x1943a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	03:12:57
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\Roahhi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Roahhi.exe"
Imagebase:	0x330000
File size:	1'647'616 bytes
MD5 hash:	395402B9823F71C7EB5DD07ED8F520D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2088150675.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2105474906.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2088150675.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2067024816.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:12:58
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x5d0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:13:00
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1144
Imagebase:	0xb10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	94.5%
Signature Coverage:	8.5%
Total number of Nodes:	272
Total number of Limit Nodes:	20

Executed Functions

Function 06110040 Relevance: 16.1, Strings: 12, Instructions: 1097COMMON

Download Yara Rule

Strings

$]q, xrefs: 06110547
$]q, xrefs: 06110497
$]q, xrefs: 061102D3
$]q, xrefs: 061102C3
$]q, xrefs: 0611097A
4, xrefs: 06110A15
$]q, xrefs: 06110537
$]q, xrefs: 06110487
,aq, xrefs: 06110AFA
$]q, xrefs: 0611096A
$]q, xrefs: 06110911
$]q, xrefs: 06110921

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: ,aq$4$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3443518476
Opcode ID: f1c9baa548274e80e00812a45148a62909828c79b28edf35791103aacd972e35
Instruction ID: e08306ab70b59c67c2d4e2ac432207d1c2d2e1b06615f17c3a540f8c53fcfc4e
Opcode Fuzzy Hash: f1c9baa548274e80e00812a45148a62909828c79b28edf35791103aacd972e35
Instruction Fuzzy Hash: F7B20734E00218CFDB54CFA8C994BADBBB6BF48701F1585A9E505AB3A5DB70AD81CF50

Function 06110367 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 06110A15
$]q, xrefs: 06110537
,aq, xrefs: 06110AFA
$]q, xrefs: 06110487
$]q, xrefs: 0611096A
$]q, xrefs: 06110911

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: ,aq$4$$]q$$]q$$]q$$]q
API String ID: 0-324474496
Opcode ID: e16c1239e6ca136e4967582a6b17d0992c807fe564886674197b1db25468e557
Instruction ID: 8f4ef070f23a4ce354179a6c2a885196e8d00bbe0198ddf4c2438b98c2485198
Opcode Fuzzy Hash: e16c1239e6ca136e4967582a6b17d0992c807fe564886674197b1db25468e557
Instruction Fuzzy Hash: 0122F634E00219CFDB64DF65C994BADBBB6BF48301F1485A9E509AB2A5DB30AD81CF50

Function 05824D28 Relevance: 3.8, Strings: 2, Instructions: 1335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 05825D06
$]q, xrefs: 0582538A

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID: 2$$]q
API String ID: 0-351713980
Opcode ID: 365bf007cf8854ebf09d117b3531f1c84402ab262e0d01d63dcc53322fc839d1
Instruction ID: b0b14351c5f79a11722a8982ed71ef188673a9b4b19bca2305028247860366ba
Opcode Fuzzy Hash: 365bf007cf8854ebf09d117b3531f1c84402ab262e0d01d63dcc53322fc839d1
Instruction Fuzzy Hash: 76E2E474A056298FCB64DF69E884B9ABBF2FF49301F1081E9E449A7355EB705E81CF40

Function 06352038 Relevance: 3.1, Strings: 2, Instructions: 610
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 06352142
fbq, xrefs: 06352155

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID:
String ID: fbq$8
API String ID: 0-3186246319
Opcode ID: 8725e5233ff79a457a19882b17c5a6b18224e7e5ccfaab6b04192fa8d371dc18
Instruction ID: 04af0e7f09b78727a4776cff8f2294d45504458609cfc734cb82393070e38eca
Opcode Fuzzy Hash: 8725e5233ff79a457a19882b17c5a6b18224e7e5ccfaab6b04192fa8d371dc18
Instruction Fuzzy Hash: 8252E775E006298FDB64DF69C850AD9B7B1FF89300F1585EAD809A7355EB70AE81CF80

Function 06352028 Relevance: 2.7, Strings: 2, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 06352155
h, xrefs: 06352136

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID:
String ID: fbq$h
API String ID: 0-3598783323
Opcode ID: e367592f76c66e0941605cf9df4a6883217a260d24737e29ed0e2219f2573caf
Instruction ID: 58b300cfb7f39c30e3c317f1e01ed790089528bedb69fb97f0cdec46256d6e98
Opcode Fuzzy Hash: e367592f76c66e0941605cf9df4a6883217a260d24737e29ed0e2219f2573caf
Instruction Fuzzy Hash: 27911771D016199FDB64DF69D850ADABBF2FF89300F1481EAD808A7251EB706E85CF90

Function 06355488 Relevance: 1.6, APIs: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 06355545

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4f8f6b6a051efa7226157c5a6bdbb7a053e41c4d882e82b6a40f1503ae1e9998
Instruction ID: ed1bfc3d0b53a1ec4fb2d93e87b62a7ea0de258208686404907801b1ccb83159
Opcode Fuzzy Hash: 4f8f6b6a051efa7226157c5a6bdbb7a053e41c4d882e82b6a40f1503ae1e9998
Instruction Fuzzy Hash: 7E417AB4D002589FCF10CFAAD984AEEFBB5BF59310F10942AE815B7210D735A946CFA5

Function 06355490 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 06355545

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f155ef4955c59d86f3d11b2d8398bac25fe82146041cb2deb38a84b86a7112ce
Instruction ID: cadc3e9b85b06f9ca1e92e9c0ac005a1aa2fed624b652d4f9f31ae6a2df09e98
Opcode Fuzzy Hash: f155ef4955c59d86f3d11b2d8398bac25fe82146041cb2deb38a84b86a7112ce
Instruction Fuzzy Hash: 7B417AB8D002589FCF10CFAAD980ADEFBB5BF49310F10942AE819B7210D735A945CFA5

Function 06089738 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 060897DA

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 707d881311c44816f8224681da6e7ea6b6b6a3c1c50c4d02b63cfc771d591a3c
Instruction ID: c1ad3eabc0fa53557c79b13f10f3237b80fac9f4660f5e13f92cf0acd9df4a9a
Opcode Fuzzy Hash: 707d881311c44816f8224681da6e7ea6b6b6a3c1c50c4d02b63cfc771d591a3c
Instruction Fuzzy Hash: 8E41EEB5C052589FCB00DFA9D485AEEFFF0AF09310F14802AE455B7240C738AA85CFA4

Function 06089740 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 060897DA

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 1f8499f3d38e7c78d3b56a8f01ae00e9e12aa1e1f8e3d4de5b9cd7976711b8f8
Instruction ID: 11a044ee9c78867a6cbe7523c692ad74f704d86da504dad5f23f685f7f88f837
Opcode Fuzzy Hash: 1f8499f3d38e7c78d3b56a8f01ae00e9e12aa1e1f8e3d4de5b9cd7976711b8f8
Instruction Fuzzy Hash: 1C41DCB5C042589FCB10DFA9D484AEEFBF4AF09310F14902AE455B7240C738AA85CFA4

Function 06358D03 Relevance: 1.6, APIs: 1, Instructions: 86nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06358D96

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 609f912bfae90f8cffac6afda10c4034159f40195b0bd9c32c5f5f3dbcf2f727
Instruction ID: 7a0bee5b2e0216ff73fa937e7ba0070e53c41090d36b3466a51b5187d0e6db3d
Opcode Fuzzy Hash: 609f912bfae90f8cffac6afda10c4034159f40195b0bd9c32c5f5f3dbcf2f727
Instruction Fuzzy Hash: 88319BB4D012189FCB14CFA9D981A9EFBF5FF59310F20942AE819B7240C735A945CF94

Function 06358D08 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06358D96

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7f8542d44c8068bddbc14a6a2dabcaa8e3d80af119120df0213d5beedc9bc342
Instruction ID: ab5e22fe83263f610746836f29c0599307a155157921adec4afc9899052edc01
Opcode Fuzzy Hash: 7f8542d44c8068bddbc14a6a2dabcaa8e3d80af119120df0213d5beedc9bc342
Instruction Fuzzy Hash: AF31AAB4D012189FCB10CFAAD980A9EFBF5BF49310F20942AE819B7200C735A945CF94

Function 06086B58 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06086E93

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: f31426fb4dad21d9114a84db936693de77df23bdc6d18b5d4c5685e1e3534c8c
Instruction ID: 607d463a6a72f1ee790237121513f1c306dbc6dc8bd036fdc0951832be833902
Opcode Fuzzy Hash: f31426fb4dad21d9114a84db936693de77df23bdc6d18b5d4c5685e1e3534c8c
Instruction Fuzzy Hash: FBD14670E54218CFEB94EFA9D844BADBBF2FB49300F2180A9D449A7346EB755984CF41

Function 0634FAB0 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Ddq, xrefs: 0634FBB5

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID: Ddq
API String ID: 0-562783569
Opcode ID: c0bbf8887f9f1c56fb04c25cd71c1cca2ca248372e7c18bccb32f7b31f62f00b
Instruction ID: c26c2bef36381d0b95751762b0690978cf2725247b0121d40a04d7693b34b561
Opcode Fuzzy Hash: c0bbf8887f9f1c56fb04c25cd71c1cca2ca248372e7c18bccb32f7b31f62f00b
Instruction Fuzzy Hash: 02D1DF74E01219CFDB54DFA9D880A9DBBF2BF89300F2481A9D409AB365DB31AD85CF50

Function 05FAE148 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

", xrefs: 05FAE416

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 2034f453cc5f0c3ae0f1b49a01050c259a2f1ca9d63eb6631066e194209d71c8
Instruction ID: f3f48763fdfee6426bf4d5e909c38012a5f8af3143e432f12eae5ac969aab8ad
Opcode Fuzzy Hash: 2034f453cc5f0c3ae0f1b49a01050c259a2f1ca9d63eb6631066e194209d71c8
Instruction Fuzzy Hash: D0B123B2E04219CBDB00CFAAC444BEEBBBEBB49300F11E019D615BB385D7B859458F56

Function 0582668B Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fe0aa0e7ba03526c7c544da97e8754642a3a0a307ffc5db1e4f13aeae65247
Instruction ID: a7da3cbe0ba7375cb2cfdecc33fdd1dcf9e1ea46dbbffff162200a36f7d02a64
Opcode Fuzzy Hash: e1fe0aa0e7ba03526c7c544da97e8754642a3a0a307ffc5db1e4f13aeae65247
Instruction Fuzzy Hash: BB52B274A046288FCB64DF28D984A9ABBF6FF49301F1081E5E94DA7355DB30AE80CF51

Function 0608D088 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3005eef0133e74a285a2aa41fe956957f43e685736d95f9e949ecdc3300ecf
Instruction ID: bc137ac88f55e790294deef39eea0cd1bf3a33c1d71f21311efe4509240f94d3
Opcode Fuzzy Hash: 0f3005eef0133e74a285a2aa41fe956957f43e685736d95f9e949ecdc3300ecf
Instruction Fuzzy Hash: 1E02E770D40219CFDBA0DFA8C881B9DBBF1BF49304F1086AAD449B7290EB749A85CF55

Function 0608DEB8 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f16814f6b66c323ac14d5c9c5b33ba0950623d452a59f8392f67ef1ceed2d38
Instruction ID: 1e9772f03b6df16de474f45bd339cc48227079908fec9fc9fb5ca59de9da93b0
Opcode Fuzzy Hash: 3f16814f6b66c323ac14d5c9c5b33ba0950623d452a59f8392f67ef1ceed2d38
Instruction Fuzzy Hash: 99F10470D40229CFDBA0DFA8C885B9DBBF1BF49304F1085AAD449B7290EB349A85CF55

Function 05FAAE68 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a158070138dfb132c0c4d3f705276660e2217467d9a0228f4952edd8c2940935
Instruction ID: d6431f429cf6d36c352ca77f18c7e7a810a23800cf1b6ee26fedccbdf943344a
Opcode Fuzzy Hash: a158070138dfb132c0c4d3f705276660e2217467d9a0228f4952edd8c2940935
Instruction Fuzzy Hash: 35C1F7F2D09209CFDB10CF9AD488BEEBBF6BB49304F009069D455A7295D378598ACF42

Function 05FAAE58 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65026e83f7360fe6d553e70bf1c52112e98714418b3d7ef1f58d93356be4a6c5
Instruction ID: 629065b50a46800f3a1d8f3b5ed9b5c44ddb3d9afd8be02dfc6bc6b3469b8a84
Opcode Fuzzy Hash: 65026e83f7360fe6d553e70bf1c52112e98714418b3d7ef1f58d93356be4a6c5
Instruction Fuzzy Hash: 84C108B2D09209CFDB14CF9AD488BEEBBF6BB49304F009069D455A7292D37C5949CF42

Function 0628AAD1 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04585bafd0104364aa479f5f4e864b4d439d149097d0ee17fe86828e6c05462a
Instruction ID: 5c0db20719a55b44ce5cafb621d36f43aacab987570613d1811d917e422f9ef8
Opcode Fuzzy Hash: 04585bafd0104364aa479f5f4e864b4d439d149097d0ee17fe86828e6c05462a
Instruction Fuzzy Hash: E8810674D16608CFEB54EFA9E9447EDBBF2FB48300F20806AD819A7295DB745985CF40

Function 0628AAE0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57fea19a93ec22e621029dc1c4eb8673cb70a71a09097d3e0f5b97c90b15c0d
Instruction ID: 61b56e3af4c05b3a6a53d0ea1ece67da42432f375b2e890530040ae20b72c197
Opcode Fuzzy Hash: e57fea19a93ec22e621029dc1c4eb8673cb70a71a09097d3e0f5b97c90b15c0d
Instruction Fuzzy Hash: 26810574D1660CCFEB94EFA9D9447ADBBF2BB48300F20806AD819A7295DB745945CF40

Function 0634F788 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2aa1f044a60588b32cb678f5190c2b4dd5cb2e5ad7dead2bc5b26da7392a90
Instruction ID: cfe319f2d0eaa3c27ee0f5a6071e09131648c19e038ba49c79e7a3fdb859639b
Opcode Fuzzy Hash: ef2aa1f044a60588b32cb678f5190c2b4dd5cb2e5ad7dead2bc5b26da7392a90
Instruction Fuzzy Hash: B7615974E051098FDB44DFA9D4856EEBBF6FF88300F68816AE105E7744D738A982CB90

Function 0582AC70 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4c23373db38e1212dcf22f3c9a0d160b6c1d98a6aa43900e39849de99fe8bc
Instruction ID: 1a9a66d3726b24607742526171728e4aa351cb52e7c853669da254718be97ad9
Opcode Fuzzy Hash: 2d4c23373db38e1212dcf22f3c9a0d160b6c1d98a6aa43900e39849de99fe8bc
Instruction Fuzzy Hash: 9361F9B0D052688FDB28CF66C8447EDBBF6AF89305F10D0AAD809AB255D7B45D85CF40

Function 0582AC5F Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9089ffe405fb95de8bb622231c10df288b13d5e26eb6dbf085e76c30450763be
Instruction ID: 5c87ad3f60a7a4a9de5e85da9665373749aba03ed7b46ff16f738cf420b173b6
Opcode Fuzzy Hash: 9089ffe405fb95de8bb622231c10df288b13d5e26eb6dbf085e76c30450763be
Instruction Fuzzy Hash: CB5129B0D052688BDB18CFAAC9447EDBBF2AF89305F10D0AAC809AB215D7745E85CF41

Function 060838F0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ea45a25959352735a79e9c585af43756e7fbc954bfc51fe16fa48512267e9b
Instruction ID: 21b3671de170ef366848fa5bc894433c1fae51b79077169a58244666e78c78c8
Opcode Fuzzy Hash: 79ea45a25959352735a79e9c585af43756e7fbc954bfc51fe16fa48512267e9b
Instruction Fuzzy Hash: E5510F70D45208CFDB88EF99E4487EDBBF1EB8A711F10506AE489A7385DB745986CB40

Function 060838E1 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48838f4e1d4f8702bf30718f4479f3953c6a833ec445c8db153dbe517689996
Instruction ID: 5a5dc85ac1189318915302e99d7558485b93f4b555f8932a6cbf78db41578dba
Opcode Fuzzy Hash: a48838f4e1d4f8702bf30718f4479f3953c6a833ec445c8db153dbe517689996
Instruction Fuzzy Hash: 82512270D45208CFDB48EFA9E4487EDBFF2EB8A711F10506AE489A7394DB745986CB40

Function 06115E00 Relevance: 4.2, Strings: 3, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 06116304
Haq, xrefs: 06116354
Haq, xrefs: 061162D5

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: Haq$Haq$Haq
API String ID: 0-3013282719
Opcode ID: e24a878bb1a4bc91316b91ccc1d13b9027c01fc3df37c0f72d98b951a21cea2a
Instruction ID: 973d6796c153431a9b46e121100b56595a941bafb4a07460c05c920cb21b89ba
Opcode Fuzzy Hash: e24a878bb1a4bc91316b91ccc1d13b9027c01fc3df37c0f72d98b951a21cea2a
Instruction Fuzzy Hash: 04126C31A002059FCB65DFA5C884A6EBBF6FF88300F14896DE50A9B355DB35ED46CB90

Function 06117AC0 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 06117DB9
4']q, xrefs: 06117E39
4']q, xrefs: 06117CDA

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q
API String ID: 0-705557208
Opcode ID: 0c6e67ae734689721aa8ee25215859710be2054df6271b0408afdff22b3dd8d9
Instruction ID: 5ce2b5db68d0b3fdf283d9977e827e6d3967d772eb0dc9bf29fc80aca41381ab
Opcode Fuzzy Hash: 0c6e67ae734689721aa8ee25215859710be2054df6271b0408afdff22b3dd8d9
Instruction Fuzzy Hash: 20F1CA34A10219DFDB44DFA4D998E9DBBB2FF88300F158564E916AB3A5DB70EC42CB50

Function 0611C4A0 Relevance: 4.1, Strings: 3, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0611C61F
(aq, xrefs: 0611C5F4
(aq, xrefs: 0611C5C9

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: (aq$(aq$Haq
API String ID: 0-2456560092
Opcode ID: c947f6d2b10fb24ccb1d99092f57f07bcf273b189b7d93cd2ffaeba6a3601d7e
Instruction ID: 6dc7856bada6cd677af7a8e0389d32c3251223b5a7c1c03896b5b6862f5663aa
Opcode Fuzzy Hash: c947f6d2b10fb24ccb1d99092f57f07bcf273b189b7d93cd2ffaeba6a3601d7e
Instruction Fuzzy Hash: DDE13134A10209DFCB44EF64D4949AEBBB6FF89300F148569E815AB3A4DF34ED46CB91

Function 061158B8 Relevance: 2.8, Strings: 2, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 061158CC
d, xrefs: 06115B18

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: (aq$d
API String ID: 0-3557608343
Opcode ID: 514309a8126cbb4fe3dc6241101c74171594c18c4628dba9f79574a4d537a77f
Instruction ID: 00ddaef41143b38a99d6b4daae6286f10c5b57ee5c1f40053089a6f99c6b5191
Opcode Fuzzy Hash: 514309a8126cbb4fe3dc6241101c74171594c18c4628dba9f79574a4d537a77f
Instruction Fuzzy Hash: F7D15A70600A068FCB14CF18C494A6ABBF7FFC8314B59C969D45A8B3A5DB34F846CB94

Function 06111930 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 06111A36
Haq, xrefs: 06111AC4

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: (aq$Haq
API String ID: 0-3785302501
Opcode ID: 8c1607491b113400b8c635f8ff37d6f0837d74a18033269666b74d26e29850fc
Instruction ID: c1d96502a4f60d7309090b54796e2d76d720728b6066516fdaa8876d86819bfb
Opcode Fuzzy Hash: 8c1607491b113400b8c635f8ff37d6f0837d74a18033269666b74d26e29850fc
Instruction Fuzzy Hash: 3951AE30B002449FC769AF38C45562EBBB6AFC5301B1484BDE9068B3A5CF35ED06CB91

Function 061189A0 Relevance: 1.9, Strings: 1, Instructions: 677
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 06118D1B

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: ,aq
API String ID: 0-3092978723
Opcode ID: 95b186bdde7b70b8c9f797d0162fd4d4478447d3a033567a1800e16bc0855750
Instruction ID: 8c1ca053e6427707e1203f5c2b8c7083f8845b24e93573fb28a7c67e01017197
Opcode Fuzzy Hash: 95b186bdde7b70b8c9f797d0162fd4d4478447d3a033567a1800e16bc0855750
Instruction Fuzzy Hash: 69521B75A002288FDB64CF69C985BDDBBF6BF88700F1544E9E909AB351DA309D81CF61

Function 06112EE0 Relevance: 1.8, Strings: 1, Instructions: 534
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_]q, xrefs: 06113170

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: (_]q
API String ID: 0-188044275
Opcode ID: 7cf06fdf55d9f17c39b276a937c31deb71af7c418d1d69ec7c7925116a0aec60
Instruction ID: 44ea49707b590cbc0c40f73dc7d59204974a4d64447d1125e9d1339f50b38f23
Opcode Fuzzy Hash: 7cf06fdf55d9f17c39b276a937c31deb71af7c418d1d69ec7c7925116a0aec60
Instruction Fuzzy Hash: 86228C31B002049FDB54DFA8D490A6DBBF2BF88700F1584A9E9159F3A5DB71ED81CB90

Function 06355FE4 Relevance: 1.8, APIs: 1, Instructions: 265processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06356257

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 47bcd2c1642bbd05e3ab93af5c235408aac71f68f6d9361ba32e9ce9cca46f05
Instruction ID: d1bb535eea7c7335cf6b5369a1fca1177d879af417a8e9a916037eb71108e3a4
Opcode Fuzzy Hash: 47bcd2c1642bbd05e3ab93af5c235408aac71f68f6d9361ba32e9ce9cca46f05
Instruction Fuzzy Hash: 68A11570D00218CFDB60CFA9C846BEDBBF1BF0A314F54916AE859A7290DB749985CF85

Function 06355FF0 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06356257

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7e85edd172bff6a56651f214c50388e9a2d92c4a36e66758de8284ad73398d9c
Instruction ID: 21c66e2390f7663e73fbd8bbda7f84d76072d3be08d9166668d9b6336188ae72
Opcode Fuzzy Hash: 7e85edd172bff6a56651f214c50388e9a2d92c4a36e66758de8284ad73398d9c
Instruction Fuzzy Hash: 45A11670D00218CFDB50CFA9C846BEDBBF1BF0A310F54916AE859A7250DB749985CF85

Function 0628B4A4 Relevance: 1.7, APIs: 1, Instructions: 177fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 0628B62B

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 520dae07130f85e6b185ce95f6f56a2b9ed6903d13a5253c3a1059bf736665dd
Instruction ID: aa24bd32c2068e1e7051182ccd34d8faca1ce677eaf987e02e220501e88a612b
Opcode Fuzzy Hash: 520dae07130f85e6b185ce95f6f56a2b9ed6903d13a5253c3a1059bf736665dd
Instruction Fuzzy Hash: DA6122B0D1131A8FDB50DFA9C8857EEBBB1FF09311F249129E815A7280DB789985CF81

Function 0628B4B0 Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 0628B62B

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 26066ec6d49e97bceac3efc387358a9016ee322d6eb4478ee68405418dd5143d
Instruction ID: bf966b1385c5433f7f87dacf9a17cc3c5a013b279210a2ae009943f068d01b53
Opcode Fuzzy Hash: 26066ec6d49e97bceac3efc387358a9016ee322d6eb4478ee68405418dd5143d
Instruction Fuzzy Hash: 9E6112B0D113198FDB50DFA9C8857EDBBB1FF09311F249129E815A7280DB789985CF81

Function 06358678 Relevance: 1.6, APIs: 1, Instructions: 121injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06358753

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0c3e50964b3b7a6a752e167f8edea12b0a78f4a3b139abf1428ee7a5e6059ebc
Instruction ID: 627f5b3d51b5bae717461d746aa6d6388ae254d594c782f8fa8d19764d7227c6
Opcode Fuzzy Hash: 0c3e50964b3b7a6a752e167f8edea12b0a78f4a3b139abf1428ee7a5e6059ebc
Instruction Fuzzy Hash: 2F41ABB5D012589FCB10CFA9D984AEEFBF1BB49310F10942AE819B7250D735A945CF94

Function 00C014C8 Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

`Q]q, xrefs: 00C019B4

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID: `Q]q
API String ID: 0-1594560043
Opcode ID: c7bde97d17ad1e51c05ed98c7f41164f238c839393da4c879711ee7874cb52a4
Instruction ID: 89c604703169bc2887faae7a3f2d7e69f876bb8103d0189fc4bcd4bba48e8bcb
Opcode Fuzzy Hash: c7bde97d17ad1e51c05ed98c7f41164f238c839393da4c879711ee7874cb52a4
Instruction Fuzzy Hash: 2AE17031A002169FDB04DFA9C894B6DFBF2BF84700F198569E4169B2E5DB70DD42CB81

Function 06358680 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06358753

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: db94aacd510474b6b615a92eb3d50899964b635f08a13df618e157d50bd9a930
Instruction ID: 1f7736e309e12b01372594d2657e1d8287d38d03f1b7111ca8a14ab134c3194c
Opcode Fuzzy Hash: db94aacd510474b6b615a92eb3d50899964b635f08a13df618e157d50bd9a930
Instruction Fuzzy Hash: 2B419CB5D012589FCF00CFA9D984ADEFBF1BB49310F10902AE819B7250D735A945CFA4

Function 063583A8 Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0635845A

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c4dc12fea0ad22d9233fec25fc949d3d0cdf6af0b6690495174cc9e68edefb42
Instruction ID: a4432f8ed81e6c8a9f7f67f9a97640bce12c4d2d747d6547f2043ca80116991c
Opcode Fuzzy Hash: c4dc12fea0ad22d9233fec25fc949d3d0cdf6af0b6690495174cc9e68edefb42
Instruction Fuzzy Hash: 5F4199B8D002589FCF10CFA9D985ADEFBB5FB49310F10942AE815B7210D735A946CFA5

Function 063583B0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0635845A

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ac197097ab8c172d0b150c857c959d08dfcdf4b68d3c600ce5d0658ea36396b1
Instruction ID: de85c75ca6e68761e328f55a0c06005e691724a896f748d31555e4f1ca026e1c
Opcode Fuzzy Hash: ac197097ab8c172d0b150c857c959d08dfcdf4b68d3c600ce5d0658ea36396b1
Instruction Fuzzy Hash: 523187B8D002589FCF10CFA9D985ADEFBB5BB49310F10942AE819B7210D735A946CFA5

Function 06357D50 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 06357E07

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7edfdd5c71db34d617df742a8bc2469c6e411cd2eff709db06724d2e5e174c28
Instruction ID: 1cf115efbaf4aebef001274941ee95628b02039792fdfbab16d3a37c362cd178
Opcode Fuzzy Hash: 7edfdd5c71db34d617df742a8bc2469c6e411cd2eff709db06724d2e5e174c28
Instruction Fuzzy Hash: E341BEB5D002589FCB10CFA9D485AEEFBF1BF49310F14842AE415B7240D738A945CF94

Function 06282E20 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06282ECC

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 447bea2b761b80ea4a918066793e48928fc1b25d7328d05d8a80c0f0d2155869
Instruction ID: 476c6505717f476350663947e66a940fa92535d541ff9683b49de33aa2d94e7a
Opcode Fuzzy Hash: 447bea2b761b80ea4a918066793e48928fc1b25d7328d05d8a80c0f0d2155869
Instruction Fuzzy Hash: D831ABB9D01258DFCB10CFA9D981AEEFBB1BF09310F14A42AE815B7250C739A945CF94

Function 06282E28 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06282ECC

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f070ce953c819f6739fbcc3f0566dd2edacf0d038f903debbc979790878fa294
Instruction ID: 65aa3d02d01914a38e16fea173677b88a6d4ae234cad93313652d220ac0a7afe
Opcode Fuzzy Hash: f070ce953c819f6739fbcc3f0566dd2edacf0d038f903debbc979790878fa294
Instruction Fuzzy Hash: F731CBB4D01258DFCB10DFA9D884AEEFBB1BF09310F14942AE815B7250C735A945CFA4

Function 060AD9F8 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 060ADA9C

Memory Dump Source

Source File: 00000000.00000002.2106220576.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60a0000_Roahhi.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 77fa3b6b008accf2b52d1ac940910db3271780fbf531f10aa8cca2526d902d34
Instruction ID: 9f8b59af27c3b5dcbbb2126a96f013fbc8531bae98fd6bb8961213f8fcd0aaa3
Opcode Fuzzy Hash: 77fa3b6b008accf2b52d1ac940910db3271780fbf531f10aa8cca2526d902d34
Instruction Fuzzy Hash: C831A8B8D012089FCB10CFA9D980A9EFBB1BF49310F10942AE819B7250D735A945CF94

Function 06357D58 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 06357E07

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c48665003524f948864b38b737a81c2f1446abdcf16a3ce4794d64ae4099bc2d
Instruction ID: dcae77b4d5bdb816dd38199ea23177c319af3b83c50d12a926f734bafa9ba4b6
Opcode Fuzzy Hash: c48665003524f948864b38b737a81c2f1446abdcf16a3ce4794d64ae4099bc2d
Instruction Fuzzy Hash: 2331BCB5D002589FCB10DFAAD884AEEFBF1BF49310F24802AE419B7240D738A945CF94

Function 06280C21 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 06280C9E

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 96a60aad48a1b88584c7f5097bc7bf283f0422e825354f2252dd16b336581d76
Instruction ID: a81025c0b1b1bf95c437f2ee3fb38a4eda238e76f06cc4cb6ac8618a726bfbec
Opcode Fuzzy Hash: 96a60aad48a1b88584c7f5097bc7bf283f0422e825354f2252dd16b336581d76
Instruction Fuzzy Hash: 0831BDB1C053898FCB51DFA9C8497DEBFF4EF09314F14844AD849A7292C7786488CBA1

Function 06280C50 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 06280C9E

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7fc21f9fd06a0ad68cdccec9b795104173988c52c417cc4b4e1e72f3afd7bbb1
Instruction ID: 1cce5749fbbc75fda9d2bb310f4167dedbc65446e9f9afd37a068069a05c24f9
Opcode Fuzzy Hash: 7fc21f9fd06a0ad68cdccec9b795104173988c52c417cc4b4e1e72f3afd7bbb1
Instruction Fuzzy Hash: 3C2144B08003498FDB60DF9AC5497EEBFF8EB09314F208419D919A7381C7796588CFA5

Function 06118990 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

,aq, xrefs: 06118D1B

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: ,aq
API String ID: 0-3092978723
Opcode ID: a8af564afbf74fd3148e880348e3381d6a0bc73ba0cd6a8c4c8fecfe79ea0452
Instruction ID: 09671c39c05f9ae1ece96e34ef1129dc11e08ad1b7b9c735c383cf1813a79487
Opcode Fuzzy Hash: a8af564afbf74fd3148e880348e3381d6a0bc73ba0cd6a8c4c8fecfe79ea0452
Instruction Fuzzy Hash: 43C16174A002189FDB54DF69C945BDDBBF6AF88700F1580A9E909AB3A1CB34DD41CF61

Function 0611CA30 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

(aq, xrefs: 0611CCE4

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 0e8020d20fccac606aed3385250a22d0480d8652c6d58dfb240ccf0c7e33892d
Instruction ID: 0c01d7dacc18b9f1471bf71689084383e8e28eba79c18bb8b55a6ac81fcc819d
Opcode Fuzzy Hash: 0e8020d20fccac606aed3385250a22d0480d8652c6d58dfb240ccf0c7e33892d
Instruction Fuzzy Hash: 66A1AF357402009FDB599F64D854E2A7BB3FFC9310F1585A9E6068F2A1DB36EC42DB81

Function 06113668 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

Pl]q, xrefs: 06113850

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: Pl]q
API String ID: 0-2207481929
Opcode ID: 76a8772e8ea61a70bcc8ab840f11f1f16421130b1aa4bee705f7be460dc442cf
Instruction ID: 78abdc037c4f7d3983c576d22fc6ce54a5c255178775337ff50e49d50f8efa99
Opcode Fuzzy Hash: 76a8772e8ea61a70bcc8ab840f11f1f16421130b1aa4bee705f7be460dc442cf
Instruction Fuzzy Hash: BF912374B001088FDB48DF28C884A6A7BF6BF89710B1185A9E515CF3B9DB71ED41CBA1

Function 06117AB0 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

4']q, xrefs: 06117CDA

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 204dfedfe98a2d9991b25f350cdc239f50f59bd21fac75cf6021a17dfd2468b6
Instruction ID: 0197eef5ebfb964003d5038ec34dafcbe36c8123be39d5ce437dd8224acdaebd
Opcode Fuzzy Hash: 204dfedfe98a2d9991b25f350cdc239f50f59bd21fac75cf6021a17dfd2468b6
Instruction Fuzzy Hash: CDA1ED34A10218DFCB44EFA4D998E9DBBB2FF88300F158165E915AB3A5DF70AC46CB50

Function 05FA7C62 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

@, xrefs: 05FA7D18

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e427cd2e77c8c133b433105193c83b956c289bde0a3e528d8efc4f5aaccf02
Instruction ID: 92435e23a38d2365e7479e9fe038e14b3b4d367f1308d2a128aa79c2848f73b0
Opcode Fuzzy Hash: 49e427cd2e77c8c133b433105193c83b956c289bde0a3e528d8efc4f5aaccf02
Instruction Fuzzy Hash: 49B1D075A05629DFDB60EF58D884BD9BBB2FB4A300F0081E9E549A7344EB705EC18F51

Function 058278F0 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

TJbq, xrefs: 05827A44

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID: TJbq
API String ID: 0-1760495472
Opcode ID: 0259fcc9785d6987f56b89c7965d714c0875376b48653541338a377fcbc817dc
Instruction ID: eeff967e2f442aece465a5f39ba6055e2fe0c51407ac249e8b03732b79d83913
Opcode Fuzzy Hash: 0259fcc9785d6987f56b89c7965d714c0875376b48653541338a377fcbc817dc
Instruction Fuzzy Hash: C871E474E042189FCB04EFA9E449AADBBF2FF89304F108469E815E7389EB745985CF51

Function 05827B8B Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

TJbq, xrefs: 05827A44

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID: TJbq
API String ID: 0-1760495472
Opcode ID: 253fc8d90869c40c1f81b26e6d484dde0a64edf487c3ea156cee69ab4e260ccd
Instruction ID: 4e234464c0189b0761e997771bd203517e1459037d3a5684f1fd4ba11652d02d
Opcode Fuzzy Hash: 253fc8d90869c40c1f81b26e6d484dde0a64edf487c3ea156cee69ab4e260ccd
Instruction Fuzzy Hash: 0071F474E042189FCB04EFA9E4896ADBBF2FF49304F10846AE815E7385EB746981CF51

Function 058278E3 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

TJbq, xrefs: 05827A44

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID: TJbq
API String ID: 0-1760495472
Opcode ID: 0e6f7be7e93917d55ebbf2c6cd286ab274d214c99e2ce54d0f6b5e98bb87e6ab
Instruction ID: 64ce0dde47cb14a26258f59a7ff9de63d046382f6bfac83467f1f9259bd94348
Opcode Fuzzy Hash: 0e6f7be7e93917d55ebbf2c6cd286ab274d214c99e2ce54d0f6b5e98bb87e6ab
Instruction Fuzzy Hash: 4471D274E002189FCB04EFA9E4896ADBBF2FF89304F108469E815E7389EB745985CF51

Function 0611B768 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4']q, xrefs: 0611B7A2

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: f83bebac8d094f09cd8a90df6616fcf1467dc9dfcf8a6d4034adfcb3925cf959
Instruction ID: a9b469f28b1248f7681d1b5ffefe9bc71dc46d41fcc1a99b42bcf3ef8b42a29c
Opcode Fuzzy Hash: f83bebac8d094f09cd8a90df6616fcf1467dc9dfcf8a6d4034adfcb3925cf959
Instruction Fuzzy Hash: 0D414234B206188FCB94AB64C854A6EB7BAEFC9700F104529E5169F3A4DF749C46CB91

Function 00C02D32 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

, xrefs: 00C02EBA

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1cf23d3fcee09e44ebd3f0b14cc37276a643b95f9e32215b4a44e877f1bbe2ad
Instruction ID: d77241c64f6bf2d6c47c19c8aa96501b61b75c59d6c19abf7bbb44d488f9b78e
Opcode Fuzzy Hash: 1cf23d3fcee09e44ebd3f0b14cc37276a643b95f9e32215b4a44e877f1bbe2ad
Instruction Fuzzy Hash: FF415730E042098FCB04DFA8C8885ADBBF1FF45300F2085A6D452EB296DB749E46CB51

Function 05FA60D8 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

hb%M, xrefs: 05FA6133

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: hb%M
API String ID: 0-1947988596
Opcode ID: 44e9e661fb9c57ae7b6c25cdf4d6ca7b0230abbac3abc34af2ae004e167bab6b
Instruction ID: f40d2b3c4ce2a237106b26309fb6acdf1519e4121201279837dd51823b5e0669
Opcode Fuzzy Hash: 44e9e661fb9c57ae7b6c25cdf4d6ca7b0230abbac3abc34af2ae004e167bab6b
Instruction Fuzzy Hash: 584159B1E002089FCB05DFA8D8516EEBBF6FF48710F14806AE405A73A5EB359941CB91

Function 060AEB30 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 060AEBCF

Memory Dump Source

Source File: 00000000.00000002.2106220576.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60a0000_Roahhi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 98e6fd43f6a791c2401563b2acb275cb4263e3e2243fad813f1c9eb170d08b26
Instruction ID: a2251fc2aedce07fb90776d45725fb5ff7c966ab9e05ee03684a7d6f13198677
Opcode Fuzzy Hash: 98e6fd43f6a791c2401563b2acb275cb4263e3e2243fad813f1c9eb170d08b26
Instruction Fuzzy Hash: 4B3198B8D002489FCF10CFA9D884AEEFBB1BF49310F14942AE815B7210D735A945CF94

Function 06116F30 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

4']q, xrefs: 06116F79

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 50fed10654ef4bab163ff84d2975197055c51a452eb16583987adcd1870e02f6
Instruction ID: 4d80cc187adfe681694f21efe3414faf41474dd16dd7e5f41e1d26e2b850b583
Opcode Fuzzy Hash: 50fed10654ef4bab163ff84d2975197055c51a452eb16583987adcd1870e02f6
Instruction Fuzzy Hash: F921A2366102049FCF059FA4D898DA97FB6FF8D310B0541A9EA059B3A1CF72EC42CB50

Function 06116F40 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

4']q, xrefs: 06116F79

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: c463b2caa4b90c6bfd06934ca6e433550a77222af479d9dd41312aa69a9b4a5f
Instruction ID: 54a3c10ac133693bbc127a64a0d4d25ec686804c4d2441d3c4d2af0a0818b89b
Opcode Fuzzy Hash: c463b2caa4b90c6bfd06934ca6e433550a77222af479d9dd41312aa69a9b4a5f
Instruction Fuzzy Hash: 9B2194357002049FCF589F94D998DA97BBAFF8D310B0540A9EA069B365CF72EC06CB54

Function 0611B757 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

4']q, xrefs: 0611B7A2

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: c170e1c0c85480dbff28311ab3d9d541ae28f44e3fd13bab8570fc27627096f1
Instruction ID: fc4024971d38a701d356e8be67dbcd7f934e1495b4a9c0b5ea7b6388719f45f8
Opcode Fuzzy Hash: c170e1c0c85480dbff28311ab3d9d541ae28f44e3fd13bab8570fc27627096f1
Instruction Fuzzy Hash: 73215330B102598BCB94AB65C868B6EB6B7AFC8700F14403EE516EF394CF745C06C795

Function 00C00E64 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

tobq, xrefs: 00C00EBD

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID: tobq
API String ID: 0-4133170245
Opcode ID: be92f379728e796b8aaaedb283298ef960142f2d14a4c2cda0044ec15f9ebfc4
Instruction ID: 9337107a9124040f74f5c7530f7717e5a83106b5936315c91c7628be81ef3457
Opcode Fuzzy Hash: be92f379728e796b8aaaedb283298ef960142f2d14a4c2cda0044ec15f9ebfc4
Instruction Fuzzy Hash: 8D219F34A08206CFCB219BA5C854BAD7BB1EB4C310F3209AAD457AB3F1DB705D01EB61

Function 0611222F Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<]q, xrefs: 0611227A

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: p<]q
API String ID: 0-1327301063
Opcode ID: 2a832c536c97c09890dda759a477fbb931b7099bfd2fe08136119c6475bfc76e
Instruction ID: 7153051b77a7473b20bd5a8c37c0513c5318674acf2d599ae25169d83c975ec2
Opcode Fuzzy Hash: 2a832c536c97c09890dda759a477fbb931b7099bfd2fe08136119c6475bfc76e
Instruction Fuzzy Hash: 3B213771314154AFCB55CF6AD894AAA7BEAAF8D200B1540A5FC45CB270DB35DD90DB20

Function 06112240 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<]q, xrefs: 0611227A

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: p<]q
API String ID: 0-1327301063
Opcode ID: ccb47aa2919bc61b3ec59fd909b9c803f22ddb76b19ee164e9fa0328b774bb56
Instruction ID: 03c6d505c8bac71cb0ab3fe2fdedf2752c47c1ba8b6f70d23ef065aacbb47e24
Opcode Fuzzy Hash: ccb47aa2919bc61b3ec59fd909b9c803f22ddb76b19ee164e9fa0328b774bb56
Instruction Fuzzy Hash: 8F214971304194AFDB55CF6AD884AAA7BEABF8E240B0940A5FC44CB371CB35DD90DB60

Function 00C00FB7 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

8aq, xrefs: 00C0101E

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: c3e22dc269373c59429cbf9f58c15debd70547d3287ce5a1b0426fd39ccc9783
Instruction ID: 156dabca59c85b5fa6ff1c9ba28107c5b8858d49e38414844fe56e8ca219dd6b
Opcode Fuzzy Hash: c3e22dc269373c59429cbf9f58c15debd70547d3287ce5a1b0426fd39ccc9783
Instruction Fuzzy Hash: 5511E234A44102DFC755EFA9D444AAC7BE5BF88300F3181E6E446873A9EB74DD05EB41

Function 00C00F46 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

tobq, xrefs: 00C00EBD

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID: tobq
API String ID: 0-4133170245
Opcode ID: 8f20b4a2d586faae253ad55d70014d7f9a81370cc0985afb0d22947cd204837f
Instruction ID: 7da2785c104e01ea15599979f5423506a4ba3ddf6448d6d579f1911449679a7c
Opcode Fuzzy Hash: 8f20b4a2d586faae253ad55d70014d7f9a81370cc0985afb0d22947cd204837f
Instruction Fuzzy Hash: 3111373464810ACFCB20DFA5D454B6DBBB2AB4C710F32486AE457BB3A0CB709C01EB52

Function 00C00F63 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

tobq, xrefs: 00C00EBD

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID: tobq
API String ID: 0-4133170245
Opcode ID: 361a065b8e18ee6895cffe8c79db5c24936cafb817070d28025309a303eacf87
Instruction ID: 36512de9692af46f52cd2951f737cec34691f2bb06a45a861ec339d645fb35cd
Opcode Fuzzy Hash: 361a065b8e18ee6895cffe8c79db5c24936cafb817070d28025309a303eacf87
Instruction Fuzzy Hash: 0811373464810ACFCB60DB65D454B6DBBB2AB4C710F32486AE457BB3A0CB709D01EB51

Function 00C01E50 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

()5, xrefs: 00C01E8D

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID: ()5
API String ID: 0-3689584002
Opcode ID: 256b4bf4026fbffec6d8083900939a62ddbf64cf63ab693a74e5aa5ad8d49598
Instruction ID: e8226144836cddd74a4a83f7cb29e7e9528b0c125782342609e2342d52feddff
Opcode Fuzzy Hash: 256b4bf4026fbffec6d8083900939a62ddbf64cf63ab693a74e5aa5ad8d49598
Instruction Fuzzy Hash: 7D115134E0060ADBDB149FA5D454799F7F1BF89300F20CA19E859A73A0DF709981CB90

Function 05FAB626 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

RQ, xrefs: 05FAB65B

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: RQ
API String ID: 0-422413279
Opcode ID: e97b7bdf798f98474333c9c7684b3a1ce8e98926815ae8d9fed2c18c953e315d
Instruction ID: dbe85d6532e57850da9828db3277ed97fc4efc8b9c5a32bedc065af714a0974c
Opcode Fuzzy Hash: e97b7bdf798f98474333c9c7684b3a1ce8e98926815ae8d9fed2c18c953e315d
Instruction Fuzzy Hash: 89F06D79B102198FEB54DF68D884A9DBBB2FB88300F1080A5E849E7348DB30AD418B11

Function 063329C4 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

,, xrefs: 06332A28

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 0a7c77973aef54075d8e93df44176fb2546afc82148ed97efd52efb01f9b3ef1
Instruction ID: c1d883ac0f03700bbe05cffee593e38cb73f024cb4c43aac6cdada1a67ea4d96
Opcode Fuzzy Hash: 0a7c77973aef54075d8e93df44176fb2546afc82148ed97efd52efb01f9b3ef1
Instruction Fuzzy Hash: AAF03A70E4021ACFC799DF18E988AA9B7F9EB8D700F0080E4A419A7344DB705E808F50

Function 05FA7009 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

&, xrefs: 05FA705A

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 3f82cf5e00be44a1060a8ea87c506d1043780ea60d2fb4f79a99560aafa3f4bb
Instruction ID: 542237e2c06774468e93938310c0c9d17b878bdcd44436480f8d8e2b15d947a6
Opcode Fuzzy Hash: 3f82cf5e00be44a1060a8ea87c506d1043780ea60d2fb4f79a99560aafa3f4bb
Instruction Fuzzy Hash: A8F0F8B990922A8FDB55CF64C9847CABBF1FF4A304F104095D54AA7342DB716E4ACF41

Function 05FA7193 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

TJbq, xrefs: 05FA71C4

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: TJbq
API String ID: 0-1760495472
Opcode ID: 23d0cbbd04815087c553d8aac5259ef1bfc8a9e672364c9b34058fa133667f2e
Instruction ID: ed0c6fd5c5343070a15b726003d20f3dc6387c742bc59a8af14b5118200cc8fb
Opcode Fuzzy Hash: 23d0cbbd04815087c553d8aac5259ef1bfc8a9e672364c9b34058fa133667f2e
Instruction Fuzzy Hash: D0F0B278A052588FCB20DF64D958B8EBBF1BF4A701F1402E99449A7246DB701E81CF56

Function 05FA7917 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

#, xrefs: 05FA793F

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3f3af6b2879f2284950e3258b54f996a31aa355b01cfecd26e43df35aeb0f353
Instruction ID: 240463e567a7c252b62fee4d587dbfedaa0d2ba732af3741406ac599b2e41b4f
Opcode Fuzzy Hash: 3f3af6b2879f2284950e3258b54f996a31aa355b01cfecd26e43df35aeb0f353
Instruction Fuzzy Hash: 05E08CB2919148DFC701EF84E4589AE7BB2EB4A310F108092F001AB344CB78AA41CF46

Function 0611BDA8 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8173cb2a96238093448bd7c373afc3373ab5ce983e6985a2d60768c47e569e74
Instruction ID: d8e0c23ffd52739fffbbf25d2843f8902eefa39eb47fc25d521fe5abe696cf09
Opcode Fuzzy Hash: 8173cb2a96238093448bd7c373afc3373ab5ce983e6985a2d60768c47e569e74
Instruction Fuzzy Hash: 7312FA34A102198FCB54EF64C894A9DBBB2FF89300F5185A8E54AAB365DF34ED85CF50

Function 0611BCED Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7985c8a8d1e10a1ffb4d556fa20658173982bb1ed1a811225cd5a77f8ffbc3
Instruction ID: 4c3c27fb43f015686865d3e363f380c9d304f88c094cc5015e9b229ea6c339e1
Opcode Fuzzy Hash: bb7985c8a8d1e10a1ffb4d556fa20658173982bb1ed1a811225cd5a77f8ffbc3
Instruction Fuzzy Hash: 65C14D34A142148FDB54DF68CC94B99BBB2BF89300F1585A9E44AAB3A5DF34DD85CF40

Function 0611BD50 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d6a63ee827a70d710d4fecffe1c3ce8855a86c4b09792cd92b3c0438adbb72
Instruction ID: 88b2e2f9495f715966e63cb1d3ac8d097001367f3b6f31086857db513984f6a5
Opcode Fuzzy Hash: 53d6a63ee827a70d710d4fecffe1c3ce8855a86c4b09792cd92b3c0438adbb72
Instruction Fuzzy Hash: 64B13D34A102158FDB54EF68C894B9DBBB2BF89300F1585A9E54AAB3A1DF34DD85CF40

Function 0611CD48 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb2c4770ad64f1035b2c2dbb92ecf5761740ac34ab4bd004a1f62698cd9a445
Instruction ID: 2fad7cc2360b3c8f560be132edd8dcf1cf1f93ec7eeca9d1471d8f309266b979
Opcode Fuzzy Hash: 1cb2c4770ad64f1035b2c2dbb92ecf5761740ac34ab4bd004a1f62698cd9a445
Instruction Fuzzy Hash: F8812B34B50214DFCB44DF68D894A6DBBB6AF89710F1481A9E516DF3A1DB34EC41CB90

Function 0582B05A Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1062799e6ed640e36b69967a7967998c6e699ee06ac421c3b212bbc3eb08cb03
Instruction ID: 26f93e3c00a3e62253a68cc5ee026c4e34940932b44fa17732f5053dca303c89
Opcode Fuzzy Hash: 1062799e6ed640e36b69967a7967998c6e699ee06ac421c3b212bbc3eb08cb03
Instruction Fuzzy Hash: 1F91D4B4905268CFDB14CFA8C584BECBBF1AF49305F208195D909AB355D7B89E88CF50

Function 061147C8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b9ffe3da94bee69f040540c8664b3d67d212c2a811de1c190b3b039d5d8f39
Instruction ID: b039d08fca1b3bdf75c0b65a05d5cf9a6ed00a6938227dd8d2aa9a9776106359
Opcode Fuzzy Hash: 74b9ffe3da94bee69f040540c8664b3d67d212c2a811de1c190b3b039d5d8f39
Instruction Fuzzy Hash: 21810335A00618CFCB54DFA8C584D9EBBF5BF88751B1685A9E8069B370DB70ED42CB90

Function 00C02A50 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110d00607e935b75cb7d517b55a3685cea567d19c8817cf01e330c9bb77d1ecd
Instruction ID: 5784f5e11f049f91c37f6797e660d43091aab6b8e88c0e7fcec32d64966e821a
Opcode Fuzzy Hash: 110d00607e935b75cb7d517b55a3685cea567d19c8817cf01e330c9bb77d1ecd
Instruction Fuzzy Hash: CB615134204B018FE724DF2AC49862BB7F2AF98310F148A6DD49B87B96D774F846DB50

Function 0634BC08 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c2084dbefd1e97f0a48ca0f35f6770c261c5da5d8a58f3ccdbee51e654be0d
Instruction ID: 7760dec8a3baf105e32f0973ff0b63e6aac853e0adf120ddebec429ae354ee6a
Opcode Fuzzy Hash: 83c2084dbefd1e97f0a48ca0f35f6770c261c5da5d8a58f3ccdbee51e654be0d
Instruction Fuzzy Hash: 7A71B374D05208DFDB44EFA8E4986ADFBF9EF49300F108469E416A7354DB70AD49CB91

Function 0611CD39 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e040affc82ff3f45d0424e31a20366d349a224a657132af5450193d9fc2cd757
Instruction ID: a7e09f139996b6785103ee1b70f172608163596f62176fb07a886858e827cd5d
Opcode Fuzzy Hash: e040affc82ff3f45d0424e31a20366d349a224a657132af5450193d9fc2cd757
Instruction Fuzzy Hash: 6E612834B50614DFCB44DF68D898AADBBB6BF89710F148169E9169F3A1CB34EC41CB90

Function 00C03CBC Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0e2381535bd5a45fb1a2b5282bc9f802abbdd9d1012c450640007f452e6c6d
Instruction ID: f4dce5cf80926d0b52399c492a6e4900cc46b458af292315fbd866413ef22a20
Opcode Fuzzy Hash: 2c0e2381535bd5a45fb1a2b5282bc9f802abbdd9d1012c450640007f452e6c6d
Instruction Fuzzy Hash: 5B518135608A82EFC701CF26C584626F7B9BF45310B25C766D02A87AD2D731FA92DBD0

Function 00C02240 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ebbb0c7dd6c1c063dff067628d6defbde6eafd0b1308c669daf4595dbb8a6e
Instruction ID: 0b0dc595a21df6cc0840f6be5f3ca75e4d943ab8a36c822e355b14b824c34aea
Opcode Fuzzy Hash: 70ebbb0c7dd6c1c063dff067628d6defbde6eafd0b1308c669daf4595dbb8a6e
Instruction Fuzzy Hash: 0251D53160C715CFC7258F96D88CA6EB7B9FB84320B20892AE557C76E1C734E905DB92

Function 00C014D7 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947a54d781b643b32df3f2ec124fcaa22fe75c8e2a99801faa8daa8e8976489a
Instruction ID: 8f4d6916f39c7b3b0e10e0d1b6e8d67f552212cc6e64f0707acbe70ba1971284
Opcode Fuzzy Hash: 947a54d781b643b32df3f2ec124fcaa22fe75c8e2a99801faa8daa8e8976489a
Instruction Fuzzy Hash: 57513E71A002169FDB00DFA8C981B6DF7F6BF44300F19866AE8569B2D5DB70ED42CB81

Function 05FAA60F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b49a1594a777644f0338bb2f6dc7945560bdd6c777bc1fafbc5479994ad178
Instruction ID: bc07627e39982bf19e67e6c47f95459f6aad7ed2e760d8b378558102bfdd02a5
Opcode Fuzzy Hash: 44b49a1594a777644f0338bb2f6dc7945560bdd6c777bc1fafbc5479994ad178
Instruction Fuzzy Hash: 495134B6D09209DFDB04CF99D4457EEBBFABB8A300F508029E545A3350D7784989CF82

Function 05FAA620 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a37a5ad571b78c6cf82053144012bd0a87ad95e983674e0a84be3f566da6719
Instruction ID: 1ea0df20146bf7a74d002a0a37ec515c69509583f8c332837af9f2a033ebb0bd
Opcode Fuzzy Hash: 6a37a5ad571b78c6cf82053144012bd0a87ad95e983674e0a84be3f566da6719
Instruction Fuzzy Hash: 995113B2D19209DFDB04CF99D4557EEBBFABB8A300F508029E545A7350D7781989CF82

Function 06117690 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17e9b3814f7931ba90a79bbb210b8dc07cdf6b3a3ec7f246d9d263bad981461
Instruction ID: a954f81547f66d34f9ea672dbe2eeecefaf81e930b4204dc4c0811751c500c56
Opcode Fuzzy Hash: f17e9b3814f7931ba90a79bbb210b8dc07cdf6b3a3ec7f246d9d263bad981461
Instruction Fuzzy Hash: 02514234B10609DFCB04EF64E459AAD7BB6FF89701F008129F9029B3A4DF74A946CB81

Function 0634F4E0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a679923d2487cb1ad95b3e53791e24205f7dff8cfb0edad127affd96336e2c5
Instruction ID: d5affa0056846aa5a8791d84a6a8426a23e7ad3d43ec9c737dfc70d8b380b010
Opcode Fuzzy Hash: 5a679923d2487cb1ad95b3e53791e24205f7dff8cfb0edad127affd96336e2c5
Instruction Fuzzy Hash: CA516D70E012089FDB44EFA9E484AADBBF6FF89300F10C1A9E505A7355EB34A941CF91

Function 06113F34 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8107f2b688c6300be6a0ba010bd13b314c32333305b7b27dc023c1c8a49a75fc
Instruction ID: e09b4eaee3d79aa20b5c8533f71bd8bbda2dc7f71163420dd80cf3a74474b720
Opcode Fuzzy Hash: 8107f2b688c6300be6a0ba010bd13b314c32333305b7b27dc023c1c8a49a75fc
Instruction Fuzzy Hash: B741B2316042458FCB56DF28D881AAA3FB9EF85351F1481BAE801CF2A6CB75DC46C7A1

Function 06110007 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f8f53fa543b0d988b676486604cad9c6e3ac9264d7f104b84afd6f486ae8d0
Instruction ID: 7267e0689dffca400cc9048050db262f4f181a0a9327c0f0ecc3edac8334508c
Opcode Fuzzy Hash: 46f8f53fa543b0d988b676486604cad9c6e3ac9264d7f104b84afd6f486ae8d0
Instruction Fuzzy Hash: 99413934A012548FEB61CF24CC94F99BBB1BF4A311F1501E5E945EB3A2CA35AD81CF60

Function 061183D8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a3a86c4a09f89f4d0d50ab6fb892d41afbb00d1cbed7fdc15bf88f1ac39c8a
Instruction ID: eb89f6a613badc631485c2d032821b9e70ecffcefd531d254abef37aa2ca50f7
Opcode Fuzzy Hash: 91a3a86c4a09f89f4d0d50ab6fb892d41afbb00d1cbed7fdc15bf88f1ac39c8a
Instruction Fuzzy Hash: 7331E1327046008FD794DB69E894B5ABBE9EF81321F1580BAE10DCB6A2DF34EC41C750

Function 05FA9158 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a807f75eb1a79bc8660fc534330a9c113cfa79799afeeba0061c1c824951f50
Instruction ID: 4937868e423a9474394f1baa22568a7e194e04ec53aaa3eb5c8bcaae3c3407be
Opcode Fuzzy Hash: 3a807f75eb1a79bc8660fc534330a9c113cfa79799afeeba0061c1c824951f50
Instruction Fuzzy Hash: 74415CB6E0420CDFDB18CF99D644BAEB7BAFB84300F108435E415AB290DBB85945CF92

Function 0582AFD8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7636fdbd1cca4e559521bdd29d761ddaf81f7f4ab37a10d8f008c33000e67d90
Instruction ID: 96c8802bda9c74f077224f6b073a5c125e522b3173afffc114a5d031f7d6cb51
Opcode Fuzzy Hash: 7636fdbd1cca4e559521bdd29d761ddaf81f7f4ab37a10d8f008c33000e67d90
Instruction Fuzzy Hash: EF41E7B090526CCFDB18CFA4C544BEDBBB1AF4A305F209199D809AB241C7B85E88CF51

Function 0611A270 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddaf1468bfef68a03e22c54f21a87d1b62f96cca852a3342134cc72ef19caba
Instruction ID: bb89d3c40f2818a7d68f73630ec611ad9d4e610647116eb9f456c48a0f1dd215
Opcode Fuzzy Hash: 3ddaf1468bfef68a03e22c54f21a87d1b62f96cca852a3342134cc72ef19caba
Instruction Fuzzy Hash: 4D31F536A111049FCB45DFA9D898E99BBB6FF48321B1640B8E6099F372C731EC56CB40

Function 00C00CFC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8146601ccb82552dd464524c583438f59d9aa6dbf76bbc53993c6459a553323
Instruction ID: 7ffa7f72b92e16537d7db242463e7126547841495156804b298443526ec2f197
Opcode Fuzzy Hash: e8146601ccb82552dd464524c583438f59d9aa6dbf76bbc53993c6459a553323
Instruction Fuzzy Hash: DA31A030A0020A8FCB44CFA9C05069EB7F2FF89714F2285A9E415EB7A0DB749D41CB91

Function 0611D068 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0a6bb34618c3807d183a7d0ae69828cb86361c30c951cdb1b1e629465dbf5d
Instruction ID: 6b179ae4c84f70006735ff60dc9e1fafafb5598fa348e1fc157e495730a223d7
Opcode Fuzzy Hash: ae0a6bb34618c3807d183a7d0ae69828cb86361c30c951cdb1b1e629465dbf5d
Instruction Fuzzy Hash: 0E310A35A00119DBDB54EFA5E855AEEB7B6FF8C310F148065E815BB2A0CB35AD05CBA0

Function 00C0CEF0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6754d1ebdeb4c09bada250aa2a88d146241ed32fa2117e9a3025c36a3ee9dc6d
Instruction ID: c2200df2659cfab5e1160bf2e7faf27ae04ef1f582a8683d471b3d23b604a373
Opcode Fuzzy Hash: 6754d1ebdeb4c09bada250aa2a88d146241ed32fa2117e9a3025c36a3ee9dc6d
Instruction Fuzzy Hash: 6F314670D0410A9FEB00DFAAE4897ADBBF2EB89301F10C1A5E615A3295DB784A45CF52

Function 06111920 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bed0ae0b362b4c1aa05a3b12f22bb83c9c2a00fc178585207e0786b5211fca9
Instruction ID: ff7f90671c7a99293913772b83ebbd1d9d7e5537c3e79a69286554c6a688e1eb
Opcode Fuzzy Hash: 0bed0ae0b362b4c1aa05a3b12f22bb83c9c2a00fc178585207e0786b5211fca9
Instruction Fuzzy Hash: DD3169346106049FC725AF24D849A6ABFB6FF85305B14897CE9468B3A1CF75E906CB80

Function 05FA7A58 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed9c260d093fc66d96ade5708b88b3a81357a6a535f423ac8ebeeadb98e73d0
Instruction ID: 9171dd5b15247bd856c046e8c6158ba96a66f77e00398054a90fefffc41fd601
Opcode Fuzzy Hash: 3ed9c260d093fc66d96ade5708b88b3a81357a6a535f423ac8ebeeadb98e73d0
Instruction Fuzzy Hash: E04127B6906618DFEB20EF54D858B99BBB2FB4A301F0081E5E109A7395D7385E81CF01

Function 00C043F0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc829336e1054fd6d3a9a31c7d341b77c354e21391ccc86bf52e23a5762fd256
Instruction ID: 44354288950b156a5f78d9cd7f64363a8dd686f1c09798941a9dadd6e4fa57d1
Opcode Fuzzy Hash: cc829336e1054fd6d3a9a31c7d341b77c354e21391ccc86bf52e23a5762fd256
Instruction Fuzzy Hash: 1C2162F1A08510CFC758DBEAC440B2B77F5EF84711B6140AAE70ADB6A1D730AD41EB91

Function 00C01C30 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0744f9c264b71bc9143d971b740abd512fb8e882b9db1e9b94d59eabd8d70685
Instruction ID: e6fd4d26eb93568c9a32288a9a4c88e0ac2eda2776a093edca9bac113cb42c58
Opcode Fuzzy Hash: 0744f9c264b71bc9143d971b740abd512fb8e882b9db1e9b94d59eabd8d70685
Instruction Fuzzy Hash: D621D634A84605CBDB06EFA6E4446EEF7F4FB40310F2805A6D906972D0EB709E00EB91

Function 05FA82AE Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e8a57ab0b521914fd2b7a5d375d71c2bd28898a9844d6e4b6d588f24f94fce
Instruction ID: 3179aadccdf839c6e54ed5028dc44837e4c3610c707a4c7685640e559e418957
Opcode Fuzzy Hash: a2e8a57ab0b521914fd2b7a5d375d71c2bd28898a9844d6e4b6d588f24f94fce
Instruction Fuzzy Hash: 16311CB2D48309CFEB24DF65D4847AEBBF6FB49345F608069D009A7251DBB85985CF02

Function 0611DE20 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e1bd15fd390d891e6c11bdd2cc999e44f4ebf01e1e2f3d34ff5f16fe625bac
Instruction ID: d35f59416754d314296176d1b7e9b2b101b461e0d4e27ef6694ccf83f086b928
Opcode Fuzzy Hash: d4e1bd15fd390d891e6c11bdd2cc999e44f4ebf01e1e2f3d34ff5f16fe625bac
Instruction Fuzzy Hash: 66216534B10A09CFCB40EF69D5548AEF7B5FFC9700B50452AE516AB360EF70AA06CB91

Function 06110FA8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95585303c10d6e08cb0235aa96a2ee01e10c47b80a6ad2cdc95bb3b4f570dcf2
Instruction ID: 1a3d43c99fd6bc0dc1cd1beac88abab9bb5ba92e8baf2a78ae6f3f0920cf36c7
Opcode Fuzzy Hash: 95585303c10d6e08cb0235aa96a2ee01e10c47b80a6ad2cdc95bb3b4f570dcf2
Instruction Fuzzy Hash: DD21D231F102168F8B509E69D8828AEF7F9FF84262711487AE925DB240DF35DD51C760

Function 0582AAB0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2274cfbe54b9969278cf31a76bf41862c7eca15fea509b790a8f8a3dd568d7
Instruction ID: ea68bb9a24c54c8c6a1642fadc36fb362f2c4674e740c14db1174c43b6f87884
Opcode Fuzzy Hash: 0c2274cfbe54b9969278cf31a76bf41862c7eca15fea509b790a8f8a3dd568d7
Instruction Fuzzy Hash: B0213C74E052199FDB08DFA9D5492EEBFF6BF89300F04846AD806F3240DBB55984CB61

Function 0634B640 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee168d38b6d1f50b6f0cac9db4d0ce601cf74b24adcfb281595ba8bff3c9d2c
Instruction ID: f068d15641faa1afed7a127db3913b0b77620769bfc3de28c694cdd74057c0f4
Opcode Fuzzy Hash: dee168d38b6d1f50b6f0cac9db4d0ce601cf74b24adcfb281595ba8bff3c9d2c
Instruction Fuzzy Hash: 8F2126B0E14209CBDF44EFA9C844AEEFBF9EB89304F108069C506A3250D779E944CBD1

Function 06111700 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c1af20508e179d2a925ee92e7598b694acaef8ae75b3a5c7a500db1443255a
Instruction ID: 42610409f92abc4be1a1483ee507f0a4c8a853a5fa6c17251fb4b628bc1a5049
Opcode Fuzzy Hash: c2c1af20508e179d2a925ee92e7598b694acaef8ae75b3a5c7a500db1443255a
Instruction Fuzzy Hash: C3215975E00209EFEB94DBB8C906BAEBBF4AB04340F108476D619DB390E734CA45CB91

Function 00BAD5B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064736060.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97710ececeb4f4c6ab78e86e403843ff23ff46ff690f6951ce8111d226fbea38
Instruction ID: 5ab6b54fd765eea44c670d81eca782f40a6f90d1bbb077b17174ef719b6feebd
Opcode Fuzzy Hash: 97710ececeb4f4c6ab78e86e403843ff23ff46ff690f6951ce8111d226fbea38
Instruction Fuzzy Hash: FF2137B1508244DFCB05DF18D9C0F26BFA5FB99314F20C5A9E90E0B656C33AD856D7A1

Function 00BAD6A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064736060.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e8c11f36d778cbb7d6df4d9c76a3f9f854f9f71113cffd4fe1f6b67b74aa98
Instruction ID: a6a9878a4dfe619dcb289fa3a7ed72872b34a5ef86ab56a8001081ad51b4c12a
Opcode Fuzzy Hash: 65e8c11f36d778cbb7d6df4d9c76a3f9f854f9f71113cffd4fe1f6b67b74aa98
Instruction Fuzzy Hash: 952137B5548240DFDB09DF14D9C0F26BFA5FB99310F20C5A9E90A0B656C33ADC16DBA2

Function 00BBD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064809384.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e4181b1f83cd4748eb424370e86a8d3f8779e1c5f4b1b1b4fdb9e0965016d2
Instruction ID: bf48994f6429278d966063952736e01047b95967336ed89d4772ec361e6f47fa
Opcode Fuzzy Hash: a2e4181b1f83cd4748eb424370e86a8d3f8779e1c5f4b1b1b4fdb9e0965016d2
Instruction Fuzzy Hash: 17213071104204DFCB14EF14D9D4B66BFA5FB88320F6085A9E9090B242D3BAC80ACBA2

Function 0611A263 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12170b6c8092b3db65405611e7f8e2c3d531ef899ccc72c569d6fdddf38155e7
Instruction ID: 0ac18da3ebc4c4e11ec29f5c0d13103360027fb867c5aaeb3f5c430294daa239
Opcode Fuzzy Hash: 12170b6c8092b3db65405611e7f8e2c3d531ef899ccc72c569d6fdddf38155e7
Instruction Fuzzy Hash: D421EA36611114AFCB05DF99D988E59BBB6FF48320F0640A9E6059B372D731E815DB50

Function 00C01D76 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14504483341dcbc3cf7dd2ae9c9afdd92d1909678d45ddd8b886e424dfaabba1
Instruction ID: 42ebb471930f2c6dc05cba5f47ee294e57dda16b72a395ef8b83e1b8c80d517b
Opcode Fuzzy Hash: 14504483341dcbc3cf7dd2ae9c9afdd92d1909678d45ddd8b886e424dfaabba1
Instruction Fuzzy Hash: 72218135B04604DFCB01DFA9D8546ACBBF2FF89710B68419AE406D7361CA709D42DB51

Function 05FA9362 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e74fa53ba274e9aef143a24b829fdb6235b3da67263091c4bd87d72f42ec23
Instruction ID: 3d5d3b289e2f21c133784a273e24adce8f48876392344170f0101578e3b5f1e4
Opcode Fuzzy Hash: e3e74fa53ba274e9aef143a24b829fdb6235b3da67263091c4bd87d72f42ec23
Instruction Fuzzy Hash: 1D214871E04208DFDB48EFA8E585BADB7F2FF49700F208069E116AB394DA70AC41CB41

Function 06115CD0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125357d0e9294162d6e39a39c6b447de5d453b3bb8100fcbb5c746f80785f3a7
Instruction ID: f14224f46e476209a79bd93dd0a0d8cf75453e28ecc1857b63b8337ae5ce2e2a
Opcode Fuzzy Hash: 125357d0e9294162d6e39a39c6b447de5d453b3bb8100fcbb5c746f80785f3a7
Instruction Fuzzy Hash: 2C21E675A001098FDB04DFA8C595ADDB7F6FF88300F1041A5E505AB361DB75AD45CBA0

Function 0582AAC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfa0f522064283ab52633da11ad3b8998a0b546c0780a5b0960d5f54fc37d1a
Instruction ID: e155f78fbe574d0c0c050e70bd3c63a247e915dda7026a29dead76ee13cce16c
Opcode Fuzzy Hash: ddfa0f522064283ab52633da11ad3b8998a0b546c0780a5b0960d5f54fc37d1a
Instruction Fuzzy Hash: C2211970E05219CFDB08CFA9D5492EEBBF6FF89305F008429D906F2240DBB55A84CB91

Function 0611DE10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80dfa2b6c5d64f86a3cb0de8106370d9a9fd7c309737ec716cd39eefdcfad6a6
Instruction ID: 4459ff45e58b719727d718e225d457e4e6829b4b37d85905732baf6da0aaf110
Opcode Fuzzy Hash: 80dfa2b6c5d64f86a3cb0de8106370d9a9fd7c309737ec716cd39eefdcfad6a6
Instruction Fuzzy Hash: AF21CC74E10609CFC740EF69D4549AEB7B5FF89310F10456AD5169B360EB309A06CBD1

Function 06115CC0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9e2df90aac57642971dc519d3bd0b266685d413d98d68fe7f35f9a0a406de0
Instruction ID: 5a8a30acd3812e38ad388de55938d05206051c6ed17d2d091d1761c92627177b
Opcode Fuzzy Hash: 8f9e2df90aac57642971dc519d3bd0b266685d413d98d68fe7f35f9a0a406de0
Instruction Fuzzy Hash: AF213971A102498FDB05DF64C999ADDBBF2FF88300F1045A9E405BB3A1CB75AD45CBA0

Function 00C020F8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bda2cac67847657c987b48be450a5b41ed5274cf4b007f26299e979163289ed
Instruction ID: 6b2cef81d955fed69d36813ef1b071df935532ce3c7e75c399a05049e5412d44
Opcode Fuzzy Hash: 1bda2cac67847657c987b48be450a5b41ed5274cf4b007f26299e979163289ed
Instruction Fuzzy Hash: FC114F34648214DFC7159A57C85CABE7AFAAB4C710F34406AE703A73D0CA719D05EB91

Function 061180C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14267e62022371da1064b48afd40a10bb65112a8d8e183113e586939db93c9a7
Instruction ID: 583c8e5d854ec2d00671ad4e27497bc8f9ec1dead086eea1543c67c38d76c550
Opcode Fuzzy Hash: 14267e62022371da1064b48afd40a10bb65112a8d8e183113e586939db93c9a7
Instruction Fuzzy Hash: 76114C36B002158FCB54DF68D9858AAB7B5FF8861171180B5E915DF365DB31EC42CBA0

Function 00BBD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064809384.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e7dbe820dafa54d74991805a83a1ca2dc465ae5d6fc18c2a59047031f377ab
Instruction ID: 09df05688d2727421041ac73dc28c6cf6664607d388303724470936e042cf4ac
Opcode Fuzzy Hash: 18e7dbe820dafa54d74991805a83a1ca2dc465ae5d6fc18c2a59047031f377ab
Instruction Fuzzy Hash: F821D1765093808FCB02DF10D994B25BFB1FB86314F2881EAD8448B653C33AD80ACB62

Function 00C020E8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3f1f4255da7b797659b9bbdc45ff66d17a477d6f44d111c2fb1506b32783c0
Instruction ID: 75399bd4149a08c531c7a969f93a16c51181cbb048b8b847919012cebe5bda89
Opcode Fuzzy Hash: 7e3f1f4255da7b797659b9bbdc45ff66d17a477d6f44d111c2fb1506b32783c0
Instruction Fuzzy Hash: A811C230A08214DFC7158A5AC85CBBE7AF6BB4C701F71016AE703EB2E0CA704D05EBA1

Function 0611C971 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d064393dd6758b15393c47b9dcf4933b199b2f921559b3060f68ba0794fadb26
Instruction ID: 21c106d0cd15b587d344994e35d63b6cc430730f51e63fd250eab3fbec09b850
Opcode Fuzzy Hash: d064393dd6758b15393c47b9dcf4933b199b2f921559b3060f68ba0794fadb26
Instruction Fuzzy Hash: FC21C030B106048FC750EF28D884A6EBBF6EFC9300F144079E5119B3A0DB30AC45CB91

Function 0611AA00 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ba68ca050ff2ed21cd798d920bb8f6e3d757f035c52f74924866accaf6d2b5
Instruction ID: 10c7d464b48dbbe4c40678cebb072f1262384fe3031efdaecc1be79e7c1d38ca
Opcode Fuzzy Hash: 35ba68ca050ff2ed21cd798d920bb8f6e3d757f035c52f74924866accaf6d2b5
Instruction Fuzzy Hash: D301E537900619EFCF46CF94D844D99BB76FF48324B0684A1E6096F232D332E965DB90

Function 05FA9149 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ff2b449b2ed6c0b173975397bbb264fbdf13c1d19f306b6e045ee8e0731f54
Instruction ID: bb9027d12f28b52e71363f26ce3a06b91226c31264bd9d9cf8b661c9bed5b004
Opcode Fuzzy Hash: c6ff2b449b2ed6c0b173975397bbb264fbdf13c1d19f306b6e045ee8e0731f54
Instruction Fuzzy Hash: 1D1154B6D142089BDB48CFA9D9442ADBBF6FF85301F04C47AD418A7351EBB54905CF41

Function 0611C980 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a2d3c8a0465e542abbcbf8659c4416a60b9e71e400165d1e7b64eece541f3e
Instruction ID: 1e1c02b47306253b562e8ee0e59d72b0f15cb8142576e882653e2b193d8344f4
Opcode Fuzzy Hash: f1a2d3c8a0465e542abbcbf8659c4416a60b9e71e400165d1e7b64eece541f3e
Instruction Fuzzy Hash: C2114C34B106088FC754EF28D884A6EB7B6EFC9310F148579E516AB360DB70ED45CBA1

Function 05FADE98 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4b4c4e3e9e789630ec3df9d3e3134d539ddd35c4e346a3414e6ff124c8430b
Instruction ID: 6d4db80fa0ea9c911b62e55ae482537b803461c26bb134812f13e8c7c0bb01c8
Opcode Fuzzy Hash: 5c4b4c4e3e9e789630ec3df9d3e3134d539ddd35c4e346a3414e6ff124c8430b
Instruction Fuzzy Hash: 61213B34A0410A8BCB04EF98E5459EEBBF6FF89300F5085A9E405B7345EFB46E45CBA1

Function 00BAD5AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064736060.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: ce89347c5be61dfa02a804b6305fb8c344fec172d449a32a57a24d09f7b20194
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: B511D376504280CFCB16CF14D5C4B16BFB1FB99314F24C5E9D9490B656C336D85ACBA2

Function 00BAD69B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064736060.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 177aeb7468c6384e35fb0eba8f816759e1b4ee91111e1703c5f19e8d8585f515
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: AC11E676508240CFCB16CF14D5C4B16BFB1FB95314F24C5E9D9090B656C336D85ACBA2

Function 0582BD48 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63eab5dac9b2bcfe26500e701d2fbe0b4faa1f1c0302d808429570181b6a0eb8
Instruction ID: 20b1fdab346f55665e202a79cc1fcc6b6eb1dea1e7bdd302f8790f0c8e15b7d5
Opcode Fuzzy Hash: 63eab5dac9b2bcfe26500e701d2fbe0b4faa1f1c0302d808429570181b6a0eb8
Instruction Fuzzy Hash: 9B11043194A208AFC705DFA4DC41AE97FB5EF15306F1485AA9804D7292DA365E41D782

Function 05FA7AC2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226698f176505ebf432f4fb11d11316b34bba77bb705521868d20ba7b3071c94
Instruction ID: 4c5d14ec35ec7e0b1bf2491a679fb09d06cd556627db4e61fd460c18b02497c8
Opcode Fuzzy Hash: 226698f176505ebf432f4fb11d11316b34bba77bb705521868d20ba7b3071c94
Instruction Fuzzy Hash: 54213BB6A06618DFDB10EF54E854F9ABBF6FB4A301F0045D4E109A7384DB799E818F02

Function 05FAADC0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b029a97e5a44d35df631a7ad8849d36bd1578e093dcc43c126c5c2856f854de9
Instruction ID: 4cbd161e78e3b20851d5969485123c0e7e9ace98a96792711c91eba73b6cd39d
Opcode Fuzzy Hash: b029a97e5a44d35df631a7ad8849d36bd1578e093dcc43c126c5c2856f854de9
Instruction Fuzzy Hash: A1110431945208EFCB01CFA4CE41A9DBBB4FF05301F0085EAD85A87262DB368E25DB62

Function 05FA7C60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d999774b3518856af109190bc4668f8b7d5e56b612fc302c395fa3b7e5a95a
Instruction ID: d8389fa48a6559caeb9659620338f751402a450de1327243e3e7eace7b849acb
Opcode Fuzzy Hash: e6d999774b3518856af109190bc4668f8b7d5e56b612fc302c395fa3b7e5a95a
Instruction Fuzzy Hash: E5215EB6A06618DFDB10EF54E854F9ABBF6FB4A301F0045D4E109A7384DB795E818F02

Function 05FA7BC0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6e80d3b461209d6f5d84332bcfec8c02f59b4f28ae24f8f0a91c532bf00db9
Instruction ID: 65b8796e07d80abce4aac013e6d4d63e9cc7e036c6424c199df3b87d0482cb4b
Opcode Fuzzy Hash: ab6e80d3b461209d6f5d84332bcfec8c02f59b4f28ae24f8f0a91c532bf00db9
Instruction Fuzzy Hash: A7215EB6906518EFDB10EF54E854F9ABBF6FB4A301F0041D4E109A7385DB795E818F02

Function 05FA7AE4 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b777b95d3842705bd61de2c4330738a403ccde70fde4f48f516e6f5654d284b
Instruction ID: d99b73ab2b80813a634a244dacc03bd56aebbf6e69fb105c61d39a84e501b676
Opcode Fuzzy Hash: 6b777b95d3842705bd61de2c4330738a403ccde70fde4f48f516e6f5654d284b
Instruction Fuzzy Hash: EA215EB6906518DFDB10EF54E854F9ABBF6FB4A301F0045D4E109A7384DB795E818F02

Function 00C01C20 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d137e980d10c1814d23721b0ea7413cb397bf0c7f0ff31f89c8b63dd7af25f
Instruction ID: bb82f3d6122f9995d514fd1743e3aa8bc0de92303e8d3c8b2d44cf2ecba41b61
Opcode Fuzzy Hash: c5d137e980d10c1814d23721b0ea7413cb397bf0c7f0ff31f89c8b63dd7af25f
Instruction Fuzzy Hash: BA11EC30984A02CFD706DF58D554B6AB7F0BB45310F1406A5C4129F3E4D7719D04EB95

Function 061147B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5851ac0063ee88432f97e451cefdf7b18c36c16a93fe11dc20326413befe002
Instruction ID: 90d154a732c2bfa7cfe795597a9c0a04bf0c0d1328e0c167c136fdedab0be53d
Opcode Fuzzy Hash: f5851ac0063ee88432f97e451cefdf7b18c36c16a93fe11dc20326413befe002
Instruction Fuzzy Hash: FF110CB6E00218DFDB15DF95D940DDEBBF9EF48320B058166E915E7320EB30A945CBA0

Function 0611B90A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e141c9ce409fbce11d2586746e1c361c3c57ff58e9e753e44e8781f8c2c4bab
Instruction ID: 25753921f1084a06a723be99880d767e159b5bab77c547460380007887293b06
Opcode Fuzzy Hash: 5e141c9ce409fbce11d2586746e1c361c3c57ff58e9e753e44e8781f8c2c4bab
Instruction Fuzzy Hash: 54010436A00104DFCB459FD8D958C58BBF6FF8831070684A5EA09AF236D736EC16DB54

Function 061180B8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6919ecf34ae39ba0571e8cdc5ea2f67e9b6a4b5434de77c65f931273077c2a
Instruction ID: 1672850b32e59ff25b0a77c65ff0595c86367bcb465758920d8ef32ec0be3d14
Opcode Fuzzy Hash: fb6919ecf34ae39ba0571e8cdc5ea2f67e9b6a4b5434de77c65f931273077c2a
Instruction Fuzzy Hash: C811CC7AB00201CFC754CF28D985A5ABBF1BF49220B1581A9E814DF365D730DC41CBA0

Function 05FABEA9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9aeeed4abd6bd5f016cb95fe1c77aaead2e1ec612f9542c792c110c87c7faf6
Instruction ID: 8fd5ce7a7359c5f5efc407f69414299bb2c57c6a2d2ebee77125b50a1dbede6a
Opcode Fuzzy Hash: b9aeeed4abd6bd5f016cb95fe1c77aaead2e1ec612f9542c792c110c87c7faf6
Instruction Fuzzy Hash: B70176F79062085FCB01D6F8EC827997BB9EB15200F0886AAD506C3242EA798C00C793

Function 0611D198 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aca3858224e0ca9cffcb8766a52c0288cbd81b49b27e52aa01d5d912ba5bcfa
Instruction ID: 299ead94a4d87b8d79504510c65f4d1c7f9b5719a53721e8b33bac0eaf47b8a5
Opcode Fuzzy Hash: 7aca3858224e0ca9cffcb8766a52c0288cbd81b49b27e52aa01d5d912ba5bcfa
Instruction Fuzzy Hash: CC01D230B043408FC7659B74D884A2A7BB2AFCA320F04867DD9668F6A1CF75EC06D790

Function 00C0263F Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3330bc8941f4d376872d03cc463cabe55722c9c6f2f5feb8057c7f7a3c2ab161
Instruction ID: 29aa504d592b9819b3f1e97887944e4cc820af2bdab81daf6f8cd3f7ab8e2055
Opcode Fuzzy Hash: 3330bc8941f4d376872d03cc463cabe55722c9c6f2f5feb8057c7f7a3c2ab161
Instruction Fuzzy Hash: 6911A130504B01CFCB349F25E94C76A77A4EF40319F104B69E0978A5E2DB79A585DB41

Function 0611D1A8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0328d868ad29fa65dff32fb3d2c896cf38f6cd4731c7765a6173373f1885666a
Instruction ID: 616429a99ac2fb232a45b6fb090daab140e6dac3461cf80c22940c35904b4da6
Opcode Fuzzy Hash: 0328d868ad29fa65dff32fb3d2c896cf38f6cd4731c7765a6173373f1885666a
Instruction Fuzzy Hash: 37015E34B006049FC764AB74D844A2A7BA2AFC9324F148A7CE5664F6A4CB75EC42DB90

Function 06335E41 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2e13a5dbc8129b1983771e5c944f48c5f0410907f8a32331e00cd124681e39
Instruction ID: dd12c06a80f2040e1978046ceb9fe53d7b91079e077d2106e2f86d09955ff624
Opcode Fuzzy Hash: 0b2e13a5dbc8129b1983771e5c944f48c5f0410907f8a32331e00cd124681e39
Instruction Fuzzy Hash: BE11F974E01A29CFCB64DF18ED9479ABBF1EB49306F1044E5E409A3344DB745E858F41

Function 06116E6F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac183b0251200cce26a373895ea3a270a0278d221043f86b9676541286234f7b
Instruction ID: 3dff447384c8a7da4828a76610e1a9309264fca69251e8130dd47129ce522f75
Opcode Fuzzy Hash: ac183b0251200cce26a373895ea3a270a0278d221043f86b9676541286234f7b
Instruction Fuzzy Hash: 26F0591131E3914FE761422DAC597A6AF8CD782220F04037EFC85C62C1CF106D4783EA

Function 0611ACA0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04991f21049e6d31dfec79b187e7b2efb45c398623c38c68976c6052b4b4507
Instruction ID: 843224931412b298e342b7c291c4e6c07442047d9b58901d7acbede1871d46b5
Opcode Fuzzy Hash: e04991f21049e6d31dfec79b187e7b2efb45c398623c38c68976c6052b4b4507
Instruction Fuzzy Hash: 5501A735301600DFC7059B34D81891A7FA6EFCD712B108169EE4A8B7A0CF75EC46CB95

Function 05FAA4E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0889018ff97d41453eb3c8e963d0d42148aad0804484383dee1d3bc041545a58
Instruction ID: 6fb0d11f4a839a1d94f30880eef4217d8f15ba619c14f846512c1a443cc29f00
Opcode Fuzzy Hash: 0889018ff97d41453eb3c8e963d0d42148aad0804484383dee1d3bc041545a58
Instruction Fuzzy Hash: 34F0A9769452089FCB01DFF8C9545ACBFBADF49100F0085DAD849D7261EA365E05CB52

Function 05FAA49B Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38ca27f1effb08e762791e45314a07644cd471bca815f99676086f92b2f20c6
Instruction ID: 1ad7a9eac5204554125c3674bbb7e1f18433a2c5a88b9ae66e59f04ef556207f
Opcode Fuzzy Hash: d38ca27f1effb08e762791e45314a07644cd471bca815f99676086f92b2f20c6
Instruction Fuzzy Hash: 14014F71D45208DFCB40DFF8D9047ACBBB5EF48311F1085EA984993261EA7A4E05DB42

Function 06111670 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e667e7e779d69d799264f8b63ece960bd6c7f15ae4a17a9a7415efdcce4f6812
Instruction ID: dc52bb0f8a30e50d599b6b05dd8db8459f69929627c674b59d3e66f69c150194
Opcode Fuzzy Hash: e667e7e779d69d799264f8b63ece960bd6c7f15ae4a17a9a7415efdcce4f6812
Instruction Fuzzy Hash: 52F0BD624292848FC7519F3CCC55F813FA0AF37625F0A46E59150CA1EBD315A11A8716

Function 06117680 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ced03906b1f585cf3f0affa9318b6794af20afff68cc7060cd2c96b9c320d1a
Instruction ID: 72a84ad05f3df42bb7d8eb8a5c94805f1cea8e1e6dc42bbf1fa56e5391f6a23b
Opcode Fuzzy Hash: 9ced03906b1f585cf3f0affa9318b6794af20afff68cc7060cd2c96b9c320d1a
Instruction Fuzzy Hash: ACF0F6367241085BDB549629EC589BABB69DBC4330F044137ED29CB3A1DF319D0BCB95

Function 0611ACB0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c909a7c35bfef08fca0d03cd4e001bcfe2df995672cd45336431d2e7194672
Instruction ID: 831d3a0067b8b1d3cb22b383863c9065f572a1b120278b6ad5525ba3467e4339
Opcode Fuzzy Hash: 72c909a7c35bfef08fca0d03cd4e001bcfe2df995672cd45336431d2e7194672
Instruction Fuzzy Hash: 7A018139300614DFC7089B65D81891ABBAAEFCC7217108129EA0A8B760CF75EC42CBD5

Function 05FA6239 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7022802993731b1deca0e5f2430d882ab459ee72eea141b0169fe125a575638c
Instruction ID: 4886cedbc4af710a8f0d09d6e7b09e742c769f439cdf25ddf031787e374b649d
Opcode Fuzzy Hash: 7022802993731b1deca0e5f2430d882ab459ee72eea141b0169fe125a575638c
Instruction Fuzzy Hash: 82115BB0D082098FCB40DFA8E4456AEBFF0FF0A310F1041A9E459A3395EB305A41CB91

Function 05FA6248 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9be6005291e5b396f0401dd4f08cb515fc61f08ab4a95d87a12a7fb10996b31
Instruction ID: 71a76e27393bb66122048e07c4c2a4e9f726b64e0b640977f3cc9e8fd4617ca6
Opcode Fuzzy Hash: a9be6005291e5b396f0401dd4f08cb515fc61f08ab4a95d87a12a7fb10996b31
Instruction Fuzzy Hash: 4301DAB4D04209DFCB40DFA8E4496AEBBF5FB4A300F1085A9E809E3345EB705A41CF91

Function 00C02DC0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2e45c9a226dc128b3acc44b04cef49b9ad8aaf236603c48ee241e1a69651ec
Instruction ID: 5ba6712de6c3fb120565f1e5ff49e6727626d6f81f8d2153ebd966006e4fc287
Opcode Fuzzy Hash: 3f2e45c9a226dc128b3acc44b04cef49b9ad8aaf236603c48ee241e1a69651ec
Instruction Fuzzy Hash: 7AF0623060D3848FC7079BA8D468259BFB1AF47740F2A81DBE085CB2A7D7748D46C762

Function 06119E1B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56f160f899450131647839aef8e3c0f30c2bda512af422d335a54c24af9cf00
Instruction ID: a8e6cbde78f1ec1f178cc0a980f61347eb2e80de2bc9a0a2d17fe419512238be
Opcode Fuzzy Hash: a56f160f899450131647839aef8e3c0f30c2bda512af422d335a54c24af9cf00
Instruction Fuzzy Hash: A5F044312007055BC714DF19ED85F87BBADEF80310F00893AB51687655DAB5E909C750

Function 05828140 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6b29bb2f0194588dbf1176d625cfd1a2045405597fe44b6bb416a0733f1b87
Instruction ID: 68e3242272b07171a2aeeb8fadd5db60caba4c1fbde9139d89bcd46b3822bfd2
Opcode Fuzzy Hash: dd6b29bb2f0194588dbf1176d625cfd1a2045405597fe44b6bb416a0733f1b87
Instruction Fuzzy Hash: 78018170D08348AFCB42DBB9C80499DBFF4AB06214F14C1EAD86497392D7715A42DB51

Function 0582AC18 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6790783abf86942a8151b328ee3da8f4f960417ea083ea6f25909231247bef2c
Instruction ID: a562c1417c7a7e1a67480be414a35772c1bd0146b9cdb1e01917986df9724b63
Opcode Fuzzy Hash: 6790783abf86942a8151b328ee3da8f4f960417ea083ea6f25909231247bef2c
Instruction Fuzzy Hash: 37F02434909248DFC709CBA4D941098BFB0FF1A311F1884EACC0887352C6724D87C744

Function 06119E28 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4e4cd47c02fb4cdef44d4cd6598fd12d8443524535e9867e3ef838c1d436bb
Instruction ID: d4d99be0bb36e8bbef6ec8eba992b81f0c217b7bc2687d809e42b04b500f66cc
Opcode Fuzzy Hash: 9a4e4cd47c02fb4cdef44d4cd6598fd12d8443524535e9867e3ef838c1d436bb
Instruction Fuzzy Hash: 7DF036312403055BC714DF19E984D8BFBAEEFC4310B008A39B51687665DAB4F909C790

Function 05FA7708 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d86bc111ce563597c6c2f0d3cffd7f7cb4ede19a2cbe66df374647d74e4082
Instruction ID: d54da172dace1399af33111dc583461f5ba610d22cee0777bb5070218a16ecce
Opcode Fuzzy Hash: 00d86bc111ce563597c6c2f0d3cffd7f7cb4ede19a2cbe66df374647d74e4082
Instruction Fuzzy Hash: 8EF0C2B5C09244AFCB42DFA8C9409A8BFF0EF06310B1085DAD854972A2D3354A02DB42

Function 058280A8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb56efe50cf9152ebb9eb82c237d299b8cbe1d613f9816a0f8a09095914b1e3
Instruction ID: a2d78164facf5282137530b4cc50788bebd64ee660b3c1dcd6acfb5b40930e08
Opcode Fuzzy Hash: 1fb56efe50cf9152ebb9eb82c237d299b8cbe1d613f9816a0f8a09095914b1e3
Instruction Fuzzy Hash: BCF04970D083989FCB51DBA8C94159DBFF0EB0A210F1481EAD868DB392D6759E42DF42

Function 00C021C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49187db6eea606da66d57068eca1c66c42cf2d7b9173475f15758917572bcfcc
Instruction ID: 1ebc690c982dbc2aa61162bd995b5b32190fcecd11036a3f151e02dc1ceb3163
Opcode Fuzzy Hash: 49187db6eea606da66d57068eca1c66c42cf2d7b9173475f15758917572bcfcc
Instruction Fuzzy Hash: 09F0F6711047008FC7159F24E9517897BE5FF82B00F408AA9E0864F5BBCF74A909C750

Function 05FAAE08 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5d11c56e9858ff3f2272933d57fe557d9c2fd0cea42cf4b3dafbd69c8c648d
Instruction ID: c23d8fb5f1c7cbd2c042d39bd45bf4096279385c22aff9a8cd47bbaf83f70bfb
Opcode Fuzzy Hash: 1f5d11c56e9858ff3f2272933d57fe557d9c2fd0cea42cf4b3dafbd69c8c648d
Instruction Fuzzy Hash: 3DF0B476844148EFCF02CF94CD40AADBBB5FF19300F04C19AECA987252D7328A15EB11

Function 05828EC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997c13a3ecf7cbc9278ed14592425fa082d94428972d420f15934f1a389f876a
Instruction ID: 35452d4e7b025d83f28c4ed81e949922fdd032cfffb1188b88973750cdc1b27f
Opcode Fuzzy Hash: 997c13a3ecf7cbc9278ed14592425fa082d94428972d420f15934f1a389f876a
Instruction Fuzzy Hash: 9DF09038D092489FCF01CBA4C95019CBFB0EB15205F1082DACC68D7352D6728D42CB41

Function 00C02D75 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e705faa86f0d341ac2f14e75d17e1e15e7325ca2f07a2bdbb54239595d2c549
Instruction ID: 666fb0b1e1900f8887c46b2ed887a0328e1ef9de62947ab792d43bb43dc6d4fe
Opcode Fuzzy Hash: 6e705faa86f0d341ac2f14e75d17e1e15e7325ca2f07a2bdbb54239595d2c549
Instruction Fuzzy Hash: 22F0303060D3948FC7068BA8D468659BFB1BF46740F5681DBE481DB2A7CB749C86CB62

Function 0611AA38 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d03b4d51185682252abdb4b3315d6d70d442342dd7fe74861a4dd22f364b67
Instruction ID: 72c9e99f3c5eb972c108bfd24462f0f7e98ab46ee5381e7530aab1c00d266b71
Opcode Fuzzy Hash: 75d03b4d51185682252abdb4b3315d6d70d442342dd7fe74861a4dd22f364b67
Instruction Fuzzy Hash: 22F0FE393107009FC714DF19D858E6A7BAAEFC9721B154069FA568B760CA71EC42CB94

Function 05FA98B8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87c4b9bd3532d1b151efabfd9510bcad7af02d487bd4217c606e4dd03de650d
Instruction ID: 49e28935907b063ca60a9224f69464f0e1f7ccedd0fd921a7f7bcb8b3ee53d15
Opcode Fuzzy Hash: e87c4b9bd3532d1b151efabfd9510bcad7af02d487bd4217c606e4dd03de650d
Instruction Fuzzy Hash: 28F09672904249EFCF01CF94C9409DDBFB1FF1A310F14C19AE91497262C3768952EB51

Function 0611AA2B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6ee0d84403278a711f144c8905642dba8b25c65b168b9e9be7da8beb5d14ba
Instruction ID: 34773f37833450108e203615b3a30552843cc742a9db5f095cee7298d48e657f
Opcode Fuzzy Hash: 0d6ee0d84403278a711f144c8905642dba8b25c65b168b9e9be7da8beb5d14ba
Instruction Fuzzy Hash: 20F0347A3103008FC705DF24D599F2A7BA6FF88721F0084A9EA468B7A1CB31EC42DB44

Function 05FAA5C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a33ad47fcf9301073040adf41feb86aa1a1a21dd5a09af524cdcd3d13354bd
Instruction ID: f1dc2ba572c8e51135dd8586a150fc7318bccb964b2aa25e1b5bfca9f7b9f3d5
Opcode Fuzzy Hash: b8a33ad47fcf9301073040adf41feb86aa1a1a21dd5a09af524cdcd3d13354bd
Instruction Fuzzy Hash: D1F027B6808104DFC704CFA4C9416ECBF75AB11311F24859CDC8403342DA364E42C641

Function 05FA6060 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c469b3ed867599ad8dd0d9a4a48e68cc23c247973b5b16195e8a328dbaf5963
Instruction ID: ae658000ad363f54f7a40e20ea5118f151072ef0395f87092022f525ee71b978
Opcode Fuzzy Hash: 6c469b3ed867599ad8dd0d9a4a48e68cc23c247973b5b16195e8a328dbaf5963
Instruction Fuzzy Hash: 5FF0E2B2C892849FCB11CFB8D8851A87FB4AF06210F1882EAC848DB297E7754981C752

Function 05FABF18 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822ec7aeb6ceba4bc862456cf7a83ed130123898931053d33068a9fa03fb1548
Instruction ID: b0c2d527c3158836a51400ea3f219a4583b882d0d9aa16f430aa475d2df501ed
Opcode Fuzzy Hash: 822ec7aeb6ceba4bc862456cf7a83ed130123898931053d33068a9fa03fb1548
Instruction Fuzzy Hash: DAF0B479908208DFCB00DFE4D5425ACBFB4EB09301F1481EACC1857352D7368A02DF41

Function 06116EDF Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40116515212b7e1df3d54d6fc7528e516411f864e763209b14f8a698a516e04e
Instruction ID: 6722f546f6be5ceeea236f861a997fc40a222e5a2c834af1e8bf80153eed710d
Opcode Fuzzy Hash: 40116515212b7e1df3d54d6fc7528e516411f864e763209b14f8a698a516e04e
Instruction Fuzzy Hash: 46F020302043014BC7008B2AFC89E8FBFAEDFC1325F00C63AA44946665CF74A84AC390

Function 06111B71 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763aa907268d54dd52f4b91bf8014a59fd17e35306e6cdd7d14ce90ffb167030
Instruction ID: 5d190173226ebfc0f54bb31fd31d17654ed6ac5f9fa1ada205bfe97ae15c267a
Opcode Fuzzy Hash: 763aa907268d54dd52f4b91bf8014a59fd17e35306e6cdd7d14ce90ffb167030
Instruction Fuzzy Hash: 5BF0903190424D9BDF08DF54CD2A6DEBFB1AB89300F148529D50177380CF790A00CBA5

Function 05FA9DF0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e724443067993502162d26b752f537f02c672194878ffea8a415608b0a10ee
Instruction ID: a3ed35819da36e3f152055e50156e08d8f73ab93149e4ea3041760b176cda388
Opcode Fuzzy Hash: 09e724443067993502162d26b752f537f02c672194878ffea8a415608b0a10ee
Instruction Fuzzy Hash: E3F02772808204ABCB05CF64D9805ED7B75AF26315F2085A9CC085B343C7328E57CA51

Function 058284B9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41173494667d0077f65d79f9891af018421dca5ab7f237658212b34696f80718
Instruction ID: a223c61bebf8195b61c7fad0363de2fd0481adb8f5a744f83133c5bf164c4adb
Opcode Fuzzy Hash: 41173494667d0077f65d79f9891af018421dca5ab7f237658212b34696f80718
Instruction Fuzzy Hash: 92F0A0349092649BCB15DFA4D9415987F74AB06305F24C5EADC0897392CA325D82CB81

Function 05FA9780 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efbae8ad0c7108c222dc27cc827e9f1e04aa470d00754e47c4833099ec42140
Instruction ID: ffe00ad9d097f9e63d3d2211c47cf123d2f2d17748dff82d3ef1f21e10a41807
Opcode Fuzzy Hash: 7efbae8ad0c7108c222dc27cc827e9f1e04aa470d00754e47c4833099ec42140
Instruction Fuzzy Hash: 4FF0E271D082489FCB02CF68C9409ACBFB1FF56320B20C2EAD85487392C2764E43DB12

Function 05FA98C8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc562e2e14bb4a438aa8608cbc4a600e88a703b156bc0c444261e4aeffe6f532
Instruction ID: db022cf07a550d42bb155b5f29d6995c4a707d6cf648a99c672e2e6b945ba8f6
Opcode Fuzzy Hash: dc562e2e14bb4a438aa8608cbc4a600e88a703b156bc0c444261e4aeffe6f532
Instruction Fuzzy Hash: 13F0D475904208EFCF41DF98D94099DBBB5FB48300F10C1AAAD1993261D7769A61EF81

Function 05FAB390 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22cf83342de6aaf8fd0753e45f79bdabb8c4bc39d1521c618574d42bc6694cd
Instruction ID: be25013b8f47200c81bde3dd8484597038a02dbe88232fdd22d8388c9ae5c008
Opcode Fuzzy Hash: e22cf83342de6aaf8fd0753e45f79bdabb8c4bc39d1521c618574d42bc6694cd
Instruction Fuzzy Hash: 5BF065759881889FC741CBA4C9512ECBFB5EB46205F14C1DAC86947356CB364A03DB41

Function 0582EE20 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedab11f44bac4607a6f021fb3d5eea534e9dce781c21893f790b3aa494da7d6
Instruction ID: 68f39490de6a1226a85ef0fcfa9b739352f1caa98f2913d29b5ab1dfdb329582
Opcode Fuzzy Hash: dedab11f44bac4607a6f021fb3d5eea534e9dce781c21893f790b3aa494da7d6
Instruction Fuzzy Hash: DBF0F274908248AFCB81DFA9C840AADBFF8AB48311F14C1AAACA8D3241D6359A51DF50

Function 0582AA73 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67cab1e9987bbd2855c9680a9c1f9304fad6e86e1258b82bf0cea47f81642d6f
Instruction ID: e50c434729ef2a370be0da4589e00095af1c9634b4b266cfabe4a0820b83bbf4
Opcode Fuzzy Hash: 67cab1e9987bbd2855c9680a9c1f9304fad6e86e1258b82bf0cea47f81642d6f
Instruction Fuzzy Hash: EEE0ED74A48108DBC709CBA4DA812AC7F70EF45209F2481ADCC0A97382CA728E93CB81

Function 06111B80 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b4bfd2592ec3167e5d20fd2e0259886fc9721e40217e3fb22249554929a56e
Instruction ID: 2fd60da6ceccc4ad65bc183ee25ac4f7f8be0a2e3bca8311955387357c93e422
Opcode Fuzzy Hash: 78b4bfd2592ec3167e5d20fd2e0259886fc9721e40217e3fb22249554929a56e
Instruction Fuzzy Hash: 2CF01C31A0021D9BDF08DF95C91AADEBBF6AB89300F108429D50277340DFB51D048BE5

Function 05FA9FA0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcdf5ff991157e954918a304705f95fd5bc75a8f3e81abcd733604a89be203a
Instruction ID: 33d24b8aa336b09871995ba888bc4318ec3a51bd6dbfae5d3f9007135fb14230
Opcode Fuzzy Hash: ffcdf5ff991157e954918a304705f95fd5bc75a8f3e81abcd733604a89be203a
Instruction Fuzzy Hash: D7E0E57691D1559FC701CB50C5005A87BB1AB12220F0480D6C8084B253C6728D03D241

Function 06116EF0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69db4637d7f9461af1d8c4a4eb450c8b22123ef019993bf1f79676036c42405
Instruction ID: 645c255f01032e4ec9db8ad8b949ff79a48f6bc4b962edf8ec4664b6de960977
Opcode Fuzzy Hash: c69db4637d7f9461af1d8c4a4eb450c8b22123ef019993bf1f79676036c42405
Instruction Fuzzy Hash: 74E01A312003055BC7149B1AF889D4BFB9EEEC4365714CA3AA50A87629DE74ED4AC794

Function 05FA90F8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8332fbec80518be1c65fe54993d4d94af947c72938cdf58da8e8456c0cd1eccb
Instruction ID: da9f0ec7dca6b4b734eb3f68334d926c2e4b89d43d695a1799bb00b25037004e
Opcode Fuzzy Hash: 8332fbec80518be1c65fe54993d4d94af947c72938cdf58da8e8456c0cd1eccb
Instruction Fuzzy Hash: 9EF0A0B1D081559FCB50CBA8C9453ACBFF0EB46310F14C1EA885893392D7765B02DB01

Function 05FA63A8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82203a816489381a7b8badb4ea13da58d2bd91f00a1388cd97b2f21b54f42673
Instruction ID: b1a9bdba7c95fe3c78de41e3f4c1e34fca28255bca6dffbc5b51d024bf2fb2d5
Opcode Fuzzy Hash: 82203a816489381a7b8badb4ea13da58d2bd91f00a1388cd97b2f21b54f42673
Instruction Fuzzy Hash: 53F0A0B0D48294DFC741CBA8C8406A8BFF0EB06310F2886CBC858D73A2C7769A43DB01

Function 05FA6DCB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fe019a9986c7722553469700f149facbcc9e622d0407c45119bdf58b9f7a9c
Instruction ID: e3df4cc3dc3433b031e4cf146dbfd462d8ce6ce7923df409113d0b5a6abba943
Opcode Fuzzy Hash: 68fe019a9986c7722553469700f149facbcc9e622d0407c45119bdf58b9f7a9c
Instruction Fuzzy Hash: 7CE06575D041549FC700CFA8C841BE8BBF4EB45314F2882E9C8589B391C7365A43DB41

Function 05FA87E7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6afdb413623a0465ac21dc4c15c2494a60818e61144e6eeddfb4814ef6b33e3
Instruction ID: 35b14c5fa8b9ab150ac578e3e0ae39e46133757e7b444351dd9944bdb5b99f5b
Opcode Fuzzy Hash: d6afdb413623a0465ac21dc4c15c2494a60818e61144e6eeddfb4814ef6b33e3
Instruction Fuzzy Hash: 57F0B7B5A05208CFCB10DF94E844BAEBBB2FB4A300F504095E549AB254C7B45985CF52

Function 05FAA370 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff23c19917f99ee38ac4e2846485babc46af5d43c58156ecb6d04c49507a868a
Instruction ID: bf463c0af131250f075579a916925564ef5190cdfe74b178723cbab0f3ffde8a
Opcode Fuzzy Hash: ff23c19917f99ee38ac4e2846485babc46af5d43c58156ecb6d04c49507a868a
Instruction Fuzzy Hash: 3BF06D78949288DFC702CB98D9116ACBFB4FB4A305F1486DAC86993353C63A4E06DB01

Function 05FA9E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a748c48f5dfb941dfb497abb429259d3290c495eb5a9ba6079e15904f83518
Instruction ID: 3e5517a568e35c25eb1658814278f65fb6ba740df1d359c7d68789ce7fb15b03
Opcode Fuzzy Hash: a3a748c48f5dfb941dfb497abb429259d3290c495eb5a9ba6079e15904f83518
Instruction Fuzzy Hash: A1E0D87692D2809FCB16C764CA505A8BFB5EB57225F1889DEC848872A3C6B76C03C752

Function 058278A8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21a176c588d200ba7ef81075e0c65fd2d0585e4a904d819e4709743a376519b
Instruction ID: 49fbb1df53a85112fe73527d3e60c3384931829726b369d6654ae9d2d428cb32
Opcode Fuzzy Hash: e21a176c588d200ba7ef81075e0c65fd2d0585e4a904d819e4709743a376519b
Instruction Fuzzy Hash: A6E0DF70C09218DFC701CBA0DE426B57BB4FB02204B0484DFDC49D7652DB329D41C750

Function 06345EA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10a7d1ece84c6ba6d7b84918ced8319ef485cc857ada3509b8704c00adf9ae6
Instruction ID: c84c5ae5afb2f5a5876a870b17b8271bb14dda9d73d6ec54b930b6e0a4262905
Opcode Fuzzy Hash: d10a7d1ece84c6ba6d7b84918ced8319ef485cc857ada3509b8704c00adf9ae6
Instruction Fuzzy Hash: 5BE0C974E05208EFCB84DFA8D84069DFBF4EB48311F10C1AA981893351D771AA51DF80

Function 0634D340 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10a7d1ece84c6ba6d7b84918ced8319ef485cc857ada3509b8704c00adf9ae6
Instruction ID: 8ff302693d829a1100a6bc7938952e2727d39240add9cbb11020778c7c203b44
Opcode Fuzzy Hash: d10a7d1ece84c6ba6d7b84918ced8319ef485cc857ada3509b8704c00adf9ae6
Instruction Fuzzy Hash: 45E0C974D04208EFCB84DFA8D84069CFBF8FB48310F10C5AA981893351D731AA51DF80

Function 0634BBB8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10a7d1ece84c6ba6d7b84918ced8319ef485cc857ada3509b8704c00adf9ae6
Instruction ID: 7ffec15f34711e878451e4fe6cdbd8bb9f08aa5ba76ead66bee576e7056e65d9
Opcode Fuzzy Hash: d10a7d1ece84c6ba6d7b84918ced8319ef485cc857ada3509b8704c00adf9ae6
Instruction Fuzzy Hash: 7EE0C974D04208EFCB84DFA8D940A9CFBF8FB48311F10C5AA9809A3351D735AA51DF80

Function 0634A5E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10a7d1ece84c6ba6d7b84918ced8319ef485cc857ada3509b8704c00adf9ae6
Instruction ID: c286786f63f07f55064b1d3a1e9f50fcf1aa3e75493931ae9705fdedda602c90
Opcode Fuzzy Hash: d10a7d1ece84c6ba6d7b84918ced8319ef485cc857ada3509b8704c00adf9ae6
Instruction Fuzzy Hash: 44E0C974D05208EFCB84DFA8D941A9CFBF4EB48310F10C1AA981893355D735AE55DF80

Function 00C00CDE Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9086bab7d44eea84f2efd3b738b0ecb4c3b21b88dbdd4a83211d8fdd522ba1cc
Instruction ID: 147ba945d952e22b4ce8309043f41e0409fc585d7d05087a307a3c66f076fb33
Opcode Fuzzy Hash: 9086bab7d44eea84f2efd3b738b0ecb4c3b21b88dbdd4a83211d8fdd522ba1cc
Instruction Fuzzy Hash: 7CE04F1010D688DFE712036A98A96667F70AB5B301F760B97E182CA2E389190915E357

Function 00C00F70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdf5a3221b9a720fcf3865d8865e3518ee656aef3df34826be970a3dbf5bc92
Instruction ID: f16173b1456e26622e56491ac40300078567ee276d99228b0175e3408c724edb
Opcode Fuzzy Hash: fbdf5a3221b9a720fcf3865d8865e3518ee656aef3df34826be970a3dbf5bc92
Instruction Fuzzy Hash: 8EE0D870204403CFC2449FB9D654A253BA5BB8D700B3146C5F006C73AAEA20CC01E710

Function 05FAA4A6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7220e7cf8f000a5cf65f67c2e5d53859e7b2fdb75c286c0156e18639f7bfcf41
Instruction ID: 78cce556c01d11f9a3d3d685c1366c578ae0b06140f1bbe6dafeb8cf90d66f69
Opcode Fuzzy Hash: 7220e7cf8f000a5cf65f67c2e5d53859e7b2fdb75c286c0156e18639f7bfcf41
Instruction Fuzzy Hash: 74E0C975D05208AFCB44DFA8D4446ACBBF5EB48200F10C5AA980C93351E6359A06CB41

Function 05FAEFE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44272826362c2cabdeb788c21a21b415db98ed644cd79a68ff7a8a3925370fb
Instruction ID: 75199692ec2999e7c5748cd6d8b17498518e14799e38daf4debd2aaefd566bf5
Opcode Fuzzy Hash: d44272826362c2cabdeb788c21a21b415db98ed644cd79a68ff7a8a3925370fb
Instruction Fuzzy Hash: 15F0C979904208EFCB05DF98D8459ACBBB9FB48310F10C1A9EC1857351D7329A61DB41

Function 05FA9790 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6811cc3238b4ce30f9a35a6dcf61f52f2a951ed437d7d3e9b3fcd2b8a52624ee
Instruction ID: b7f168136288d66936818bf4c76cfe351082c7758e7f163942dabd5f40b4f5cd
Opcode Fuzzy Hash: 6811cc3238b4ce30f9a35a6dcf61f52f2a951ed437d7d3e9b3fcd2b8a52624ee
Instruction Fuzzy Hash: 8FE03974D05208EFCB40DFA8C94069CBBF4FB48300F10C5AA980893340D7769E51DF41

Function 05FADE48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6811cc3238b4ce30f9a35a6dcf61f52f2a951ed437d7d3e9b3fcd2b8a52624ee
Instruction ID: 484e411e6e75266d18a57bedd0cd76669e7b114c507cc9fb84070357c9747e40
Opcode Fuzzy Hash: 6811cc3238b4ce30f9a35a6dcf61f52f2a951ed437d7d3e9b3fcd2b8a52624ee
Instruction Fuzzy Hash: 52E0C975E04208EFCB44DFA8D84069DBBF5FB58311F10C1AA980993351D7359A51DF41

Function 05FAAE18 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44272826362c2cabdeb788c21a21b415db98ed644cd79a68ff7a8a3925370fb
Instruction ID: 55e560c5ad8a89ede607e141c0179f99a2831ff17bf19ce72795cc21ac858262
Opcode Fuzzy Hash: d44272826362c2cabdeb788c21a21b415db98ed644cd79a68ff7a8a3925370fb
Instruction Fuzzy Hash: 35F03275904208EFCB00CF98C880AACBBB9FB48310F10C1AEEC5853351DB329A21EB91

Function 05828150 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9431f77d790ba6402c2c741ad05eb25136debffcf3098e916a3099c23eaac1
Instruction ID: ed85e4d7cf3c3bf8c5da7b661522be358dbeabebe90d9d2f621edaee364c6fdf
Opcode Fuzzy Hash: 8a9431f77d790ba6402c2c741ad05eb25136debffcf3098e916a3099c23eaac1
Instruction Fuzzy Hash: 77E0A574D04208AFCB45DFA9D84069DBBB5EB48310F10C1AA981993351D7319E51DF40

Function 0634FA60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e97105f7c5f09414cf8da0885057840e9e9504a359a57bcf0a1ee35958f59a
Instruction ID: cdb27828e83132effcdfc2b2285d0713558f5a34898b3008521c7b7af00b2195
Opcode Fuzzy Hash: c8e97105f7c5f09414cf8da0885057840e9e9504a359a57bcf0a1ee35958f59a
Instruction Fuzzy Hash: 03E0C974D04208AFCB84DFA8D4406ACFBF4EB88304F1481A9981893341D671AA01CF80

Function 0634F490 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e97105f7c5f09414cf8da0885057840e9e9504a359a57bcf0a1ee35958f59a
Instruction ID: 3bd77b6db1b6049a580d88df1d45e087addf22f2a2ce080f920e74b43f80a8f4
Opcode Fuzzy Hash: c8e97105f7c5f09414cf8da0885057840e9e9504a359a57bcf0a1ee35958f59a
Instruction Fuzzy Hash: 69E0C974D04208AFCB84DFA8D54169CFBF4EB88310F1481AD981893341DA35AA41CB80

Function 05FA6DD8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction ID: 4bbf3acba2e0b609782609a8981f69ae47d1c686e4171f2e73a6105dfb3d1d34
Opcode Fuzzy Hash: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction Fuzzy Hash: ACE0E5B4E04208EFCB44DFA8D8406ACBBF8FB48304F14C1AA9809D3341DB369A42CF41

Function 05FA9108 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af72bb0ff53218af2d437777a32440d28899cddcb6dbb48be29779fb0c4b022d
Instruction ID: 9373af2cfd92eca54aba4eff23b612a2bdf2ec4ab32481e34ac59d61859b7328
Opcode Fuzzy Hash: af72bb0ff53218af2d437777a32440d28899cddcb6dbb48be29779fb0c4b022d
Instruction Fuzzy Hash: CAE0E5B4D08208AFCB44EFA8D9446ACBBF8EB49201F10C1BA981893381EA759A01DF41

Function 05FAE0F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction ID: 3872d8c1f847866532d5317ea851bbe2b36c874adab30073edc0a057823ef8ff
Opcode Fuzzy Hash: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction Fuzzy Hash: 0DE0C274E04208AFCB44DFA8D8416ACBBF8EB48200F10C1AA980897341DA359A02CB41

Function 05FAA4A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction ID: 225e7198cddc560884f092688179c1ad1b938ebfb36d839ca229ca43d93a640b
Opcode Fuzzy Hash: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction Fuzzy Hash: 5DE0E575E05208EFCB84DFA8D8446ACBBF9FB48300F10C5AA980C93351DB359A06CF41

Function 05FA63B8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction ID: d7e275b2bf12832c2ce727dd84fed3bcfbfd1a839130a924ac15b928231dfc1e
Opcode Fuzzy Hash: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction Fuzzy Hash: 74E0E5B4E04208EFCB44DFA8D9406ACBBF8FB48304F14C5AA9808E3341DB75AA02CF41

Function 05FA7718 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction ID: d9f986a1cb2e95a2487734b1dc48c0b4eb234160f327f1213e16fc64a47bb5a1
Opcode Fuzzy Hash: 16130b1784a3fbb937e87aae43a1a6d933e363dceb2ccbfbb6bd17457b64d6ce
Instruction Fuzzy Hash: CDE0ED74D05208EFCB45DFA8D84169CBBF4FB48314F10C5A9D80893341D7359A02CF81

Function 0582FD88 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af671585c0c697b15a654dc11e3ad30cfa8c73ccf0e99dbc1904e73d1f17d521
Instruction ID: 43a9429aabb4ec311b777eeba9bd9ee2b96fb84b7744b25dd1b39e4407ebeed3
Opcode Fuzzy Hash: af671585c0c697b15a654dc11e3ad30cfa8c73ccf0e99dbc1904e73d1f17d521
Instruction Fuzzy Hash: E9E0E534908108EFCB05DF94D841AADBF79FB49311F208199AD0457351DB329E61EB84

Function 00C0E430 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3099b0c05359c7892d12f3b22021eb34608c24c659c2dfe9abb3333a9a0d387e
Instruction ID: eb585e7659b0b7552b69564c87735af3e7d28b8fb947d4b3366b2d72e16c74d9
Opcode Fuzzy Hash: 3099b0c05359c7892d12f3b22021eb34608c24c659c2dfe9abb3333a9a0d387e
Instruction Fuzzy Hash: 2FE086B4948108EFC704DFD4D8419ADBFB8EB55311F14C5A9D84457381DB319E51EB91

Function 0611EEE3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3822f6d7f4e1d75cee0230d40f7a11ddd829c982dee9c4afeac80bfa7c61da3
Instruction ID: 6e99da2cf3e1e145e7ca1473d609861ebe5c6ae83ea44e10bb39a4c56a18d3cf
Opcode Fuzzy Hash: b3822f6d7f4e1d75cee0230d40f7a11ddd829c982dee9c4afeac80bfa7c61da3
Instruction Fuzzy Hash: 1FE0D872014384CBD7959F60DC44785BF61FB91305F1880AEDD4209192D7325406DB06

Function 05FABF28 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074528efd6fd6218e9735941f4dbab0c328a3bebc2a2877c5ec1b2c691bdf0ea
Instruction ID: b48f7cea2144f40fcb8288737c273f553a1a5eafa34cb34d538ed5e06a8f37fa
Opcode Fuzzy Hash: 074528efd6fd6218e9735941f4dbab0c328a3bebc2a2877c5ec1b2c691bdf0ea
Instruction Fuzzy Hash: 76E0E575D08208EFCB44DF98D8419ACBBB9FB48311F14C1AA980853351DB329A51DF81

Function 06348BA0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6646a224d5f4badf124e368c14f7065d206c9b49e9b7457789ba6855c86710b7
Instruction ID: 442bada564168172e9e2c2b71c33b16816ff9864b7fac97cb2225de73953bbbc
Opcode Fuzzy Hash: 6646a224d5f4badf124e368c14f7065d206c9b49e9b7457789ba6855c86710b7
Instruction Fuzzy Hash: 30E01A74D05108EFCB44DB98D4405ACFBF8EB48201F1481EAD85853341DB35AA41DB80

Function 00C0E048 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aae1b65e4ca6b0c80374b0589497804be2332f6ae0483eb4ada9e9f9f48827f
Instruction ID: 8822cb6f8dba36fc0d4f98fd29f0c0a7ee80438955e8b8b5d917d176527ce166
Opcode Fuzzy Hash: 9aae1b65e4ca6b0c80374b0589497804be2332f6ae0483eb4ada9e9f9f48827f
Instruction Fuzzy Hash: 28E01A34D04108AFCB04DF98D8406ACBBB8EB48305F1085AA981857391DA729E01EB40

Function 06111B30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c81c4a5ee8069c5cc260c742181493488838f4fd77c527ded45927ff2606ea
Instruction ID: 3c106a4339ac0bb10a5748f0b62a53ec6ac3c26082ee5a1a43e1afd01c20c3c3
Opcode Fuzzy Hash: e3c81c4a5ee8069c5cc260c742181493488838f4fd77c527ded45927ff2606ea
Instruction Fuzzy Hash: 8ED05B31B40314BBFBA467604C02B65B3BD5B45755F1088B9DB055F380E766E841C799

Function 05FAA5D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f8754700dc875148971466788839e4be106cef2e7445738b08ee96f218f24a
Instruction ID: 55c5d0c267091ee158002d2038c6acb067cc68e1dc30c402b374f4d4808af5ef
Opcode Fuzzy Hash: f5f8754700dc875148971466788839e4be106cef2e7445738b08ee96f218f24a
Instruction Fuzzy Hash: 51E0D6B4808208EFCB00CFA4D8008ACBBB8FB44300F1081AD980423340CB32AE92DA96

Function 05FA9FB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f8754700dc875148971466788839e4be106cef2e7445738b08ee96f218f24a
Instruction ID: 30067cddc0732d6d551dac587be7176b5aab0c7c2fec485b35bc60e1a6177f60
Opcode Fuzzy Hash: f5f8754700dc875148971466788839e4be106cef2e7445738b08ee96f218f24a
Instruction Fuzzy Hash: F2E08C75909208EBCB04DF94E9409ACBBB9FB45311F10C1AADC0423351CB72AE62EB81

Function 05FAB3A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e02550f4bc18c60c0ab1e1463e89f3c362a556862354ec1b5e98170f1e805ea
Instruction ID: 2a813f03ee45e1270b4a0053663f5d37fde83ebba95de1aa54a8b0915b01791b
Opcode Fuzzy Hash: 3e02550f4bc18c60c0ab1e1463e89f3c362a556862354ec1b5e98170f1e805ea
Instruction Fuzzy Hash: A9E01A74D08208EFCB04DB98D4415ACBBB9EB48201F1081AAD85857341DB359A11DB81

Function 05FAA380 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719df7e0bd270b3dabe2093c6f4bba929536d0095e294199b424a29d10cd546d
Instruction ID: bdeaf9216d3046c6da3d79d9007debe1004486cd7067f7d1ade282f693d8bd41
Opcode Fuzzy Hash: 719df7e0bd270b3dabe2093c6f4bba929536d0095e294199b424a29d10cd546d
Instruction Fuzzy Hash: 51E04F78D04208EFCB04DF98D4415ACFBB8FB48300F10C1AAD84953341DB329E06CB41

Function 05FA9E00 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f8754700dc875148971466788839e4be106cef2e7445738b08ee96f218f24a
Instruction ID: 332251e159cf5398aaeba66772c62fbfdadd2e437d49bfad7793f9ef7de6d12c
Opcode Fuzzy Hash: f5f8754700dc875148971466788839e4be106cef2e7445738b08ee96f218f24a
Instruction Fuzzy Hash: E1E04675908208EBCB04DF94D9809ADBBB9FB55311F2081A9980423352CB729E62DA91

Function 0582BD58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4024ab2fbd056e0d4e93ad956a90ddd5754991c20498227d6a69796d456fcc34
Instruction ID: 02ba79c55edfcba543f4655a9faa599d8ebff3d675f215cc301834478717538e
Opcode Fuzzy Hash: 4024ab2fbd056e0d4e93ad956a90ddd5754991c20498227d6a69796d456fcc34
Instruction Fuzzy Hash: F5E04634909208EBCB04DFA4D840AECBFB9FB45316F1081A99C4463351DB329E92EA81

Function 05828ED0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddad5c118110166dac692110eeb95a3fe0fa955f6b94d6f61c3962496cb611b
Instruction ID: a5f4efc735efd77ec3c8f5c84af612f6fd594af89457b746443e69494b93b395
Opcode Fuzzy Hash: 6ddad5c118110166dac692110eeb95a3fe0fa955f6b94d6f61c3962496cb611b
Instruction Fuzzy Hash: D5E01A34D04208EFCB04DF98D4405ACBBB4FB48314F1081A99C0893341DB32AE51CF40

Function 05827CF5 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055fc42f3902c65d38cd2bdc67b7f09ce8879f3bc19f14cf59795748dd511301
Instruction ID: a7cefa7fa1f7441c216d652936b927bf86e7fa727e02fb50abce13bca4e0cd0a
Opcode Fuzzy Hash: 055fc42f3902c65d38cd2bdc67b7f09ce8879f3bc19f14cf59795748dd511301
Instruction Fuzzy Hash: 86D0C272600148E7D701CF29C420CFDBB61EF8631471402FAD80983001DA314A19A700

Function 0582AC28 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4024ab2fbd056e0d4e93ad956a90ddd5754991c20498227d6a69796d456fcc34
Instruction ID: deb160de3ac24f6659e4a51ba50046203fa86c8dd60f26c8d5d504d6c3e4a98e
Opcode Fuzzy Hash: 4024ab2fbd056e0d4e93ad956a90ddd5754991c20498227d6a69796d456fcc34
Instruction Fuzzy Hash: 51E04634908208EFCB08DF94D9419ACBFB9FB45311F1481A99C0963351DB729E92DA84

Function 0634B458 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70eaaf33a6303f6de0ce3dd6f97dee95643f3999f4a2e95cad26c9b879a000b2
Instruction ID: e47c7da26fc58707e54778e5f92b6712570fd474e2ba0f21911e0e959da65f04
Opcode Fuzzy Hash: 70eaaf33a6303f6de0ce3dd6f97dee95643f3999f4a2e95cad26c9b879a000b2
Instruction Fuzzy Hash: D2E01271941208AFC741FFF89904A9EBBF9EF45241F0049B9950693160EE765E14D7A2

Function 06333E80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7400429d4d33d8ea1df60cfa6c478d63689ad37a1a161732d9303fae04f6597b
Instruction ID: 92dc3115fc7686e2878b77b611bdd92732ad97ec496a83ce1eb877766eb936f1
Opcode Fuzzy Hash: 7400429d4d33d8ea1df60cfa6c478d63689ad37a1a161732d9303fae04f6597b
Instruction Fuzzy Hash: 64F030709080198FD7589F24E858A997FA1AF45304F1084E9E00DA7282DF711E84CF62

Function 0634E150 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c7acecf142edfa1b1479fe4586415b1070c8c97c998231455ed200588e432d
Instruction ID: ea7293d0635701d8d6ad0cada3e3aa5d69a6b6f7b4f4ab756a0cffeadbc64998
Opcode Fuzzy Hash: c9c7acecf142edfa1b1479fe4586415b1070c8c97c998231455ed200588e432d
Instruction Fuzzy Hash: 54E08C34908108DBCB04EBA4D8405ADFBB8FB45301F1081A9880813351CB32AE12CB80

Function 00C00F80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2110505ab571bd6fcc3bb323a49d2148c7b9df1f221470af898306f67f05c208
Instruction ID: 9be2092a3f5b5b746c767bb4de2699e63f9608a57fd84053e4730af53a28c00a
Opcode Fuzzy Hash: 2110505ab571bd6fcc3bb323a49d2148c7b9df1f221470af898306f67f05c208
Instruction Fuzzy Hash: FCE0EC74258906DFC294ABA9E559A2637E9BB8C7107318994F00AC73A9EA21EC01E751

Function 05FA40A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741fe6d399fcaa51162205a75fca0867239c8359af525ea468c2ce3b0192ce0a
Instruction ID: 2188ea0c7c3477ba06a60a6de4a3b39af7c0d95365be95e787ab9f14e5103320
Opcode Fuzzy Hash: 741fe6d399fcaa51162205a75fca0867239c8359af525ea468c2ce3b0192ce0a
Instruction Fuzzy Hash: A5F04DB4D006288FCBA4CF28EC596D9BBB1AF49315F1082EA954AA3290DB301E908F40

Function 05FA6070 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f378d495c7d7ae5af9e5c308bde469cdc0befdfb283bee635169da2897ac1e56
Instruction ID: 5512c71ae7afb259592fc39c59f71983ff4bbabf1c9b38ddb7f89a0472ba9630
Opcode Fuzzy Hash: f378d495c7d7ae5af9e5c308bde469cdc0befdfb283bee635169da2897ac1e56
Instruction Fuzzy Hash: D8E01271D15208DFCB44EFB8E8496ACBFF8FB04611F1481A9D809D3351EB715A90CB51

Function 05FA9E90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa22f577d3b487eeb67d164552d13d045d907323f92ce2e21a19aa9915eec7ea
Instruction ID: c14839fc012bf07fcc2dbac45ef36eeb9c6ae097a88cc3925636c2791d3e5104
Opcode Fuzzy Hash: fa22f577d3b487eeb67d164552d13d045d907323f92ce2e21a19aa9915eec7ea
Instruction Fuzzy Hash: 3DE0C274918208DBCB04DF94D9805ACBBB9FB85302F2081ADD80813352CB729E52CB91

Function 0582AA80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b4edcaf7d341d1c62e8a62126933c068a77d05d951bfd40b584389e7c2ae52
Instruction ID: fda447cc4976513871a0045b1390440d9398f32f9177647f840ddbee05b8a90e
Opcode Fuzzy Hash: 98b4edcaf7d341d1c62e8a62126933c068a77d05d951bfd40b584389e7c2ae52
Instruction Fuzzy Hash: CEE08C34A08208DBCB08DF94D9405ACBBB8FF45305F1081A98C0A63341CB72AE82CB80

Function 058284C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b4edcaf7d341d1c62e8a62126933c068a77d05d951bfd40b584389e7c2ae52
Instruction ID: 39db8752687b0a2e58fd8d395984c92c20c5946358669e2a88864270586e79bc
Opcode Fuzzy Hash: 98b4edcaf7d341d1c62e8a62126933c068a77d05d951bfd40b584389e7c2ae52
Instruction Fuzzy Hash: 1BE0C234908208DBCB04DF94D8405ACBFB8FB45305F6081ADDC0853341CB329E82CB80

Function 05827C5B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2e9477f207948d3d4517d5a7140ee06ff76875b0b4bd091bfe084e8248b811
Instruction ID: 784efa140b63ec3b9cc4581739f24f5000746dda788c98677f0cb7e2fe7f0a86
Opcode Fuzzy Hash: 5f2e9477f207948d3d4517d5a7140ee06ff76875b0b4bd091bfe084e8248b811
Instruction Fuzzy Hash: 19E020315413188EC702DBA8C901BC577A19F40200F4045A5C55D5F161CE355902A7C2

Function 05827C68 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56be4d5d2ddbe49050f0fd71a15798ca0eb42904aef791ed82fe431bf6d751b8
Instruction ID: f81f563b38a407f5a9377cec5e5bf801b502bb28a677017619888988db035a49
Opcode Fuzzy Hash: 56be4d5d2ddbe49050f0fd71a15798ca0eb42904aef791ed82fe431bf6d751b8
Instruction Fuzzy Hash: 71E0C23098120CAFCB00EFF88800A8E7BBDEF05200F0009A9C40AD3150EE764E10D792

Function 00C02FE1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e842e277300528aedebc53ab64ef35ad4cd96925db43637cdbd8b5bf703b96cc
Instruction ID: 426282723866c1ebbe398d452afa4d7f1f63a19cb9418a82bfe859a5d37db292
Opcode Fuzzy Hash: e842e277300528aedebc53ab64ef35ad4cd96925db43637cdbd8b5bf703b96cc
Instruction Fuzzy Hash: 64D05E1160D2605FCB0667E4A4250EDBBA2AF867527554093E0429A69BCB648909A392

Function 06118558 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b23cf1d3e6b75fa5ae3b8b0a486b4cfb30d933152ce2f506fb254b45ff163f
Instruction ID: ba1812544ae6187d0d511300b76ef4cc722bd7a4097f986e4fddc12a47b069ec
Opcode Fuzzy Hash: d3b23cf1d3e6b75fa5ae3b8b0a486b4cfb30d933152ce2f506fb254b45ff163f
Instruction Fuzzy Hash: 7DD02B3171C7814FC7438239BD145033FE55B8630030485AEE845CB285FF64CC098741

Function 058278B8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd27269decff3ab3e41bd2d474d89bc97c65ecefcad5ff5d933b8670cedc0db7
Instruction ID: 9c114484e5921599f6265ba918a9bc98f21e3cc8870e0bcb297ff0c693d57c47
Opcode Fuzzy Hash: bd27269decff3ab3e41bd2d474d89bc97c65ecefcad5ff5d933b8670cedc0db7
Instruction Fuzzy Hash: 8FD05E30509108EBC704EB95D801A69BBACEB45215F1081AD9C0983751EB72AD41C794

Function 00C00CB0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d21f7dcd1f59b59b1e18c03f01f55dd09b04e049a1c8162bc9d7211d9f0913
Instruction ID: a84a2d7358cf4e293614ab5a1fdee8843062ab3f426903632baf832d34be385b
Opcode Fuzzy Hash: 00d21f7dcd1f59b59b1e18c03f01f55dd09b04e049a1c8162bc9d7211d9f0913
Instruction Fuzzy Hash: A4D0973410E1809FE3083230CC0C6C27F308FCA300F920530EA63AB1F0CA248205C2A3

Function 06118080 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528ed973e009d37985aa291b0e80fa7e19c124e2fa3344a2b2485ce20fe6c2ff
Instruction ID: 9f2cbd7a63bb2ee953003fceaf457f8bf1adfe52210212deaf4e748cdaf2e0d6
Opcode Fuzzy Hash: 528ed973e009d37985aa291b0e80fa7e19c124e2fa3344a2b2485ce20fe6c2ff
Instruction Fuzzy Hash: 13D012311053069BC759DB18E940D9BBB99DFC0310B04CE39A45A4B538DBB4ED49C784

Function 05FA67EC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934773de310d619ef1248c8585e2a621c2eba4bee75dd8ace5afe824794b8964
Instruction ID: ffb2c78e08d4ad7b5091a959580984fc6e1c32a6f77d7cb754149cc329c464c8
Opcode Fuzzy Hash: 934773de310d619ef1248c8585e2a621c2eba4bee75dd8ace5afe824794b8964
Instruction Fuzzy Hash: CDE0C234A093198FCB51DF24D859B99BBBAEB0A304F1481E9D0199725ADB705A85CF02

Function 05828CC7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccac109a61f38c092f0832e1d9a8843176eb25e776ba51b4cfa3ea0f93b74180
Instruction ID: 69dc3351a53300e59649d03d41fd6f15da8305399f30118ac9549073cd7fbdf2
Opcode Fuzzy Hash: ccac109a61f38c092f0832e1d9a8843176eb25e776ba51b4cfa3ea0f93b74180
Instruction Fuzzy Hash: 16E07574E05229CFDBA4DF29E844BDDBBF1EB4A300F1181E9A849A7354DB705E808F51

Function 06118071 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979ed33ec6329822e46bb7c6be1ca23c30f90747c0ba6babe5eb6b6afd630a7f
Instruction ID: 423fb8009eca6deb0a9f9219037fb6d9cabae5202a168fc489c8e8262749e165
Opcode Fuzzy Hash: 979ed33ec6329822e46bb7c6be1ca23c30f90747c0ba6babe5eb6b6afd630a7f
Instruction Fuzzy Hash: 3FE08C700097428FC745DB28EA44E5BBFA8FF80304F058A39E0458B43ADB74E889CBA5

Function 05FA70FB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0a537f575aa0953baa919ffb69a9be4030457139f497ce720ebe648ed5f42d
Instruction ID: c72f21cdb0c0920bf5be04bfa3364325589d2ffd7e44f7f9b1e2fc3267670dd1
Opcode Fuzzy Hash: 9a0a537f575aa0953baa919ffb69a9be4030457139f497ce720ebe648ed5f42d
Instruction Fuzzy Hash: 7AE0B635A001198FCB60EB68E5457DCBBB2EB89211F1040E5E60CA7345DB305E868F41

Function 00C00B58 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9729c10672eed6b309d0f2a54f361e44e1e698f2a5998e091fada9474754caa7
Instruction ID: 014d48f585aeb1ca573abcb9b140392abb9de1849271c47c3acc04524ece4b58
Opcode Fuzzy Hash: 9729c10672eed6b309d0f2a54f361e44e1e698f2a5998e091fada9474754caa7
Instruction Fuzzy Hash: 15D0A771C052044FC311AB749E1C2457B606706115F4107D9CC15876B6DE2885188B51

Function 00C00CC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bca63a2e3775a87ca6f056388a62d3001b1ab0111f053124d2d8764026eda0
Instruction ID: a7975699283ae17c043811c7117e7cb557e02537b3430e934178427e93cec0ca
Opcode Fuzzy Hash: a1bca63a2e3775a87ca6f056388a62d3001b1ab0111f053124d2d8764026eda0
Instruction Fuzzy Hash: A8C08C30906248ABE614226ACD0CB57BBB8CBC9300F228A30AA67662E09F756504D1A3

Function 00C00C90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112d117e7f9b20efc9c89b26d4e5b4acedd07a9698bcac7cbdb341ae0e414a56
Instruction ID: 644796c10dfd74586c1fb3323aee59e2cd80f1597e6127aa5255a4c9928ed5ea
Opcode Fuzzy Hash: 112d117e7f9b20efc9c89b26d4e5b4acedd07a9698bcac7cbdb341ae0e414a56
Instruction Fuzzy Hash: D1C04C5400E7C5AFC70203765CAE496BF745E476407550AC7E082C70E3954C1C1AC356

Function 00C00B31 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad4b2f2f8efd4e39f0ebeb0f0632bdf949f459a9abd7d0c0fbf670066f78f91
Instruction ID: 053d6019f8b7c6b4a6a27e86c8366527dace050273b91df7b0c9e141f8a50f87
Opcode Fuzzy Hash: 7ad4b2f2f8efd4e39f0ebeb0f0632bdf949f459a9abd7d0c0fbf670066f78f91
Instruction Fuzzy Hash: 63C0026144D3C49FC71357A0AD794583F306E1710634A01CBE189DB9B3EA694818C727

Function 05FA14EC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b962517bf821a76d7020c1a602937e6e7d57feb79be4b114fd4f8727cb04b6e8
Instruction ID: 91da17721b7ddcb60ad043ad4ff17e18d51b2355f1e75fda900abddb47227c57
Opcode Fuzzy Hash: b962517bf821a76d7020c1a602937e6e7d57feb79be4b114fd4f8727cb04b6e8
Instruction Fuzzy Hash: 79D052B08002188FCB64CF04EC09698BB78FB01208F0082D0E40952150CB341A48CF40

Function 00C00E3A Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48cecdded415f585763c0fc751e96bf9ca85e474fb4c30ed3321f19caab8648
Instruction ID: cf55ec9ce2956e518940f3c59ec6f1317923ffac1c9e0677cd8e8665f1fc3863
Opcode Fuzzy Hash: f48cecdded415f585763c0fc751e96bf9ca85e474fb4c30ed3321f19caab8648
Instruction Fuzzy Hash: 9EC09BF79453004BD3681F145154265779157953F03338799DC2F973FCD7505C109A60

Function 0611AA10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 0611EF08 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae13863b5f042a0ee363b4de2e95ff56aa42cd37b020e4a59d67c0cee6f9b3e0
Instruction ID: 22255e18049adb5c2cfa9179c8e22ef7bc5878e9bc19178d67001b63a18165ca
Opcode Fuzzy Hash: ae13863b5f042a0ee363b4de2e95ff56aa42cd37b020e4a59d67c0cee6f9b3e0
Instruction Fuzzy Hash: F7B09232010208EB8600AB84EC04C66FB69EB59700B04C025B609061228B32A822DA94

Function 00C00B40 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5bd845b1cf0f23e0f2446cedc83749873f369b08447beb7ba09e8493b77b75
Instruction ID: 091697f1dac1fdbf687627ac06b1ce201fddf268f8533c3e8f3159203dfcd59e
Opcode Fuzzy Hash: bf5bd845b1cf0f23e0f2446cedc83749873f369b08447beb7ba09e8493b77b75
Instruction Fuzzy Hash: C4A01132008A088F82003BA0BC0E22CBB2CBA0020A3800220A00E838228FA028008A82

Function 00C00E27 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be9f8b18dbac6de3159e4aaf9e3a9d399d74e615081c0a2b74afee0f2b2fff
Instruction ID: 68190ca9dced4ec960cd6559db3ec2f1bab209cc6907461037efed01d6bb5ea0
Opcode Fuzzy Hash: c5be9f8b18dbac6de3159e4aaf9e3a9d399d74e615081c0a2b74afee0f2b2fff
Instruction Fuzzy Hash:

Function 0611854B Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcd78d9370496ec861235e937a16f1f81f5708a1fa1cb94efa7d22e0d49277f
Instruction ID: c3c979eb06b6cb7547628c3490a18025ebd6652a04fb56a797af0c0bad966639
Opcode Fuzzy Hash: ebcd78d9370496ec861235e937a16f1f81f5708a1fa1cb94efa7d22e0d49277f
Instruction Fuzzy Hash:

Non-executed Functions

Function 05823A50 Relevance: 6.0, Strings: 4, Instructions: 983COMMON

Download Yara Rule

Strings

paq, xrefs: 0582460A
xb`q, xrefs: 05823B7D
Te]q, xrefs: 05824173
TJbq, xrefs: 05823BF2

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID: TJbq$Te]q$paq$xb`q
API String ID: 0-4160082283
Opcode ID: c153d1f7c9c2e8bae55b13f32ce0549c527e86a0c7f7c63729be9a69add8a4ef
Instruction ID: 1179699ef6796c9806d860713f6ec38a4e1b4d73023103edb5fe9708bcd66c2d
Opcode Fuzzy Hash: c153d1f7c9c2e8bae55b13f32ce0549c527e86a0c7f7c63729be9a69add8a4ef
Instruction Fuzzy Hash: 02A2D774A00628CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF50

Function 05823A41 Relevance: 4.0, Strings: 3, Instructions: 243COMMON

Download Yara Rule

Strings

xb`q, xrefs: 05823B7D
Te]q, xrefs: 05824173
TJbq, xrefs: 05823BF2

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID: TJbq$Te]q$xb`q
API String ID: 0-1930611328
Opcode ID: 0eed8a95f38dff21be57e8b0e78edfe8e4e7038a6726fcc2fd983c38bb332976
Instruction ID: 38308c5c5e97027571872fc75493b993b5f3531e748f15542ee7c81a3c7c38ae
Opcode Fuzzy Hash: 0eed8a95f38dff21be57e8b0e78edfe8e4e7038a6726fcc2fd983c38bb332976
Instruction Fuzzy Hash: CFC15775E016188FDB58DF6AC944ADDBBF2AF89300F14C1AAD809AB365DB305E81CF50

Function 06111248 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

(aq, xrefs: 061115EC
,aq, xrefs: 0611133E

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: (aq$,aq
API String ID: 0-1929014441
Opcode ID: 5fa34b2de20af142bf2deeebf1c08e322a9f9edea57e3a65d6d5f1d406c90447
Instruction ID: 3b00293822be170b67f20c842dd4fae3788df4c0319f3b476540603f11f5908b
Opcode Fuzzy Hash: 5fa34b2de20af142bf2deeebf1c08e322a9f9edea57e3a65d6d5f1d406c90447
Instruction Fuzzy Hash: 14D13934A006099FCB94CF68C585AAEFBF2BF89314F25C4A9E5069B365DB35EC41CB50

Function 00C0D070 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4']q, xrefs: 00C0D127
4']q, xrefs: 00C0D152

Memory Dump Source

Source File: 00000000.00000002.2065038391.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_Roahhi.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: f1a6294592531ddc6e9a5aec3bdfac495117a0c642a4c1033ffda53096d267b6
Instruction ID: e6efc97090655552ffd2c279b0e27e90c1ffe4065ed8d5d05b767b26e8772b78
Opcode Fuzzy Hash: f1a6294592531ddc6e9a5aec3bdfac495117a0c642a4c1033ffda53096d267b6
Instruction Fuzzy Hash: 3171E870E056058FDB08DFAAE94169ABBF6BFC8700F14C579D0049B27AEF745905CB51

Function 05FA7850 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

3, xrefs: 05FA78EF
A, xrefs: 05FA84E8

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: 3$A
API String ID: 0-694096507
Opcode ID: de4ebdb494eeda9f6b3a228a019ce9bb434a4bb09e3a328abb79efc30804ff49
Instruction ID: cd6ec1a80c97dde944e9044510b15bdfa99a3b0873a4fa6d4c0aeaafecd47f21
Opcode Fuzzy Hash: de4ebdb494eeda9f6b3a228a019ce9bb434a4bb09e3a328abb79efc30804ff49
Instruction Fuzzy Hash: 0B21CAB1D056588BDB28DF5BC9446DEBBF7AFC8300F14C0AA840CAA224DB745981CE41

Function 0634E730 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

Kw, xrefs: 0634E823, 0634E828

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID: Kw
API String ID: 0-3213648439
Opcode ID: f6e3cbf88c67d75b0cda49e8295641f895fd0481e828d1148aaee7ea06455fd5
Instruction ID: b25ce2adb83109b22966106d3556bf8e0c3fdbf49cb91d78daf6fb7f505844c7
Opcode Fuzzy Hash: f6e3cbf88c67d75b0cda49e8295641f895fd0481e828d1148aaee7ea06455fd5
Instruction Fuzzy Hash: 4B615C74E09208DFEB84EFAAE4447ADFBF6FB89310F109025E005A7695DB746885CF81

Function 05FA8CD0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

pqI, xrefs: 05FA8DFF

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: pqI
API String ID: 0-1078129942
Opcode ID: 35d07e011be6107c4599c2de26b25d0be316d4a77b6ead7ddf415377cab41cd0
Instruction ID: c6c8f616416df5a4aa856bf3f7d8be50e268cdd86f58a8505d86fd52d43b8eeb
Opcode Fuzzy Hash: 35d07e011be6107c4599c2de26b25d0be316d4a77b6ead7ddf415377cab41cd0
Instruction Fuzzy Hash: 894190B6E0524ACFCB44CFA9C4801AEFBF6EF48280B54C965D416E7315E3BC8A128F51

Function 05FA8CE0 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

pqI, xrefs: 05FA8DFF

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: pqI
API String ID: 0-1078129942
Opcode ID: d36600f8e673e35071e9e8d19161f40491ab73094b616b114c9c489055be9d36
Instruction ID: b367a67df8038990919449d5b8893c0249ab03a666c8e7cd2180ac55403d9a6e
Opcode Fuzzy Hash: d36600f8e673e35071e9e8d19161f40491ab73094b616b114c9c489055be9d36
Instruction Fuzzy Hash: 65414DB6E0514ADFCB44CFA9C4802AEF7F6FB48280F54C965D516E7315E3B88A128F41

Function 05FA7840 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

3, xrefs: 05FA78EF

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 7b8b6b2875b916200deb7182c9f503b1a07da56a288296d73eb87f01da30c68f
Instruction ID: 9399f77d28a65d3409a7cf8c40686a4d7780a5d739de48540eee6533725e4698
Opcode Fuzzy Hash: 7b8b6b2875b916200deb7182c9f503b1a07da56a288296d73eb87f01da30c68f
Instruction Fuzzy Hash: 4B2110B2D016589BDB28DF9BDD446DEFBF7AFC8301F14C07A8808AA229DB745941CE41

Function 06080040 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9241aba759fa6a05920047471597c83c8b6016e109da36758d6eb55e07c151
Instruction ID: 9e32ef0823ba6a38c44216cf7a238d5eeaec8cfdb94028340b975837fbc33af8
Opcode Fuzzy Hash: 4d9241aba759fa6a05920047471597c83c8b6016e109da36758d6eb55e07c151
Instruction Fuzzy Hash: 99025A70B006168FDB98DF69C49476FFBF2BF88300F248529D99A97351DB34A945CB90

Function 060AF3E0 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106220576.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60a0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3407a3d7be76fe23d3d4a96e99fc2ceb0bae5fbee55c5a708be2eae68d490bab
Instruction ID: 78db159d088345370a47414a8944ffc0c006ce6a6ef9f48f709be178e00eb550
Opcode Fuzzy Hash: 3407a3d7be76fe23d3d4a96e99fc2ceb0bae5fbee55c5a708be2eae68d490bab
Instruction Fuzzy Hash: 3D12B170E006198FDB54CFAAC98069EFBF2BF88344F24C569D459EB21AD734A946CF50

Function 0608CB38 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2535f433121595d220130254d86ae9e24ccb30d944f4530959453a0034b271d4
Instruction ID: f05576f05e6bcb38a4d8424fe039f006851af175a6a2bd8606dea66270106e64
Opcode Fuzzy Hash: 2535f433121595d220130254d86ae9e24ccb30d944f4530959453a0034b271d4
Instruction Fuzzy Hash: B1E1E470D40218CFEBA0DFA9C881B9DBBF1BF49304F1085AAD459B7290EB745985CF55

Function 0634E190 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108da586ab6b82def9a334cb014a2f0a88618ed73637421a047edae8986f7434
Instruction ID: 38331e23c7fd47a14e9e2726a47eb8ec6b81716bb10f3ff2d10d79390e40745f
Opcode Fuzzy Hash: 108da586ab6b82def9a334cb014a2f0a88618ed73637421a047edae8986f7434
Instruction Fuzzy Hash: 3B81FF70E15228CFEBA4EFA5C844B9DFBF6BF49300F1094A9D409A7651DB706A85CF81

Function 05824D1B Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8622b360e3452936497637ca51055f1783ccbfb64c051704c36c126e8ce98f92
Instruction ID: 631d05b906dc5a7f4ecfce4be795b97fdc3556752d09797602b16422797ace48
Opcode Fuzzy Hash: 8622b360e3452936497637ca51055f1783ccbfb64c051704c36c126e8ce98f92
Instruction Fuzzy Hash: 92612E71D05A688BEB18CF6BDC4469ABFB3BFC9301F14C0A9D408AB259DB711A85CF51

Function 060A0006 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106220576.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60a0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3165432d1ef60ec813de5ea1249ecccd012dee5e6c300e5ea53216a6dd86c0
Instruction ID: d3111dec030e911fffe2405cf0ca5e5c0757582a7c432cafc008a03bf34640fa
Opcode Fuzzy Hash: 1f3165432d1ef60ec813de5ea1249ecccd012dee5e6c300e5ea53216a6dd86c0
Instruction Fuzzy Hash: 8F515D71D056588FEB59CF6B8D402CAFAF3AFC9300F18C5FA844C9A165DB7409858F51

Function 05FA6BCB Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5650ec44972c5a8c82e4cbe305fc90f6e0e39cf88671e84692f30db47bd80da
Instruction ID: 53872845132f86f5587863016e705154bf79c4f67d714b78381c60f51c3fc98f
Opcode Fuzzy Hash: c5650ec44972c5a8c82e4cbe305fc90f6e0e39cf88671e84692f30db47bd80da
Instruction Fuzzy Hash: 0E4125B2E046098BDB04EFA9D485BEEBBF2FF48301F148469D919A7345D7749980CB91

Function 060A0040 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106220576.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60a0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8672d850b924d6277cb967491609577351d96bd55c49364d465cf4ca783f8238
Instruction ID: 460e6b21b6dfda95f403e432ff6103cacedd7eec16fdb9275d214dbfb57e6cd0
Opcode Fuzzy Hash: 8672d850b924d6277cb967491609577351d96bd55c49364d465cf4ca783f8238
Instruction Fuzzy Hash: E0515D71D046588BEB6CCF6B8D402CAFAF7AFC9344F14C1FA954CA6264DB7009C58E41

Function 06287545 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d0405ffef152d37c4c979017f7050f088bebe490f9cab3c1e05c022a0886b9
Instruction ID: d27f631d69303ca89b2bfa20fec4a53f2432a9736216b885d8e499ab1337473e
Opcode Fuzzy Hash: 97d0405ffef152d37c4c979017f7050f088bebe490f9cab3c1e05c022a0886b9
Instruction Fuzzy Hash: 5C412871D052298FDB64DF6ADC447DDBBB2BF89300F14C4AAD849A7295EB344A81CF50

Function 060AD840 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106220576.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60a0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263ca569864105441584c26695a5e145ba1cbdbbefaf48144150960ff22bb519
Instruction ID: 24a6e3b444df8dcd9aa5e3d4bca3aadc0205e6490d112b432b54cc3e4b6a81cc
Opcode Fuzzy Hash: 263ca569864105441584c26695a5e145ba1cbdbbefaf48144150960ff22bb519
Instruction Fuzzy Hash: EA41DEB4D003489FDB54CFE9D985A9EBFF1EF09300F20902AE419AB290D7749885CF45

Function 06287570 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0389815213950cd78da64dcb6f7cd4fc6b1bc0b747e2b5bc2f333bca4f0891ed
Instruction ID: 49fe6919df931e03e832fbe5dab54f10b3caa149523c151d77af010fc5887c3f
Opcode Fuzzy Hash: 0389815213950cd78da64dcb6f7cd4fc6b1bc0b747e2b5bc2f333bca4f0891ed
Instruction Fuzzy Hash: D2411771D12229CFEBA4EF6ADC4479DBBB6BB89300F10C0A9C91DA3295DB745981CF40

Function 05FA0006 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cb1e840bd31ec68821152ccd5458d5ae314fdcefc8d6e1f40aa2ee74e55688
Instruction ID: f60dcf84b0c630a6a033bfe6204c36fb0265069f0212ba1231bcd2e59f8034bf
Opcode Fuzzy Hash: 62cb1e840bd31ec68821152ccd5458d5ae314fdcefc8d6e1f40aa2ee74e55688
Instruction Fuzzy Hash: A641A5B2E05B548FE71DCF6B9C4029AFBF7AFC9311F59C1B6844C9A265EA3409468F01

Function 05FA0040 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105401682.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f4819df1e543d02bfccd55fb6322eb67806cad6b3b57b304b86936078577e4
Instruction ID: 0d3df430dc79dffccebac1f86575be1042a7ffa25d0d2c9f0616942e422ac540
Opcode Fuzzy Hash: 58f4819df1e543d02bfccd55fb6322eb67806cad6b3b57b304b86936078577e4
Instruction Fuzzy Hash: 834133B2E05A188BEB5CCF6B9D4069EFAF7AFC9301F14C1B9840CAB255DB3455868F01

Function 05820007 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e13899a3bcdc10855cc1f07d9747f86da271de45bcd8556335cc2ce2f9acc8
Instruction ID: 10bd35a8ece2755f2559506b766206dfde69685eda1e746467ab6792020f9104
Opcode Fuzzy Hash: 64e13899a3bcdc10855cc1f07d9747f86da271de45bcd8556335cc2ce2f9acc8
Instruction Fuzzy Hash: 4341EDB1D057588BEB55CF678C58789BEF7AF89300F14C1EAC44CAA265EB740985CF11

Function 06330040 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3700d02bac0bd82072ac41b6305110a6e25d7c60929dc835f4e9776668bf83
Instruction ID: 54ad8e00b18b4098b452d1ec8512c6c07318c565a98e8f9daceaab341f82e07a
Opcode Fuzzy Hash: 3f3700d02bac0bd82072ac41b6305110a6e25d7c60929dc835f4e9776668bf83
Instruction Fuzzy Hash: 3631C871E05628CBEB68CF2BD848699BBF6BF89300F04C1EA940DA7655DB700A85CF51

Function 06353B50 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca206a664e716a4ed77afaa12e26d7bdc1e353e91048fdbb802397beeec16a8
Instruction ID: d7c311cbc9b78a973b07c0aaebc1ba4905bf1fcf3d9b3fbf70c6769f634db929
Opcode Fuzzy Hash: 1ca206a664e716a4ed77afaa12e26d7bdc1e353e91048fdbb802397beeec16a8
Instruction Fuzzy Hash: 3B21EEB8C042189FDB14DFA9D841AEEFBF4FB49310F10902AE845B7250D7356945CFA5

Function 0633001E Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375c335ef71faa5179f2a8d2abf9d6ce57e88089dcbf1030ccc3662647142e97
Instruction ID: d9ab57ebf44cc767f66b4d132df98a63309a816fceba04d0fb3979925ef6b099
Opcode Fuzzy Hash: 375c335ef71faa5179f2a8d2abf9d6ce57e88089dcbf1030ccc3662647142e97
Instruction Fuzzy Hash: 6A31D9B1D056588BEB69CF6BCC4439ABBF7AF89300F04C5EBD448A6255DB300A86CF50

Function 05820040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104656360.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81219acef322ca05e5d00eb467ee9aea96d12b256cc9e135fd21eb6d733209c
Instruction ID: 28736a0bd1effbc0ef4ce743dde44ba31d097beec6ab90739ae4ca61f831b37b
Opcode Fuzzy Hash: f81219acef322ca05e5d00eb467ee9aea96d12b256cc9e135fd21eb6d733209c
Instruction Fuzzy Hash: 0A3177B0D05628CBEB58CF6BC84878AFAF7AFC8304F14C1A9D40CA6264DB750A85CF01

Function 06353B58 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23c13db88937541550d18c2f43fb896266df266249aa98a113e716e157a7808
Instruction ID: b86c0020db0a05e3e5c1f56e0e8e35272c50d8f80e2db0097402db7afa1a7102
Opcode Fuzzy Hash: e23c13db88937541550d18c2f43fb896266df266249aa98a113e716e157a7808
Instruction Fuzzy Hash: 1021FEB9C042189FDB14DFA9D981AEEFBF4FB49320F10901AE809B7250C735A945CFA4

Function 06088EC8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb44f871486a8b83385d4dd11741ad21c46a96fde9705a93a680e5faba093bbb
Instruction ID: 9fbc3c2e1d2bec40e5d7bc8f5aaa73d9190626868b525f8f3639a4c71465a004
Opcode Fuzzy Hash: cb44f871486a8b83385d4dd11741ad21c46a96fde9705a93a680e5faba093bbb
Instruction Fuzzy Hash: C521F3B0E446189FEB58DF9BD8403DEFAF7AF89300F04C06AD449AA264EB740945CF40

Function 06088EB8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106150181.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e370e3ab62e51e4cd2b84983d7c7c34befc467554581d933bf2b16927adcc48e
Instruction ID: c6a6985907931367bd74c9483c33c70bf9f613065cbb9e3d4026d047182b0f10
Opcode Fuzzy Hash: e370e3ab62e51e4cd2b84983d7c7c34befc467554581d933bf2b16927adcc48e
Instruction Fuzzy Hash: 2E21E4B1E056189FEB58CF6BD84439EBAF7AFC9300F04C06AD448AA254EB750945CF41

Function 063536A9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107295810.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6350000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b791e8170ce56af0d5f46221a6b8466f900691cf3af60b70cc6b58068ab45760
Instruction ID: dd4da30328cdd6a130c66e3837462a19fe87bbbf6c1ab087d2e9a026a28feb03
Opcode Fuzzy Hash: b791e8170ce56af0d5f46221a6b8466f900691cf3af60b70cc6b58068ab45760
Instruction Fuzzy Hash: 4711E13185A2A49FC762CEB0AD04983BFB8AB06640B11099AE442F7011EA255A12C7E1

Function 06282D97 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106679184.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6280000_Roahhi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714b5a909245a5016e4be48595c161225f4a734248d0b55ac848777f1e96e56a
Instruction ID: e71f1fde3ccf38aaabb4812ec543a51a2744c438ccda70f62858cff169f283e7
Opcode Fuzzy Hash: 714b5a909245a5016e4be48595c161225f4a734248d0b55ac848777f1e96e56a
Instruction Fuzzy Hash: D1B0123E10951B4BC2AD590C8C4C5C97304D7292C2B0585B4E54C4F91BD2944D1BDAD0

Function 061170C8 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

4']q, xrefs: 0611719A
paq, xrefs: 0611721F
4']q, xrefs: 0611714C
4']q, xrefs: 06117212
(aq, xrefs: 06117292
4']q, xrefs: 0611717C

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: (aq$4']q$4']q$4']q$4']q$paq
API String ID: 0-463314800
Opcode ID: ec89c21dc9f6a4142ed63f26153a7ce7d0f385898a785a52a47e7440341cdc8a
Instruction ID: 5fac27e26b08e0a7c5c551f05079e5216c77c1b1d575dcd306ec43e97c2e3964
Opcode Fuzzy Hash: ec89c21dc9f6a4142ed63f26153a7ce7d0f385898a785a52a47e7440341cdc8a
Instruction Fuzzy Hash: F6D18C32A00215DFCB49CFA4D844E9ABBB6FF48310F0644A8E609AF276D735ED55DB90

Function 0611DF10 Relevance: 5.2, Strings: 4, Instructions: 194COMMON

Download Yara Rule

Strings

(_]q, xrefs: 0611E5BD
(_]q, xrefs: 0611E603
(_]q, xrefs: 0611E639
(_]q, xrefs: 0611E5B3

Memory Dump Source

Source File: 00000000.00000002.2106509385.0000000006110000.00000040.00000800.00020000.00000000.sdmp, Offset: 06110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6110000_Roahhi.jbxd

Similarity

API ID:
String ID: (_]q$(_]q$(_]q$(_]q
API String ID: 0-2651352888
Opcode ID: 72a5d226a8577286a8c33e7afa58200faed00106021edb8c53f28561b600535c
Instruction ID: 7e400a86620b4d7b7f17535018bf30e88b0c62edd44888170a2dbec0af890632
Opcode Fuzzy Hash: 72a5d226a8577286a8c33e7afa58200faed00106021edb8c53f28561b600535c
Instruction Fuzzy Hash: EA61E175A002018FC7449FB8C8959AE7BF2EF89304B1449BDE8469B352EB35DC82CB91

Function 06335102 Relevance: 5.0, Strings: 4, Instructions: 37COMMON

Download Yara Rule

Strings

L, xrefs: 06335112
U, xrefs: 06333C67
^, xrefs: 06333C38
/, xrefs: 06335141

Memory Dump Source

Source File: 00000000.00000002.2107173504.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6330000_Roahhi.jbxd

Similarity

API ID:
String ID: /$L$U$^
API String ID: 0-2646289668
Opcode ID: 7d82bf87a8287d31d31f32cde8b40dbca6e0222f8d9a0ae85aaed224b3b89e1f
Instruction ID: cd0bab9b71a33b71d69bb45c86a7803f0e18e85e9e07ea76099ebd7a263415e7
Opcode Fuzzy Hash: 7d82bf87a8287d31d31f32cde8b40dbca6e0222f8d9a0ae85aaed224b3b89e1f
Instruction Fuzzy Hash: 2E110374C4026A8FDBA89F24C888BE9BBF4BF05305F4094E5C419A7641DB701AC8DF81

Analysis Process: InstallUtil.exePID: 5168, Parent PID: 1028COMMON

Executed Functions

Function 02721EB3 Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0272203E
lLA, xrefs: 02722032

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID: Te]q$lLA
API String ID: 0-719906915
Opcode ID: 09f2522b95a003778c50a0f62652d911532f6142a671062f8aad132ef740efe7
Instruction ID: 9f1fc072fb4a60154e42a9610f57117bb3e3b45a7bad32d54ed16e04eb1b35b8
Opcode Fuzzy Hash: 09f2522b95a003778c50a0f62652d911532f6142a671062f8aad132ef740efe7
Instruction Fuzzy Hash: CDA1B234A04114CFCB14DF68D888BAA7BF2FF89311F6584A5D90ADB366CB719C89CB51

Function 02722538 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

Ddq, xrefs: 027225C7

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID: Ddq
API String ID: 0-562783569
Opcode ID: bd9f297e02b50b4cb553f57958b1af2c2e91ed4e208fd4bf0ef93943db30ffa8
Instruction ID: 325fb3a192754d9bb25d4e9ede61659856f644aa33ae4af5ac854346cf6ef1df
Opcode Fuzzy Hash: bd9f297e02b50b4cb553f57958b1af2c2e91ed4e208fd4bf0ef93943db30ffa8
Instruction Fuzzy Hash: 9DA19E35A006109FCB15EF69D594A5DBBF6FF88710F118169E809EB3A6DB31EC05CB90

Function 02722529 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

Ddq, xrefs: 027225C7

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID: Ddq
API String ID: 0-562783569
Opcode ID: c4373be297a8dc794181502e11ced76b747e367a3cc8b0fc823c4208b6e57395
Instruction ID: 323ec85f80248c2654c2d1e1e9e4708c9f2a31ed08c0310fac02f58f286520dd
Opcode Fuzzy Hash: c4373be297a8dc794181502e11ced76b747e367a3cc8b0fc823c4208b6e57395
Instruction Fuzzy Hash: A6718E35A006209FCB14EF29D594A59BBF2FF88714B1581A9D809EB3B6DB30ED45CF90

Function 02721B51 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f4655f51238c1c14b393ab3b6ebe2734f32dbe3fb2cd91d5ba3097e8500f3e
Instruction ID: 7d4f26942c516cc1d347cabd2f9e30a1de3784d7803a627a53d8b92726ba1650
Opcode Fuzzy Hash: 39f4655f51238c1c14b393ab3b6ebe2734f32dbe3fb2cd91d5ba3097e8500f3e
Instruction Fuzzy Hash: 58519E34B04114CFD714DF29D948BAA7BF2FB88310F558079D00AAB3AADB359C89DB50

Function 02721B30 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ce609e41d1c4a6586341a47e47b0f65809e7c02102b9b381a74b05731b7958
Instruction ID: b0d651e2a6d2413703e13baadb4e6caf452c202bffa604a4ad81a7c126a70f07
Opcode Fuzzy Hash: 76ce609e41d1c4a6586341a47e47b0f65809e7c02102b9b381a74b05731b7958
Instruction Fuzzy Hash: 0A519C38B05110CFD715DF29D898BA97BF2FB89305F5580B9D00AAB366EB359C89DB10

Function 02721B60 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23132080c561dc49b56356648feacb8700292bb27dc3e8834082473b4834f7e
Instruction ID: cca8abf3a3654d701add3e24c72a58a073d6bbf195a07967fdb64b116f1a33b8
Opcode Fuzzy Hash: b23132080c561dc49b56356648feacb8700292bb27dc3e8834082473b4834f7e
Instruction Fuzzy Hash: 76519C38B00114CFD714DF29D948BAA7BF6FB88300F548079D00AAB3AADB759C89DB50

Function 02721A40 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5beb137f10c337d35a5788b68f8438b17babb12a92e99d536b0133e6bd4da4
Instruction ID: dc997171c149c4af69a07877bf8b4f343eedf91e93628dc614feae37e0b37313
Opcode Fuzzy Hash: 2f5beb137f10c337d35a5788b68f8438b17babb12a92e99d536b0133e6bd4da4
Instruction Fuzzy Hash: AF21E970D09384AFC706DF68D86968CBFB1AF46200F5580EBC448DB2A3D7785A48CB66

Function 027259D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa77d0dd2a12a566d407354a785e1cb9462d908a617597accb7738d568fb0ee
Instruction ID: 5174e593556f6d65b6e915a3140badd97b4ee29b414086e4e2db210d77cc6be0
Opcode Fuzzy Hash: 3aa77d0dd2a12a566d407354a785e1cb9462d908a617597accb7738d568fb0ee
Instruction Fuzzy Hash: 29216F30919244DFDB44DFA8D48A35DBFF1FB49304F5580AAC405E7651E7744A8CCB65

Function 027259E0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2125cc422542050cc5be27a3146505c80a0df126a012770db83a23b7c9018b6
Instruction ID: 508c92425d26a4451a1d23a38d1842f83aa5235994e5f1493e0b912ce08d4686
Opcode Fuzzy Hash: f2125cc422542050cc5be27a3146505c80a0df126a012770db83a23b7c9018b6
Instruction Fuzzy Hash: 12116A30918248DBEB44DFA9C08935DBBF1EB48304F9580AAC409E7641EB748A8CCB65

Function 02721A88 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265d71a1757cbca8be0fb1c07d53d6360c9f09ced6f0f1e7594aaed2f059a3ba
Instruction ID: 9d0b9655638e39d27796002a27072b9fd2149d00e1e3cbf806ecfa7c29232eb5
Opcode Fuzzy Hash: 265d71a1757cbca8be0fb1c07d53d6360c9f09ced6f0f1e7594aaed2f059a3ba
Instruction Fuzzy Hash: 1A111770D04208EFDB44EFA9D58579CBBF1FB84304FA081AAD408A7256E7755A88CF94

Function 02720931 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fcdd8b6d9bd15bbd13a4d6886d94a48ba3acba415977f00d1e4d7163da43bd
Instruction ID: 849ffa88b0b536274cc45ea93dc7dc49c1fd5c2f73d20b5c9f2e2107c1a18712
Opcode Fuzzy Hash: 01fcdd8b6d9bd15bbd13a4d6886d94a48ba3acba415977f00d1e4d7163da43bd
Instruction Fuzzy Hash: 8A01AF3150D3D48FD7039B6898186553FB1AF4B300F0A40FBD8CADB2A3D6295819CB72

Function 02721E29 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d696ac82edd9a60ef40397c89e4973bb00c7b819b61d367167038ce64b401c1
Instruction ID: ce86c47150c081574020119a1108d7d61689e0bbeba17546b7380fd4b6ade2df
Opcode Fuzzy Hash: 0d696ac82edd9a60ef40397c89e4973bb00c7b819b61d367167038ce64b401c1
Instruction Fuzzy Hash: FEF065343443548FC305AF7DE559A953FF5EF4922031500FAE049CB365CA259C02CF62

Function 02721E77 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ae0f2889575ac68419feb7d67e18ee8f5bed09ae342c28f0c240455fda74e1
Instruction ID: 48cd622e7fb579933f25792a7a027c5afaea81f9eb1ae806689f72c141f9b39f
Opcode Fuzzy Hash: 24ae0f2889575ac68419feb7d67e18ee8f5bed09ae342c28f0c240455fda74e1
Instruction Fuzzy Hash: 3FE086357083449FC7016B74A81C4997FE59F4A22470104E7E486CB332DA348C01CBB6

Function 02721E88 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90ed3c6b6f136ab8eefc9ad2a3f0a5a313bc8d54d4aecf4c479522d6c46fd16
Instruction ID: e929fdf4c9a0e3a1f215ecc4df2661a1d93493bd55d7dd57198033e52276898d
Opcode Fuzzy Hash: c90ed3c6b6f136ab8eefc9ad2a3f0a5a313bc8d54d4aecf4c479522d6c46fd16
Instruction Fuzzy Hash: F3D0C9357143148FCB00ABB9E80C8597BE9AF8966534000A6F90ACB331EE359C018BF6

Function 02721DA1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8680dbad89a54f8980dc8fdd16bd9b5fd5ac60880f6c4368b535548c3fe535
Instruction ID: cc424b2e708c7445477cc19455079ab7eaa6be833c769671390e51018b3e7c27
Opcode Fuzzy Hash: eb8680dbad89a54f8980dc8fdd16bd9b5fd5ac60880f6c4368b535548c3fe535
Instruction Fuzzy Hash: 56D0176020E3C10FDF0B5BB818795483FA28E5331070A01EFC081CB2E7C88C041A8732

Function 02722E30 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44980a94756bd02684ae71e40c029f67f05e168e7f4de76cbfe6b946c595c308
Instruction ID: bccd097dadccfbd481b3881812596c1a50aa157e934af56f9792447dd5be4941
Opcode Fuzzy Hash: 44980a94756bd02684ae71e40c029f67f05e168e7f4de76cbfe6b946c595c308
Instruction Fuzzy Hash: 03C01230A14208EFDF046B90E801A6C7A32EB48300F000025F802A23A0CA218C11AB20

Function 0272D5A0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf696581669a2ea355d49b79eb61c8115ed13345bc1906c677be14177bce801c
Instruction ID: 2824695637ee9f6930201bc2b2a4f7435cd7f2735c91a654202c4b7298365f7d
Opcode Fuzzy Hash: cf696581669a2ea355d49b79eb61c8115ed13345bc1906c677be14177bce801c
Instruction Fuzzy Hash: E0A022300C2B0C82820A32B23008820338C8C0022A3C000B8C20C08A220833E0A088C0

Function 02720960 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3314961702.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2720000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0524685235f9640964bbe6b220038b985fca6d47f7ff7e88139adc4b7a10e440
Instruction ID: e0efc18644b9ede4d25baecce34cbfad4e0f1dfb5dd875efab0a2a5152519e8b
Opcode Fuzzy Hash: 0524685235f9640964bbe6b220038b985fca6d47f7ff7e88139adc4b7a10e440
Instruction Fuzzy Hash: D490023504470C8B45506795B909995779C95445257800052A50D816125E55641145A5

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Roahhi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\IsClosed.exe

C:\Users\user\AppData\Roaming\IsClosed.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
Roahhi.exe

Function 05824D28 Relevance: 3.8, Strings: 2, Instructions: 1335
COMMON

Function 06352038 Relevance: 3.1, Strings: 2, Instructions: 610
COMMON

Function 06352028 Relevance: 2.7, Strings: 2, Instructions: 196
COMMON

Function 06115E00 Relevance: 4.2, Strings: 3, Instructions: 478
COMMON

Function 06117AC0 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Function 0611C4A0 Relevance: 4.1, Strings: 3, Instructions: 356
COMMON

Function 061158B8 Relevance: 2.8, Strings: 2, Instructions: 341
COMMON

Function 06111930 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Function 061189A0 Relevance: 1.9, Strings: 1, Instructions: 677
COMMON

Function 06112EE0 Relevance: 1.8, Strings: 1, Instructions: 534
COMMON