Edit tour

Windows Analysis Report
mdWXrbOxsY.exe

Overview

General Information

Sample name:	mdWXrbOxsY.exe renamed because original name is a hash value
Original sample name:	51b0ed6b4908a21e5cc1d9ec7c046040.exe
Analysis ID:	1428421
MD5:	51b0ed6b4908a21e5cc1d9ec7c046040
SHA1:	d874f6da7327b2f1b3ace5e66bc763c557ac382e
SHA256:	4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d
Tags:	32exetrojan
Infos:

Detection

Xehook Stealer

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Xehook Stealer

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

mdWXrbOxsY.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\mdWXrbOxsY.exe" MD5: 51B0ED6B4908A21E5CC1D9EC7C046040)

conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2076 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: mdWXrbOxsY.exe PID: 6932	JoeSecurity_xehookStealer	Yara detected Xehook Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6640	JoeSecurity_xehookStealer	Yara detected Xehook Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mdWXrbOxsY.exe

ReversingLabs: Detection: 75%

Machine Learning detection for sample

Source: mdWXrbOxsY.exe

Joe Sandbox ML: detected

Source: mdWXrbOxsY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.169.128:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: mdWXrbOxsY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: 0_2_00A6A223 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00A6A223

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: unotree.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getjson.php?id=88 HTTP/1.1Host: unotree.ru
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

DNS query: name: ip-api.com

Source: unknown

HTTPS traffic detected: 172.67.169.128:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: unotree.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getjson.php?id=88 HTTP/1.1Host: unotree.ru
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: unotree.ru

Source: mdWXrbOxsY.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mdWXrbOxsY.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: mdWXrbOxsY.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: mdWXrbOxsY.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mdWXrbOxsY.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.1836943376.0000000006330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mF
Source: mdWXrbOxsY.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mdWXrbOxsY.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: mdWXrbOxsY.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: mdWXrbOxsY.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mdWXrbOxsY.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: mdWXrbOxsY.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: mdWXrbOxsY.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=11827
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: mdWXrbOxsY.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: mdWXrbOxsY.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: mdWXrbOxsY.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: mdWXrbOxsY.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: mdWXrbOxsY.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.1836259380.000000000318A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unotree.ru
Source: mdWXrbOxsY.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1836259380.0000000003111000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://aiwhcpoaw.ru/
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/xehook
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003179000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1836259380.00000000031CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://unotree.ru
Source: mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1836259380.0000000003111000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://unotree.ru/
Source: RegAsm.exe, 00000003.00000002.1836259380.00000000031CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://unotree.ru/getjson.php?id=88
Source: mdWXrbOxsY.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A61040	0_2_00A61040
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A658CE	0_2_00A658CE
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A72C10	0_2_00A72C10
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A689AF	0_2_00A689AF
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A6DAB0	0_2_00A6DAB0
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A6DF38	0_2_00A6DF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02EF64E0	3_2_02EF64E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02EF6DB0	3_2_02EF6DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02EF6198	3_2_02EF6198

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: String function: 00A61F30 appears 35 times

Source: mdWXrbOxsY.exe

Static PE information: invalid certificate

Source: mdWXrbOxsY.exe	Binary or memory string: OriginalFilename vs mdWXrbOxsY.exe
Source: mdWXrbOxsY.exe, 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexehook.exe" vs mdWXrbOxsY.exe

Source: mdWXrbOxsY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@6/1@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03

Source: mdWXrbOxsY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mdWXrbOxsY.exe

ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\mdWXrbOxsY.exe "C:\Users\user\Desktop\mdWXrbOxsY.exe"
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: mdWXrbOxsY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mdWXrbOxsY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mdWXrbOxsY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mdWXrbOxsY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mdWXrbOxsY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mdWXrbOxsY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mdWXrbOxsY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: mdWXrbOxsY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: mdWXrbOxsY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mdWXrbOxsY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mdWXrbOxsY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mdWXrbOxsY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mdWXrbOxsY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: 0_2_00A73344 push ecx; ret

0_2_00A73357

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window / User API: threadDelayed 1793

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3720	Thread sleep count: 1793 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3488	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5816	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: 0_2_00A6A223 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00A6A223

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegAsm.exe, 00000003.00000002.1835499855.00000000012E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox.dllNONE

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: 0_2_00A61D08 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A61D08

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A6B79B mov eax, dword ptr fs:[00000030h]		0_2_00A6B79B
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A66FF9 mov ecx, dword ptr fs:[00000030h]		0_2_00A66FF9

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: 0_2_00A6C211 GetProcessHeap,

0_2_00A6C211

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A6187D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A6187D
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A61D08 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A61D08
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A61E64 SetUnhandledExceptionFilter,	0_2_00A61E64
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Code function: 0_2_00A6636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A6636B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: 0_2_00A91C7D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_00A91C7D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 418000	Jump to behavior
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EA2008	Jump to behavior

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\mdWXrbOxsY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: 0_2_00A61F75 cpuid

0_2_00A61F75

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\mdWXrbOxsY.exe

Code function: 0_2_00A61BF5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A61BF5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Xehook Stealer

Source: Yara match	File source: Process Memory Space: mdWXrbOxsY.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6640, type: MEMORYSTR

Remote Access Functionality

Yara detected Xehook Stealer

Source: Yara match	File source: Process Memory Space: mdWXrbOxsY.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6640, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mdWXrbOxsY.exe	75%	ReversingLabs	Win32.Trojan.Znyonm
mdWXrbOxsY.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
unotree.ru	172.67.169.128	true	false		unknown
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
https://unotree.ru/	false	unknown
https://unotree.ru/getjson.php?id=88	false	unknown
http://ip-api.com/line/?fields=hosting	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://t.me/xehook	mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://unotree.ru	RegAsm.exe, 00000003.00000002.1836259380.000000000318A000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://aiwhcpoaw.ru/	mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1836259380.0000000003111000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000003.00000002.1836259380.0000000003179000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.mF	RegAsm.exe, 00000003.00000002.1836943376.0000000006330000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ip-api.com/json/?fields=11827	mdWXrbOxsY.exe, mdWXrbOxsY.exe, 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.1835305839.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://unotree.ru	RegAsm.exe, 00000003.00000002.1836259380.0000000003179000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1836259380.00000000031CD000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://ip-api.com	RegAsm.exe, 00000003.00000002.1836259380.0000000003247000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
172.67.169.128	unotree.ru	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428421
Start date and time:	2024-04-18 22:52:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mdWXrbOxsY.exe renamed because original name is a hash value
Original Sample Name:	51b0ed6b4908a21e5cc1d9ec7c046040.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@6/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 31 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target RegAsm.exe, PID 6640 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: mdWXrbOxsY.exe

Simulations

Behavior and APIs

Time	Type	Description
22:53:10	API Interceptor	11x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	transferencia_BBVA_97866456345354678976543425678.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SHIPPING DOCUMENTS_PDF..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=query,status,countryCode,city,timezone
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=query,status,countryCode,city,timezone
	xmrhZ7VhlJjD.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	TransactionSummary_910020049836765_110424045239.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
172.67.169.128	99Rv0CX3IN.exe	Get hash	malicious	FormBook	Browse	www.sdrsg.top/hs94/?Xtu0F8pX=3yAAkKMFYss6bhJ/eePpeET7tCe9FhXs4BAzFDlSz0EGpOZkeED3iMDFL4Afpyqnhw9lZkfkBQ==&_jlXP=ZdmdX8opyj

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
unotree.ru	Hj8wbvoT1k.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.54.236
	Hj8wbvoT1k.exe	Get hash	malicious	Xehook Stealer	Browse	172.67.169.128
	PEE1tTQcx4.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.54.236
	Ghost Loader 8.7.1.exe	Get hash	malicious	PureLog Stealer, Xehook Stealer	Browse	104.21.54.236
	file.exe	Get hash	malicious	SmokeLoader, Xehook Stealer	Browse	172.67.169.128
ip-api.com	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	transferencia_BBVA_97866456345354678976543425678.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SHIPPING DOCUMENTS_PDF..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	208.95.112.1
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	208.95.112.1
	xmrhZ7VhlJjD.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	TransactionSummary_910020049836765_110424045239.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://wzxqi.theknittingdoula.com/ghoopuh/lopwiuiye	Get hash	malicious	HTMLPhisher	Browse	104.21.71.20
	KZWCMNWmmqi9lvI.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	DOCUMENTS OF OWNERSHIP AND PAYMENT REQUIREMENTS.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	wFtZih4nN9.elf	Get hash	malicious	Mirai	Browse	104.28.24.146
	https://nwcchicago-my.sharepoint.com/:b:/p/jpsanavaitis/EZA36vHeUQxCnJ96O418g94BWiWpCx4SyNTLHION5X1T7g?e=N00DO7	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FBigge/aDRmd79087aDRmd79087aDRmd/ZHN3ZWF6YUBiaWdnZS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	172.67.206.230
TUT-ASUS	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	transferencia_BBVA_97866456345354678976543425678.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SHIPPING DOCUMENTS_PDF..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	208.95.112.1
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	208.95.112.1
	xmrhZ7VhlJjD.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	TransactionSummary_910020049836765_110424045239.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	M0uVrW4HJb.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.169.128
	Hj8wbvoT1k.exe	Get hash	malicious	Xehook Stealer	Browse	172.67.169.128
	Hj8wbvoT1k.exe	Get hash	malicious	Xehook Stealer	Browse	172.67.169.128
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.128
	Request For Quotation.exe	Get hash	malicious	PureLog Stealer	Browse	172.67.169.128
	Request For Quotation.exe	Get hash	malicious	PureLog Stealer	Browse	172.67.169.128
	PEE1tTQcx4.exe	Get hash	malicious	Xehook Stealer	Browse	172.67.169.128
	SecuriteInfo.com.FileRepPup.2542.22578.exe	Get hash	malicious	Unknown	Browse	172.67.169.128
	SecuriteInfo.com.FileRepMalware.1286.7375.exe	Get hash	malicious	Unknown	Browse	172.67.169.128
	SecuriteInfo.com.FileRepMalware.1286.7375.exe	Get hash	malicious	Unknown	Browse	172.67.169.128

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	5.3458720040787515
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhIE4KnKIE4oKNzKoZAE4KzeosXE4qdKm:MxHKlYHKh3oIHKntHo6hAHKzePHA
MD5:	C646C30644D2229016DFAB3E9EAE4F00
SHA1:	A7715298F1AB001361AD6E0FA5C3FA06BF7BAB74
SHA-256:	053C89344DED8FB71CBB38E5B56E9128B3E06A6177AA0BA89E4F1735D7E84366
SHA-512:	174C65C1504F4E16D261E1B1E3798676833283AFF2F6B166BE7D57F76AF38404888CE1A7AF27B8B564AD898F63720458EF30B233409F6BF749488AEA6C7F27C5
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, Pu

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.4188328050455254
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mdWXrbOxsY.exe
File size:	215'152 bytes
MD5:	51b0ed6b4908a21e5cc1d9ec7c046040
SHA1:	d874f6da7327b2f1b3ace5e66bc763c557ac382e
SHA256:	4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d
SHA512:	48ec96b209d7061a1276496feb250cf183891b950465d3a916c999aa1efc1c8831b068ce0fce4ce21d09677f945b3d816ed4040146462a0ce0845318041586a2
SSDEEP:	6144:gQtdqzqv7rArb/LoEyavuW6uqQqNW14pv:gQtdqWk/LDmQqQqK4pv
TLSH:	0F24D00275C1C472E9B62D391460DBB65E3EFC340F6499EB235856BA4F303C29629E7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.N.-.N.-.N.-.....D.-...(...-...).Z.-..$(.h.-..$).\.-..$..\.-...,.K.-.N.,...-..'$.O.-..'..O.-..'/.O.-.RichN.-................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401873
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x662020C5 [Wed Apr 17 19:19:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	82004e1f718cc406824f64c2578845d6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	08/10/2020 01:00:00 12/10/2023 13:00:00
Subject Chain	CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
Version:	3
Thumbprint MD5:	332CDC164B1324C3FF3F64E228C5FFFC
Thumbprint SHA-1:	CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13
Thumbprint SHA-256:	531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943
Serial:	0C9838F673F9B1CCE395CFAB2B6684E4

Entrypoint Preview

Instruction
call 00007F6739332C1Fh
jmp 00007F67393326C9h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00414020h]
push dword ptr [ebp+08h]
call dword ptr [0041401Ch]
push C0000409h
call dword ptr [00414024h]
push eax
call dword ptr [00414028h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0041402Ch]
test eax, eax
je 00007F6739332857h
push 00000002h
pop ecx
int 29h
mov dword ptr [00432118h], eax
mov dword ptr [00432114h], ecx
mov dword ptr [00432110h], edx
mov dword ptr [0043210Ch], ebx
mov dword ptr [00432108h], esi
mov dword ptr [00432104h], edi
mov word ptr [00432130h], ss
mov word ptr [00432124h], cs
mov word ptr [00432100h], ds
mov word ptr [004320FCh], es
mov word ptr [004320F8h], fs
mov word ptr [004320F4h], gs
pushfd
pop dword ptr [00432128h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043211Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00432120h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043212Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00432068h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a444	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x32200	0x2670
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x34000	0x1024	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x19990	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x198d0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x14000	0x128	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12a5e	0x12c00	f6ccadd9ff87e1a997e6b45145621f49	False	0.6113151041666667	COM executable for DOS	6.648723080106595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x14000	0x6aec	0x6c00	61dc35e7cd6c6a53effc6b7024d883ec	False	0.4721137152777778	data	5.155468083915453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x17a44	0x17200	310378bb2024d62e7652078329c328fe	False	0.9713999155405405	data	7.951005189964415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33000	0x1e0	0x200	7d123d6987b6fa0f191e9ee2fb0d9484	False	0.52734375	data	4.7113407225994175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x34000	0x1024	0x1200	52f90ef0453ffd330c5d98a658b368d0	False	0.7083333333333334	data	6.223288107692463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x33060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

GDI32.dll

OffsetRgn

KERNEL32.dll

VirtualProtect, WaitForSingleObject, CloseHandle, FreeConsole, CreateThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, HeapSize, HeapReAlloc, CreateFileW, DecodePointer

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 22:53:11.064599037 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:11.064697027 CEST	443	49731	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:11.064811945 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:11.077316046 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:11.077358007 CEST	443	49731	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:11.305000067 CEST	443	49731	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:11.305114985 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:11.312829971 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:11.312880039 CEST	443	49731	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:11.313322067 CEST	443	49731	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:11.364798069 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:11.610054016 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:11.656131983 CEST	443	49731	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:11.993846893 CEST	443	49731	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:11.993983030 CEST	443	49731	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:11.994057894 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:12.005104065 CEST	49731	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:12.009016991 CEST	49732	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:12.009061098 CEST	443	49732	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:12.009143114 CEST	49732	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:12.009417057 CEST	49732	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:12.009434938 CEST	443	49732	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:12.234766006 CEST	443	49732	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:12.236896992 CEST	49732	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:12.236929893 CEST	443	49732	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:12.743427038 CEST	443	49732	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:12.743923903 CEST	443	49732	172.67.169.128	192.168.2.4
Apr 18, 2024 22:53:12.744018078 CEST	49732	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:12.744556904 CEST	49732	443	192.168.2.4	172.67.169.128
Apr 18, 2024 22:53:12.918029070 CEST	49733	80	192.168.2.4	208.95.112.1
Apr 18, 2024 22:53:13.034010887 CEST	80	49733	208.95.112.1	192.168.2.4
Apr 18, 2024 22:53:13.034187078 CEST	49733	80	192.168.2.4	208.95.112.1
Apr 18, 2024 22:53:13.034480095 CEST	49733	80	192.168.2.4	208.95.112.1
Apr 18, 2024 22:53:13.154808998 CEST	80	49733	208.95.112.1	192.168.2.4
Apr 18, 2024 22:53:13.165008068 CEST	49733	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 22:53:10.740794897 CEST	51029	53	192.168.2.4	1.1.1.1
Apr 18, 2024 22:53:11.057687044 CEST	53	51029	1.1.1.1	192.168.2.4
Apr 18, 2024 22:53:12.811954021 CEST	59653	53	192.168.2.4	1.1.1.1
Apr 18, 2024 22:53:12.916814089 CEST	53	59653	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 22:53:10.740794897 CEST	192.168.2.4	1.1.1.1	0xd0c7	Standard query (0)	unotree.ru	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:53:12.811954021 CEST	192.168.2.4	1.1.1.1	0x9186	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 22:53:11.057687044 CEST	1.1.1.1	192.168.2.4	0xd0c7	No error (0)	unotree.ru	172.67.169.128	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:53:11.057687044 CEST	1.1.1.1	192.168.2.4	0xd0c7	No error (0)	unotree.ru	104.21.54.236	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:53:12.916814089 CEST	1.1.1.1	192.168.2.4	0x9186	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

unotree.ru

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	208.95.112.1	80	6640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Apr 18, 2024 22:53:13.034480095 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 18, 2024 22:53:13.154808998 CEST	174	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 20:53:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.169.128	443	6640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 20:53:11 UTC	60	OUT	GET / HTTP/1.1 Host: unotree.ru Connection: Keep-Alive
2024-04-18 20:53:11 UTC	625	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 20:53:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Wed, 17 Jan 2024 08:02:34 GMT Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m4OPjG2utPdNWvC4%2BveC4f5NLn3E8rBytqRi%2BzYXN%2FR1CzWVqo0eO81W62es%2FZRe9u%2BMEksoh6WQDAb%2F1d5GmDGUvfuzeIspiKPICwBFUQL4l464gCnTcr2F6%2BIX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87678afbedaaadc9-ATL alt-svc: h3=":443"; ma=86400
2024-04-18 20:53:11 UTC	15	IN	Data Raw: 61 0d 0a 69 6e 64 65 78 2e 68 74 6d 6c 0d 0a Data Ascii: aindex.html
2024-04-18 20:53:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	172.67.169.128	443	6640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 20:53:12 UTC	53	OUT	GET /getjson.php?id=88 HTTP/1.1 Host: unotree.ru
2024-04-18 20:53:12 UTC	583	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 20:53:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JDIdvKDiouO3diDNfAH13VGszvSk5YX8qESAViUILh1W%2BYfVAvxmzGpNchbwwlPZC91C8L4ooMWCYBig0ceMce3GsXtdMYI6P271cLBWuFTlzcXHjW4uhqYDsTTA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87678b00bbb0674b-ATL alt-svc: h3=":443"; ma=86400
2024-04-18 20:53:12 UTC	335	IN	Data Raw: 31 34 38 0d 0a 7b 0d 0a 09 22 64 65 62 75 67 22 3a 20 22 30 22 2c 0d 0a 09 22 65 6d 75 6c 61 74 65 22 3a 20 22 30 22 2c 0d 0a 09 22 76 69 72 74 75 61 6c 62 6f 78 22 3a 20 22 31 22 2c 0d 0a 09 22 76 69 72 75 73 74 6f 74 61 6c 22 3a 20 22 31 22 2c 0d 0a 09 22 65 72 72 6f 72 22 3a 20 22 30 22 2c 0d 0a 09 22 65 72 72 6f 72 6e 61 6d 65 22 3a 20 22 4e 4f 4e 45 22 2c 0d 0a 09 22 65 72 72 74 65 78 74 62 6f 78 22 3a 20 22 4e 4f 4e 45 22 2c 0d 0a 09 22 63 6f 6d 70 65 74 69 74 6f 72 22 3a 20 22 30 22 2c 0d 0a 09 22 73 65 6c 66 6d 65 6c 66 22 3a 20 22 30 22 2c 0d 0a 09 22 64 6f 6d 61 69 6e 64 65 74 65 63 74 22 3a 20 22 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 3b 6c 69 6e 6b 65 64 69 6e 2e 63 6f 6d 3b 74 77 69 74 74 65 72 2e 63 6f 6d 22 2c 0d 0a 09 22 66 69 6c 65 78 74 22 Data Ascii: 148{"debug": "0","emulate": "0","virtualbox": "1","virustotal": "1","error": "0","errorname": "NONE","errtextbox": "NONE","competitor": "0","selfmelf": "0","domaindetect": "facebook.com;linkedin.com;twitter.com","filext"
2024-04-18 20:53:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	22:53:09
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\mdWXrbOxsY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mdWXrbOxsY.exe"
Imagebase:	0xa60000
File size:	215'152 bytes
MD5 hash:	51B0ED6B4908A21E5CC1D9EC7C046040
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:53:09
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:53:09
Start date:	18/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x260000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:53:09
Start date:	18/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd70000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	4.6%
Total number of Nodes:	1446
Total number of Limit Nodes:	25

Executed Functions

Function 00A91C7D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00A91DEC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00A91DFF
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00A91E1D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A91E41
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00A91E6C
TerminateProcess.KERNELBASE(?,00000000), ref: 00A91E8B
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 00A91EC4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 00A91F0F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A91F4D
Wow64SetThreadContext.KERNEL32(?,?), ref: 00A91F89
ResumeThread.KERNELBASE(?), ref: 00A91F98

Strings

GetP, xrefs: 00A91CFF
ress, xrefs: 00A91D07
aryA, xrefs: 00A91CC3
Load, xrefs: 00A91CBB

Memory Dump Source

Source File: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: GetP$Load$aryA$ress
API String ID: 2440066154-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 22f75ff730e6f4b060e6e2ef8288f678888291d98d3af143d4429c23ccc79382
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 2EB1D57664028AAFDB60CF68CC80BDA77E5FF88714F158524EA08AB341D774FA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 00A61040 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 443
memorysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00A91AF0,000004AC,00000040,?), ref: 00A613D2
FreeConsole.KERNEL32 ref: 00A613D8
OffsetRgn.GDI32(00000000,00000000,00000000), ref: 00A6154A
CreateThread.KERNELBASE(00000000,00000000,Function_00031C78,00A7B8F0,00000000,?), ref: 00A615DE
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A615E9
CloseHandle.KERNEL32(00000000), ref: 00A615F0

Strings

C, xrefs: 00A610EB

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: CloseConsoleCreateFreeHandleObjectOffsetProtectSingleThreadVirtualWait
String ID: C
API String ID: 3676713088-1037565863
Opcode ID: d8e3c2cd16a89999e27890720f44ddd1699f9c691888e1299dd1a94eb47b9cc3
Instruction ID: 9c7d5eca350ff6a3c2922120910afebeedcc87af27d7e0dbbd36ba87e18de4f8
Opcode Fuzzy Hash: d8e3c2cd16a89999e27890720f44ddd1699f9c691888e1299dd1a94eb47b9cc3
Instruction Fuzzy Hash: 54D1F02352091A0AF3049B7A8C563F67EB5EF56364F9D4336EEBAD73E2D7280542C244

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B79B Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0a67a22df8ded71e183b6d3aee453c070db472df862139261e9af044e7a5a5
Instruction ID: efd9df761475b4ccb711a17739c0f57e97d6a6f605f204ef833f12e67faa905b
Opcode Fuzzy Hash: 7b0a67a22df8ded71e183b6d3aee453c070db472df862139261e9af044e7a5a5
Instruction Fuzzy Hash: BEE08C32922268EFCB14DB88CA0498AF3FCEB84F40B1104AAB501D3101C770DE40CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A66FF9 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5642aa5a6774b5c0f550719bbd6caf530dee3c6aa7e7309ccfe1a7bc17351e2
Instruction ID: be7095a64f0024af259746ffd3ea5d83961ffba32b65993af9c8c7497e06b786
Opcode Fuzzy Hash: c5642aa5a6774b5c0f550719bbd6caf530dee3c6aa7e7309ccfe1a7bc17351e2
Instruction Fuzzy Hash: 16C08C340219004ACE299A1082717AC3374A3D2796FC0088CC8024B782C61FAD8AE7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A67B11 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00A67C1E,00A680EE,?,00000000,00000000,00000000,?,00A67DF4,00000021,FlsSetValue,00A755C0,00A755C8,00000000), ref: 00A67BD2

Strings

api-ms-, xrefs: 00A67B68
ext-ms-, xrefs: 00A67B7C

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 85491977b6ccfede54e4a6bf4890d6db4fe78329340470aa41fb732f3c8e52ad
Instruction ID: 450bfc94861c2c0276a3166315b126f99edb7c0c5b2a74e3959f7f457b643c90
Opcode Fuzzy Hash: 85491977b6ccfede54e4a6bf4890d6db4fe78329340470aa41fb732f3c8e52ad
Instruction Fuzzy Hash: C6210672A25210BBC721EB61EC45E5E7778EB45768F264160ED1BE7290EB34ED02CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A66F85 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00A670DB,?,00A66F7F,00000000,?,?,00A670DB,63A8B917,?,00A670DB), ref: 00A66F96
TerminateProcess.KERNEL32(00000000,?,00A66F7F,00000000,?,?,00A670DB,63A8B917,?,00A670DB), ref: 00A66F9D
ExitProcess.KERNEL32 ref: 00A66FAF

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 545fd68fee37db251f6112fcffd28d997b063f5c175b2f55543ab04711d95e5b
Instruction ID: e4d8c6abd3d8551bd29ed89306647d4b59018bad4a95a066ebec24314b3c960c
Opcode Fuzzy Hash: 545fd68fee37db251f6112fcffd28d997b063f5c175b2f55543ab04711d95e5b
Instruction Fuzzy Hash: ABD06C32404208AFCF116FA0ED0999A3F2AAA4C752B418020BA098A161CB39D9939A94

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D72D Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A6CE77: GetConsoleOutputCP.KERNEL32(63A8B917,?,00000000,?), ref: 00A6CEDA

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,?,?,00A6825F,?), ref: 00A6D896
GetLastError.KERNEL32(?,?,00A6825F,?,00A680EE,00000000,?,00000000,00A680EE,?,?,?,00A7A1C8,0000002C,00A6815F,?), ref: 00A6D8A0

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 9524725f57b2880d7802f22bcfc7852d010f5652af75a66dc440684e86ae360d
Instruction ID: 62c034518b1f3021ce3c6e59c77c8df063583c0ea240570af2167b8e6119ffa1
Opcode Fuzzy Hash: 9524725f57b2880d7802f22bcfc7852d010f5652af75a66dc440684e86ae360d
Instruction Fuzzy Hash: A361B3B1E00249AFDF15CFA8C988EEEBFB9AF09344F144095E914A7252D731D946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D32F Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,?,00A6D87C,?,?,?,00000000,?,?), ref: 00A6D3CB
GetLastError.KERNEL32(?,00A6D87C,?,?,?,00000000,?,?,?,00000000,?,?,00000000,?,?,00A6825F), ref: 00A6D3F1

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 0cf0c4decee41be97f8efdba87ae0b93766a584f9fed6270a86323107ccc5283
Instruction ID: 853bd03e5ca4ed2ce182609add0c505ef85e2a5d6aa78caf40e7b83d9be72d43
Opcode Fuzzy Hash: 0cf0c4decee41be97f8efdba87ae0b93766a584f9fed6270a86323107ccc5283
Instruction Fuzzy Hash: 94217175B002199BCF15CF6ADD809DDB7B9EB4C341F1480AAEA0ADB311D730DE868B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A68392 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A683DE
GetFileType.KERNELBASE(00000000), ref: 00A683F0

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: e7774f71ed82e3ab2ea2db9ce601092c2cec130f3a77c9f4d6a7f8359e39c8cd
Instruction ID: a2f20c4dc503ddde2adc95bda375c686459192b0baecb29fb59d72903423205b
Opcode Fuzzy Hash: e7774f71ed82e3ab2ea2db9ce601092c2cec130f3a77c9f4d6a7f8359e39c8cd
Instruction Fuzzy Hash: 3F119A715147424AC7308F3E9C8C6227ABDA766370B340719D1B6976F2CF78D887D641

Uniqueness

Uniqueness Score: -1.00%

Function 00A67BDC Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bfdbece0e8b33fe83b9f1a8150fb66ec063faea8e2015f33c5f060d4e2cb41
Instruction ID: 6c31d775e0ff19518e739598aa73741eadd527d0ae6daffe37c340611cb3fc65
Opcode Fuzzy Hash: d0bfdbece0e8b33fe83b9f1a8150fb66ec063faea8e2015f33c5f060d4e2cb41
Instruction Fuzzy Hash: ED01F5333241199FEB16CF69ED40A5E37BABBC43247148120FA15CB194EB31C8529790

Uniqueness

Uniqueness Score: -1.00%

Function 00A684CE Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00A6AC7C,00A680EE,?,00A6AC7C,00000220,?,?,00A680EE), ref: 00A68500

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 06ea4f06da4265ca4f4003583b1153449274696f76d497d02bed158816175a73
Instruction ID: 1ede54bd8cc636873d0c2e33fb9fc77e276dea35b226b5d6dc6552b02e5be9b0
Opcode Fuzzy Hash: 06ea4f06da4265ca4f4003583b1153449274696f76d497d02bed158816175a73
Instruction Fuzzy Hash: 6DE0E53210925167D63137A59C04B9B3ABC9B427B0F090321FC5692091CF1CCC00C6A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A6DF38 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A6E11C

Strings

1#SNAN, xrefs: 00A6E044
1#QNAN, xrefs: 00A6E04B
1#IND, xrefs: 00A6E03D
1#INF, xrefs: 00A6E06E

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b6341bce1862bb7b3a227adbf2c473beafc81228274be55e51287f302c91fece
Instruction ID: 2ef25b28b8bf5a06961b20a934193cf23b4cc5f14468a0a1116f46a478b6eb88
Opcode Fuzzy Hash: b6341bce1862bb7b3a227adbf2c473beafc81228274be55e51287f302c91fece
Instruction Fuzzy Hash: 8CD22976E082288FDB65CF28DD447EAB7B5EB44345F1441EAD40EE7240EB78AE858F41

Uniqueness

Uniqueness Score: -1.00%

Function 00A689AF Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A68A3C

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 2b07b3fb4d2f284f18c26563648069489a7a7ede171d4699298821c16c55e531
Instruction ID: 3000062d89be115f86ab66665444239750fca997a35489c53deddc2b114550af
Opcode Fuzzy Hash: 2b07b3fb4d2f284f18c26563648069489a7a7ede171d4699298821c16c55e531
Instruction Fuzzy Hash: F2B157729052459FDB15CF68C881BFEBBB9EF59340F15836AE905AB341DA3C9D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A223 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00A6A313
FindNextFileW.KERNEL32(00000000,?), ref: 00A6A407
FindClose.KERNEL32(00000000), ref: 00A6A446
FindClose.KERNEL32(00000000), ref: 00A6A479

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: d434a41eac2471c545d9ea7944b766be038bc03dcbead0807c42baeded5f0a34
Instruction ID: 320db752a54451213c8a344f95509d1abecd129c0f4206e5a0e66dff169ce83f
Opcode Fuzzy Hash: d434a41eac2471c545d9ea7944b766be038bc03dcbead0807c42baeded5f0a34
Instruction Fuzzy Hash: 1B71F175844128AFDF21EF78CC9DAEEBBB9EB25300F1481D9E00DA7251DA318E858F11

Uniqueness

Uniqueness Score: -1.00%

Function 00A61D08 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A61D14
IsDebuggerPresent.KERNEL32 ref: 00A61DE0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A61DF9
UnhandledExceptionFilter.KERNEL32(?), ref: 00A61E03

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4deaf1ee986b8f2d2206182a1b3634d8af83f43c505bbe999012385314285865
Instruction ID: ff29d25d6f5e311ed4db9adc2acd93a242c28d843fd32c750ebe0c4d730034e1
Opcode Fuzzy Hash: 4deaf1ee986b8f2d2206182a1b3634d8af83f43c505bbe999012385314285865
Instruction Fuzzy Hash: D631F575D05218DBDB21DFA4DD497CDBBB8BF08300F1041AAE50DAB250EB759A868F45

Uniqueness

Uniqueness Score: -1.00%

Function 00A6636B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00A66463
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A6646D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00A6647A

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 60744417c7a52b5074cf13a84461e8259cd3c1517f330e2859cde515bfc6fe61
Instruction ID: f2dab7a8c354c2a99fe4a201c988e13461d97dc1d7c4e447f667ac290192bca4
Opcode Fuzzy Hash: 60744417c7a52b5074cf13a84461e8259cd3c1517f330e2859cde515bfc6fe61
Instruction Fuzzy Hash: 2631C4749112289BCB21DF68DD8979DBBB8BF08310F5081DAE41CA7251EB749B818F44

Uniqueness

Uniqueness Score: -1.00%

Function 00A6DAB0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7af88f4e99abe7e2ba8ad786fdd64479588621e3e2152c05de48b6c75abf19
Instruction ID: 9519a6d0c8ddc9ab8ec66091cb5d9d226d4df1073dfa7caa07bb15d7ace76a78
Opcode Fuzzy Hash: 7a7af88f4e99abe7e2ba8ad786fdd64479588621e3e2152c05de48b6c75abf19
Instruction Fuzzy Hash: D4F14071E012199FDF14CFA9C980AADBBB1FF88354F158269E815AB384D731AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A72C10 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A72C0B,?,?,00000008,?,?,00A72815,00000000), ref: 00A72E3D

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2d23fd9db3935451f89ecc19f785cdd906e1287c48e6b8b085f3f3234a8598b
Instruction ID: 29c905b0fd2e876f42178200d26613a6a423679da6e0d3ad359ed71d9d5347b0
Opcode Fuzzy Hash: f2d23fd9db3935451f89ecc19f785cdd906e1287c48e6b8b085f3f3234a8598b
Instruction Fuzzy Hash: 76B10A31610609DFD725CF28C88AB657BB1FF45365F29C658E899CF2A2C335E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A61F75 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A61F8B

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8fa0278dfe10b06b08e0d443b46ca60acbb0959c946b46df053bdf1cbd7e885c
Instruction ID: 60f311e0fbc37cdd54e56205f0ad5e3e73306be61e14bb6e4af9ef6fb0d47427
Opcode Fuzzy Hash: 8fa0278dfe10b06b08e0d443b46ca60acbb0959c946b46df053bdf1cbd7e885c
Instruction Fuzzy Hash: 3651CFB1A11609DFDB18CFA8D8857AEBBF4FB48310F10852AD415EB6A0E7799D42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A658CE Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 00A65A58

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3c9fc9105847d94d201f63a7004d26f89d404f9da2d3b2d35c50d2bae5108a39
Instruction ID: 471a8daa86871e0507f83271c52f5851e25349a862f58b3494c6c3da02156ef5
Opcode Fuzzy Hash: 3c9fc9105847d94d201f63a7004d26f89d404f9da2d3b2d35c50d2bae5108a39
Instruction Fuzzy Hash: B5B1C171E00E0ACBCB24CFB8C995ABEB7B5AF15314F24061ED492EB691DB31AD41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A61E64 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001E70,00A616E4), ref: 00A61E69

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e480ea96c097c3c8b82f01002d0b8c8930fd4bfe03fca5813197bb1838821b23
Instruction ID: 9af6d7f85bd537fd465e20aa6ff08e18e88fa83a160565985e49ce67497e8e0c
Opcode Fuzzy Hash: e480ea96c097c3c8b82f01002d0b8c8930fd4bfe03fca5813197bb1838821b23
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C211 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00A6C211

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1d8802b44095d5334652780597fd811a46f2b5aaab14cb654076b107ad7d717a
Instruction ID: 11a270c71f8bd379a1d4be5cc03fe8ac785dd974bb68d1481e9b650afc19f588
Opcode Fuzzy Hash: 1d8802b44095d5334652780597fd811a46f2b5aaab14cb654076b107ad7d717a
Instruction Fuzzy Hash: 19A02230302202CF8300CFF2AE0A30C3AECBB0A2C0300C03AA00AC0A30FF3880838B08

Uniqueness

Uniqueness Score: -1.00%

Function 00A6377B Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00A6389A
___TypeMatch.LIBVCRUNTIME ref: 00A639A8
_UnwindNestedFrames.LIBCMT ref: 00A63AFA
CallUnexpected.LIBVCRUNTIME ref: 00A63B15

Strings

csm, xrefs: 00A638D1
csm, xrefs: 00A63825
csm, xrefs: 00A637B8

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: bc0605f1fcbdf6647011f2632d059e6fa0bbf01d696b41f1291181b4e2831289
Instruction ID: f8dab7048671070c86a9c9c90b48d063fc097f58c4416543b906e0e7625feebb
Opcode Fuzzy Hash: bc0605f1fcbdf6647011f2632d059e6fa0bbf01d696b41f1291181b4e2831289
Instruction Fuzzy Hash: 34B14672C00209EFCF19DFA4CA81AAEBBB5FF14310B14415AE8516B252D772EB52DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7162B Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00A716D1
__alloca_probe_16.LIBCMT ref: 00A7178C
__alloca_probe_16.LIBCMT ref: 00A7181B
__freea.LIBCMT ref: 00A71866
__freea.LIBCMT ref: 00A7186C
__freea.LIBCMT ref: 00A718A2
__freea.LIBCMT ref: 00A718A8
__freea.LIBCMT ref: 00A718B8

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 5febda913ae1d11f3433cf8332d6a3318ea4141549a5ca01b90c35a6386e75e5
Instruction ID: bc5598ef5cbb02d3d09700907bc72b23c338792b2f0705326242ee63fe4c8e82
Opcode Fuzzy Hash: 5febda913ae1d11f3433cf8332d6a3318ea4141549a5ca01b90c35a6386e75e5
Instruction Fuzzy Hash: A171C772900205ABDF259FACCD81BAE77FAAF45710F28C155ED0CA7281E775DC418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A621A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A621D7
___except_validate_context_record.LIBVCRUNTIME ref: 00A621DF
_ValidateLocalCookies.LIBCMT ref: 00A62268
__IsNonwritableInCurrentImage.LIBCMT ref: 00A62293
_ValidateLocalCookies.LIBCMT ref: 00A622E8

Strings

csm, xrefs: 00A6227D

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0ea1a5d0f6810ca1e114007fdaeb2cf4260ea883d9cba20b927e59ddf434a3fd
Instruction ID: 9a0a7c089992fd4cd4bdd6da7b794c0a1790f3566ed04c41e6cb82254c8da92c
Opcode Fuzzy Hash: 0ea1a5d0f6810ca1e114007fdaeb2cf4260ea883d9cba20b927e59ddf434a3fd
Instruction Fuzzy Hash: F341B274A00608ABCF10DF78CC90BDEBBB5BF45324F14C155E919AB392D731AA46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A62851 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A62848,00A6251C,00A61EB4), ref: 00A6285F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A6286D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A62886
SetLastError.KERNEL32(00000000,00A62848,00A6251C,00A61EB4), ref: 00A628D8

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8444eee619cd80e78f5d7bbb6f3472781ec61fedcc3fcadaecda25033fffc203
Instruction ID: 473c6fc4ee60ed48d8aa8a3d6f0486c7d0db9a2bea01d06f9a162ef2577ece82
Opcode Fuzzy Hash: 8444eee619cd80e78f5d7bbb6f3472781ec61fedcc3fcadaecda25033fffc203
Instruction Fuzzy Hash: 6101DF72619B155EA6246BF86C95B6B27B4EB01B78720433AFA28460F1FF114C839360

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A6FC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\mdWXrbOxsY.exe, xrefs: 00A6A718

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\mdWXrbOxsY.exe
API String ID: 0-2702633102
Opcode ID: b0d38e534341f2f7a3a54582b5d48bfddce64b61e2e31244b7605d8a6bfa1874
Instruction ID: 21251769920c2f17f054df7be36c9b07df65f197761d2d5ca0b3b864c49941e9
Opcode Fuzzy Hash: b0d38e534341f2f7a3a54582b5d48bfddce64b61e2e31244b7605d8a6bfa1874
Instruction Fuzzy Hash: EF218EB2204205AFDB10AF758D80C6BB7BAEF713647108524F929E7150EB30EC918FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A6701B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,63A8B917,?,?,00000000,00A739FA,000000FF,?,00A66FAB,00A670DB,?,00A66F7F,00000000), ref: 00A67050
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A67062
FreeLibrary.KERNEL32(00000000,?,?,00000000,00A739FA,000000FF,?,00A66FAB,00A670DB,?,00A66F7F,00000000), ref: 00A67084

Strings

mscoree.dll, xrefs: 00A67049
CorExitProcess, xrefs: 00A6705A

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5bdf4617dd522dd1ac93d1b0aa4ee3525f963cc6f035a1a9c4ed07f05cad14f7
Instruction ID: 92b24addfdea3b5d63b7ffa069d924497a224fd9203b03a4054c40ce3cdad56d
Opcode Fuzzy Hash: 5bdf4617dd522dd1ac93d1b0aa4ee3525f963cc6f035a1a9c4ed07f05cad14f7
Instruction Fuzzy Hash: B801A232A54619EFDB128B94CC05BAFBBBCFB08B15F018625F916E2690EB749941CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00A6FFF4 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00A7007B
__alloca_probe_16.LIBCMT ref: 00A7013C
__freea.LIBCMT ref: 00A701A3

Part of subcall function 00A684CE: RtlAllocateHeap.NTDLL(00000000,00A6AC7C,00A680EE,?,00A6AC7C,00000220,?,?,00A680EE), ref: 00A68500

__freea.LIBCMT ref: 00A701B8
__freea.LIBCMT ref: 00A701C8

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: efda8eb5a2b42a1b0a53a3717c340e25e1fd6ee13be4f3aba1541542cc6c2b22
Instruction ID: 7a374e63f517d8839f12b68a93961e3c57ce670fcdb4f6637229c1c2eff96796
Opcode Fuzzy Hash: efda8eb5a2b42a1b0a53a3717c340e25e1fd6ee13be4f3aba1541542cc6c2b22
Instruction Fuzzy Hash: C4518BB2610206EFEB219F64CD81EBB7AA9EF44354F55C228FD0CD6251EB71CD908760

Uniqueness

Uniqueness Score: -1.00%

Function 00A62A73 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A62A24,00000000,?,00A923A0,?,?,?,00A62BC7,00000004,InitializeCriticalSectionEx,00A74C38,InitializeCriticalSectionEx), ref: 00A62A80
GetLastError.KERNEL32(?,00A62A24,00000000,?,00A923A0,?,?,?,00A62BC7,00000004,InitializeCriticalSectionEx,00A74C38,InitializeCriticalSectionEx,00000000,?,00A62947), ref: 00A62A8A
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A62AB2

Strings

api-ms-, xrefs: 00A62A97

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: daac2a5096647fcb626652e0041dee0a295bebadd43720089aaf21bdfdb09c61
Instruction ID: f769d0f458dfef814fa46be491fed76a910f89b5c6ab674029f4674e4d742db3
Opcode Fuzzy Hash: daac2a5096647fcb626652e0041dee0a295bebadd43720089aaf21bdfdb09c61
Instruction Fuzzy Hash: D2E04871340604BBDF205BD0DC06F593F7AAB14B92F508420FE0DE84E1D7A5D896D645

Uniqueness

Uniqueness Score: -1.00%

Function 00A6CE77 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(63A8B917,?,00000000,?), ref: 00A6CEDA

Part of subcall function 00A6B1E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00A70199,?,00000000,-00000008), ref: 00A6B291

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A6D135
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A6D17D
GetLastError.KERNEL32 ref: 00A6D220

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 4746e509e035d46c95d0f66c71eefb321fd590ef828ce679f6d5cabe06955786
Instruction ID: fdd5a35803d723871fb737d52f9b0476ea90d7c6cc6d94c22c63b2c9092eb718
Opcode Fuzzy Hash: 4746e509e035d46c95d0f66c71eefb321fd590ef828ce679f6d5cabe06955786
Instruction Fuzzy Hash: DED148B5E002489FCF15CFE8D890AADBBB5FF09310F18852AE956EB351D730A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A63524 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00A635EB
___AdjustPointer.LIBCMT ref: 00A6360E
___AdjustPointer.LIBCMT ref: 00A636AA

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 68e42c13d0368438ae0404449014a2fef5cd17aa4d4543ac9b14d569a852db2f
Instruction ID: 170620daf69cf7b57e1004d1625379f95094853799e7821721b81a2c8f7c7d11
Opcode Fuzzy Hash: 68e42c13d0368438ae0404449014a2fef5cd17aa4d4543ac9b14d569a852db2f
Instruction Fuzzy Hash: 5F51D1B7A05602BFDF288F14C945B6BB7B4EF04710F14852EE90687291E731EE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A69F12 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00A6B1E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00A70199,?,00000000,-00000008), ref: 00A6B291

GetLastError.KERNEL32 ref: 00A69F76
__dosmaperr.LIBCMT ref: 00A69F7D
GetLastError.KERNEL32(?,?,?,?), ref: 00A69FB7
__dosmaperr.LIBCMT ref: 00A69FBE

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: da9f24618c9cbe87c5b964852a984dc3a034a10702655fc0c3951501120c75b3
Instruction ID: 98f5c3037645fc4c0ded090de8e7d448830f5c56ac544289df1d16a96b95e06a
Opcode Fuzzy Hash: da9f24618c9cbe87c5b964852a984dc3a034a10702655fc0c3951501120c75b3
Instruction Fuzzy Hash: 9E219272608205AF9B10EFA5CD8086BB7BDEF543687128519F919D7240D735EC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B2D3 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A6B2DB

Part of subcall function 00A6B1E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00A70199,?,00000000,-00000008), ref: 00A6B291

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A6B313
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A6B333

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4577b8daf33c2b6de56fe40ce89a165de6e2cef4650525572a04cd88078ba797
Instruction ID: bf1dfede2f00341d0e6cde611c650defb1770c0239d73b886cfdfb4aaa120c75
Opcode Fuzzy Hash: 4577b8daf33c2b6de56fe40ce89a165de6e2cef4650525572a04cd88078ba797
Instruction Fuzzy Hash: D111D2B2625625BEA71177F16D8ACAF6A7CDE893D87104025F606D6201FF28CE828570

Uniqueness

Uniqueness Score: -1.00%

Function 00A71965 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00A70A03,?,00000001,?,?,?,00A6D274,?,?,00000000), ref: 00A7197C
GetLastError.KERNEL32(?,00A70A03,?,00000001,?,?,?,00A6D274,?,?,00000000,?,?,?,00A6D7FB,?), ref: 00A71988

Part of subcall function 00A7194E: CloseHandle.KERNEL32(FFFFFFFE,00A71998,?,00A70A03,?,00000001,?,?,?,00A6D274,?,?,00000000,?,?), ref: 00A7195E

___initconout.LIBCMT ref: 00A71998

Part of subcall function 00A71910: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A7193F,00A709F0,?,?,00A6D274,?,?,00000000,?), ref: 00A71923

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00A70A03,?,00000001,?,?,?,00A6D274,?,?,00000000,?), ref: 00A719AD

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: cd123d33100044d530dea45e4ff5b110aab2cf39776d01aa046cec98892d4ad6
Instruction ID: fdeb7feea367af51704f25352a66a808ebb2b341b1e360f0ae9c9abe1a19f447
Opcode Fuzzy Hash: cd123d33100044d530dea45e4ff5b110aab2cf39776d01aa046cec98892d4ad6
Instruction Fuzzy Hash: 14F0FE36100158BBCF226FD5AC14A897FA5FB493A0B04C410FB2C95120D73288629B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A63B20 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00A63B45

Strings

MOC, xrefs: 00A63B57
RCC, xrefs: 00A63B5F

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: dc6e3d81323c7734dc18188ddb66273a2e42bf333bc930561b562787a62d5444
Instruction ID: 920f874b8e8d731cc496fc2b2a2beb4956efdb8733b1266c12ce3a4d3ffd8d95
Opcode Fuzzy Hash: dc6e3d81323c7734dc18188ddb66273a2e42bf333bc930561b562787a62d5444
Instruction Fuzzy Hash: 7B415772900249AFDF15DF98CD81AAEBBB5FF48304F188099FA05B7261D3359A62DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A67159 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00A67159
GetCommandLineW.KERNEL32 ref: 00A67164

Strings

`%, xrefs: 00A6715F

Memory Dump Source

Source File: 00000000.00000002.1809059094.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1809043271.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809098497.0000000000A74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809122261.0000000000A7B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809143351.0000000000A91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809161853.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809178351.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_mdWXrbOxsY.jbxd

Similarity

API ID: CommandLine
String ID: `%
API String ID: 3253501508-3167696263
Opcode ID: d9c200f539d1318cb6d48e2d127452eb93f770bbbb5ccc25064182020790a88f
Instruction ID: 1600c5c6935e869df664822f469fb2c1be16f64f6644a08a52ed542d7461429a
Opcode Fuzzy Hash: d9c200f539d1318cb6d48e2d127452eb93f770bbbb5ccc25064182020790a88f
Instruction Fuzzy Hash: 7EB00879A45300AF8B40DFF5AD2C2457AA4BA5865238295569919C2720EB3D4087DF10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 6640, Parent PID: 6932COMMON

Executed Functions

Function 02EF64E0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023014cb5551b5343a7bab5b1497f14cc6acfb8bb3e577a17299d4679869de28
Instruction ID: 0e3c5ee717e7e301a7afb1906c4b45d3c9cf270b748be8f751a3189020e11c24
Opcode Fuzzy Hash: 023014cb5551b5343a7bab5b1497f14cc6acfb8bb3e577a17299d4679869de28
Instruction Fuzzy Hash: 73B18B70E002098FDF50CFA8C9857AEBBF6BF88308F14D529D925A7294EB749845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02EF6DB0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b7edac8c8dfe43d24280bef5823c3e88e6e637976041d7944c2a351ff5080f
Instruction ID: f2bf4cb50c6b9f27b84a02aefea42da5eda627caa4927d2513db7a3d066f3848
Opcode Fuzzy Hash: c9b7edac8c8dfe43d24280bef5823c3e88e6e637976041d7944c2a351ff5080f
Instruction Fuzzy Hash: DEB19C71E00209CFDB50CFA9D8817EEBBF2AF88318F14D529E915E7294EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02EF19E8 Relevance: 2.8, Strings: 2, Instructions: 321COMMON

Download Yara Rule

Strings

(hq, xrefs: 02EF1C58
(hq, xrefs: 02EF1C84

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: (hq$(hq
API String ID: 0-2483692461
Opcode ID: beb8c5ae7feee3b740a94dac62bfbbbd96559aa8c1af44672bb93d997e7aabdd
Instruction ID: 7b22d9f26e244677211d611e56a878b933a91a09c0c2a2ce17e3c2b87d86276e
Opcode Fuzzy Hash: beb8c5ae7feee3b740a94dac62bfbbbd96559aa8c1af44672bb93d997e7aabdd
Instruction Fuzzy Hash: 82B18871B10209CFCF54DB6DD4906AEB7F2EF89215B10956AD60ADB754EB30EC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0DE0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

Tedq, xrefs: 02EF0F2D

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 0f9877e31aff9db1e34b780df385178351e75054d28eef53c7960b4c1c2c4227
Instruction ID: 4fea108ea7b06b69a729b6176c29010c3b104f1b6b2764e9ecdb6d8e5ab179d2
Opcode Fuzzy Hash: 0f9877e31aff9db1e34b780df385178351e75054d28eef53c7960b4c1c2c4227
Instruction Fuzzy Hash: 4371ED70B403058FDB44AB76D95466E7BA2EF84748B408929E90ADB358EF349C46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0DF0 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

Tedq, xrefs: 02EF0F2D

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 246ca3d4344b6530fe354dff6010a92bbe706609f65f26f4f84cfcaf0f96f90d
Instruction ID: 7721aae32bc13127305314fcfe204d61e80bd2c7c0425465aa1426a195fdcb49
Opcode Fuzzy Hash: 246ca3d4344b6530fe354dff6010a92bbe706609f65f26f4f84cfcaf0f96f90d
Instruction Fuzzy Hash: C871CC70B403058FDB44AB76D95462E7BA2EF84748B408929E90ADB358EF34AC46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02EF3565 Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fcde257632a6eeac07ac387dd1e310be03001c9ae6229f430ad2354d1a5f44
Instruction ID: 3a24ffda91e7f0c1be405274e70dbca37aee20ffebf6278dd261e77e59c4fdeb
Opcode Fuzzy Hash: c3fcde257632a6eeac07ac387dd1e310be03001c9ae6229f430ad2354d1a5f44
Instruction Fuzzy Hash: 6441CF31B402508FDB05EB35C654A6D37F2AF8A704F2084A9D606EB3B5DB3ACC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EF64D4 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e40749d9b5bd2d50cecce9d35a1400f3ea699b26329bafcc7fc7856460d9c99
Instruction ID: 9a516e7b85947107f1172cde102426e28bff5ce8e012d213341a6abaa90d6ed6
Opcode Fuzzy Hash: 1e40749d9b5bd2d50cecce9d35a1400f3ea699b26329bafcc7fc7856460d9c99
Instruction Fuzzy Hash: B2B17AB0E402098FDB50CFA8C9857DDBBF6BF88308F14D529DA25A7294EB349845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02EF6DA6 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed9b5b5d1c370ce572250a35bcde20901dd0bf74cecaba21d948d1fa3a61997
Instruction ID: d544ee2d5c207410c2f1a9ab72e324f5a2e6be15dd97585a7a42dffde241ecf8
Opcode Fuzzy Hash: 2ed9b5b5d1c370ce572250a35bcde20901dd0bf74cecaba21d948d1fa3a61997
Instruction Fuzzy Hash: B6A18B71E40209CFDB50CFA9D9817DEBBF2AF48318F14E529E914E7294EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02EF2F64 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37133b6d49e4b4d93544e9fa297039527a5f676408b8d4f915c92a0b520a0d80
Instruction ID: e069a94b689eafd6fba0740248efd8ea25aadb761a88817022fb7a5153c73b7a
Opcode Fuzzy Hash: 37133b6d49e4b4d93544e9fa297039527a5f676408b8d4f915c92a0b520a0d80
Instruction Fuzzy Hash: A07109303142A18FCB4ADB66EB5065D77B2EBC4611B00A585ED019B3B9DB3C9D82C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 02EF1DA8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d0fcb037559f4b56833994a0ef1ecc18bc6474b9f5d19f2028dc2073fa2a7a
Instruction ID: 278922de0977cabb363b478034b529df5fa45dce287c290fa94ddb2558d676f1
Opcode Fuzzy Hash: 96d0fcb037559f4b56833994a0ef1ecc18bc6474b9f5d19f2028dc2073fa2a7a
Instruction Fuzzy Hash: E6412672A04358CFCB05DB69C9106AEBBF2EF49310F05D49AD509EB392DB389C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EF38F8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c43acd725166791e996fcfa3a0e6d520205c88499ca8920e58a58ee5294aa2
Instruction ID: 0af6b861f32308d80f3569503c418ac81af7c620346af197977f21730e11d4ba
Opcode Fuzzy Hash: c8c43acd725166791e996fcfa3a0e6d520205c88499ca8920e58a58ee5294aa2
Instruction Fuzzy Hash: 49418C30B406518FDB45EB35C654A6D37B2AF89704F2084A9DA06EB3A4DB3A9C42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02EF45EC Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff0c9751c809cf9a853ab96af3377587acd3d3afe70b8023ef59e276a5f7d3f
Instruction ID: 13ac3d8a7c7ceb6d62236e2ae1a94fe8d753c777e879c9a193f782c8fe4f7f4c
Opcode Fuzzy Hash: 8ff0c9751c809cf9a853ab96af3377587acd3d3afe70b8023ef59e276a5f7d3f
Instruction Fuzzy Hash: 1A4147B1D00349DFDB14DFA9C484ADEBFF1EF48318F24841AE619AB290DB349946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EF45F8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bc784cb0e0a3c3e91a0319a2d06ed59e5da6f58a5655f0cf49aa45ec795635
Instruction ID: 758c5660c5b1e8e7a2bb7e9d0cce0a2bce6c740bc43413c06a8a3601f35fe76e
Opcode Fuzzy Hash: 34bc784cb0e0a3c3e91a0319a2d06ed59e5da6f58a5655f0cf49aa45ec795635
Instruction Fuzzy Hash: FA41F0B0D00349DFDB14DFA9C584ADEBFF5EF48314F148029E519AB290DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EF3B57 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be4d2350300da6bbbc953d76fed4ef6fd963965c789884e280132b8309f64ca
Instruction ID: 23c590d4040c5d9297ca3db58cade98adfd1839fadfc86d083140d37b5233884
Opcode Fuzzy Hash: 2be4d2350300da6bbbc953d76fed4ef6fd963965c789884e280132b8309f64ca
Instruction Fuzzy Hash: 60216B70780240CFEB55EB34D5547AD77B2AF49708F20C0A8D606AB3A1CB7A9C82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02EF1E0F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba4bbc47d7c9bad9d959bb5d8d974d7dd0a78e8022309bf436fe4a585023c91
Instruction ID: 1678c7a6fb380ae737bc26a6d830aeb9a257c977d1488d2337ceeea4523a0d81
Opcode Fuzzy Hash: 4ba4bbc47d7c9bad9d959bb5d8d974d7dd0a78e8022309bf436fe4a585023c91
Instruction Fuzzy Hash: 9A118E71E40228DFCB40DFA899443AEB7E5FF89304F049169D609EB350EB7899428BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02EF72A0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0907c7d0a5436d1b9d216639a72120a2baa15ae0598651e8ffd20c0c85d7048
Instruction ID: 9d47bee9f5d1fa7c599e5917465341ec73d6598c5f9a47137c45d147de2e7255
Opcode Fuzzy Hash: b0907c7d0a5436d1b9d216639a72120a2baa15ae0598651e8ffd20c0c85d7048
Instruction Fuzzy Hash: 96012D71B802049BDB40EB24D6017DE7BF2AB88710F20C055EA01BB295DF3A4E02C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 02EF1540 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c1e5175046f7deef2839704d6b9c6d4acb01605104a9c136933fabd5af10ab
Instruction ID: 3c224c712a58f60dec21d6641049b67f3888eeaba739db5317271ea89e1950ba
Opcode Fuzzy Hash: 44c1e5175046f7deef2839704d6b9c6d4acb01605104a9c136933fabd5af10ab
Instruction Fuzzy Hash: 130126313102049BDB44DB3AEE41B5F3BCAEBC92607548235E60ACB344EE78DC428B90

Uniqueness

Uniqueness Score: -1.00%

Function 02EF72B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f9d8273d8d588a1e96602b9e1c399cb9e5662f2f798e76537aa9349043b3ee
Instruction ID: d4b70c26716b21080e52735966e3435843fe60899e3e954a38c632d6674b0f10
Opcode Fuzzy Hash: c3f9d8273d8d588a1e96602b9e1c399cb9e5662f2f798e76537aa9349043b3ee
Instruction Fuzzy Hash: 9601F770B802149BEB41EB64C5147AE7AF29B48700F20C058EA01BB2D5DF750E41CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0960 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c8d733942eae962e40a5b712ecc2dbe107e36bbfd9c7e22e24d70bcbeea19e
Instruction ID: ce31f5b703cdecf62c175bea576a2cfc896f9c4eede94fd470f98cb0d81fe9c5
Opcode Fuzzy Hash: 99c8d733942eae962e40a5b712ecc2dbe107e36bbfd9c7e22e24d70bcbeea19e
Instruction Fuzzy Hash: A0E0D830945288AFCF51CBB4ED965ED7FB1DF4220470485E9D449D7212D9311E06DB41

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0970 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1836149728.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5c09f646c18fda935eaaf7236bdfa6845b9f741d6917857c9e2c9ac601d813
Instruction ID: 7c456dac6b22cb907fbd60cb3d4f84b5b70d118351d50df2868e570613d0133e
Opcode Fuzzy Hash: ca5c09f646c18fda935eaaf7236bdfa6845b9f741d6917857c9e2c9ac601d813
Instruction Fuzzy Hash: 9BD01770A4020CEF8F40DFA8EA0055DBBF9EB44309B5089A9D909D7204EA312E009B81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mdWXrbOxsY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Windows Analysis Report
mdWXrbOxsY.exe

Function 00A91C7D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 00A61040 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 443
memorysynchronizationthreadCOMMON

Function 00A67B11 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00A66F85 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00A6D72D Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Function 00A6D32F Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00A68392 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00A67BDC Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Function 00A684CE Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON