Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Analysis ID:	1430705
MD5:	2d41e117f7b73d3b0b8804794b4fe9dd
SHA1:	f0bd15035e0bf67f621c7e87c65b62c007e79fda
SHA256:	5b88fdc4c1564305f8883e5ec48cadea105d082a5a1bae6a17c57c81c01069a7
Tags:	exe
Infos:

Detection

PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe" MD5: 2D41E117F7B73D3B0B8804794B4FE9DD)

conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 3608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x510bb:$s1: file:/// 0x50ff3:$s2: {11111-22222-10009-11112} 0x5104b:$s3: {11111-22222-50001-00000} 0x4dbc3:$s4: get_Module 0x48dc9:$s5: Reverse 0x49662:$s6: BlockCopy 0x48db1:$s7: ReadByte 0x510cd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x510bb:$s1: file:/// 0x50ff3:$s2: {11111-22222-10009-11112} 0x5104b:$s3: {11111-22222-50001-00000} 0x4dbc3:$s4: get_Module 0x48dc9:$s5: Reverse 0x49662:$s6: BlockCopy 0x48db1:$s7: ReadByte 0x510cd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x510bb:$s1: file:/// 0x50ff3:$s2: {11111-22222-10009-11112} 0x5104b:$s3: {11111-22222-50001-00000} 0x4dbc3:$s4: get_Module 0x48dc9:$s5: Reverse 0x49662:$s6: BlockCopy 0x48db1:$s7: ReadByte 0x510cd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4f2bb:$s1: file:/// 0x4f1f3:$s2: {11111-22222-10009-11112} 0x4f24b:$s3: {11111-22222-50001-00000} 0x4bdc3:$s4: get_Module 0x46fc9:$s5: Reverse 0x47862:$s6: BlockCopy 0x46fb1:$s7: ReadByte 0x4f2cd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x676bb:$s1: file:/// 0x675f3:$s2: {11111-22222-10009-11112} 0x6764b:$s3: {11111-22222-50001-00000} 0x641c3:$s4: get_Module 0x5f3c9:$s5: Reverse 0x5fc62:$s6: BlockCopy 0x5f3b1:$s7: ReadByte 0x676cd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 11 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

Virustotal: Detection: 51%

Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Virustotal: Detection: 49%			Perma Link
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	ReversingLabs: Detection: 31%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Code function: 0_2_6CE99F48 FindFirstFileExW,

0_2_6CE99F48

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91

Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $sq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\sq equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\sq equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,sq equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000003.00000002.2021726688.00000000028CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,sq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: MSBuild.exe, 00000003.00000002.2021726688.000000000289E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000289E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: MSBuild.exe, 00000003.00000002.2021726688.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_a5581eb7-f

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp6D6D.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp6D5D.tmp			Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, Strings.cs

Large array initialization: Strings: array initializer size 6160

PE file contains section with special chars

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Static PE information: section name: .{_x}
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Static PE information: section name: .Z%j5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE91C80 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,GetModuleHandleW,GetProcAddress,	0_2_6CE91C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF5C20 NtProtectVirtualMemory,	0_2_02EF5C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF6100 NtAllocateVirtualMemory,	0_2_02EF6100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF60DD NtAllocateVirtualMemory,	0_2_02EF60DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF5C1F NtProtectVirtualMemory,	0_2_02EF5C1F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE91C80	0_2_6CE91C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE92350	0_2_6CE92350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CEA04E5	0_2_6CEA04E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE91000	0_2_6CE91000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE94810	0_2_6CE94810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE91220	0_2_6CE91220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_01369020	0_2_01369020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_01361098	0_2_01361098
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136E0D0	0_2_0136E0D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_01369B00	0_2_01369B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136DBD0	0_2_0136DBD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136C228	0_2_0136C228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_01369218	0_2_01369218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136B6B8	0_2_0136B6B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136A12A	0_2_0136A12A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136A148	0_2_0136A148
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_01369010	0_2_01369010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136920A	0_2_0136920A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136A2AF	0_2_0136A2AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136A2C0	0_2_0136A2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136DD30	0_2_0136DD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136BD2A	0_2_0136BD2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136A47F	0_2_0136A47F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_01368FB0	0_2_01368FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136DFD0	0_2_0136DFD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_0136D609	0_2_0136D609
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF9E9A	0_2_02EF9E9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF9BF8	0_2_02EF9BF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF0040	0_2_02EF0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF7400	0_2_02EF7400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF2DB0	0_2_02EF2DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF9900	0_2_02EF9900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF36C0	0_2_02EF36C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF36D0	0_2_02EF36D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF8AB0	0_2_02EF8AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF2650	0_2_02EF2650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF3220	0_2_02EF3220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF2B78	0_2_02EF2B78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF9320	0_2_02EF9320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF4F00	0_2_02EF4F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF54E8	0_2_02EF54E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF3CE0	0_2_02EF3CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF84C8	0_2_02EF84C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF84B9	0_2_02EF84B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF44B0	0_2_02EF44B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF0006	0_2_02EF0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF95D8	0_2_02EF95D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF2DA0	0_2_02EF2DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF3948	0_2_02EF3948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF3958	0_2_02EF3958
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF6920	0_2_02EF6920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF6910	0_2_02EF6910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00B7E3E8	3_2_00B7E3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00B7E3D8	3_2_00B7E3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00B70878	3_2_00B70878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00B70868	3_2_00B70868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00B72CE4	3_2_00B72CE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00B74DD0	3_2_00B74DD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Code function: String function: 6CE95A70 appears 33 times

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe, 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameRenowning.exe" vs SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe, 00000000.00000002.2008317345.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe, 00000000.00000000.1999217761.0000000000B46000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameasca1ex_crypted.exeT vs SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Binary or memory string: OriginalFilenameasca1ex_crypted.exeT vs SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, TaskParameter.cs	Task registration methods: 'CreateNewTaskItemFrom'
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, OutOfProcTaskHostNode.cs	Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, TaskLoader.cs	Task registration methods: 'CreateTask'
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, RegisteredTaskObjectCacheBase.cs	Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, Strings.cs

Base64 encoded string: 'GSk+Lyw0PSESIjU7AQ8FJDM7DA46MyEwJT0lBCEOAVU0QBUHLwJBVDAmGyERJAc5MSsRHTFAJhkuH1Nc'

Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 3.2.MSBuild.exe.3849970.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *.sln
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000003.00000002.2027925622.0000000003841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

File created: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6A9D.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Virustotal: Detection: 49%
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: linkinfo.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: Google Chrome.lnk.3.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static file information: File size 4988416 > 1048576

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static PE information: Raw size of .OKDa is bigger than: 0x100000 < 0x4c0e00

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, G8WxH38hhBnr1IE68vI.cs	.Net Code: lrPIYdBHH0
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, G8WxH38hhBnr1IE68vI.cs	.Net Code: kKcFHrrDYN

Source: initial sample

Static PE information: section where entry point is pointing to: .OKDa

Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Static PE information: section name: .{_x}
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Static PE information: section name: .Z%j5
Source: SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Static PE information: section name: .OKDa

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CEA0C14 push ecx; ret		0_2_6CEA0C27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_02EF1F40 push esp; iretd		0_2_02EF1F41

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, G8WxH38hhBnr1IE68vI.cs	High entropy of concatenated method names: 'uYP5UMy1hu', 'nt15Ceoiwh', 'opo5rgGLQg', 'gA95bU2ExD', 'Rks5BkBZi5', 'ADm5J0cpqR', 'NaM52ZqZyD', 'THoZbd2fUw', 'Y8N5itYb3g', 'Wb65MvkIMT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs	High entropy of concatenated method names: 'oQG8WrDol0', 'g38PJ8K3c0', 'jBH8UdC1PV', 'UlO8CDfJsQ', 'hcC8rW5pKa', 'mN58bMtfWM', 'ts3XxWXD9Z', 'OigaEK3D3W', 'jroa4iUVTS', 'B6saGICwMv'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

File created: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,SQ
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\SQ
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory allocated: 1360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory allocated: 2F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory allocated: 53C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory allocated: 73C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory allocated: 7600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory allocated: 9600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4840000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe TID: 5536	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6464	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Code function: 0_2_6CE99F48 FindFirstFileExW,

0_2_6CE99F48

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\sq
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,sq
Source: MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000003.00000002.2031047933.00000000074AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Code function: 0_2_6CE958FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CE958FA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Code function: 0_2_6CE9B66B GetProcessHeap,

0_2_6CE9B66B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE958FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE958FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE99897 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE99897
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Code function: 0_2_6CE95421 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CE95421

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Code function: 0_2_6CE92350 MSIGame,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle,CloseHandle,

0_2_6CE92350

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 462000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4BE000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6C3008	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Source: MSBuild.exe, 00000003.00000002.2021726688.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: MSBuild.exe, 00000003.00000002.2021726688.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Code function: 0_2_6CE95AB8 cpuid

0_2_6CE95AB8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Code function: 0_2_6CE95543 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CE95543

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6cea8000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.6ce90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Install Root Certificate	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	49%	Virustotal		Browse
SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	32%	ReversingLabs	Win32.Trojan.CrypterX
SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\d3d9.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\d3d9.dll	51%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
bg.microsoft.map.fastly.net	0%	Virustotal		Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe
https://api.ip.s	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	MSBuild.exe, 00000003.00000002.2021726688.000000000289E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.s	MSBuild.exe, 00000003.00000002.2021726688.000000000289E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	MSBuild.exe, 00000003.00000002.2021726688.000000000294A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430705
Start date and time:	2024-04-24 03:30:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 69 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.122.28.179, 20.114.59.183, 72.21.81.240, 199.232.210.172, 192.229.211.108, 52.165.164.15, 40.127.169.103
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	ScreenConnect.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.211.108
	ScreenConnect.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.211.108
	SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe	Get hash	malicious	Python Stealer	Browse	192.229.211.108
	https://www.longin-eki.co.jp.cduhzkc.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.longin-eki.co.jp.nebxshr.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.admin-longin.co.jp.mc3lva.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.longin.co.jp.wiibhaq.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://emv1.3rujia.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://wmicrosouab-4ba8.udydzj.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://www.longin-eki.co.jp.zurxyjp.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
bg.microsoft.map.fastly.net	ScreenConnect.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	6W9hpMEmjY.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	6W9hpMEmjY.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	cncUVRcGoI.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.admin-longin.co.jp.mc3lva.cn/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.longin-eki.co.jp.zurxyjp.cn/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://xxnewmac5xx.z13.web.core.windows.net/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://windowdefalerts-error0x21916-alert-virus-detected.pages.dev/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	199.232.210.172
	https://windowdefalerts-error0x21915-alert-virus-detected.pages.dev/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	199.232.210.172
	https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w	Get hash	malicious	Unknown	Browse	199.232.214.172

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:53 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2106
Entropy (8bit):	3.445666597951605
Encrypted:	false
SSDEEP:	48:8S0l2dfTXd3RYrnvPdAKRkdAs6IdAKRFdAKRE:8S0lOw
MD5:	86451F73A23786D7FA8F015CFF75EC69
SHA1:	83B116DE0CB8966FEFCFC5E6C2800E8F2D8A338C
SHA-256:	D014BEF9DA82C968A3760B55FEFDAE0FBE641E623A40A07EBD5B2F6BEE060620
SHA-512:	DB9366827BFAE1DBE7E4418E793963F9FD7C164BC14A82208206D30ACD204EE69E897D6A15FBDE989CF8AE5DF5668CD7D40F1BC2DD68E0080BD2DA10085B898B
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,....6e.l.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.".-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1299
Entropy (8bit):	5.342376182732888
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H6
MD5:	D62639C5676A8FA1A0C2215824B6553A
SHA1:	544B2C6E7A43CE06B68DF441CC237AB7A742B5CD
SHA-256:	761379FF547D28D053F7683499D25F7F1B5523CC7262A2DA64AF26448F7E2D76
SHA-512:	5B46D1BDB899D8FA5C7431CA7061CDD1F00BE14CD53B630FAB52E52DA20F4B2BED405F932D7C0E9D74D84129D5BB5DE9B32CC709DA3D6995423E2ED91E92ACD3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Tmp6D5D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp6D6D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\d3d9.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	866816
Entropy (8bit):	5.757237855888856
Encrypted:	false
SSDEEP:	12288:8tSX+xi19hdEmUUqS8nm8M83SN4hyhUstTN:rM2EmUSgBM3+i
MD5:	D0B35E6C99D48C4456DB3F9FEE7D25E7
SHA1:	9B1C74529BF52607BB37BD6F2161DD8B442E77B9
SHA-256:	550E9CE8DE15B9EF48F7F54DF4075468B9DEE17BFDBC53F7D65CF039EF1C86DE
SHA-512:	E03976B1B902B7F9590811B84D58F99F09CD38469D6B96D8176C3F17D4C4C92BEAFE73BD4A77D3874529E47403C52992DD216F643B0D70F9ACBAAEB25F7F8A43
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............kQ..kQ..kQ..hP..kQ..nPr.kQ..oP..kQ..jP..kQ..jQ..kQ.jnP..kQ.joP..kQ.jhP..kQ..kQ..kQ.jkP..kQ.jiP..kQRich..kQ................PE..L.....(f...........!...&.....@.......S.......................................p............@..........................j..P...Pj..(............................P..(...._..............................@^..@...............@............................text...c........................... ..`.rdata...a.......b..................@..@.data...d............f..............@....reloc..(....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.476466811694825
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
File size:	4'988'416 bytes
MD5:	2d41e117f7b73d3b0b8804794b4fe9dd
SHA1:	f0bd15035e0bf67f621c7e87c65b62c007e79fda
SHA256:	5b88fdc4c1564305f8883e5ec48cadea105d082a5a1bae6a17c57c81c01069a7
SHA512:	3932ba5248d7d6ca7f9164c9df9f7d8ef767dcc0bdd8ad753af61a90e4e9e4ab9ddee6aec4ea251f0b7e2c773814551dcd77e63edfbe29c3592f1ad5276722ed
SSDEEP:	49152:JQhzPHd7fjm0s3CPRAYchlk7OFpur/q0HEiAEy0LssIeAyYyJ9ILvwUgPb2acdQa:6FHRSyPRA7swQ/jRHLAs0yHJ9ILqb
TLSH:	0C36F6213DEF105D7362AAAD4FD8F8AFC95EF777264A21BA20710B474312D428D92739
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(f..................$...........J.. ....%...@.. ........................q...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8ad09c
Entrypoint Section:	.OKDa
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66280887 [Tue Apr 23 19:14:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00652000h]
mov ax, ss
aad A6h
cwde
imul esi
mov edx, C566F3D5h
and edi, eax
sub ah, byte ptr [eax+69AE6704h]
mov al, 1Dh
or ebx, dword ptr [ebx]
mov cl, D2h
scasb
imul esi, dword ptr [eax-53E6C534h], B069AECCh
sbb al, byte ptr [edi-6Ch]
dec ebp
dec ebp
dec edi
sbb cl, byte ptr [ebx+0Ch]
std
loopne 00007FA8748E8516h
daa
push 41A64FDCh
test dword ptr [edx+4FDC68E1h], eax
dec dword ptr [ebp+ebp*4-60h]
xor eax, DC685033h
dec edi
mov bp, cs
push cs
and al, byte ptr [edi]
dec edi
sub ecx, dword ptr [eax]
xor eax, BA7386D5h
sbb dword ptr [esi], ecx
mov eax, E0091B79h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a3ae0	0x28	.OKDa
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x716000	0x638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x718000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x252000	0x8	.Z%j5
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x4c57f0	0x48	.OKDa
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x24d274	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.{_x}	0x250000	0x643	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.Z%j5	0x252000	0x8	0x200	890097eda9091e142fbb036c033a8ff4	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.OKDa	0x254000	0x4c0cc4	0x4c0e00	42dfe2d271cae593ea683f8a2fc8dbfb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x716000	0x638	0x800	9b6651015a439afb7c90a366e6b07c47	False	0.33935546875	data	3.4920647628337567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x718000	0xc	0x200	f6b8c6f4ea6d86262b09cfbe8da4c289	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7160a0	0x3a8	data			0.42094017094017094
RT_MANIFEST	0x716448	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 03:30:54.727421999 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 24, 2024 03:30:54.727426052 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 24, 2024 03:30:54.821297884 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 24, 2024 03:31:04.336743116 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 24, 2024 03:31:04.336863041 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 24, 2024 03:31:04.430509090 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 24, 2024 03:31:05.852627039 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 24, 2024 03:31:05.854435921 CEST	49703	443	192.168.2.5	23.1.237.91

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 03:31:15.698327065 CEST	1.1.1.1	192.168.2.5	0x6b85	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 24, 2024 03:31:15.698327065 CEST	1.1.1.1	192.168.2.5	0x6b85	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 24, 2024 03:31:15.888097048 CEST	1.1.1.1	192.168.2.5	0x914f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 03:31:15.888097048 CEST	1.1.1.1	192.168.2.5	0x914f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 24, 2024 03:31:29.226206064 CEST	1.1.1.1	192.168.2.5	0x9bda	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 03:31:29.226206064 CEST	1.1.1.1	192.168.2.5	0x9bda	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:30:56
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe"
Imagebase:	0x430000
File size:	4'988'416 bytes
MD5 hash:	2D41E117F7B73D3B0B8804794B4FE9DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:30:56
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:30:56
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x510000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2018294948.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.2%
Dynamic/Decrypted Code Coverage:	2.1%
Signature Coverage:	6.3%
Total number of Nodes:	1004
Total number of Limit Nodes:	11

Executed Functions

Function 6CE92350 Relevance: 49.4, APIs: 21, Strings: 6, Instructions: 2192memorythreadinjectionCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 6CE9313A
VirtualAlloc.KERNELBASE ref: 6CE9319A
Wow64GetThreadContext.KERNEL32 ref: 6CE931E0
ReadProcessMemory.KERNELBASE ref: 6CE932A9
VirtualAllocEx.KERNELBASE ref: 6CE93378
VirtualAllocEx.KERNEL32 ref: 6CE933CD
WriteProcessMemory.KERNELBASE ref: 6CE9366F
ReadProcessMemory.KERNEL32 ref: 6CE93F43
WriteProcessMemory.KERNEL32 ref: 6CE93FD6
Wow64SetThreadContext.KERNEL32 ref: 6CE943DC
ResumeThread.KERNELBASE ref: 6CE943EB
CloseHandle.KERNEL32 ref: 6CE9453F
ReadProcessMemory.KERNEL32 ref: 6CE9465B
CloseHandle.KERNEL32 ref: 6CE947F1

Strings

@, xrefs: 6CE933C5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CE92FA4, 6CE945DC
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CE92F2E
7*,x, xrefs: 6CE941A4
D, xrefs: 6CE92EDA
7*,x, xrefs: 6CE9471B

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$Memory$AllocReadThreadVirtual$CloseContextHandleWow64Write$CreateResume
String ID: 7*,x$7*,x$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D
API String ID: 2880406585-1007386547
Opcode ID: 030e768f68a9c71d4100fb71311fe9a99b4582fcadcc6c245d2d17a7e462fa22
Instruction ID: 883b91005c0ee3733f6a8d06b095fa274b165db125db29d0945020e7a03c3017
Opcode Fuzzy Hash: 030e768f68a9c71d4100fb71311fe9a99b4582fcadcc6c245d2d17a7e462fa22
Instruction Fuzzy Hash: 7913D3B2A05655CFCF15CE7CC9983DD7BF1AB86319F20419AD419DBB40D33A9A898F01

Uniqueness

Uniqueness Score: -1.00%

Function 6CE91C80 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KH, xrefs: 6CE92131
ntdll.dll, xrefs: 6CE91FAB, 6CE92292
KH, xrefs: 6CE9232D
NtQueryInformationProcess, xrefs: 6CE91FBF, 6CE922A6

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: NtQueryInformationProcess$ntdll.dll$KH$KH
API String ID: 0-3525560144
Opcode ID: 44c6abfa92e43f529184d408fa351dd8835502a1fb5a76ecfe815f0c4141e987
Instruction ID: bd2cda25a1b3c5ee959219eaaf4a4cdd39da0a108d1b2682a941fcfaffcf2b5b
Opcode Fuzzy Hash: 44c6abfa92e43f529184d408fa351dd8835502a1fb5a76ecfe815f0c4141e987
Instruction Fuzzy Hash: 2302CC76F152059FCF08CFBCD5987DEBBF2AB5A304F208419E815EB764C635990A8B41

Uniqueness

Uniqueness Score: -1.00%

Function 01361098 Relevance: 14.9, Strings: 6, Instructions: 7367COMMON

Download Yara Rule

Strings

.f28, xrefs: 013654DB
=~60, xrefs: 013612A0
&h#1, xrefs: 01366AE9
8y4a, xrefs: 01365A28
)s=B, xrefs: 0136544F
$&:, xrefs: 01364608

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $&:$&h#1$)s=B$.f28$8y4a$=~60
API String ID: 0-187508944
Opcode ID: 8ef391a4c7f7b5f97bccad50786590b9a1149b394f1b500bf357e492fb36b866
Instruction ID: be9b3fe715afadfa5bf3ee023b268bc97dc2bb62b9d9ee074960e1c05995eba5
Opcode Fuzzy Hash: 8ef391a4c7f7b5f97bccad50786590b9a1149b394f1b500bf357e492fb36b866
Instruction Fuzzy Hash: 90E341B9E112298FCB68DF68C85069DB7F6BB88204F4585E9D809F7354DB31AD85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0040 Relevance: 6.7, Strings: 4, Instructions: 1718COMMON

Download Yara Rule

Strings

?+"x, xrefs: 02EF1480
pwq, xrefs: 02EF1401
Hwq, xrefs: 02EF1CBD
pwq, xrefs: 02EF0C21

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ?+"x$Hwq$pwq$pwq
API String ID: 0-3500585567
Opcode ID: 1df50c25937bafa1e6c94f0ac4fe9c8ac4bfa6c7cd4b2b0a250658256ad6fb55
Instruction ID: 4d0cfb5bc8e92e54620b1b2694bc73d380d5a04591e36504c6ef7cc25d4e33bc
Opcode Fuzzy Hash: 1df50c25937bafa1e6c94f0ac4fe9c8ac4bfa6c7cd4b2b0a250658256ad6fb55
Instruction Fuzzy Hash: 53E26775B412198FCB64DFA9CCC4A99B7B2BF88304F1580A9E609EB365DB319D85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0136E0D0 Relevance: 6.2, Strings: 4, Instructions: 1243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\ssq, xrefs: 0136E208
(osq, xrefs: 0136E1E3
Hwq, xrefs: 0136E3BA
;sq, xrefs: 0136E375

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (osq$Hwq$\ssq$;sq
API String ID: 0-3095602133
Opcode ID: 3b7c1f47f8c330177e64ba9e9d2f48d4f6fe45766998669dd96fce7700f302cb
Instruction ID: de9e128a394d68a30b9b1fa04a73a7c0498c60a37f6ce9950644bb32fe9a84f1
Opcode Fuzzy Hash: 3b7c1f47f8c330177e64ba9e9d2f48d4f6fe45766998669dd96fce7700f302cb
Instruction Fuzzy Hash: A481D236F002258FCB14EBAED8904ADFBE6BFC8214B598579D919E7394DA319C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EF7400 Relevance: 2.0, Strings: 1, Instructions: 792COMMON

Download Yara Rule

Strings

Hwq, xrefs: 02EF74EA

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hwq
API String ID: 0-933684408
Opcode ID: 7999a3b5a1cf4af4901d90797bbab0a3014957af5d6d9f785206721c7692b1c8
Instruction ID: cd62a325fbb6d2804b24897a0d3f30b1da54991d3113406fd8e44836923ba264
Opcode Fuzzy Hash: 7999a3b5a1cf4af4901d90797bbab0a3014957af5d6d9f785206721c7692b1c8
Instruction Fuzzy Hash: 5C627775A00A068FCB54CF58C880AAEFBB2FF88314F55DA69D51A9B655D730FC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EF95D8 Relevance: 1.8, Strings: 1, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4y j, xrefs: 02EF9909

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4y j
API String ID: 0-1036931025
Opcode ID: 3c7bcd216b9f57b4b746c8caf76d48988c58beaca93f765358f5c1fb9006d13b
Instruction ID: 847cab5c8d1756cda3a7014951e1d638df9b02e3a12669abe36670866642fad5
Opcode Fuzzy Hash: 3c7bcd216b9f57b4b746c8caf76d48988c58beaca93f765358f5c1fb9006d13b
Instruction Fuzzy Hash: AD716932F412354FC75CDB7D88502ADBBA2ABC421430B957ADD96EB3A2EA648D04C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01369B00 Relevance: 1.7, Strings: 1, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/7,q, xrefs: 01369CBD

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: /7,q
API String ID: 0-3858938213
Opcode ID: 187c98319fdcc5384e3f9ee8d1ecf084f4f846df700454bf84103dd4515beb55
Instruction ID: b7ca0b796f9fe2935995a5848c1f4d64e46d755eed91fdbf473c1c20b99268e0
Opcode Fuzzy Hash: 187c98319fdcc5384e3f9ee8d1ecf084f4f846df700454bf84103dd4515beb55
Instruction Fuzzy Hash: FBE19D71B043098FDB18DFB9D8D4A9DBBF6BF88208B658129E509EB355DB70AC45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02EF60DD Relevance: 1.6, APIs: 1, Instructions: 80
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 02EF6183

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2f6375db9059013267ff20764ee7999f12f43ec1f20c0d70201506a30cb06e44
Instruction ID: f985f6aff9942f83316df2a45e93253303fa7a93fa21a8fe0d43287d5fd479d8
Opcode Fuzzy Hash: 2f6375db9059013267ff20764ee7999f12f43ec1f20c0d70201506a30cb06e44
Instruction Fuzzy Hash: 822135B1D003499FCB10CFAAC881ADEFBF5FF48320F14842AE519A7210C779A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EF5C20 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02EF5CA9

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d8bad3d928cf4a3e62a957e7d6d45cceda5188c6a618dfd6244bb31421f2eb0e
Instruction ID: 57203cb116452d453e1c10f80bc86eed7de24db5ad81733e8517b5e0bf344173
Opcode Fuzzy Hash: d8bad3d928cf4a3e62a957e7d6d45cceda5188c6a618dfd6244bb31421f2eb0e
Instruction Fuzzy Hash: D721D2B1D013499FCB10DFAAD985ADEFBF5FF48324F24842AE519A7250C775A900CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EF5C1F Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02EF5CA9

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ab789b9c431c794b7d34db97f2c87fcdbd11844b9c2f300ff34276f33f0469b0
Instruction ID: 0185b574b1af32648db099cbc6ec6c2155ad8606ce8d36dba180635f5f438460
Opcode Fuzzy Hash: ab789b9c431c794b7d34db97f2c87fcdbd11844b9c2f300ff34276f33f0469b0
Instruction Fuzzy Hash: 7D21D4B1D013499FCB10CFAAD985ADEFBF5FF98314F24842AE519A7250C7759901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF6100 Relevance: 1.6, APIs: 1, Instructions: 61
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 02EF6183

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c118af1592d48d451ca74b1be52333fc10adb571991be9eed2a63ea75e6edfe5
Instruction ID: 3812f55458b97bc18943f3a16bd4162e3150c795d062207e2e67a911736f886b
Opcode Fuzzy Hash: c118af1592d48d451ca74b1be52333fc10adb571991be9eed2a63ea75e6edfe5
Instruction Fuzzy Hash: 4521F5B5D002499FCB10DFAAC885ADEFBF5FF48324F10841AE519A7210C775A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF9900 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

4y j, xrefs: 02EF9909

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4y j
API String ID: 0-1036931025
Opcode ID: 1706767f27dacf225afee5377bec8d83c4bbfcbbdf6e61038185bdcd09cb5dec
Instruction ID: aaacd2012313d9e8a1f53ae39b85d5ef65592d5835672e3f73418afd4b701cc7
Opcode Fuzzy Hash: 1706767f27dacf225afee5377bec8d83c4bbfcbbdf6e61038185bdcd09cb5dec
Instruction Fuzzy Hash: D1613633F502394B87ACDABD885426EB6E3ABC4244707943ADD56FB3A5EB60DD0487D0

Uniqueness

Uniqueness Score: -1.00%

Function 01369218 Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4721537e24891ef5f48f9b197402b49a6fadb32ce844dc273fb6d287b590c7cc
Instruction ID: 3661ea91dd8cda7a9de2781a11dbf94f37e1c442cb0cfa4c5b8b4368f49e07a6
Opcode Fuzzy Hash: 4721537e24891ef5f48f9b197402b49a6fadb32ce844dc273fb6d287b590c7cc
Instruction Fuzzy Hash: 9E325B75E0071A8FCB18CFA8C8916AEBBF2BF88314F14852AD515B7254DB74AD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136B6B8 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816676ae119510e6aa10dc1d75dd1bb126e0569b93af1bc7915b75a62f4710c6
Instruction ID: be0061dcc58d293d9c6481101e1853e3e91c4242a37b430788b47a600920596f
Opcode Fuzzy Hash: 816676ae119510e6aa10dc1d75dd1bb126e0569b93af1bc7915b75a62f4710c6
Instruction Fuzzy Hash: 8CC19339B105258FC719EB6CC8A852DB7EAFF8D6593098468E907DB36DDE20DC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 02EF2DB0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8beb4be93922ca3878959bc9f753f090e20da735e55a8cb3020f07d606a062c3
Instruction ID: be9993c27b585437f8a7cd9d1576a1a59930759abb5dd5d30dfd3edc95e78a03
Opcode Fuzzy Hash: 8beb4be93922ca3878959bc9f753f090e20da735e55a8cb3020f07d606a062c3
Instruction Fuzzy Hash: EFB16D75E10219CFCB54DFA9C894A9DB7B2BF88304F65C1A9D909EB354DB31AD41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0136920A Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ec6f65edffabd63bb903edce215ff45fe8a3efdc7d4b81d69676ad2d031702
Instruction ID: ae8735f051455b973ca015b770f03e1231bd7fb19b8cc843226269166a176fe9
Opcode Fuzzy Hash: 19ec6f65edffabd63bb903edce215ff45fe8a3efdc7d4b81d69676ad2d031702
Instruction Fuzzy Hash: EAC1EAB4E0020A8FCB58CFA8D4925AEBBF2FF88314F64812AD605E7354D7349985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136C228 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e13f84f1230cab2d9f7848719d18f5da4eec797576b76f697a7690b1c77b86f
Instruction ID: 5add2122f7104bd675e1f875970db83bf16b2f4aab1b1225a765404cfdc6f9d2
Opcode Fuzzy Hash: 0e13f84f1230cab2d9f7848719d18f5da4eec797576b76f697a7690b1c77b86f
Instruction Fuzzy Hash: 77713726F101258BDF299AAD489402EA5DB7BD822834AD43ADD4AEB34DDE64CC0543C1

Uniqueness

Uniqueness Score: -1.00%

Function 02EF9E9A Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2341b7e1e4c380fe4e7902938d6ec907ece8f47ea4e10b117c0ce927711b988f
Instruction ID: 7cfa88aaf93bfabf77998f5126ff45412068c436bb2c1071afcf29cc447f7568
Opcode Fuzzy Hash: 2341b7e1e4c380fe4e7902938d6ec907ece8f47ea4e10b117c0ce927711b988f
Instruction Fuzzy Hash: 1C91D272E043598FCB51CFA9C8806AEBBF1AB49314F06816AD858EB351D7789C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EF9BF8 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251c366b237cb4e343e93ee6ff5ce2ea053ba3838b78f88be6926bf7fd4fb417
Instruction ID: 1b15332787a754fe9375ec7516c0fc4e9fc5447e72ecdc2ebcdccf336530929d
Opcode Fuzzy Hash: 251c366b237cb4e343e93ee6ff5ce2ea053ba3838b78f88be6926bf7fd4fb417
Instruction Fuzzy Hash: 5951F372E042294FCB15DF68C8505ADBBF2AF8831071A46AAD855FB351DA349D45CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF2DA0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517d223a25accd44b856d092dad746d41e22a7b7650f48da1c910528cf23424f
Instruction ID: 74807dc1b833a1426a87c42114bfacd0102dd347c3ddfcf9d0a8ddbae2448481
Opcode Fuzzy Hash: 517d223a25accd44b856d092dad746d41e22a7b7650f48da1c910528cf23424f
Instruction Fuzzy Hash: E3518C71E402598FCB58CFA9C84069DB7B2BF89304F21C1AAE909EB354EB319D41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01369010 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e34d4b149fe4910d697a7c1ccde8bc4ccdbb71e101c5767ac5fc22fadad0a9
Instruction ID: c5ea6ac454750df0aa4832082eec645ae994f73bf9d48c6e8c300abae5dc2df1
Opcode Fuzzy Hash: 72e34d4b149fe4910d697a7c1ccde8bc4ccdbb71e101c5767ac5fc22fadad0a9
Instruction Fuzzy Hash: 98512577F106398FDB58CEAEC8411AAF7F6AB98324B06816AD949F7344D6349D05CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01369020 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c459886ffcfd39070c8b4a744c4e3e53c88134c6aa152d55cb2c6cf619d3f4
Instruction ID: 9e45ef204ed48db2cf39e217f791e512a079ba4243313ecb4cfcb67f9057a0cd
Opcode Fuzzy Hash: d4c459886ffcfd39070c8b4a744c4e3e53c88134c6aa152d55cb2c6cf619d3f4
Instruction Fuzzy Hash: EF412573F105398BDB18CE9EC8411AAF7FA9BD8224B06816AD909F7744D6309D05CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0136DBD0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a162c76ace4f785b93cc68ebe31556cdd7c79e511719f62a65293fe34491ffa
Instruction ID: 78c237f0492d009d700d086ab6781b959c7f38a2fd57bab0d036435f1fcb23ee
Opcode Fuzzy Hash: 2a162c76ace4f785b93cc68ebe31556cdd7c79e511719f62a65293fe34491ffa
Instruction Fuzzy Hash: C6312872F106294FC758DFADD8945AAFBF6BF88614305816DD949EB328DA709D04CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE95218 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CE9525F
___scrt_uninitialize_crt.LIBCMT ref: 6CE95279

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: cbb12c5f762c8426d7c52c765027db93e1bee94ae4d16ac17d05e4f65907f5ef
Instruction ID: 5796f70f4d312831da2f3777a8c8f5e44c23739e3ef07fec430d92a8341156e2
Opcode Fuzzy Hash: cbb12c5f762c8426d7c52c765027db93e1bee94ae4d16ac17d05e4f65907f5ef
Instruction Fuzzy Hash: B941D172E07618AFCB20CF55C840BAE7B75EB46B5EF31431AE82457B44C7B049458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE952C8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CE95305
dllmain_crt_dispatch.LIBCMT ref: 6CE9531C
dllmain_raw.LIBCMT ref: 6CE95364
dllmain_crt_dispatch.LIBCMT ref: 6CE95377
dllmain_raw.LIBCMT ref: 6CE9538A

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: e27acd46e83ef14273d1cc88d978a0f42e026ea0f70bdc991072e25ec6387353
Instruction ID: 8bb29c9caa5d0f22ecd32ade13b2bd00d1e22845de221dc58e010f2d8e470d30
Opcode Fuzzy Hash: e27acd46e83ef14273d1cc88d978a0f42e026ea0f70bdc991072e25ec6387353
Instruction Fuzzy Hash: E6217172D07659ABCB218F55CC40AAF3B79EB86A9EB314319FC1557B14D3B08D418BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0136AB50 Relevance: 3.8, Strings: 3, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\;sq, xrefs: 0136AC0A
\;sq, xrefs: 0136ABFA
BC9, xrefs: 0136AC7D

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BC9$\;sq$\;sq
API String ID: 0-2583880813
Opcode ID: 92acf8b65f071ebf32fc4fb79c8728d874672b035c1c355ea3047251329f45c3
Instruction ID: 27ae9870d77f4516557b97e5970bd5df82032a135503e9434a1b4510fa95e231
Opcode Fuzzy Hash: 92acf8b65f071ebf32fc4fb79c8728d874672b035c1c355ea3047251329f45c3
Instruction Fuzzy Hash: 0931C776F002288BDF15DB68C554BEEBBFAAB48308F158069D901F7398CE749C44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE95111 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CE9515E

Part of subcall function 6CE955DB: InitializeSListHead.KERNEL32(6CF64430,6CE95168,6CEA6450,00000010,6CE950F9,?,?,?,6CE95321,?,00000001,?,?,00000001,?,6CEA6498), ref: 6CE955E0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CE951C8

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 744f3a4c2562657e07cb7f2e91404c7e271fd2e7f84c6ea3158f6eef53948433
Instruction ID: 5988462e973bfd0ef339b8bd4709edc4c33babf7a3a9d4ea93fb02094befc442
Opcode Fuzzy Hash: 744f3a4c2562657e07cb7f2e91404c7e271fd2e7f84c6ea3158f6eef53948433
Instruction Fuzzy Hash: CD21AE3764B740AEEB10ABF598117DD3B719B1666FF30071DD8512BF82CB214189C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9B73C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CE9B788
GetFileType.KERNELBASE(00000000), ref: 6CE9B79A

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 7a9caaaf020d4138e58cc6c72f9aff75542273e93d0b5d3519d39c196fe24417
Instruction ID: 947d98233617beb3d63c1c23b0c9abb5ea5af1404710742ed177ce2c9988df50
Opcode Fuzzy Hash: 7a9caaaf020d4138e58cc6c72f9aff75542273e93d0b5d3519d39c196fe24417
Instruction Fuzzy Hash: FC119371E047518ADB314E3E8CC87227AB5AB9727DB35271DD0B696FF1C230D5868681

Uniqueness

Uniqueness Score: -1.00%

Function 02EF4AE8 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000), ref: 02EF4B58

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: db18219eca8f27a1c35e34ab6463b236690786d5d19e4b542aecb0f12ff53c71
Instruction ID: e48e9dc0a3ee03d7f5cddfbabf89dd361926ede1ca1dc4f1df5d9fdb99cf9e25
Opcode Fuzzy Hash: db18219eca8f27a1c35e34ab6463b236690786d5d19e4b542aecb0f12ff53c71
Instruction Fuzzy Hash: FC1112B5D0061A9BCB10CF9AD945B9EFBF8FB48324F14815AE919B7340C774A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02EF4AE7 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000), ref: 02EF4B58

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ebf703dafa5b535678d43f0bd6158024058df0d65442f714b59c9e88b82640b
Instruction ID: 3ae5c106acf46a43cbbf1af73603e4b51514020a044644ecb6952b821c987fdc
Opcode Fuzzy Hash: 2ebf703dafa5b535678d43f0bd6158024058df0d65442f714b59c9e88b82640b
Instruction Fuzzy Hash: 6A1103B5D006199BCB14CF9AD545A9EFBF4FB88324F14815AD919B7240C374A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF95BC Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00000000,-B7E9DCA0,-B4F9E68F,?,02EF9BC2), ref: 02EFA357

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 167cf665dff0b7ccb473e53f682d1e0254043cde4d27a16e25d569451b61e0c6
Instruction ID: 2f90a2cfb36272f425085c1d6b419dfd9a4d3d87f3f67e600276303bed1c8bb9
Opcode Fuzzy Hash: 167cf665dff0b7ccb473e53f682d1e0254043cde4d27a16e25d569451b61e0c6
Instruction Fuzzy Hash: AD1146B58006498FDB10DF9AC445BDEBBF4EB48324F24846AD528A7340C779A940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA2F1 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00000000,-B7E9DCA0,-B4F9E68F,?,02EF9BC2), ref: 02EFA357

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e9642649d0e666d90ff956fcdc3e5c2bc2ec252221a35a572c60eee0ded2a9e7
Instruction ID: b1b7120472f52c3ddb6bd8cbfb113808923258c66398122ccb0a48ce8471d628
Opcode Fuzzy Hash: e9642649d0e666d90ff956fcdc3e5c2bc2ec252221a35a572c60eee0ded2a9e7
Instruction Fuzzy Hash: EA1146B5800249CFDB10DFAAC585BEEBBF4EF88324F24846AD519A7340C779A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0136C7F0 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

Hwq, xrefs: 0136C821

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hwq
API String ID: 0-933684408
Opcode ID: 983d7e75acba2308fb7d712b83972034e11cacd7b80f0e0f6eada39e2204a817
Instruction ID: c124eefee8197affbc064320656f66b53d80ceecb38ef1a6dff5aadecf1bc32b
Opcode Fuzzy Hash: 983d7e75acba2308fb7d712b83972034e11cacd7b80f0e0f6eada39e2204a817
Instruction Fuzzy Hash: 18414732B101320FCB5A67BD642007D6ADBEBC9679349857BE50EE7384CE254C1A03D5

Uniqueness

Uniqueness Score: -1.00%

Function 0136DA90 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

NR32, xrefs: 0136DA9B

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: NR32
API String ID: 0-151731836
Opcode ID: 6b279108bb6102e33cafecec7d0b3f8ea9cfbbe319d4cb9de5c2ade7b92fedc7
Instruction ID: c0d06624e277220bfec7036b4683d072d2ebef78c2771031bcedc1f375a27375
Opcode Fuzzy Hash: 6b279108bb6102e33cafecec7d0b3f8ea9cfbbe319d4cb9de5c2ade7b92fedc7
Instruction Fuzzy Hash: 6831C232B042658FC718DE6DD89055ABBBABFC521471A85BAD819EB259DB30EC02C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01368CD0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7de7aab8dae92ec56c4232dc537d002d75ecf631be47cb39b49a88a5ca7740
Instruction ID: 81669b0418c7ede9d518e9b0671bab9391c47375283fc9292f841f1727dcf2ac
Opcode Fuzzy Hash: 5f7de7aab8dae92ec56c4232dc537d002d75ecf631be47cb39b49a88a5ca7740
Instruction Fuzzy Hash: 0A414C75B00319CFCB18CFA8C49499DBBF6BF8D314B1581A9E805AB355DB71AC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01368DBC Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc73dc95385950ace0a4773bca8483a79942fde2a9a8d9919fe83e36c660584a
Instruction ID: 903609b125c80738d999f2589530ce416f6badb909786d47140488faf52395ed
Opcode Fuzzy Hash: fc73dc95385950ace0a4773bca8483a79942fde2a9a8d9919fe83e36c660584a
Instruction Fuzzy Hash: B5415D75A4030ACFCB18CFA8D88099DBBF6BF98314B1581A9E405AB315DB71D842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01368CBF Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598a658f9d9d8a23dc0127ad43bca8a3afbbf731f8e70a7f09851f9d627d5555
Instruction ID: 194cac5b490be851e663e2dcb9c3810c0c44dc8190162ee635407be0df1d8b4e
Opcode Fuzzy Hash: 598a658f9d9d8a23dc0127ad43bca8a3afbbf731f8e70a7f09851f9d627d5555
Instruction Fuzzy Hash: 34417B71B00315CFCB19CFA8D49459DBBF6BF89318B1581AAE809EB755DB719C42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0136C038 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae024d5314499fa5235c0a2d39ea1c8bdb1ac4ace0ff2a345a5439ab6c446d7
Instruction ID: aeaa6433ad4d722bc94b937ed9cef7118b6e418e1788f2ddeaa8bb28ca788a82
Opcode Fuzzy Hash: 8ae024d5314499fa5235c0a2d39ea1c8bdb1ac4ace0ff2a345a5439ab6c446d7
Instruction Fuzzy Hash: 07418D75A00216CFCB14DF79C8949AEBBBAFF89304B518069D819EB364DB31DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136C048 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36796632b9699c26db3fc176aa75a93421192cfde64fbba5350caed37aba873f
Instruction ID: 5c1b04f3869194cf480d2b27eee74da53c85d42cacb3eedbde422bd648d61308
Opcode Fuzzy Hash: 36796632b9699c26db3fc176aa75a93421192cfde64fbba5350caed37aba873f
Instruction Fuzzy Hash: A3415975A00116CFCB14DF69C89496EBBBAFF89308B518069D91AEB364DB31EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136E0C1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7a9c2db651fc3bf79686659810816aaf1fe8c0fc497d1e85d32c4e26f02316
Instruction ID: 8b464d2293280ae494aec92c62d5cfdb7ce523232d3b39583e8ab6d2c63b2743
Opcode Fuzzy Hash: de7a9c2db651fc3bf79686659810816aaf1fe8c0fc497d1e85d32c4e26f02316
Instruction Fuzzy Hash: 7231E436F002298FC714DFBDC89049DBBF6BB89214B4984BDE805EB3A5DA319C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136DB20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebe3ed7dc68f3e757d4f5a3c6d2c211c7685f1f731f433ffa3f1aa56b9f9454
Instruction ID: d27468053fcd36b5f1665a36e09f500e0f3c3c934d3be0e53b9a79d8f5a44f93
Opcode Fuzzy Hash: aebe3ed7dc68f3e757d4f5a3c6d2c211c7685f1f731f433ffa3f1aa56b9f9454
Instruction Fuzzy Hash: DE11CE31F002298FD718DA7EC85095AF7AABF89218715857AE84AEB348EB35DC01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0136DB30 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2a68ee09a4629d824cd9294522bce88477a3fbe9a487d7276c13e6f267b316
Instruction ID: f41645de2876bdcab81bea97add661bc0d1a1fdfbf9f83bc9dfc7de2e5a95346
Opcode Fuzzy Hash: 9d2a68ee09a4629d824cd9294522bce88477a3fbe9a487d7276c13e6f267b316
Instruction Fuzzy Hash: 70118E31F002299FD718DA6ED85095AF7AABBC82187158579D819E7308DB719C01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0136D9DF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41aa6fd4d775b004df3e19a4b91ca5e12370ce7572bf9a266739494d3839eb7f
Instruction ID: a7c2b8f0889b3d07c1a812b8c4e5d79e981d31c89479990d53ad221b9224d89b
Opcode Fuzzy Hash: 41aa6fd4d775b004df3e19a4b91ca5e12370ce7572bf9a266739494d3839eb7f
Instruction Fuzzy Hash: 4911A036B052148FC7159F78C84146ABBA6EF9A22431940B9E805EF395D635EC01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0136ADF1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a849b38320dba6183ee362f571454d543bc442e27c774eb9a60e5a0d312d9f6
Instruction ID: 1f2ee1fd0891dd60b01a24a7cc47d1aba810bdc1a41a8afb980b9bc689d38e8f
Opcode Fuzzy Hash: 1a849b38320dba6183ee362f571454d543bc442e27c774eb9a60e5a0d312d9f6
Instruction Fuzzy Hash: C6016D32610220CFC3449F78D89495977F9EF8A22431640B9E409DF371DB368C46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136D9F0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47538e18bc413eaae278f46117a66f37a8fc494a96198f6ebccaf5233202d784
Instruction ID: a76ba405422c63ce3dd3dcf068c770776b6b863c8e3bccba19263868b672768e
Opcode Fuzzy Hash: 47538e18bc413eaae278f46117a66f37a8fc494a96198f6ebccaf5233202d784
Instruction Fuzzy Hash: 45019236B102248F8B18DF6DD84545EB7A6ABD922531981B9EC09EF354D635EC01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0136CDD8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b04df67584fe4f2e19a8c37be240852a4249f5e7fa3d427bcc389b40eb8722
Instruction ID: c3dee76ef7985fa149c6d2e846c7127b90d30f06ac9d02eb101965950ea20eb3
Opcode Fuzzy Hash: 82b04df67584fe4f2e19a8c37be240852a4249f5e7fa3d427bcc389b40eb8722
Instruction Fuzzy Hash: 1301D472B003248FC7449F6CD84449A73F5EF8922435644BDE805EB362D635CC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136C1A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42f0e88f6d37d01b5bfccbba799a6cab8694ba7cc1aaa4c3bf593125ec0a7c4
Instruction ID: 1552f6efe6bb3b9dced450729efa9d9f8d9622e51a49a92d0d930f9d84369490
Opcode Fuzzy Hash: e42f0e88f6d37d01b5bfccbba799a6cab8694ba7cc1aaa4c3bf593125ec0a7c4
Instruction Fuzzy Hash: BD01F271A0E3A95FD312173A482465A7FAA6FC3254B1A04BBCD81DB293DA149C09C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0136A23A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ea8220d10b5c5632cc240cc469e3bfc40d9d50d64cdb358774ea8978c70f26
Instruction ID: cad1c22bfcc9d8ae376b5306808b5bbdbbbf53a41eb1e3261dec435e8fd83506
Opcode Fuzzy Hash: 64ea8220d10b5c5632cc240cc469e3bfc40d9d50d64cdb358774ea8978c70f26
Instruction Fuzzy Hash: AC011770501306CFC729DF74D8408AABBB6FF87319750497DE056972A4DB36A846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0136CDE8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a7b2f4ea7e356b1d3dd87b78a52f7ce4f145a7429f7750ddbc892c3f0cc5a5
Instruction ID: f9339f09ba697d8c3f350ef03ab02060a98b91e4c8a8043139070ade9ce408aa
Opcode Fuzzy Hash: b0a7b2f4ea7e356b1d3dd87b78a52f7ce4f145a7429f7750ddbc892c3f0cc5a5
Instruction Fuzzy Hash: BBF0AF73B012298FC7049B6CD84485AB3EAEB8922839644BDE909EB361CA35DC01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0136AE00 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711412f71495f4695175baddfbc7a9595e6593ea09228305645f30b1bc38116a
Instruction ID: 6cfefea7ad916c97bd8b206445eb5fd70f5c007ad4713a5420ca61dc2c184b89
Opcode Fuzzy Hash: 711412f71495f4695175baddfbc7a9595e6593ea09228305645f30b1bc38116a
Instruction Fuzzy Hash: 51012C327106208FC754DB79D89495AB7E9EF8962935640B9E909DB375CB32DC40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136A248 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbaef1023e77c4b5c650bd9841bd0657370f1a426e32dfe68fdf5d0da1cd63ee
Instruction ID: 9d20bdc382d8c3c2b37132e36317c73acfaf5dfa415eae8c556cc494f818e925
Opcode Fuzzy Hash: dbaef1023e77c4b5c650bd9841bd0657370f1a426e32dfe68fdf5d0da1cd63ee
Instruction Fuzzy Hash: 4F011630601306DFC738EF79D84099AB7BAFF86219750496CE05697394DB32A805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0136BCC2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c1fbdfcd20b43f61e6f54bce004084f494b7ec0d7ffb458be0e330ecd35df4
Instruction ID: a2d17bc3c4818eaf64ed0eb906fbc69b52f6a084575c107ddb161a5ce1cb262f
Opcode Fuzzy Hash: 65c1fbdfcd20b43f61e6f54bce004084f494b7ec0d7ffb458be0e330ecd35df4
Instruction Fuzzy Hash: 51F0C2367043119FC3299B3AA81041FB7FBEBC212831684BEC006DB3A8CA715C46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0136BCD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3d6b6047ef64d0a1c673eaf5f7c156cafdb2854d1f597ed903bf3324ef001b
Instruction ID: 6c6092303d49380511fe7c8733d400ce6d40b28637f3f5896f4d32bd8f347b50
Opcode Fuzzy Hash: 5c3d6b6047ef64d0a1c673eaf5f7c156cafdb2854d1f597ed903bf3324ef001b
Instruction Fuzzy Hash: B2F089367043155BC728AB7EA41041FB7EFEBD511C315C56DD10A97398CD715C468B85

Uniqueness

Uniqueness Score: -1.00%

Function 0136C7E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564fe51c3f6fbbf1317b47956a614c7e90c4fa84c7020ea223ee5947caf38ea0
Instruction ID: afd7f141705f2b2952395cad8a070a3c79be5d8797f810756b049938065ff5d9
Opcode Fuzzy Hash: 564fe51c3f6fbbf1317b47956a614c7e90c4fa84c7020ea223ee5947caf38ea0
Instruction Fuzzy Hash: 82E0D8311007012FC325963DEC5085A7B69DEC6628314C979E559CB628EE64AC4A83C1

Uniqueness

Uniqueness Score: -1.00%

Function 01360838 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc16f7e9b12d8adfc1886fd04576cb4ebbc5867fab8d09cace35509a2e49d25
Instruction ID: 58ba2c4deb80839fc943460db11d16308e78f4cff8e4ddedb07d791fd9987724
Opcode Fuzzy Hash: 4fc16f7e9b12d8adfc1886fd04576cb4ebbc5867fab8d09cace35509a2e49d25
Instruction Fuzzy Hash: ECE09230A06308EFC705CFB0D91555D7BB9EF87214B5141FAD405DB191EA301E01DB51

Uniqueness

Uniqueness Score: -1.00%

Function 01360848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a81920c925cf605781e7e22adcd556dbe104a5575d1f9d0587cd79e5c23421b
Instruction ID: 253c505103ea1f37f7f69b4936ea49e015e12fec767b9f890361cfa92143e671
Opcode Fuzzy Hash: 2a81920c925cf605781e7e22adcd556dbe104a5575d1f9d0587cd79e5c23421b
Instruction Fuzzy Hash: 61D01270E01208EFC704DFA4D95565DB7BAEB8A215B504499D405DB244DA711E009B91

Uniqueness

Uniqueness Score: -1.00%

Function 0136CE80 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4342d6f03f43ae7f3e6007e62da7603825d4d3a85c1d14f9d97edc2ba90219
Instruction ID: 5e857e98fd870dee48fb7e7399b369d79a8fc4d9fdc682a7c9e1903498d239a7
Opcode Fuzzy Hash: 2b4342d6f03f43ae7f3e6007e62da7603825d4d3a85c1d14f9d97edc2ba90219
Instruction Fuzzy Hash: 8DE0E238245640DFC385CB28C4988907BE0AF1A22431A90EAE009CB333C236DC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0136CE90 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1143f55756a09f5e70747524647b931d80b85b55b08b2b6466ecce1d0ca0bae7
Instruction ID: ead2ebb3c6689187c3695b260a175d416fcd5ecf75964e7462b05f19424d0145
Opcode Fuzzy Hash: 1143f55756a09f5e70747524647b931d80b85b55b08b2b6466ecce1d0ca0bae7
Instruction Fuzzy Hash: D3C001382542088F8344DB59E889C51BBE9EF88A2535A80A9E90D8B732CA31FC40CA84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6CE91220 Relevance: 30.4, APIs: 13, Strings: 4, Instructions: 673COMMON

Download Yara Rule

Strings

c:\windows\system32\ntdll.dll, xrefs: 6CE9153E
@, xrefs: 6CE91C4E
ntdll.dll, xrefs: 6CE914FF
.text, xrefs: 6CE91877

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: .text$@$c:\windows\system32\ntdll.dll$ntdll.dll
API String ID: 0-830164916
Opcode ID: 750dd6d331d7d5c9cbb46e7a985d47fa1c38b76f44c1e0ac361379545687433b
Instruction ID: cb498a968c0920f6af460269999f43501f31eff98d1907719d9fa7eaa76607d1
Opcode Fuzzy Hash: 750dd6d331d7d5c9cbb46e7a985d47fa1c38b76f44c1e0ac361379545687433b
Instruction Fuzzy Hash: C342AAB5A04219CFDB08CFBCCA9439EBBF6BB46354F208619E415EB754E739D8099B01

Uniqueness

Uniqueness Score: -1.00%

Function 6CE958FA Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CE95906
IsDebuggerPresent.KERNEL32 ref: 6CE959D2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CE959EB
UnhandledExceptionFilter.KERNEL32(?), ref: 6CE959F5

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 6c5d4242f00a6b45c08ab9c7520ad8d226e5cca15d2528e71dfcc4b885aaf2f3
Instruction ID: 52c88f1900b9147feac14a9b0395e75ee5daa5bf0523c7cb41dd1fb8925b9278
Opcode Fuzzy Hash: 6c5d4242f00a6b45c08ab9c7520ad8d226e5cca15d2528e71dfcc4b885aaf2f3
Instruction Fuzzy Hash: 8B31F8B5D02318DBDF10DFA5D9897CDBBB8AF08305F2041AAE40DAB240EB749A849F45

Uniqueness

Uniqueness Score: -1.00%

Function 6CE99897 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CE9998F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CE99999
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CE999A6

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6612d62fb84e758bb8424fcae77dbdaadbc8d4f241819a8198b1a3100a324652
Instruction ID: 0e82e1792c7dceb17877bbcb41e1e8b3d905b835a3aa33038fe6d865cdf82cd4
Opcode Fuzzy Hash: 6612d62fb84e758bb8424fcae77dbdaadbc8d4f241819a8198b1a3100a324652
Instruction Fuzzy Hash: C531C5749122189BCB21DF65D889BCDBBB8BF08314F6052EAE41CA7250E7709F858F54

Uniqueness

Uniqueness Score: -1.00%

Function 6CE94810 Relevance: 4.4, Strings: 3, Instructions: 618COMMONLIBRARYCODE

Download Yara Rule

Strings

KydD, xrefs: 6CE95080
KydD, xrefs: 6CE94DB9
&e, xrefs: 6CE94C93

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: KydD$KydD$&e
API String ID: 0-189371891
Opcode ID: fbc43cf09394532b0b57af62b9ecd18249390628c8721293193575468ac2ddbf
Instruction ID: 40774157fa5e848cb2af4b67bfb599d4a73ce867a1ecddb7eaab254c0ec17b79
Opcode Fuzzy Hash: fbc43cf09394532b0b57af62b9ecd18249390628c8721293193575468ac2ddbf
Instruction Fuzzy Hash: FF221636E415058FCF09CEBCD5A53DD7BF2AB47315F20961AE432EB7A4C62A88068F54

Uniqueness

Uniqueness Score: -1.00%

Function 02EF8AB0 Relevance: 2.8, Strings: 2, Instructions: 320COMMON

Download Yara Rule

Strings

Hwq, xrefs: 02EF8E65
Hwq, xrefs: 02EF8E4A

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hwq$Hwq
API String ID: 0-741242263
Opcode ID: cb542143d7a28628fb2e5d45bd3d5018f22a7a6fe79239a94364d56b33a630f0
Instruction ID: 6fd50bc41f0e1f1c5b08be8fb939e2a94c69e234af48fbbc49fba389ded7048b
Opcode Fuzzy Hash: cb542143d7a28628fb2e5d45bd3d5018f22a7a6fe79239a94364d56b33a630f0
Instruction Fuzzy Hash: 91B1C37AF501258FCF48DB7888905AEB7B6AFC8214709D06ADD05F7355DA389C06C790

Uniqueness

Uniqueness Score: -1.00%

Function 02EF3CE0 Relevance: 2.7, Strings: 2, Instructions: 223COMMON

Download Yara Rule

Strings

Hwq, xrefs: 02EF3E9D
Hwq, xrefs: 02EF3D49

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hwq$Hwq
API String ID: 0-741242263
Opcode ID: dae278b339a75ae423ad4be0e80475d92622b5de8d3f3705ae5f2859fe3ee228
Instruction ID: 33c3b574228e07f4a1b8ee100a3fbd710c9916452cdf1ae4434f10123cafcda6
Opcode Fuzzy Hash: dae278b339a75ae423ad4be0e80475d92622b5de8d3f3705ae5f2859fe3ee228
Instruction Fuzzy Hash: CF615632B043658FC7599B3DD85009DBBE2EFC622871681AEE905DB751DB349C06C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 02EF4F00 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

Hwq, xrefs: 02EF4F4C
;sq, xrefs: 02EF4F21

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hwq$;sq
API String ID: 0-1006236087
Opcode ID: ff7efad86233d062dcc72454e10873d3ef3d7d919d6e26e745a5dc10bd5b0664
Instruction ID: 26705f7435e344003fcce1506823c720f89cf582624d727bab812683ff295708
Opcode Fuzzy Hash: ff7efad86233d062dcc72454e10873d3ef3d7d919d6e26e745a5dc10bd5b0664
Instruction Fuzzy Hash: 24512636F002258FCB58DB6DC85056EB7A6AFC4214B56D1AADD09EB390DB31DC41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CEA04E5 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CEA04E0,?,?,00000008,?,?,6CEA00E3,00000000), ref: 6CEA0712

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1d4a3dbf089116dc4467b088f96a0c95beb38844dc4993d48821b703286b7363
Instruction ID: c791a43cf8590941f2374d92f09d547cea0c0cb666a4b8ecfb09e5ddca888681
Opcode Fuzzy Hash: 1d4a3dbf089116dc4467b088f96a0c95beb38844dc4993d48821b703286b7363
Instruction Fuzzy Hash: D0B126316106489FD715CF68C486B957BF0FF45368F358698E8AACF6A1C335E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6CE95AB8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CE95ACE

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 76afe76bf0b47e46378fb58294dd694564a43f0c5f1a2907a821178e9ca72ed8
Instruction ID: 85486b04b48b8199529cc3d89d35760506030bb8aa5f462a25e3529e7a37893e
Opcode Fuzzy Hash: 76afe76bf0b47e46378fb58294dd694564a43f0c5f1a2907a821178e9ca72ed8
Instruction Fuzzy Hash: 16516AB2E12205CFEB44CF66C4917AABBF0FB4A319F20866AD925EB740D3759901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CE99F48 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf089ee9aba91ba979ecc8d3365d5132f88d0cdedee0b35cd733b83e4db641bf
Instruction ID: c545d7ff137df7d1c36c786e092791058e7b7b4de6daf468a4f683a2433f39e2
Opcode Fuzzy Hash: bf089ee9aba91ba979ecc8d3365d5132f88d0cdedee0b35cd733b83e4db641bf
Instruction Fuzzy Hash: 0F418FB5D05218AEDB10DF69CC88AEABBB9AF45308F2442DDE45D93340DB359E848F60

Uniqueness

Uniqueness Score: -1.00%

Function 02EF54E8 Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

%l/W, xrefs: 02EF56D0

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %l/W
API String ID: 0-276188782
Opcode ID: 78415e86ba66d30066e2cfc1411c454767f036e3fbc3f950cc8bc3c34c6e54db
Instruction ID: 4da61f5c0c820375abbf1257d17c96c2dad3e295a82d7f1f2c11289a2e94d48d
Opcode Fuzzy Hash: 78415e86ba66d30066e2cfc1411c454767f036e3fbc3f950cc8bc3c34c6e54db
Instruction Fuzzy Hash: DBE14B72E115188FCB48CFA9CC8169DFBF3BFD8314F6A816AD119EB325DA3499058B50

Uniqueness

Uniqueness Score: -1.00%

Function 02EF3220 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

3, xrefs: 02EF334E

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: c8663d3ff897334e838a6a2e85cd8a050bcb67547e1855cb38674f928332ccb5
Instruction ID: f3d417b382d1e760447d7ae95e7125137746364bd3a1525bce22d0047237fa62
Opcode Fuzzy Hash: c8663d3ff897334e838a6a2e85cd8a050bcb67547e1855cb38674f928332ccb5
Instruction Fuzzy Hash: 41913575E04259AFCB48CFA9D88059EFBB2FF88314B14D5AAE525E7340D7349A52CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02EF6910 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

)[>7, xrefs: 02EF6A2C

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: )[>7
API String ID: 0-1710178443
Opcode ID: 850e107f724f8a2e2ebddbf115a44bc29659fb972e50ff3525d82946a67d9cae
Instruction ID: c6e60a1ba93cfbe660b406feb64c5a5321f5f630a3636a4003cd90784ae2574b
Opcode Fuzzy Hash: 850e107f724f8a2e2ebddbf115a44bc29659fb972e50ff3525d82946a67d9cae
Instruction Fuzzy Hash: A0514A73F552264BCB489BBC886016DF2D6BB9825431A957DCD2EFB392DA60DC09C3C1

Uniqueness

Uniqueness Score: -1.00%

Function 02EF6920 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

)[>7, xrefs: 02EF6A2C

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: )[>7
API String ID: 0-1710178443
Opcode ID: 30b2a29d107f010a80a1062f46ac933504b5576310095c75c7f1e3edb60e080f
Instruction ID: b361e43809cebd1eca38dcecd73252860915542f9f58b9749a41a3635ca85a1b
Opcode Fuzzy Hash: 30b2a29d107f010a80a1062f46ac933504b5576310095c75c7f1e3edb60e080f
Instruction Fuzzy Hash: 7A515A73F512214BCB48ABBC886016DE2D7BB9825431A957DCD2EFB392DA20DC08C3C1

Uniqueness

Uniqueness Score: -1.00%

Function 0136DD30 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

Hwq, xrefs: 0136DF04

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hwq
API String ID: 0-933684408
Opcode ID: 6d29102e02438998dc7149c16994d3d1751723fea2d58183d06de3b710c0677d
Instruction ID: 52b5bd3303c419a407b6e6744098e3831c69a59069fd88ba90f7ed7b1cb42b92
Opcode Fuzzy Hash: 6d29102e02438998dc7149c16994d3d1751723fea2d58183d06de3b710c0677d
Instruction Fuzzy Hash: 0851A336F002258FCB14DBADC85496DF7FABF9825471684A9E90AEB361DA31DC05CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0136DFD0 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

, xrefs: 0136E03A

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6df9155d93ba4d2c1948335fba6bf06d2e9dfb37e715c03cd9449729076249b0
Instruction ID: d0b5816996212680f6c57415710e008b0d47a9096ae375484d6d81007c8c10a8
Opcode Fuzzy Hash: 6df9155d93ba4d2c1948335fba6bf06d2e9dfb37e715c03cd9449729076249b0
Instruction Fuzzy Hash: 2521A075B101158FDB08DB7DC8916AEB7F6EFC8214B18857EE50AEB365CA34DC058780

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9B66B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE9B66B

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ed1981de20cc926aa472f1099a3cdfca3d67f7d0cd3c050a0ab1b326fd8199b1
Instruction ID: a553371dcb41847172256e2b4a6d638cb29636595e9b8187f3f03f14d5405ef7
Opcode Fuzzy Hash: ed1981de20cc926aa472f1099a3cdfca3d67f7d0cd3c050a0ab1b326fd8199b1
Instruction Fuzzy Hash: B7A01130B00202CF8B80CFB2820830C3AF8AA222823028028A008C0200EA2080008F00

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0006 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c52873a18391b53864e03c282cdc71ef71a8236846a226e869eb36b5d882b7e
Instruction ID: 96f5e3d8b6446f793e1391df5d1f22c768f7dd0e68577d40731f2bbcf019b16c
Opcode Fuzzy Hash: 1c52873a18391b53864e03c282cdc71ef71a8236846a226e869eb36b5d882b7e
Instruction Fuzzy Hash: FBF1B935B453188FCB64CF69CCC8799B7F2AB88204F5980A9E609DB356EB749D85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0136A47F Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae20a5451c3927f49a03fcdd5d234e3f08b5f168bd8429a319775b83a74e8b73
Instruction ID: 1a86d59bf92fd8ae582d6ba944c566a9df7ed0129435c35fe7c3498cbf6f740c
Opcode Fuzzy Hash: ae20a5451c3927f49a03fcdd5d234e3f08b5f168bd8429a319775b83a74e8b73
Instruction Fuzzy Hash: 54B1D136E102298BCB05DFA8C8805AEB7B6BB48314B1A8569D91AFB355D735EC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF84C8 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4109c47bf3797fb4b5af19d7bbb689ac0ef6c4aba6d326ff78832715807c4f9
Instruction ID: 585ebcceda3b146d7dec49fdb096c07165811dc8d9cc36c1dd0d4efcf69e9067
Opcode Fuzzy Hash: e4109c47bf3797fb4b5af19d7bbb689ac0ef6c4aba6d326ff78832715807c4f9
Instruction Fuzzy Hash: 7E91C172F002258FCB58DFB9C454559B7F2AB88314B2A85A9D80AFB354DB75DC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EF3958 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b488bc0aeb82d52bbcd337b8feeee851ed79d02669cdc07afcb3a26fb202aca1
Instruction ID: 23092bd66449cb246d442d403e97d04decaed2b463823839814de2e9c519ed80
Opcode Fuzzy Hash: b488bc0aeb82d52bbcd337b8feeee851ed79d02669cdc07afcb3a26fb202aca1
Instruction Fuzzy Hash: FE91DF73F505298FCB58CEADC8816DEB7F2AB88214B1A816ADC19FB314D7359D058BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0136BD2A Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4899e2cbd2baab71c4f29b13babc699c72abcd89ff60a8d7277fd3d49ac04f
Instruction ID: 8b723513d95f7ad87a046ac772423d22e7047a964f6cabff04f11935bc2fcd65
Opcode Fuzzy Hash: 5c4899e2cbd2baab71c4f29b13babc699c72abcd89ff60a8d7277fd3d49ac04f
Instruction Fuzzy Hash: FE71D376F102298BDB14CAADD89069EF7FAAB84214F16816ADD05FB359DA709C41CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF3948 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d05920b92d96affdc47e78dcda1710678cb87f3ce45cfbbc704c6609fd7325
Instruction ID: 086fa3b005b8aa2f386682f7e7dc1addeb4cb100f3088ac7bcd0aec97e219b20
Opcode Fuzzy Hash: c8d05920b92d96affdc47e78dcda1710678cb87f3ce45cfbbc704c6609fd7325
Instruction Fuzzy Hash: 0E71BE72F115298FCB48CFADD8856DEB7F2AB88214B1A8169DD19FB314E7359D018BC0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE91000 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b214e0ecb99e9a48203d99bd95381384449536869f63c5a5f171ad1dfd6dc196
Instruction ID: 221565d3dc7709ad12660feddf8d40739ce0b0e5299aed295fc188dc42315c6a
Opcode Fuzzy Hash: b214e0ecb99e9a48203d99bd95381384449536869f63c5a5f171ad1dfd6dc196
Instruction Fuzzy Hash: 315104B2A442458FDF04CEFDC8A17DEBBF5AB4A314F209119D825A7781C236980A8B55

Uniqueness

Uniqueness Score: -1.00%

Function 01368FB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4bfecd7eadd074f90ba6538f7d25299bcc417e0d3b0ee60ef87634cda379e1
Instruction ID: db3e052d54cd3525741a84c24e96cded4be67b25df5063b0f0fb099c3295ebd0
Opcode Fuzzy Hash: 6b4bfecd7eadd074f90ba6538f7d25299bcc417e0d3b0ee60ef87634cda379e1
Instruction Fuzzy Hash: A5514A73F007298FDB14CE6DC8501A9FBF6AF8822470685BAD945EB755D6349C09CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF2650 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6354bd00602475c89030577230726767eed2c045871d4ac652aefbc1f766234
Instruction ID: 3b3609e6f903b344b9e831d0f65af12d6660661e11478ee18a688f86500c09c0
Opcode Fuzzy Hash: a6354bd00602475c89030577230726767eed2c045871d4ac652aefbc1f766234
Instruction Fuzzy Hash: 5F51E272F102298F9B18CEACC88099EB7F2BB8C254756816ADE15FB350E7759C05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF9320 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e13d5988dc44a81bb77d6377e81e2cec846cd7fe9b57e21827df26164a6c75
Instruction ID: 6b50802f21bf6fa478ca076f5bd78099227debf82a36bb42f91b1d3f90fa4a78
Opcode Fuzzy Hash: f9e13d5988dc44a81bb77d6377e81e2cec846cd7fe9b57e21827df26164a6c75
Instruction Fuzzy Hash: 454115B7F102264F8B54CE6CC8C05AEF7F2BB9821471A816AED15FB365DA349C058BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0136A2AF Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aea1b13c0d9ef7c2881d419a6de70c29d8f3dfba592aee3bdfbcdd5183a38c5
Instruction ID: f8ef83a4f8cb68c7c91c7bb0bcf865b46b897574ec48eee15ce0cee6999b2ea4
Opcode Fuzzy Hash: 0aea1b13c0d9ef7c2881d419a6de70c29d8f3dfba592aee3bdfbcdd5183a38c5
Instruction Fuzzy Hash: C741F673F106398BDB54DE6DC8511AAB6E2AFD432070A82AAD819FB751D6748C06CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0136A2C0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1dd8c77c20861ea0cd562301a695eb6ac9e061435e100d6ad1689156ccf2678
Instruction ID: d42e1b8deb946eb7489d36674a8140a0ce38339d57233ad7cfea276dd5c59247
Opcode Fuzzy Hash: f1dd8c77c20861ea0cd562301a695eb6ac9e061435e100d6ad1689156ccf2678
Instruction Fuzzy Hash: C1412673F105394BDB54DE6DC8501AAF6E7ABD432070A816ADC19FB741EA748D05CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF36C0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9468ace41e48d49a31cf5d237cb650f7fe5007e94b18e777dd06b92e031efe73
Instruction ID: e5baf6a1b2421c2d135236ae53d4f5ff633113bca695268908ca3597d295a05f
Opcode Fuzzy Hash: 9468ace41e48d49a31cf5d237cb650f7fe5007e94b18e777dd06b92e031efe73
Instruction Fuzzy Hash: 4F41F2B3E402298FCB14DFA9C88059EF7F6AB88654B1641AADD05FB354D3309D058BD4

Uniqueness

Uniqueness Score: -1.00%

Function 02EF84B9 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da580d698355dbaf759e2d5933d8758bb37940cfa6a1e0971efddadfb03a411c
Instruction ID: 823d7d92a5599bf5fb395be69cc76f0878e1b35e8d52913be16865e6dc18bad6
Opcode Fuzzy Hash: da580d698355dbaf759e2d5933d8758bb37940cfa6a1e0971efddadfb03a411c
Instruction Fuzzy Hash: 5141C071F112258FCB58DF79D85446AB7F6BF8831872A84AAD806EB360DB35DC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EF36D0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7d0f43ae81e8f5bd1e1818e7ef8967384040e5c25e98eb2c9b87b3b2c1b78a
Instruction ID: 9767a21027a344fa9d2d5d2e3d9aeddc57ba549be7777e3dccdd88a953c669e1
Opcode Fuzzy Hash: 9b7d0f43ae81e8f5bd1e1818e7ef8967384040e5c25e98eb2c9b87b3b2c1b78a
Instruction Fuzzy Hash: 084133B3E002388BCB14DFA9C88059EF7F6BB88640B5A41AADD05FB354D330AD048BC0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF44B0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f7b618b9f55d193e9d7196c4d40059b925d82410c6a906b7ca2fbe06fe20b3
Instruction ID: 105393cfd295873987a84dbcf1de65fa2c8be61a7cc7dc650552d184e0b984bb
Opcode Fuzzy Hash: 95f7b618b9f55d193e9d7196c4d40059b925d82410c6a906b7ca2fbe06fe20b3
Instruction Fuzzy Hash: 1241D276F106298F8B18DFADC8514AEB7F2BF8822471581BAD919F7361E7708C018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0136D609 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e2c97e0932d0326cc4a94f225a329d4e039036ea00b816e489bd72d95f53f1
Instruction ID: 20df22df6362be558030e7b94273b02817ada5876e87292d8aa9ce270d7dbf43
Opcode Fuzzy Hash: 39e2c97e0932d0326cc4a94f225a329d4e039036ea00b816e489bd72d95f53f1
Instruction Fuzzy Hash: 85312873F106244FD744DABD88545ABB7F6ABD826471A8079DC49EB311DA74DC0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 02EF2B78 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010578175.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56625bbd563d72cd5fb68be9e3ca4e7a95f4f812bfe7deadd8963266de14666f
Instruction ID: 9fe3521cd03c2834c23bb38bf4033545285fe4a69d7e0b6cf0f85f84573521a1
Opcode Fuzzy Hash: 56625bbd563d72cd5fb68be9e3ca4e7a95f4f812bfe7deadd8963266de14666f
Instruction Fuzzy Hash: 4D412576E512198FDB04CFAAC8819DEFBF5BF8C214B55816AD915BB320D7309D05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0136A12A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52ae92059ccb9f9340c7e91f710186469d83af7249803fcb246d3021cfa9cf9
Instruction ID: a597950fe761c92c58c065b1eb8e49fd04019363dcd94bca635ac268631f44ba
Opcode Fuzzy Hash: e52ae92059ccb9f9340c7e91f710186469d83af7249803fcb246d3021cfa9cf9
Instruction Fuzzy Hash: 41214233B543758FD705CA298C800A5B3E2AB9162430B81BBC805EB392D935CC068B90

Uniqueness

Uniqueness Score: -1.00%

Function 0136A148 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010216758.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fac49090cec7b044c2aca93c609429c64922ffd5dd880d316ab8f6d84d76f9
Instruction ID: 94b217799c08b1fef60512f271c41e3534c2813f5c24a872082cd6f5973052eb
Opcode Fuzzy Hash: 43fac49090cec7b044c2aca93c609429c64922ffd5dd880d316ab8f6d84d76f9
Instruction Fuzzy Hash: 6D213573F102394BE704CA0ECC809AAB2DBABD462470B817AD909EB394DA71CC01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9732A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CE97449
___TypeMatch.LIBVCRUNTIME ref: 6CE97557
_UnwindNestedFrames.LIBCMT ref: 6CE976A9
CallUnexpected.LIBVCRUNTIME ref: 6CE976C4

Strings

csm, xrefs: 6CE97480
,^l, xrefs: 6CE97440
csm, xrefs: 6CE97367
csm, xrefs: 6CE973D4

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: ,^l$csm$csm$csm
API String ID: 2751267872-3279529499
Opcode ID: 2b67850ab7f6f14c07e97d97224059bffcbe0a6dc5e1d1af039125ce99c6e4d0
Instruction ID: a40c3cfd94ddcecf1b585c98d8c9f5ece2cfd6b94c0de2c825b8998197274302
Opcode Fuzzy Hash: 2b67850ab7f6f14c07e97d97224059bffcbe0a6dc5e1d1af039125ce99c6e4d0
Instruction Fuzzy Hash: 9EB17A71805209EFCF15CFA9C88099EBBB5FF05318F64415AE810ABB12D731DA69CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE963D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CE96407
___except_validate_context_record.LIBVCRUNTIME ref: 6CE9640F
_ValidateLocalCookies.LIBCMT ref: 6CE96498
__IsNonwritableInCurrentImage.LIBCMT ref: 6CE964C3
_ValidateLocalCookies.LIBCMT ref: 6CE96518

Strings

csm, xrefs: 6CE964AD

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: aa24270637215862daa7dc24f7bab476736f1d94fe4d264efa936cafce8ec889
Instruction ID: c8f61fee1013606f71d9a098b6b81223decf4f930772a79dee94a0d33b419f66
Opcode Fuzzy Hash: aa24270637215862daa7dc24f7bab476736f1d94fe4d264efa936cafce8ec889
Instruction Fuzzy Hash: 92418134A00254AFCF50CFA9C840A9EBBB9BF4536CF20815AD814DB751D735EA19CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9B29A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6CE9B3A9,00000000,6CE98BB0,00000000,00000000,00000001,?,6CE9B522,00000022,FlsSetValue,6CEA2678,6CEA2680,00000000), ref: 6CE9B35B

Strings

ext-ms-, xrefs: 6CE9B305
api-ms-, xrefs: 6CE9B2F1

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: a8ed7347ba03d2148896f67ee00e013e85631b93859d18027db8cbc35b74f1f1
Instruction ID: 0b7d6fa32f6e421da76275d938087e8d89ae3fd4bbebc8a5ff91e8d1d69ee4cc
Opcode Fuzzy Hash: a8ed7347ba03d2148896f67ee00e013e85631b93859d18027db8cbc35b74f1f1
Instruction Fuzzy Hash: F321E435E05210EFCB31DAA6DC84A5E7778EF437A8B360210ED25A7B80D770E901CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9697C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CE965B1,6CE956D0,6CE950E9,?,6CE95321,?,00000001,?,?,00000001,?,6CEA6498,0000000C,6CE9541A), ref: 6CE9698A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CE96998
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CE969B1
SetLastError.KERNEL32(00000000,6CE95321,?,00000001,?,?,00000001,?,6CEA6498,0000000C,6CE9541A,?,00000001,?), ref: 6CE96A03

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 066f16ac26ca3031a4f79b0254e4f7dca84eefdc2f6b71732059dd138ef780a3
Instruction ID: d34f975f645ecd81935190dd5dd65f2ffdeb1582df64d48b344b2e225cc4df2d
Opcode Fuzzy Hash: 066f16ac26ca3031a4f79b0254e4f7dca84eefdc2f6b71732059dd138ef780a3
Instruction Fuzzy Hash: C401927371D3255EAA9016BA6C8569A3BB8DB0367C730032FE524C2BD0EB928C496284

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9A4CE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe, xrefs: 6CE9A4EA

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe
API String ID: 0-1594820940
Opcode ID: c842b789dcf2762b1a1e7bae8f1d195f285be349e08d64c6d36aa23bd1beaa61
Instruction ID: e9125fca1f9d640182e1d5bc45f7283f25f66a80f6fdfd6f39097436c5100321
Opcode Fuzzy Hash: c842b789dcf2762b1a1e7bae8f1d195f285be349e08d64c6d36aa23bd1beaa61
Instruction Fuzzy Hash: 92218E71B84205AFDB109F6A988099B77BDEF4636C7244628F919D7B50E734ED048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE984DE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BA003315,00000000,?,00000000,6CEA0DE2,000000FF,?,6CE98478,?,?,6CE9844C,?), ref: 6CE98513
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CE98525
FreeLibrary.KERNEL32(00000000,?,00000000,6CEA0DE2,000000FF,?,6CE98478,?,?,6CE9844C,?), ref: 6CE98547

Strings

mscoree.dll, xrefs: 6CE9850C
CorExitProcess, xrefs: 6CE9851D

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f93f2f9f60222d471f29c9a86f8188b3483c6709e52f7c3f3593a51e7f7e0bb2
Instruction ID: 8cfecf272463ab316c060a93fd11bb2094f0c45b1246447b4c257ad4bdfe17d7
Opcode Fuzzy Hash: f93f2f9f60222d471f29c9a86f8188b3483c6709e52f7c3f3593a51e7f7e0bb2
Instruction Fuzzy Hash: EF01A236A00659EFDB019FD1CC04BBEBBF8FB04758F104626E821A2B90DB34D904CA50

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9CF55 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CE9CFDA
__alloca_probe_16.LIBCMT ref: 6CE9D0A3
__freea.LIBCMT ref: 6CE9D10A

Part of subcall function 6CE9C0FA: HeapAlloc.KERNEL32(00000000,6CE9AA47,6CE9BE14,?,6CE9AA47,00000220,?,?,6CE9BE14), ref: 6CE9C12C

__freea.LIBCMT ref: 6CE9D11D
__freea.LIBCMT ref: 6CE9D12A

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 799c4c8df98f4550090185462927bee0d90fcfd616b9b56553abaeb8bb66277e
Instruction ID: 6047f2652bab03bfa5582224ef3dab2b9a4f329fd59daf4403f69e5c6c4cf7da
Opcode Fuzzy Hash: 799c4c8df98f4550090185462927bee0d90fcfd616b9b56553abaeb8bb66277e
Instruction Fuzzy Hash: 1951AE7B601216ABEF109F66CC81EAB3ABAEF8571CB350528FD1496B00E735CE55C660

Uniqueness

Uniqueness Score: -1.00%

Function 6CE96F52 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CE96F03,00000000,?,00000001,?,?,?,6CE96FF2,00000001,FlsFree,6CEA1D50,FlsFree), ref: 6CE96F5F
GetLastError.KERNEL32(?,6CE96F03,00000000,?,00000001,?,?,?,6CE96FF2,00000001,FlsFree,6CEA1D50,FlsFree,00000000,?,6CE96A51), ref: 6CE96F69
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CE96F91

Strings

api-ms-, xrefs: 6CE96F76

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 89a04b1e3a1551539aceea3f973c43c434f7ee9321a61387cb83b2b92d8518ee
Instruction ID: 10e8a9ee4f36f2e0bdd8d6fd7f02c2cb32eb2a174ded04365b41c26bd77d8e1c
Opcode Fuzzy Hash: 89a04b1e3a1551539aceea3f973c43c434f7ee9321a61387cb83b2b92d8518ee
Instruction Fuzzy Hash: 98E01A74648208FFEE101EE2EC46B4D3A7AAB01B98F264025F90DE8AD1D7A2E55099D5

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9D662 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BA003315,00000000,00000000,?), ref: 6CE9D6C5

Part of subcall function 6CE9B09C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE9D100,?,00000000,-00000008), ref: 6CE9B0FD

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CE9D917
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CE9D95D
GetLastError.KERNEL32 ref: 6CE9DA00

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 15f02acbf5b44ae3d232b57972b213e65e74091d4a0cc8d7a95888a57feb8ad7
Instruction ID: 6cab9fceda8db18ea9571e2c4c9177d10f746001fe5af038f5e015abf6de9914
Opcode Fuzzy Hash: 15f02acbf5b44ae3d232b57972b213e65e74091d4a0cc8d7a95888a57feb8ad7
Instruction Fuzzy Hash: 4CD17DB5E052589FCF11DFA8C880AEDBBB4FF0A318F24416AE465EB741D730AA55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CE970D3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CE9719A
___AdjustPointer.LIBCMT ref: 6CE971BD
___AdjustPointer.LIBCMT ref: 6CE97259

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5920027da90c692a466f59f2b9460a1a9d07e448b777de685a4866494f821cc5
Instruction ID: 6e56d1dbcae1c55310e7b6627693035f2ef7f854631ebc1a92fb59e39054e13f
Opcode Fuzzy Hash: 5920027da90c692a466f59f2b9460a1a9d07e448b777de685a4866494f821cc5
Instruction Fuzzy Hash: F651B2B26056069FEB158F55D880BAA77B5FF01318F30452EEC2587B90EB31E889C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CE99CE8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CE9B09C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE9D100,?,00000000,-00000008), ref: 6CE9B0FD

GetLastError.KERNEL32 ref: 6CE99D4C
__dosmaperr.LIBCMT ref: 6CE99D53
GetLastError.KERNEL32(?,?,?,?), ref: 6CE99D8D
__dosmaperr.LIBCMT ref: 6CE99D94

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 41232824cf9b3c7f1ef5586fe35d890c85c2a99a9718eb578e8328687aad1041
Instruction ID: 5eecfb7efc0e6687aadaf10eacb69f14486f1a53fd0cb1f2aba9c44f29707ed8
Opcode Fuzzy Hash: 41232824cf9b3c7f1ef5586fe35d890c85c2a99a9718eb578e8328687aad1041
Instruction Fuzzy Hash: 3521B071604215BFDB108FA688C099AB7BEFF4636E7248618E91DDBB20D731EC1187A0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9B13F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CE9B147

Part of subcall function 6CE9B09C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE9D100,?,00000000,-00000008), ref: 6CE9B0FD

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE9B17F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE9B19F

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 2ce95fd0531cdcd2234248d6669e4f49dce5023884ec0aa4be83549d278974c8
Instruction ID: 59d45f1efc97fcc46cfb250bfc0be52afb456ec22038b54130fdaff0766796f0
Opcode Fuzzy Hash: 2ce95fd0531cdcd2234248d6669e4f49dce5023884ec0aa4be83549d278974c8
Instruction Fuzzy Hash: 6D11E1B6E25255BEAB2116F75C89CAF79BCDF8A29C7300019F80591A00FB34DD0581B0

Uniqueness

Uniqueness Score: -1.00%

Function 6CE9EFD6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CE9E796,00000000,00000001,00000000,?,?,6CE9DA54,?,00000000,00000000), ref: 6CE9EFED
GetLastError.KERNEL32(?,6CE9E796,00000000,00000001,00000000,?,?,6CE9DA54,?,00000000,00000000,?,?,?,6CE9DFF7,00000000), ref: 6CE9EFF9

Part of subcall function 6CE9EFBF: CloseHandle.KERNEL32(FFFFFFFE,6CE9F009,?,6CE9E796,00000000,00000001,00000000,?,?,6CE9DA54,?,00000000,00000000,?,?), ref: 6CE9EFCF

___initconout.LIBCMT ref: 6CE9F009

Part of subcall function 6CE9EF81: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE9EFB0,6CE9E783,?,?,6CE9DA54,?,00000000,00000000,?), ref: 6CE9EF94

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CE9E796,00000000,00000001,00000000,?,?,6CE9DA54,?,00000000,00000000,?), ref: 6CE9F01E

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e30505607d183fff0be212147528ecb99f50482773d7b45dd9a8aeb97b468980
Instruction ID: 63a09961ec30f687db306b0e913c91ae26039c90379152511c6f6ba3b6592a46
Opcode Fuzzy Hash: e30505607d183fff0be212147528ecb99f50482773d7b45dd9a8aeb97b468980
Instruction Fuzzy Hash: E9F0AC36A04664FBCF525FE6EC44ADE3F36FB0A3B5B144115FA5D96620C632C860EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CE976CF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6CE976F4

Strings

MOC, xrefs: 6CE97706
RCC, xrefs: 6CE9770E

Memory Dump Source

Source File: 00000000.00000002.2019590644.000000006CE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2019564193.000000006CE90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019688250.000000006CEA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CEA8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2019718873.000000006CF48000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2020521433.000000006CF65000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 56c228c9fde7e13391dbd42c905c0969df0e2f586cb8eb4cccf592690a0248ef
Instruction ID: 27da64e9fbd4e09e5566ec2175df7e6c9df581395aed528fff98f8ab85a5d050
Opcode Fuzzy Hash: 56c228c9fde7e13391dbd42c905c0969df0e2f586cb8eb4cccf592690a0248ef
Instruction Fuzzy Hash: AC416972900209AFCF05CFA8CD81AEE7BB5FF48309F248199F914A7660E3359964DB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exePID: 3608, Parent PID: 6300COMMON

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	1

Executed Functions

Function 00B7EC69 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00B7ECE0

Memory Dump Source

Source File: 00000003.00000002.2019591841.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_MSBuild.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: a104ff0c3da0291a9e29ee4ffe7040df4cb45b151da33216fbe418871099a51d
Instruction ID: 59fc33cdc54c36dedaf74ea783b7755754167d409289a50adabbe40e1820f6a9
Opcode Fuzzy Hash: a104ff0c3da0291a9e29ee4ffe7040df4cb45b151da33216fbe418871099a51d
Instruction Fuzzy Hash: 7121EAB5D012198FCB10DFA9D581ADEBBF4EF48320F24906AE429B7300C775A902CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7EC70 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00B7ECE0

Memory Dump Source

Source File: 00000003.00000002.2019591841.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_MSBuild.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: c9f9789ffc64a0016a7712c8fad9e3fc262c328f2cf2e88bc901e7def6793310
Instruction ID: 9f926291eba9162fe94e6e764d8bfad06bcd5afe6ffe2f3ff87148b09370cf91
Opcode Fuzzy Hash: c9f9789ffc64a0016a7712c8fad9e3fc262c328f2cf2e88bc901e7def6793310
Instruction Fuzzy Hash: 4621D9B5D002098FCB10CFA9D585ADEBBF4EF48320F24906AE429B7300C775A901CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D4B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2019255090.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b0d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cc7897610072d2abb01626f232e6b4b9f24997de1ecaa19550ee32fd570850
Instruction ID: 00fbaf602708bd89b638e1c6680b3b13ea928cfc67e063c52b7f58bcc9cb0416
Opcode Fuzzy Hash: b9cc7897610072d2abb01626f232e6b4b9f24997de1ecaa19550ee32fd570850
Instruction Fuzzy Hash: 032128B1504200EFCB15DF54D9C0B26BFA5FBA8318F24C5A9ED090B2D6C336D856DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D100 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2019255090.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b0d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0791e8a908f484307525a7e30670d4b26caed90ad21f428a921e83babacb27
Instruction ID: 292c298f09487f7bded9e5f1bf225a72d10d1cec69c6039cdb4567bea06a7cd2
Opcode Fuzzy Hash: 2f0791e8a908f484307525a7e30670d4b26caed90ad21f428a921e83babacb27
Instruction Fuzzy Hash: B92145B1504200EFCB14DF54D9C0B26BFA6FB98320F24C5A9E9091B2D6C736D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2019310508.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b1d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b07c7788be52690e988c5e604917e0ff70fa9bd30d4e98a8ce5b10980e3643
Instruction ID: 329f18bdcc0d286d2f24381f7f2d63fce95988b371617a69d4bf5596c4f35907
Opcode Fuzzy Hash: b4b07c7788be52690e988c5e604917e0ff70fa9bd30d4e98a8ce5b10980e3643
Instruction Fuzzy Hash: CC2129B1604200EFDB05DF14D5C0B66BBE5FB84314F74CAADE9094B251C336D886CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2019310508.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b1d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40618d8f8c852ce343e06d4d0a87bde23a9499808fa89aff46fb030e568a1f40
Instruction ID: 517f818778d5baa0df3d45eaad3109b2ecd639e56207523ac6f3d7825ba54f66
Opcode Fuzzy Hash: 40618d8f8c852ce343e06d4d0a87bde23a9499808fa89aff46fb030e568a1f40
Instruction Fuzzy Hash: 13210775504200DFCB14DF14D9D8B66BBA5FB88314F64C5ADD90A4B256C33BD887CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2019310508.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b1d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c6dbbe3fbb890cf60bfc245cf58a6a84f52067c9df756694992d87acc25330
Instruction ID: 14131ba56fb5b2c595aaf5584949bae1c23f9d3cb13dd6eade403560f39102e3
Opcode Fuzzy Hash: a7c6dbbe3fbb890cf60bfc245cf58a6a84f52067c9df756694992d87acc25330
Instruction Fuzzy Hash: 132165755087809FDB12CF14D994B11BFB1EB4A314F24C5DAD8498F2A7C33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D0FB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2019255090.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b0d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 4cbc80794651143df8823eec892165109b130386415c7189ef0cfb2c87380072
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: DF11E172404240CFCB16CF50D9C0B16BFB2FB94324F24C2A9DC090B296C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D4AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2019255090.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b0d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 47ea7bec2bc4d008d1e1a12f396d9e008477f5492c6fc01379c2dcb31dd0936d
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 2D11B476504240DFCB16CF54D9C4B16BFB1FB94314F24C5A9DC094B696C336D456CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2019310508.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b1d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: ba395627c24037940924ad67106e1a0750635b6e7d61aa999313ac82959f230a
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 37119D75504280DFDB16CF14D5C4B55FBB2FB84314F24C6AED8494B696C33AD88ACBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe.log

C:\Users\user\AppData\Local\Temp\Tmp6D5D.tmp

C:\Users\user\AppData\Local\Temp\Tmp6D6D.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Roaming\d3d9.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe

Function 6CE91C80 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 469
COMMON

Function 0136E0D0 Relevance: 6.2, Strings: 4, Instructions: 1243
COMMON

Function 02EF95D8 Relevance: 1.8, Strings: 1, Instructions: 599
COMMON

Function 01369B00 Relevance: 1.7, Strings: 1, Instructions: 463
COMMON

Function 02EF60DD Relevance: 1.6, APIs: 1, Instructions: 80
memorynativeCOMMON

Function 02EF5C20 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Function 02EF5C1F Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Function 02EF6100 Relevance: 1.6, APIs: 1, Instructions: 61
memorynativeCOMMON

Function 6CE95218 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CE952C8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 0136AB50 Relevance: 3.8, Strings: 3, Instructions: 99
COMMON

Function 6CE95111 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CE9B73C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 02EF4AE7 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON