Edit tour

Windows Analysis Report
X8K556WeiK.exe

Overview

General Information

Sample name:	X8K556WeiK.exe renamed because original name is a hash value
Original sample name:	6f5adb2e7998f571b25a6f332207d0de.exe
Analysis ID:	1431134
MD5:	6f5adb2e7998f571b25a6f332207d0de
SHA1:	be9eb5b2d4cdcb867568f646a72f6f5e28930199
SHA256:	c2886ea3aee978297806940b8e8c4c9e8be23bb9ff8f039be91c040bdc5f3a62
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RedLine Stealer

C2 URLs / IPs found in malware configuration

Installs new ROOT certificates

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops certificate files (DER)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

X8K556WeiK.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\X8K556WeiK.exe" MD5: 6F5ADB2E7998F571B25A6F332207D0DE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
X8K556WeiK.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1625957481.0000000000892000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: X8K556WeiK.exe PID: 7540	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: X8K556WeiK.exe PID: 7540	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.X8K556WeiK.exe.890000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 103.113.70.99 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-16:12:04.026960
SID:	2046056
Source Port:	2630
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.4 - Destination IP: 103.113.70.99

Timestamp:	04/24/24-16:11:58.515716
SID:	2046045
Source Port:	49730
Destination Port:	2630
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.4 - Destination IP: 103.113.70.99

Timestamp:	04/24/24-16:12:11.029118
SID:	2043231
Source Port:	49730
Destination Port:	2630
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 103.113.70.99 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-16:11:58.745873
SID:	2043234
Source Port:	2630
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: X8K556WeiK.exe

Malware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}

Multi AV Scanner detection for submitted file

Source: X8K556WeiK.exe

ReversingLabs: Detection: 65%

Source: X8K556WeiK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: X8K556WeiK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 4x nop then jmp 06F8B848h	0_2_06F8B350
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_06F87790
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 4x nop then jmp 06F88785h	0_2_06F884C0
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 4x nop then jmp 06F870E3h	0_2_06F86EB0
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 4x nop then jmp 06F8825Dh	0_2_06F87E90
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 4x nop then jmp 06F8825Dh	0_2_06F87E81
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 4x nop then jmp 06F88F87h	0_2_06F88828
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 4x nop then jmp 06F85973h	0_2_06F8595B

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 103.113.70.99:2630 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 103.113.70.99:2630 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 103.113.70.99:2630

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 103.113.70.99:2630

Source: Joe Sandbox View

IP Address: 103.113.70.99 103.113.70.99

Source: Joe Sandbox View

ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN

Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99

Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: X8K556WeiK.exe, 00000000.00000002.1908966691.000000000104E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response0
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: X8K556WeiK.exe	String found in binary or memory: https://api.ip.sb/ip
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\X8K556WeiK.exe	File created: C:\Users\user\AppData\Local\Temp\TmpEBFA.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File created: C:\Users\user\AppData\Local\Temp\TmpEC0A.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_02B2DC74	0_2_02B2DC74
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064D67D8	0_2_064D67D8
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064DA3E8	0_2_064DA3E8
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064D3F50	0_2_064D3F50
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064DA3D8	0_2_064DA3D8
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064D6FE8	0_2_064D6FE8
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064D6FF8	0_2_064D6FF8
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F8E2B8	0_2_06F8E2B8
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F8D2A8	0_2_06F8D2A8
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F8B350	0_2_06F8B350
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F89BC0	0_2_06F89BC0
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F87790	0_2_06F87790
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F8778F	0_2_06F8778F
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F842C8	0_2_06F842C8
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F842B9	0_2_06F842B9
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F85070	0_2_06F85070
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F86048	0_2_06F86048
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F86037	0_2_06F86037
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F89140	0_2_06F89140
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F87E90	0_2_06F87E90
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F87E81	0_2_06F87E81
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F83E68	0_2_06F83E68
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F83E59	0_2_06F83E59
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F83E21	0_2_06F83E21
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F81D90	0_2_06F81D90
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F81D80	0_2_06F81D80
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F848F7	0_2_06F848F7
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F88828	0_2_06F88828
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F84908	0_2_06F84908

Source: X8K556WeiK.exe, 00000000.00000000.1625992348.00000000008D6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUpspearing.exe8 vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs X8K556WeiK.exe
Source: X8K556WeiK.exe, 00000000.00000002.1908611738.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs X8K556WeiK.exe
Source: X8K556WeiK.exe	Binary or memory string: OriginalFilenameUpspearing.exe8 vs X8K556WeiK.exe

Source: X8K556WeiK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/5@0/1

Source: C:\Users\user\Desktop\X8K556WeiK.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\X8K556WeiK.exe

File created: C:\Users\user\AppData\Local\Temp\TmpEBFA.tmp

Jump to behavior

Source: X8K556WeiK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: X8K556WeiK.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\X8K556WeiK.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: X8K556WeiK.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Google Chrome.lnk.0.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: C:\Users\user\Desktop\X8K556WeiK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: X8K556WeiK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: X8K556WeiK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: X8K556WeiK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: X8K556WeiK.exe

Static PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064DE060 push es; ret	0_2_064DE070
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064DECF2 push eax; ret	0_2_064DED01
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064D3B4F push dword ptr [esp+ecx*2-75h]; ret	0_2_064D3B53
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_064D49AB push FFFFFF8Bh; retf	0_2_064D49AD
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F8BC62 push esp; ret	0_2_06F8BC63
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Code function: 0_2_06F8BBB3 push esp; ret	0_2_06F8BBB4

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\X8K556WeiK.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\X8K556WeiK.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe TID: 7716	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe TID: 7560	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: X8K556WeiK.exe, 00000000.00000002.1915073145.00000000068C6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Code function: 0_2_06F89BC0 LdrInitializeThunk,

0_2_06F89BC0

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Users\user\Desktop\X8K556WeiK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\X8K556WeiK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: X8K556WeiK.exe, type: SAMPLE
Source: Yara match	File source: 0.0.X8K556WeiK.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1625957481.0000000000892000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X8K556WeiK.exe PID: 7540, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\X8K556WeiK.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X8K556WeiK.exe PID: 7540, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: X8K556WeiK.exe, type: SAMPLE
Source: Yara match	File source: 0.0.X8K556WeiK.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1625957481.0000000000892000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X8K556WeiK.exe PID: 7540, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
X8K556WeiK.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Source	Detection	Scanner	Label
http://purl.oen	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22Response0	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Response	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id14ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://purl.oen	X8K556WeiK.exe, 00000000.00000002.1908966691.000000000104E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id22Response0	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	X8K556WeiK.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id20	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id23	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id24	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id24Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000003234000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id17	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D64000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id11ResponseD	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Response	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	X8K556WeiK.exe, 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.113.70.99	unknown	India		133973	NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431134
Start date and time:	2024-04-24 16:15:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	X8K556WeiK.exe renamed because original name is a hash value
Original Sample Name:	6f5adb2e7998f571b25a6f332207d0de.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 102 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: X8K556WeiK.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
103.113.70.99	dmA2g7xZV7.exe	Get hash	malicious	RedLine	Browse
	dmA2g7xZV7.exe	Get hash	malicious	RedLine	Browse
	K2xdxHSWJK.exe	Get hash	malicious	RedLine	Browse
	XHr735qu8v.exe	Get hash	malicious	RedLine	Browse
	gm5v3JlTMk.exe	Get hash	malicious	RedLine	Browse
	o8uKhd6peZ.exe	Get hash	malicious	RedLine	Browse
	vguZEL1YWf.exe	Get hash	malicious	RedLine	Browse
	djiwhBMknd.exe	Get hash	malicious	RedLine	Browse
	ExAXLXWP9K.exe	Get hash	malicious	RedLine	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN	dmA2g7xZV7.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	dmA2g7xZV7.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	K2xdxHSWJK.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	XHr735qu8v.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	gm5v3JlTMk.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	o8uKhd6peZ.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	vguZEL1YWf.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	djiwhBMknd.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	ExAXLXWP9K.exe	Get hash	malicious	RedLine	Browse	103.113.70.99

Process:	C:\Users\user\Desktop\X8K556WeiK.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:28 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.453756697943058
Encrypted:	false
SSDEEP:	48:8S+VdZTBnGRYrnvPdAKRkdAGdAKRFdAKR/U:8S+hZ
MD5:	0E857535A2A19ED88A59DC3874CE1FD9
SHA1:	FAF74DEE6831CE3E11C840A9900771A5B46456E1
SHA-256:	795690637D6E6950F98603F177384E4420807FE1809A5C68DCFBF2DEDA2EA86B
SHA-512:	7050BD5E2DFA5037F7E2102CF1EAAC3D72B26014CB525D930F777FBE6FC2025B9FEB95C7B4A6D80B3C1DBB0A47D240DE574089DC81B91CD527AA35C3CCEDC94B
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,.....o.........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWO`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWO`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWO`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\X8K556WeiK.exe.log

Download File

Process:	C:\Users\user\Desktop\X8K556WeiK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5:	0C1110E9B7BBBCB651A0B7568D796468
SHA1:	7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256:	112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512:	46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\TmpEBFA.tmp

Download File

Process:	C:\Users\user\Desktop\X8K556WeiK.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpEC0A.tmp

Download File

Process:	C:\Users\user\Desktop\X8K556WeiK.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\X8K556WeiK.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.053325044389024
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	X8K556WeiK.exe
File size:	313'638 bytes
MD5:	6f5adb2e7998f571b25a6f332207d0de
SHA1:	be9eb5b2d4cdcb867568f646a72f6f5e28930199
SHA256:	c2886ea3aee978297806940b8e8c4c9e8be23bb9ff8f039be91c040bdc5f3a62
SHA512:	3a3427354b422a53107adf26777a5a07e6743808754c478710b9a926c10188f3f3f2bd52091d726a7e8b3edf25f89952f6d24d5f2e8cc2ed3b9c61f3f5e47d9f
SSDEEP:	6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
TLSH:	EC645C1823EC8911E27F4B7994A1E274D375ED56A452E30F4ED06CAB3E32741FA11AB2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	4d8ea38d85a38e6d

Static PE Info

General

Entrypoint:	0x42b9ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007FD7C06B5122h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
xor eax, 59007400h
add byte ptr [edi+00h], dl
push edx
add byte ptr [ecx+00h], dh
popad
add byte ptr [edi+00h], dl
push esi
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], ch
push 61006800h
add byte ptr [ebp+00h], ch
dec edx
add byte ptr [eax], bh
add byte ptr [edi+00h], dl
push edi
add byte ptr [ecx], bh
add byte ptr [ecx+00h], bh
bound eax, dword ptr [eax]
xor al, byte ptr [eax]
insb
add byte ptr [eax+00h], bl
pop ecx
add byte ptr [edi+00h], dl
js 00007FD7C06B5122h
jnc 00007FD7C06B5122h
pop edx
add byte ptr [eax+00h], bl
push ecx
add byte ptr [ebx+00h], cl
popad
add byte ptr [edi+00h], dl
dec edx
add byte ptr [ebp+00h], dh
pop edx
add byte ptr [edi+00h], dl
jo 00007FD7C06B5122h
imul eax, dword ptr [eax], 5Ah
add byte ptr [ebp+00h], ch
jo 00007FD7C06B5122h
je 00007FD7C06B5122h
bound eax, dword ptr [eax]
push edi
add byte ptr [eax+eax+77h], dh
add byte ptr [ecx+00h], bl
xor al, byte ptr [eax]
xor eax, 63007300h
add byte ptr [edi+00h], al
push esi
add byte ptr [ecx+00h], ch
popad
add byte ptr [edx], dh
add byte ptr [eax+00h], bh
je 00007FD7C06B5122h
bound eax, dword ptr [eax]
insd
add byte ptr [eax+eax+76h], dh
add byte ptr [edx+00h], bl
push edi
add byte ptr [ecx], bh
add byte ptr [eax+00h], dh
popad
add byte ptr [edi+00h], al
cmp dword ptr [eax], eax
insd
add byte ptr [edx+00h], bl
push edi
add byte ptr [esi+00h], cl
cmp byte ptr [eax], al
push esi
add byte ptr [eax+00h], cl
dec edx
add byte ptr [esi+00h], dh
bound eax, dword ptr [eax]
insd
add byte ptr [eax+00h], bh
jo 00007FD7C06B5122h
bound eax, dword ptr [eax]
insd
add byte ptr [ebx+00h], dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b95c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x1c9d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b940	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2e994	0x2ec00	64c48738b5efa1379746874c338807d5	False	0.4696168950534759	data	6.205450376900145	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x32000	0x1c9d4	0x1cc00	5b3e8f48de8a05507379330b3cf331a7	False	0.23725373641304348	data	2.6063301335912525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x400	f921873e0b7f3fe3399366376917ef43	False	0.025390625	data	0.05390218305374581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x321a0	0x3d04	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9934058898847631
RT_ICON	0x35eb4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.09013072282030049
RT_ICON	0x466ec	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.13905290505432216
RT_ICON	0x4a924	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.17033195020746889
RT_ICON	0x4cedc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.2045028142589118
RT_ICON	0x4df94	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.24645390070921985
RT_GROUP_ICON	0x4e40c	0x5a	data	0.7666666666666667
RT_VERSION	0x4e478	0x35a	data	0.4417249417249417
RT_MANIFEST	0x4e7e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-16:12:04.026960	TCP	2046056	ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)	2630	49730	103.113.70.99	192.168.2.4
04/24/24-16:11:58.515716	TCP	2046045	ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49730	2630	192.168.2.4	103.113.70.99
04/24/24-16:12:11.029118	TCP	2043231	ET TROJAN Redline Stealer TCP CnC Activity	49730	2630	192.168.2.4	103.113.70.99
04/24/24-16:11:58.745873	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	2630	49730	103.113.70.99	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 16:16:21.106343985 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:21.327548027 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:21.327805996 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:21.336291075 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:21.556934118 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:21.598536015 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:21.827295065 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:21.876352072 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:26.865920067 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:27.233700037 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:27.233766079 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:27.233807087 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:27.233844995 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:27.233900070 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:27.233958960 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:27.234031916 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:27.394383907 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:27.618664980 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:27.673021078 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:27.700603008 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:27.929794073 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:27.930020094 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:27.933315992 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.184690952 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.232383966 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.395387888 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.438728094 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:28.504267931 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:28.725562096 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.733874083 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:28.955631018 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.955673933 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.955709934 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.955741882 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.956388950 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:28.963130951 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.184406996 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.235577106 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.263901949 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.490520000 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.490650892 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.490686893 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.490720987 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.490730047 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.490827084 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.798027992 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.822109938 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.822221041 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.842602015 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.842659950 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.842837095 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.842890978 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.852864027 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.856111050 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.856746912 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.867388964 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.867965937 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.882097960 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.883946896 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:29.897881985 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.913589954 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:29.946614027 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.143785954 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.144224882 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.161289930 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.167062998 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.168210030 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.168631077 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.168809891 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.169506073 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.169538975 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.169569969 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.169600964 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.169631004 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.171089888 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.171268940 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.171530962 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.171694040 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.398325920 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398379087 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398412943 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398499012 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398534060 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398566008 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398597956 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398685932 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398739100 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398775101 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398807049 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398854971 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398931026 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398963928 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.398996115 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.399086952 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.399147034 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.399202108 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.399276018 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.399358034 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.399378061 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.399394989 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.403656006 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.403920889 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.404047012 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.648452997 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.663743019 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.678699970 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.694336891 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.709873915 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.725409985 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.725853920 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.726053953 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.740114927 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.754973888 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.770833015 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.785834074 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.800909042 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.859831095 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.860511065 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.860639095 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:30.952562094 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.955341101 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.957951069 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.958115101 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:30.958316088 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.011905909 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.012563944 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:31.012713909 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:31.083643913 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.083704948 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.083739042 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.083821058 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.083962917 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.083997011 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.084079981 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.084132910 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.084167004 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.084199905 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.084232092 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.084628105 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:31.242525101 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.257960081 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.273725033 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.289143085 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.304959059 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.320518970 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.545337915 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.559669971 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.575218916 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.590882063 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.605701923 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.845427036 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:31.891796112 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:31.987907887 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:32.209156036 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:32.237493038 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:32.458364010 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:32.464634895 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:32.687393904 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:32.689513922 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:32.957119942 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:33.001137018 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:33.362339020 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:33.628154039 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:33.773370028 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:33.778264046 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:34.000288010 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:34.004862070 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:34.225961924 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:34.227993965 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:34.451042891 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:34.464373112 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:34.744949102 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:34.787476063 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:34.844949007 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:35.025110960 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:35.129746914 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:35.129831076 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:35.258153915 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:35.313642979 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:35.344595909 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:35.565711021 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:35.610677958 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:36.025943041 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:36.366496086 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:36.407430887 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:36.624448061 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:36.700463057 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:36.700544119 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:36.901320934 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:36.902744055 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:37.129950047 CEST	2630	49730	103.113.70.99	192.168.2.4
Apr 24, 2024 16:16:37.181998968 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 24, 2024 16:16:37.212771893 CEST	49730	2630	192.168.2.4	103.113.70.99

Target ID:	0
Start time:	16:16:18
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\X8K556WeiK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\X8K556WeiK.exe"
Imagebase:	0x890000
File size:	313'638 bytes
MD5 hash:	6F5ADB2E7998F571B25A6F332207D0DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1625957481.0000000000892000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1909602773.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	47
Total number of Limit Nodes:	6

Executed Functions

Function 06F8D2A8 Relevance: 6.6, Strings: 5, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 06F8D608
Hbq, xrefs: 06F8D549
Hbq, xrefs: 06F8D57A
Hbq, xrefs: 06F8D518
Hbq, xrefs: 06F8D5C1

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 5fcd626ccf79c268c574619b1ffc2035278545c5e87f0532247374097250fb23
Instruction ID: 85cda0a155588380f10ff60a2789b74c51943eae1893c0e18140c746016d5b86
Opcode Fuzzy Hash: 5fcd626ccf79c268c574619b1ffc2035278545c5e87f0532247374097250fb23
Instruction Fuzzy Hash: B1C19331E00256CFCB55DF74C4501ADFBB2FF85300F2486A9D416AB285DB78AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F89BC0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1088
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k , xrefs: 06F8A282, 06F8A287

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-1498809912
Opcode ID: 799c95832c46b4ecd51194f5da2a5115434636982dcaaebbb4d6cc69eaed07dc
Instruction ID: 7414e34c46df114c051aad053d120382e3b8ee96dc1e2a750424522f6a030b59
Opcode Fuzzy Hash: 799c95832c46b4ecd51194f5da2a5115434636982dcaaebbb4d6cc69eaed07dc
Instruction Fuzzy Hash: 87C28D74E012298FDBA4EF24D998B9DBBB2FB49304F1085E9D409A7354DB31AE85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 06F8B350 Relevance: 2.9, Strings: 2, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1, xrefs: 06F8B655
., xrefs: 06F8B5D0

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: .$1
API String ID: 0-1839485796
Opcode ID: 5246662c46b9f6a439c78da21ce39f69b1f9a53464b9c8bfb1113911d2ca53a4
Instruction ID: 2cbb374f7bfe82c75076149682661c6e93ce913bfa64c0db8f287e1f60ebe2ed
Opcode Fuzzy Hash: 5246662c46b9f6a439c78da21ce39f69b1f9a53464b9c8bfb1113911d2ca53a4
Instruction Fuzzy Hash: 1BF1CD74E01228CFDB68DF65C884B9DBBB2BF89301F1091E9E51AA7250DB319E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 064D3F50 Relevance: 1.8, Strings: 1, Instructions: 523
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 064D41E4

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 65391ca424c16ea7e3cdf9df6cfd0f7885088ef67509bc180885e2fcffaa2e0d
Instruction ID: 6f62116605998c73ab632dadc85ee6c001b5140de29027122632925932cca196
Opcode Fuzzy Hash: 65391ca424c16ea7e3cdf9df6cfd0f7885088ef67509bc180885e2fcffaa2e0d
Instruction Fuzzy Hash: DD127D34F002158FCB55DF69C594AAEBBF6BF88710B14856AE806EB365DB31DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F8E2B8 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64f5212f22985eec21d37f4020410d771dcecac7a343c8401405911773ca886
Instruction ID: f15c67ad81956945101fba9af5d374af0e38e98ffccfb0ade33a9084e4df4f2b
Opcode Fuzzy Hash: e64f5212f22985eec21d37f4020410d771dcecac7a343c8401405911773ca886
Instruction Fuzzy Hash: 64826BB5A10226CFEBA4EF34D448B6AB7B1BB44308F1081E9D809DB7A5EB349D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 064D67D8 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6894fd866139c6d9bc69a2f3bf7c7d327d45671c45c4ba8484cc2e4a1bd57ae
Instruction ID: 08736bbbffb52577c3110f6a4821062980e3f63f6cb3e9ca2c575f20747d806e
Opcode Fuzzy Hash: a6894fd866139c6d9bc69a2f3bf7c7d327d45671c45c4ba8484cc2e4a1bd57ae
Instruction Fuzzy Hash: 7D22AE31E002199FCB15DF68D990B9EBBF2EF85310F15856AE5099B361DB30ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064DA3D8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d81d39ff8b8ca47c5dc759dabb901bb57ddfa216dd532959f1af995784cc885
Instruction ID: 15a49a2c667cb6a89ef4cceb2b31afb65e54ee90a11bb88e9ef9a2a7b3d8842b
Opcode Fuzzy Hash: 2d81d39ff8b8ca47c5dc759dabb901bb57ddfa216dd532959f1af995784cc885
Instruction Fuzzy Hash: 5FD1D634D01218CFCB18EFB4D858A9DBBB2FF8A301F1085A9D51AAB354DB359986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 064DA3E8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f394f7c8500d4e57600178d1b267e6f36ac1145cc1ff9402ba38c16f94bc045c
Instruction ID: 3f78e0bd95bb99a19a7a47bc2987b9e8e7b48cc26bade8031dbf53b09ccae452
Opcode Fuzzy Hash: f394f7c8500d4e57600178d1b267e6f36ac1145cc1ff9402ba38c16f94bc045c
Instruction Fuzzy Hash: 24D1C634D00218CFCB18EFB4D858A9DBBB2FF8A301F5085A9D51AAB354DB359986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 064C0D80 Relevance: 10.4, Strings: 8, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 064C0E78
$^q, xrefs: 064C0E84
$^q, xrefs: 064C0E52
$^q, xrefs: 064C0F86
$^q, xrefs: 064C0FB8
$^q, xrefs: 064C0F36
$^q, xrefs: 064C0E02
$^q, xrefs: 064C0FAC

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 7842bd535a039e4ac2f1184792b9dcd4dc153fb2745ae334bb46a612cd21f7ce
Instruction ID: 89c1e80fea6c3d7a11386697b8d0237ac89cf19c411f044607c4f2e21739661b
Opcode Fuzzy Hash: 7842bd535a039e4ac2f1184792b9dcd4dc153fb2745ae334bb46a612cd21f7ce
Instruction Fuzzy Hash: C2F1AC34B04205CFDB959B69C848A6EBBF6BF89720B14845EE406DB3A2CF35DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064C1298 Relevance: 10.2, Strings: 8, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 064C1336
$^q, xrefs: 064C13A0
$^q, xrefs: 064C13EB
$^q, xrefs: 064C137B
$^q, xrefs: 064C1461
$^q, xrefs: 064C1455
$^q, xrefs: 064C1430
$^q, xrefs: 064C13AC

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 5aacb40faf77645cd8342ccefc1c95a2b68b0cbbadce3ac7b71349d2fac190d1
Instruction ID: 795ae1401056ef3723b670b3fdf2b5f0c1a19673bcfd7434ded4ff9b624caf3b
Opcode Fuzzy Hash: 5aacb40faf77645cd8342ccefc1c95a2b68b0cbbadce3ac7b71349d2fac190d1
Instruction Fuzzy Hash: 1861C6787042049FE7959BA98854A3A77E6BF88714F11841EE9028B7A7CE71DC42C791

Uniqueness

Uniqueness Score: -1.00%

Function 064C1297 Relevance: 2.6, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 064C1336
$^q, xrefs: 064C13EB

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: d8332c37dcd46d54eaba1bdd5372e588ff3d1501589b504812ae6bc6d35041e9
Instruction ID: 662cdb8a541f117a2251c384ad3f00c753f6197be9413bf3d3e17c120258a53d
Opcode Fuzzy Hash: d8332c37dcd46d54eaba1bdd5372e588ff3d1501589b504812ae6bc6d35041e9
Instruction Fuzzy Hash: AE41F8787402005FE7C59AA9C854F7B36EBEF8D715F11442AFA029B3A6CEB1DC428791

Uniqueness

Uniqueness Score: -1.00%

Function 064C0598 Relevance: 1.7, Strings: 1, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`lPj, xrefs: 064C059C

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: `lPj
API String ID: 0-1282658121
Opcode ID: 7d9dd5aa4ef6b54e36f196d767917cd3432cb6a46b4054a3c60e9f0ff269e5d2
Instruction ID: 7bc1a3620e454ccc4043ed347e5196c7aab595750908b8699867d01b853c7c82
Opcode Fuzzy Hash: 7d9dd5aa4ef6b54e36f196d767917cd3432cb6a46b4054a3c60e9f0ff269e5d2
Instruction Fuzzy Hash: 5B02AB347406148FDB959F78C864A2EBBA2FF85B14F00486DD5429B3A1CF7AEC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02B2AE30 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B2B086

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d8c6db2add4b8a51225f5e4ddc0c166e7470a2b75ae6e43aa919f34c402e981b
Instruction ID: f595b7d6f0fe67607a9aedb426e8f27241f4abc675167e29d2001fa13235cd5a
Opcode Fuzzy Hash: d8c6db2add4b8a51225f5e4ddc0c166e7470a2b75ae6e43aa919f34c402e981b
Instruction Fuzzy Hash: 5E7133B0A00B158FD724DF29D14075ABBF2FF88704F10896DD48ADBA50DB79E84ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B24248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B259F1

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7d6a883eca8d364e9faff85b5d67d7914d9b514afd4504793fc58a66041ecfb9
Instruction ID: 1e83e12a37655e5d6674da3ce16b0eb42613a4da0c75e820c9f50cd1c6c112d7
Opcode Fuzzy Hash: 7d6a883eca8d364e9faff85b5d67d7914d9b514afd4504793fc58a66041ecfb9
Instruction Fuzzy Hash: B541F1B0D00729CFDB24CFA9C984B9DBBB5FF49304F6080AAD408AB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B25935 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02B259F1

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5070fd2c694791da3b89505eb470ae9ee1a76382613c6d2574d72122253a8310
Instruction ID: a3bb0556f4efd26c208b6f3674305f38bbe04312280150b46ca2f4555538eb40
Opcode Fuzzy Hash: 5070fd2c694791da3b89505eb470ae9ee1a76382613c6d2574d72122253a8310
Instruction Fuzzy Hash: DD41F2B0C00729CEDB24CFA9C88479DBBB5FF49304F6480AAD418BB255DB755989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A858 Relevance: 1.6, APIs: 1, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B2B101,00000800,00000000,00000000), ref: 02B2B312

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 255a9c150c0cd5575e102970fb301d6fe53962904f9ca5a46131a6a7833c4920
Instruction ID: 7f0f7a94b15ac9117410e43674f646fb3f913b2d4b5c873b7d99e8fadc3601f6
Opcode Fuzzy Hash: 255a9c150c0cd5575e102970fb301d6fe53962904f9ca5a46131a6a7833c4920
Instruction Fuzzy Hash: 8631CEB68043988FDB01DFA9C894BDEBFF4EF49314F04809AD458AB211C774A548CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B2C9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B2D2C6,?,?,?,?,?), ref: 02B2D387

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 84a7374168c16e3267e4b3207245490aa3cd9a6dcbd499c7787b63f5c2b79e52
Instruction ID: 1228db1fa01fc116d598a57a87707fc28371f47bbf1b89ca237ce7be330e537e
Opcode Fuzzy Hash: 84a7374168c16e3267e4b3207245490aa3cd9a6dcbd499c7787b63f5c2b79e52
Instruction Fuzzy Hash: 7121E6B5900319DFDB10CF9AD584ADEFBF4EB48310F14845AE918A7310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B2D2F9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B2D2C6,?,?,?,?,?), ref: 02B2D387

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f53621a3e94eea205b3a75f9e845176a5236e0fd75fc0d26a26a80671a6262e3
Instruction ID: 82a915ef3372aab59f2062b1a953701e571ba6bbf583ef3d7c794a6a85398784
Opcode Fuzzy Hash: f53621a3e94eea205b3a75f9e845176a5236e0fd75fc0d26a26a80671a6262e3
Instruction Fuzzy Hash: A421E2B5D00219DFDB10CFA9D585ADEBBF5FB48314F14845AE918A3350D378A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B2B101,00000800,00000000,00000000), ref: 02B2B312

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ff771cb672c158ec2673fb68ce0e13c9cadf13707a49429c33d16c57fa73ed86
Instruction ID: 1d7e034f5fc993170b28ae5eadf4c619d1ca6e31fe679fdca9cf745f02f3166b
Opcode Fuzzy Hash: ff771cb672c158ec2673fb68ce0e13c9cadf13707a49429c33d16c57fa73ed86
Instruction Fuzzy Hash: 961114B6D003599FCB10CF9AC544BDEFBF8EB88314F10846AD859A7210C775A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B2B2A0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B2B101,00000800,00000000,00000000), ref: 02B2B312

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3268d4c6b205176f2ac94d48e489345446243d84c7b3ec623b311dcd5b45e93f
Instruction ID: ed12ef632153d26d1a788c6d3ceb3778281fd2d209a50f8684ee7f4d3190ea79
Opcode Fuzzy Hash: 3268d4c6b205176f2ac94d48e489345446243d84c7b3ec623b311dcd5b45e93f
Instruction Fuzzy Hash: A21144B68003488FDB10CF9AC444BDEFBF4EB88324F14846AD419A7200C775A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B2B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B2B086

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b09a0ac95b28aa1ef97e4b4d6c906a626e0c4e66f45e2b3352c60ef17c96766a
Instruction ID: d6593a6171d6771ccec8523b1180f4ad169b77e523a45c4da16af1e87d9e6929
Opcode Fuzzy Hash: b09a0ac95b28aa1ef97e4b4d6c906a626e0c4e66f45e2b3352c60ef17c96766a
Instruction Fuzzy Hash: D011D2B5D00759CFCB10DF9AC444BDEFBF4EB88214F10845AD469A7210C775A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064D6218 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

,bq, xrefs: 064D628E

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 5850b1411b5a7faad014e261c021ec0c540f723eacdfeb6573443c888eef0631
Instruction ID: e2c4358bf6427ee597cf963cac3f1ca0246167527ae4685c1a15a5f5f506444f
Opcode Fuzzy Hash: 5850b1411b5a7faad014e261c021ec0c540f723eacdfeb6573443c888eef0631
Instruction Fuzzy Hash: 48512C34B442008FC799DB29C59482A7BF3BFC9311B6685A9E506CF776DA31EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064D6208 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

,bq, xrefs: 064D628E

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 14ec89ee71e785445d708897a18d0fa8903d6bcb08c20e0dc0e94405dcfb6f9d
Instruction ID: 8cf8bdfcfd904e54ca08b3e1ee69f05057a8692ad2caf5fccf87e10b82d8f668
Opcode Fuzzy Hash: 14ec89ee71e785445d708897a18d0fa8903d6bcb08c20e0dc0e94405dcfb6f9d
Instruction Fuzzy Hash: 72413A34B041008FC798EB39C59492A7BE3AFC9315B6685ADE506CF76ADA31DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064D3DE0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

4'^q, xrefs: 064D3F25

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: e61253dd39caae1dc487d816b43ab959f326bffa381867e93fbd19e16d4d3a23
Instruction ID: 7843717bd5120bc1f357e9f69be4a5469967aba09b88aba4e5bf354a7f635cb1
Opcode Fuzzy Hash: e61253dd39caae1dc487d816b43ab959f326bffa381867e93fbd19e16d4d3a23
Instruction Fuzzy Hash: DA31D031B002514FC71AAB38E4506AE7BE6DBC671071548BAD4498B391DE35DC0B87A1

Uniqueness

Uniqueness Score: -1.00%

Function 064D84C8 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

4'^q, xrefs: 064D85B1

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: eadbf8a2f2c9dd64ee0be09599fca4d7f33dd216c0c13983efdd63443330b926
Instruction ID: 8d10b794ca65321e3c3fc58d13c1b078ea30c660643f4e0cd15691dd10a5e21c
Opcode Fuzzy Hash: eadbf8a2f2c9dd64ee0be09599fca4d7f33dd216c0c13983efdd63443330b926
Instruction Fuzzy Hash: D131AB31B002098FDB09EB79E4A427E76E7EBC8610764447AD50BCB385EE35CD068792

Uniqueness

Uniqueness Score: -1.00%

Function 064C1BA0 Relevance: 1.3, Instructions: 1345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f1e3863901be5c2b3d5dc806b9fb85e90b3c1f771d1db6465773d355f21777
Instruction ID: 027d8fe9c6be128da5b1f1f828617b5f5517202ad4e5c91b066bd6a578895bc6
Opcode Fuzzy Hash: 15f1e3863901be5c2b3d5dc806b9fb85e90b3c1f771d1db6465773d355f21777
Instruction Fuzzy Hash: FAC24E34B401189FDB559F68CD51AAE7BB2FF88700F10809AE606AB3A1DB71DE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 064DB358 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

4'^q, xrefs: 064DB399

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 47270c1c59feb8b82789eab02a9f8359c3250d14d22432b11afbb4cc8b8ab8e2
Instruction ID: 07bcff3948b0fbf8238a24e812de5bc0835f4c39d3b4ac800dd8bc3d3c792d92
Opcode Fuzzy Hash: 47270c1c59feb8b82789eab02a9f8359c3250d14d22432b11afbb4cc8b8ab8e2
Instruction Fuzzy Hash: 3201D434906249EFCB04FF78E99469DBFB2FF45200B1501A9E405D7355DB305E46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 064D3EC8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

4'^q, xrefs: 064D3F25

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 94737a8da2d46b3de202ead88c15dbaea91b0f153c3a18e5c5f26208597e41d6
Instruction ID: 194fd9c1634f01e5bdd1e3d9e69916fd3dc1d4c3d15f01b2717c77bab94137c4
Opcode Fuzzy Hash: 94737a8da2d46b3de202ead88c15dbaea91b0f153c3a18e5c5f26208597e41d6
Instruction Fuzzy Hash: F2F09A313402018FC208FB29E850A6EB7DBEBC9A503145969D05A8B328EF60EC4B87A5

Uniqueness

Uniqueness Score: -1.00%

Function 064DB368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 064DB399

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 66353796a306102837fc91ba60c2710194fa8c7d0db79ff75918ede254a37589
Instruction ID: 3f90141de7ecefaaa97c53c32cf2f4af6d7c6099f1b282e32102f6e268773cbc
Opcode Fuzzy Hash: 66353796a306102837fc91ba60c2710194fa8c7d0db79ff75918ede254a37589
Instruction Fuzzy Hash: 9CF08C70E01209EFCB04FFB8E58855CBBB2FB84200B1545A9D406D7714DB306E45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 064C3A42 Relevance: .7, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f933a8a9c87db3d9409229151966d84906a82eb3ab38083d0cad92ba34dab33c
Instruction ID: 0a8eac8d415d9dc4a1d3faf4c56f6963c3401a7af7be42e20649df5b18376432
Opcode Fuzzy Hash: f933a8a9c87db3d9409229151966d84906a82eb3ab38083d0cad92ba34dab33c
Instruction Fuzzy Hash: 24524934B402149FDB45DF68C994EAABBF6FF89704F10809AE506DB3A2DA71ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 064C00D8 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2a85e44e946a3d66abca1f04bf4f8067884de98be845004f2e3c9ffb692876
Instruction ID: 5bde2c74810997b5588795d7e7d4dda43255848de354f6a0a1def30f37429cfc
Opcode Fuzzy Hash: 9d2a85e44e946a3d66abca1f04bf4f8067884de98be845004f2e3c9ffb692876
Instruction Fuzzy Hash: C2425B347406288FCB65AF78D550A2EBBA2FBC5B14B10495CD5439B3A0CF7AED068B85

Uniqueness

Uniqueness Score: -1.00%

Function 064C2078 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03444c23383f5e2e1b1c25586cc45a55ebda719789b733ea2aec13a73ade5fac
Instruction ID: 9cbee07984dca3a22c2148ba994f3fe068961e4986d0681d8cc9df7f8be715f4
Opcode Fuzzy Hash: 03444c23383f5e2e1b1c25586cc45a55ebda719789b733ea2aec13a73ade5fac
Instruction Fuzzy Hash: B522B474B405148FCB559F28C955EAF77B2EF88714F10809AEA065B3A1CFB1EEC18B91

Uniqueness

Uniqueness Score: -1.00%

Function 064C2077 Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3639933e50668f01ccf614b0fae9c7d7ff38906aee89569acd48090b082a8ada
Instruction ID: 27dd6b3b226a93648c896ca669a445e59fd905ea1994acd0fbd4fb3809b45b0e
Opcode Fuzzy Hash: 3639933e50668f01ccf614b0fae9c7d7ff38906aee89569acd48090b082a8ada
Instruction Fuzzy Hash: B422A474B405148FCB559F28C955EAF77B2EF88714F10809AEA065B3A1CFB1DEC18B91

Uniqueness

Uniqueness Score: -1.00%

Function 064C0610 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50865493d09c061965fef3dc3b904f82f7a10d87488abd4f700b8cd76dbc4185
Instruction ID: 2ff7d9d650a95e129d08dbfe474f3daa9fb8bd2260e7aab77fab00ac3ae05420
Opcode Fuzzy Hash: 50865493d09c061965fef3dc3b904f82f7a10d87488abd4f700b8cd76dbc4185
Instruction Fuzzy Hash: A7F1BD34740214CFDB959F68C955A2EBBA2FF85B14F00886DD5429B3A1CF7AEC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064C0688 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0d34ebed1b086ed2ab310d390a839779e13f7d5eb34c66a9e9fdeca0d46de8
Instruction ID: 379c87e71ad24b9a09abce183daad6bfc1c6c51e7a4c4b74dfc6527da51b5855
Opcode Fuzzy Hash: 9f0d34ebed1b086ed2ab310d390a839779e13f7d5eb34c66a9e9fdeca0d46de8
Instruction Fuzzy Hash: DDE1E334740214CFDB859F68C969B2A7BB2FF89B14F008469D5429B3A1CF7ADC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064C0700 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f503740e101029b95ddf2fd4e08f347a1f71dd1668508f79827adf29fff82d85
Instruction ID: 7487b0a5d0ca50c5f1853bfc140b7bb60f437833829b18a1b83d41aaca033472
Opcode Fuzzy Hash: f503740e101029b95ddf2fd4e08f347a1f71dd1668508f79827adf29fff82d85
Instruction Fuzzy Hash: 4FD1C674740314CFDB859B68C969B2A7BB2FF89B14F00846AE5429B3A1CF76DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064C00D7 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad165ccdbb2230f7330f9f9cd5115159ad9b9f617a441478aca5acdc7dd6ded
Instruction ID: 316ea39f23e2db3b409d04ad82063a2e4eb8c320b32f4a7977c347871e09ead2
Opcode Fuzzy Hash: bad165ccdbb2230f7330f9f9cd5115159ad9b9f617a441478aca5acdc7dd6ded
Instruction Fuzzy Hash: 6EC1A874B00204CFDB859B68C959B6A7BB6FF89B14F10806AE542DB3A1CF76DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064C00B8 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757b3aa40146be5840ddf7fa7a226e1f7b506a011b5460e8ce179fd1931cbb04
Instruction ID: 9d4d6997c21b3aa55677a8c6afa7f53662b26f1a89ac9fc0afb632715986601b
Opcode Fuzzy Hash: 757b3aa40146be5840ddf7fa7a226e1f7b506a011b5460e8ce179fd1931cbb04
Instruction Fuzzy Hash: 1AC1B874740204CFDB859B68C969B6A7BB6FF89B14F10806AE542CB3A1CF76DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064D4AFF Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d36f226f63feab47ae864bb7c60229fd7f1e636654db4539803414c8f89ec8
Instruction ID: bcb308f1d9881cd2ec6d0173abf7673a408b85c416a991860f20fa2d5ddd71fe
Opcode Fuzzy Hash: 56d36f226f63feab47ae864bb7c60229fd7f1e636654db4539803414c8f89ec8
Instruction Fuzzy Hash: DDC14734B00605CFCB45DF69C598AAABBF2FF88301B2585A9E546DB365DB30EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 064C1530 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60c074958453738dd94a8abb53429d8962dd1e4f10523de467dafe8430d52f9
Instruction ID: 18eea8905305dd40decefbfcd555d332cf62ff1f12f364b4f5588896833799fa
Opcode Fuzzy Hash: c60c074958453738dd94a8abb53429d8962dd1e4f10523de467dafe8430d52f9
Instruction Fuzzy Hash: 5471AF78B046559FCB859B68C858A7EBBF6EF89710B14846ED412D73A2DF30DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 064D7D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccc008c68058822e859282a3b6e8c028ddfa4510b45cee70331192ee6a02319
Instruction ID: 6f2df5489a3f12eb1043660d8d146f3217b84801a20a5e728be7899bbbb94e29
Opcode Fuzzy Hash: cccc008c68058822e859282a3b6e8c028ddfa4510b45cee70331192ee6a02319
Instruction Fuzzy Hash: C5512671E00218DFDB55CFA9C891BDEBBF6AF48314F14842AE419AB244DB749846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064D59C8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7273bec78f8d014fafa682d685e0f2d066f8257f44c688849df2ecd78613546f
Instruction ID: 6e58df9b4f44a9e9e4087011e60ffe7b7b2b3f79e84ef6b07dc9736a7e4e3718
Opcode Fuzzy Hash: 7273bec78f8d014fafa682d685e0f2d066f8257f44c688849df2ecd78613546f
Instruction Fuzzy Hash: 57418B35A00606CFCB15CF58C9909AAFBF2FF89310B15C99AE5599B361DB30F801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064D7D4C Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492853257b980b56e633f5a2ee058e0fb0763eeef89bd1e5acfe22e298228c57
Instruction ID: 201ab26d0d3ad30a63fd74f344aefcf13ec78e99550d1b92ca823a8803639649
Opcode Fuzzy Hash: 492853257b980b56e633f5a2ee058e0fb0763eeef89bd1e5acfe22e298228c57
Instruction Fuzzy Hash: 255149B0E00218DFDB55CFA9C895BDEBBF5AF48304F14852AE419AB284DB749846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 064D6E90 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b1a87b1259544c71017da968674c37aac2c8877560812aad0006395c871ff0
Instruction ID: fe35816fc91b13f0cf2d36a5fe28338de579564e4f74f9cc0ce204d044d3882a
Opcode Fuzzy Hash: 62b1a87b1259544c71017da968674c37aac2c8877560812aad0006395c871ff0
Instruction Fuzzy Hash: 40412975505F848FC726CF2EC580987FFF0AF99200B04896EE5DA87B62D270E948CB60

Uniqueness

Uniqueness Score: -1.00%

Function 064D5579 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8be33fbabc03e52ef387fa8b7eb595f893f82d45c4cfab5f3a55fd633918b4
Instruction ID: fbcabe0db0a96aa2eb4c8c1bae23d9bc11c7b90223f9b3b937333e61aeedd052
Opcode Fuzzy Hash: 0f8be33fbabc03e52ef387fa8b7eb595f893f82d45c4cfab5f3a55fd633918b4
Instruction Fuzzy Hash: D3316879B012109FCB0ADF38D894A6EBBB6BF89300B518469E905CB365DB30ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064D5588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37076f4ee58e292d3d51549e3d8828fd19695f9dcedb9a891d1a9a8cc4b6c9a9
Instruction ID: b32d7789d10af1ce526878de60f92b9b7bf183ea655394a1667322e94c0fcb7e
Opcode Fuzzy Hash: 37076f4ee58e292d3d51549e3d8828fd19695f9dcedb9a891d1a9a8cc4b6c9a9
Instruction Fuzzy Hash: 8B314675B012109FCB5ADF38D89496EBBB6FF89300B508469E906CB369DB31ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064D87A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1aa0958e3e509174c5a25c6205c6a06336010d73ff477aef90edff18a6a553
Instruction ID: b8cc112ce3e7b8866939872c7c89e3cbd1b75d08a76d9f42aa8a50438788014c
Opcode Fuzzy Hash: 2a1aa0958e3e509174c5a25c6205c6a06336010d73ff477aef90edff18a6a553
Instruction Fuzzy Hash: D241F3B1D01248DFDB54DFAAD950AEEFBF6AF88310F10802AE419B7254DB35A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064C2EC8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8b9512531d8e1f872242f29fd95f42ce33069572e6cefa9a979b456ead06fa
Instruction ID: 5ff4dc74e670c1766ab72ed51790d2949df95e1d5e720731ceea89e0ebf83477
Opcode Fuzzy Hash: 1a8b9512531d8e1f872242f29fd95f42ce33069572e6cefa9a979b456ead06fa
Instruction Fuzzy Hash: A5313835E106199FCB44CFA9D8848DFF7F6FF89310B11816AE915A7320EBB0A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064C2EC7 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c67a82c1ed1dcd35a2041f7f9612c919cbccb83c8e284ca9175a5c85c712be
Instruction ID: a6ad7bedcacfe4050ffbe63f1d7c71214e467a6893422422eea4de330a3c2b29
Opcode Fuzzy Hash: 96c67a82c1ed1dcd35a2041f7f9612c919cbccb83c8e284ca9175a5c85c712be
Instruction Fuzzy Hash: 69313835E10619AFCB44CFA9D8808DEF7B6FF88310B11806AE905A7310EBB0A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 064D8796 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4f04af0fb24847bd7bcb7544cf3970b8832a9c4947e6ac07f4a8c28fce77d0
Instruction ID: 83125d7e982a204300d8dd81868381976c22bbdbacb49db57c30f3b857ca7fec
Opcode Fuzzy Hash: 3c4f04af0fb24847bd7bcb7544cf3970b8832a9c4947e6ac07f4a8c28fce77d0
Instruction Fuzzy Hash: 8F3103B1D012489FDB14DFAAD954AEEBFF6AF88300F14802AE415AB250DB35A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 064C152F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfada419ded0cc4980b78408fcffc8771846373818d03fb052bbd5ddd60dbd2
Instruction ID: c3104e10cc350100da52eb111668fbcf9cb533a3fc4cfb9ee623d07ceffdd26c
Opcode Fuzzy Hash: 3bfada419ded0cc4980b78408fcffc8771846373818d03fb052bbd5ddd60dbd2
Instruction Fuzzy Hash: FB217178B002159FCB849F69C8449AFB7FAFB88714B10852AD516973A1DB71DC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 064C345B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2208e4a7c4cc92d42c167703e7f18bcdea7c6b961c38c5b67fd04802e810433e
Instruction ID: 730716d200c118495567026deff3dafdb93de3c59409f006e01fce4113308966
Opcode Fuzzy Hash: 2208e4a7c4cc92d42c167703e7f18bcdea7c6b961c38c5b67fd04802e810433e
Instruction Fuzzy Hash: BF216D35B40004AFCB55DF69D984DAABBB2EF88714F15C0A9E9059B3B5DB31EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 064C360B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53c1bcd4fcdcf95cc4b8afcd26766259a76401fe09ed31715fa709a62c6c3d3
Instruction ID: 816fd4cd27d5093f8cc99d254790c59c288d299b95594ae2c89478c916285179
Opcode Fuzzy Hash: e53c1bcd4fcdcf95cc4b8afcd26766259a76401fe09ed31715fa709a62c6c3d3
Instruction Fuzzy Hash: 01215C35B400049FCB55DF69D894EAABBB2FF8C714F1180A9EA059B3A5DA31EC06CB10

Uniqueness

Uniqueness Score: -1.00%

Function 064D8A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d2a8b728e09b59221f5ce0b5b7ebdca020ff1c66dc8e00657d6fad73b084b8
Instruction ID: 194c6d77b1e21ae8b9c02b00c7b482a90f00f323fd4bdfb2e7757efabc42e27e
Opcode Fuzzy Hash: 21d2a8b728e09b59221f5ce0b5b7ebdca020ff1c66dc8e00657d6fad73b084b8
Instruction Fuzzy Hash: CD31F4B1D01258DFDB14CFA9D894BEEBBF9EF48310F24842AE409A7240C775A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0298D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1909122421.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_298d000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87dce57333bd2c1cff21db42436e354452c30dacd334be4ec9c7ce7992f7b553
Instruction ID: 26d456d590cb570dd17731b2e6f2898f7e3e0b3ff8ab332af26395794dcf0653
Opcode Fuzzy Hash: 87dce57333bd2c1cff21db42436e354452c30dacd334be4ec9c7ce7992f7b553
Instruction Fuzzy Hash: 5521C471504204DFDB09EF24D9C4B26BF69FB94324F28C569D90A4B2D6C336E456C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0299D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1909160388.000000000299D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0299D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_299d000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6cb73d013d2b5ebc33f6808c5eec9bb7d8b9ffc157ce1bd6801c71c23cea1c0
Instruction ID: f09558a892dcb82510bcee20c689823678f8de850ef485e4d4275f2efdbbf9ea
Opcode Fuzzy Hash: d6cb73d013d2b5ebc33f6808c5eec9bb7d8b9ffc157ce1bd6801c71c23cea1c0
Instruction Fuzzy Hash: 2A21F271604200DFDF14EF28D9C4B26BBA5FB88324F24C969D84A4B296C33BD447CA71

Uniqueness

Uniqueness Score: -1.00%

Function 064C106F Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb04614845d76480527d4a71182f7352cf9c4a2bde20459a258a3091351f429
Instruction ID: 791c8f2e4075750931d6aed92377dc76e7abb5100b9e114186a49b5f92353d76
Opcode Fuzzy Hash: dbb04614845d76480527d4a71182f7352cf9c4a2bde20459a258a3091351f429
Instruction Fuzzy Hash: 6021BE38B001049FDB859B6DD8449AABBEAEFC8220B15852AE415877A2DE30CC018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 064D8A8C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0793ff33420ba914f37f8e9f12dc6acc18df7d93d38cf316901b3f1cfc93dbf
Instruction ID: f0707c1741ded77d6f375bfe7806a6978a00f49e2414e8e18e170945b1ea5da1
Opcode Fuzzy Hash: a0793ff33420ba914f37f8e9f12dc6acc18df7d93d38cf316901b3f1cfc93dbf
Instruction Fuzzy Hash: 352128B0D01258DFDB14DFA9C895BEEBFF9AF48310F14842AE005A7280D7759845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 064D549F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d1fcc4f83f22ca7656c58e10576f14f8bfade0934bb5feca217fbb334f7bbc
Instruction ID: 43bb962698349c41f8d55ffceff9ae33821f4c78e15ef951c4e98851aafca8d7
Opcode Fuzzy Hash: f8d1fcc4f83f22ca7656c58e10576f14f8bfade0934bb5feca217fbb334f7bbc
Instruction Fuzzy Hash: 4B110A34E083918FD7AFCA7855641ABBFF2AF8120671884AFE041C7A6ADD35D446C351

Uniqueness

Uniqueness Score: -1.00%

Function 0299D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1909160388.000000000299D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0299D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_299d000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937376caa0f83c9918e4b54824463263b354d19d98e56814d03fa25025c48a6d
Instruction ID: 1a4c00b5335bbd83f791c7a8b925ae5e382663e461361da3e2025fcef9ed949c
Opcode Fuzzy Hash: 937376caa0f83c9918e4b54824463263b354d19d98e56814d03fa25025c48a6d
Instruction Fuzzy Hash: B02181755093C08FDB12DF24D9D4715BF71EB46224F28C5DAD8898F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 064DBC5F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875d4aa75ac2fe2e0364d18d563a25e3ac19cc2ddfa332da3bc25daefa2e82ba
Instruction ID: f597af3391ab0198c6edd896c32b51b4e1eeb4536f879b20cba013701a974f30
Opcode Fuzzy Hash: 875d4aa75ac2fe2e0364d18d563a25e3ac19cc2ddfa332da3bc25daefa2e82ba
Instruction Fuzzy Hash: 8C1125302103004FC7817B34E92456EBBEBEEC235031A082DD207C7F12CE24A94A8794

Uniqueness

Uniqueness Score: -1.00%

Function 064D8C58 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5071e02decebf27022824373d50959d994b7f0ccec38a15752af3b67972be4
Instruction ID: b06b25426b4c08bed930081377809382739abdb06f792c7e0d90996146b26213
Opcode Fuzzy Hash: 3e5071e02decebf27022824373d50959d994b7f0ccec38a15752af3b67972be4
Instruction Fuzzy Hash: BA21B074E05218DFDB48DFA9E858AEDBBF5BF88310F14912AE805B3390EB741945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0298D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1909122421.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_298d000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4b8f220f186c8c5bbda935c5ee053cf1f223ad6fd61f31ddd94ccd644bbfc1d8
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: EB112672404240DFDB06DF20D5C4B16BF72FB94324F28C2A9DC090B296C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 064D6170 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b17e660f4ca5148bed521982643c32df28f452bea28ca4773325fbaa6a50e28
Instruction ID: 992a1f88eebedf1bb111617c79122201c5215e3e7972f41d4fff4c88696d33e8
Opcode Fuzzy Hash: 9b17e660f4ca5148bed521982643c32df28f452bea28ca4773325fbaa6a50e28
Instruction Fuzzy Hash: 4101F576A002108FC3258B29C814B5ABBE5DF89321F1A447FE48AC7332DB71EC81C790

Uniqueness

Uniqueness Score: -1.00%

Function 064DC499 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8aac08aaf49bb98fcff450d100222db98acb64307afd1d75381eea3012b3cc
Instruction ID: 1a1e0c805d85f9b84b4eb0a1e4d18acb4048f449a8b3fd4ed7761afb2ef23ff3
Opcode Fuzzy Hash: 0e8aac08aaf49bb98fcff450d100222db98acb64307afd1d75381eea3012b3cc
Instruction Fuzzy Hash: 9F01E1302082048FD311AB75E50866E7BE3EFC5311B158A2AD14A87B45CF749C0E8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 064D8350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e72d480c07a72b42d60fa99e435cb797f76f470e379eff46284039eaf4ab9d
Instruction ID: 6621888cb892ab6ddc8fb6c6f04126ab4006f6cb9ce224d54b3b36c060789e06
Opcode Fuzzy Hash: 64e72d480c07a72b42d60fa99e435cb797f76f470e379eff46284039eaf4ab9d
Instruction Fuzzy Hash: D1018F31B0011A9FDB10DEA9EC44ABFBBFAEBC4651B14413AE614D3340EB31991587A1

Uniqueness

Uniqueness Score: -1.00%

Function 064DBC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293497974258065ddb39827ed7ccb3835d94064d69abc828bd7b347b0b57af15
Instruction ID: 338d045fe51dd3d32ac1ca0f27b9b4616a5b4ca0c2136ad876e188b68378a835
Opcode Fuzzy Hash: 293497974258065ddb39827ed7ccb3835d94064d69abc828bd7b347b0b57af15
Instruction Fuzzy Hash: 8101BC312102014F8684BB38E96852EBBEBEEC135475A4828D2078BB15DE74BC8B8B95

Uniqueness

Uniqueness Score: -1.00%

Function 0298DA61 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1909122421.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_298d000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720af858df299617e8403de5a5f0a81e7c3d1dfa1fa3a7eeb5ef1bff790cbb77
Instruction ID: 6651cb577e391139a137c3f723d7aebd375aca5eb6ed9c285dbc1790aa470f30
Opcode Fuzzy Hash: 720af858df299617e8403de5a5f0a81e7c3d1dfa1fa3a7eeb5ef1bff790cbb77
Instruction Fuzzy Hash: A201A73110C3449AE710AA35CD84B67BF9CEF45324F2CC969ED194A1D6C7799840C671

Uniqueness

Uniqueness Score: -1.00%

Function 064DE8B0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2e5cc69572f94b2cfd0970889b8b3e4219c17231c6daada89686234d6b6adc
Instruction ID: 2d268c36f0c9e94c7d1dc864fc7d6a627ba9587beb6af8970aafb55fa7e96dc2
Opcode Fuzzy Hash: 5f2e5cc69572f94b2cfd0970889b8b3e4219c17231c6daada89686234d6b6adc
Instruction Fuzzy Hash: 0D0126346083489FCB02EF78D81099A7FBAEF8630071488EAE841CB762DB32DD05C790

Uniqueness

Uniqueness Score: -1.00%

Function 064DC4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4e0bb831ac5879303441583c83b2ba5c9cd161c65d289f7c8f586160255604
Instruction ID: 0389ae9a91a076049fe74713f8814676c8672d19b526fbff56efa4cb5655d5ee
Opcode Fuzzy Hash: 2f4e0bb831ac5879303441583c83b2ba5c9cd161c65d289f7c8f586160255604
Instruction Fuzzy Hash: CB019A302042048FD324AF75E04866EBBE3EFC9711B158A29C14A87B88DF75AC0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 064D5508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da93945d494d195d63cbdaf716ccbf2fbeefefb6a461ecbcf2ff02013d00ab8
Instruction ID: c40dd378426e2c3dc1a73cd94513bb70efb94e6306bdd67b37b52640dc212f86
Opcode Fuzzy Hash: 3da93945d494d195d63cbdaf716ccbf2fbeefefb6a461ecbcf2ff02013d00ab8
Instruction Fuzzy Hash: 8001AD30E11302CFDBAF8A29A524523B7E7BF84205B54882AE40686618DE71E481CB80

Uniqueness

Uniqueness Score: -1.00%

Function 064DC170 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf82bf70b4d14788a2db59527d18b8e59772b4814687c61753969b7b7bee3667
Instruction ID: 769f83ef9ee245eabf5a66a4e4dc4c0362aeac7b2f2d6d9e4dfbc01aab52f246
Opcode Fuzzy Hash: bf82bf70b4d14788a2db59527d18b8e59772b4814687c61753969b7b7bee3667
Instruction Fuzzy Hash: B901D6311057458FD711DF66E508656BFFAFF89300701865FE88BC2A11CB30A509CF84

Uniqueness

Uniqueness Score: -1.00%

Function 064D8F42 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf21d2d457efbb83e8174787822d549fdf7bd951119071df6880539f1d8c01c
Instruction ID: 9ba468af325e15bcb4385778197283ed083d222f5a7d5ac665c9ff7f5fd5667b
Opcode Fuzzy Hash: 9cf21d2d457efbb83e8174787822d549fdf7bd951119071df6880539f1d8c01c
Instruction Fuzzy Hash: CB0156B8D0825ADFDB01DFA4D555AFEBFB1FB0A311F1041AAE461A7381D7740A82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064D8F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c93dd29a37c1cfb87f8f0a8c6f258fe3f84947a1ff3f01db7bd5e34dc2d3a89
Instruction ID: 5cad890a298d9d851478ab1585e32647703590d4291f76e67481ba98b8175acd
Opcode Fuzzy Hash: 4c93dd29a37c1cfb87f8f0a8c6f258fe3f84947a1ff3f01db7bd5e34dc2d3a89
Instruction Fuzzy Hash: 6701D6B4D0420AEFDB44DFA9D9556BEBBF6BF48301F1084AAE455A3340E7741A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0298DA60 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1909122421.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_298d000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eee50d72a01297c80b7984addc62408057f5b8007a5cd32040fd8828767cc13
Instruction ID: bfb8f2fc5e664aa17b5b77c8b5f91348c1ccf9cd7411e04154e86caf3a729c54
Opcode Fuzzy Hash: 2eee50d72a01297c80b7984addc62408057f5b8007a5cd32040fd8828767cc13
Instruction Fuzzy Hash: 86F06271408344AEE7109A26CD84B62FFACEB41734F2CC55AED484E296C3799844CA71

Uniqueness

Uniqueness Score: -1.00%

Function 064DC110 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38228737b885da0be9b465ef2a247b9f43ae92091cfaed068b486f282af49d5f
Instruction ID: 4c19133a4727f9ea34c1083a6ea6b875b2fd3c33ef9b630867ba3a7ecf86db44
Opcode Fuzzy Hash: 38228737b885da0be9b465ef2a247b9f43ae92091cfaed068b486f282af49d5f
Instruction Fuzzy Hash: B4F0F63010A3905FC312A738E91879B7FE69F82204B09049AE142CB652CA656945C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 064D61CA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ce4b4b8342ca7164ae8934d8ef37c64061ef332742a3c838e7e8d51fc5defb
Instruction ID: fd58f2921a7b54021db8f525e2e0b4f205e78fbb97fa7d3ecb98197e94d5935b
Opcode Fuzzy Hash: c0ce4b4b8342ca7164ae8934d8ef37c64061ef332742a3c838e7e8d51fc5defb
Instruction Fuzzy Hash: C6F0E936B406018FCB50E729E9545DB7BD1EF84316F06447BD409CB631EA20E845C740

Uniqueness

Uniqueness Score: -1.00%

Function 064D6EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9edd803a0690c42536f08bdc68c15f8d9dcb5e24a241405a997438e25e17c43
Instruction ID: e1f8a6f76709dc4691fd92551774e14e73eebb9002ae8df323fd5178f9fb12c9
Opcode Fuzzy Hash: f9edd803a0690c42536f08bdc68c15f8d9dcb5e24a241405a997438e25e17c43
Instruction Fuzzy Hash: BCF012662041E83F8B515EAA9C10CFB7FEDDA8E561B084156FE98D2141C429C921ABB0

Uniqueness

Uniqueness Score: -1.00%

Function 064DACB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7145a82e3bf5f7c1e9fdc3e4b4e142238f7ea12cc8e1d6e98e9912de1f182cba
Instruction ID: 29b831d4c4a374568bbc9bbbe02e5c1c725f9403d0974a7946109954a6b71cf3
Opcode Fuzzy Hash: 7145a82e3bf5f7c1e9fdc3e4b4e142238f7ea12cc8e1d6e98e9912de1f182cba
Instruction Fuzzy Hash: C4F09E727492944FC7171738AC240BD7FA6DCC365130800DFD683CB256CA044507C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 064DADE9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe715a2434755a834b15db76e971f54eb273b8de3945059a5ed68cf99a03b53
Instruction ID: ae85b479db06603d9d29ad7ae0288500e8854f26abfcb33f0a84c42f5f5d3460
Opcode Fuzzy Hash: afe715a2434755a834b15db76e971f54eb273b8de3945059a5ed68cf99a03b53
Instruction Fuzzy Hash: 10F027312491846FC3203B6AA8547DFBFEBEFCA710F04006DE24AC7243DA65184987A4

Uniqueness

Uniqueness Score: -1.00%

Function 064D67C8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6556d7f36fd1ea954cb982df9b326304ee7330b8acaf0b6e1ef8a70292a26342
Instruction ID: d8fe29c220b09abbaca00b8abcefbb0477c092adca72994da65182afd5f928b0
Opcode Fuzzy Hash: 6556d7f36fd1ea954cb982df9b326304ee7330b8acaf0b6e1ef8a70292a26342
Instruction Fuzzy Hash: C5F02E32B003009FD7218B28A814F927BE1AB86711F06826AF214CF2E1D3B1E8098340

Uniqueness

Uniqueness Score: -1.00%

Function 064D8FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7762b5ddf153bff3dbca114745275a9b3aa27c3a29e9a7b4e61b37b996ba31
Instruction ID: c4404921dda73241c454e8fee728aaf54030e8fa9c37f31bbec753e41febd4b6
Opcode Fuzzy Hash: 8d7762b5ddf153bff3dbca114745275a9b3aa27c3a29e9a7b4e61b37b996ba31
Instruction Fuzzy Hash: D9F049B5C081599FDB41CBA4D8655BEBFB2EF5A201F00419BE446E7391E6359A42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 064D54F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b98ef77820c84b950ccd4e083e5f39033585e9a96e45b4ed99f28a76c5aff2a
Instruction ID: c5847b97242b2eb121ea7eeb8b1add61e4b69dc400a38c4a4bacccbac3ada43d
Opcode Fuzzy Hash: 5b98ef77820c84b950ccd4e083e5f39033585e9a96e45b4ed99f28a76c5aff2a
Instruction Fuzzy Hash: 11F024319007018FDBAACE61E510767BBF2AF80314F48886ED04646A29CE75E485CB40

Uniqueness

Uniqueness Score: -1.00%

Function 064D8341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86095dd11e3f006f83de7d7046ee424ac08061423e0ab8cec73fd01c40063063
Instruction ID: 6629272e525ba0c6f53a884df533c5339b256ad9f0f8b30cadbc658efb2b141d
Opcode Fuzzy Hash: 86095dd11e3f006f83de7d7046ee424ac08061423e0ab8cec73fd01c40063063
Instruction Fuzzy Hash: 5BF0E572F1001A4FDB20DAA9EC445BF77F9FB98261B080137D618C3240F73489198791

Uniqueness

Uniqueness Score: -1.00%

Function 064DADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfe91f104f76956402222ea02b289478fa780b5fbf484d032589e735ea23aee
Instruction ID: 54bb40071c4bbd6b26aee98528e970635d01db3f74036ebb43dd96677981363e
Opcode Fuzzy Hash: cbfe91f104f76956402222ea02b289478fa780b5fbf484d032589e735ea23aee
Instruction Fuzzy Hash: F2E09231248104AFC3143BAAE888A9FBAEBEBC9751B00402CE30EC3246DA65580987A5

Uniqueness

Uniqueness Score: -1.00%

Function 064DC180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6918389b5adb39fda0c3cd7effabf5960ebe9d41b8c31203fb00c2ca06cd60
Instruction ID: 4829e854522db267d46aeb5b7e5b66e166d7ee7922ec2001b5a9753842e9af3a
Opcode Fuzzy Hash: 9a6918389b5adb39fda0c3cd7effabf5960ebe9d41b8c31203fb00c2ca06cd60
Instruction Fuzzy Hash: 94F09A35505B01CFD725EF66E408616BBFAFF88304701C62EE98B82A10DB70A909CF84

Uniqueness

Uniqueness Score: -1.00%

Function 064DFF60 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2076c8b9a6bcf7f5c854a3164fdf657e78ac1e18bf725316852df93ed941477
Instruction ID: 9e3828ccdd561882229f96209858d844d6c5a645ae9f0d8b291edc678a4c873e
Opcode Fuzzy Hash: a2076c8b9a6bcf7f5c854a3164fdf657e78ac1e18bf725316852df93ed941477
Instruction Fuzzy Hash: D2E04F32B105046F4794AA5F949482AB79BFBCEA6436540BEE21EC7311DE32DC0A86A0

Uniqueness

Uniqueness Score: -1.00%

Function 064DCC38 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4cd9b97782c44e178dcef2d386310a68b4da2845914e7b21a60bc76d3477dc
Instruction ID: cfe02ac6e2c6a5cb7c7560b84b670a6f8e6f92e8d7edbf114df5d936e39116c3
Opcode Fuzzy Hash: cd4cd9b97782c44e178dcef2d386310a68b4da2845914e7b21a60bc76d3477dc
Instruction Fuzzy Hash: 63E0DF312063509FC602BB29F810BDB3BA6EB82A31B11415AE145C7B5ACB340E4A8BE5

Uniqueness

Uniqueness Score: -1.00%

Function 064DB500 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed7e8d87a7a80c9149654b129447483c03541cd82bed3f5f4826633166d6025
Instruction ID: 394bad75fa85fe077cc19f39d4a16820d5c2b0c776e65076664034c04123f32f
Opcode Fuzzy Hash: bed7e8d87a7a80c9149654b129447483c03541cd82bed3f5f4826633166d6025
Instruction Fuzzy Hash: 10F01535D0520CEFCB01DFB4D9489CEBBB9EB44200F1042A6A805E3240EA305B858B91

Uniqueness

Uniqueness Score: -1.00%

Function 064DC120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25e25a1326eb144c8ea329f3b1e3ddede1d27d331392f79afb77a68a01e23f9
Instruction ID: eba68f9129261f4b250b622e913c1b7f0596e22fd1bd43e7f2a08d0fc196eaf3
Opcode Fuzzy Hash: b25e25a1326eb144c8ea329f3b1e3ddede1d27d331392f79afb77a68a01e23f9
Instruction Fuzzy Hash: A5E0A9302047618FC210AB29E5087AEBBE6DBC1318F04042EE2468BB00CBA6A8458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 064DCE88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f530b1948ff034cec3a592c7b2c407d8d569fdb0a9b76ffb0f3ae43115e2d5b4
Instruction ID: a1aa13346c050570a2fd60ba30875ef18ad9e250fc5781dc0a557a981f13f0f7
Opcode Fuzzy Hash: f530b1948ff034cec3a592c7b2c407d8d569fdb0a9b76ffb0f3ae43115e2d5b4
Instruction Fuzzy Hash: 8EE0DF70406390EFC702B724B954BDB3BBA9B82A30B010099E881C7A19C6384E86C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 064D5698 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72941ae4935a9e3c19fdfe8d4261d88a0b72c3c1be826a35a968ffda2500a42a
Instruction ID: 3c69549b48989cc358b98f405722d34d66612c7e827ffeda5a492702eeceb0b8
Opcode Fuzzy Hash: 72941ae4935a9e3c19fdfe8d4261d88a0b72c3c1be826a35a968ffda2500a42a
Instruction Fuzzy Hash: DEE04FB211D3414FD3099A64F80998B6B98EB62321F518CBFE0448A096EA35D457C655

Uniqueness

Uniqueness Score: -1.00%

Function 064DE1FF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26c852db98107404c416f0c7a7f4a77ba03981a9fef66de4ace6349e79b4d07
Instruction ID: 47e60379fbebfcc5dd29c08ebfc436b97c12c6110531c0481bc3f29e5270bdac
Opcode Fuzzy Hash: f26c852db98107404c416f0c7a7f4a77ba03981a9fef66de4ace6349e79b4d07
Instruction Fuzzy Hash: 7CE0DF71A09204FFCB01DFB8EC009EE7BB2DE82210B2146EAD809D76A0E6300F159791

Uniqueness

Uniqueness Score: -1.00%

Function 064DE8F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695941cb7da7519b02467e114a52ae921d46bb81e50d9fa43c6cdafe0d875988
Instruction ID: 6d63ea63a9b880793854bcd8f10f412795f2f6738cccc3b9204cd3c566c9f7c3
Opcode Fuzzy Hash: 695941cb7da7519b02467e114a52ae921d46bb81e50d9fa43c6cdafe0d875988
Instruction Fuzzy Hash: 80E01239156344AFC702AB59DC40D967FB9BF5AA1031441CAF9818F273C3219925DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 064DAC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d30541f1450062733030cb09202a4afbe1974497057e3c9294806c58dec6fa
Instruction ID: 671602f3ce44359daade990a12b53b8181f5d49064fe0c3115ad43a7034bf77b
Opcode Fuzzy Hash: 83d30541f1450062733030cb09202a4afbe1974497057e3c9294806c58dec6fa
Instruction Fuzzy Hash: 84D05E353401285B8A1A7769F4184AF7BABEAC5662304006EE70BC7344DE655D06CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 064DB510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb435b68fef011f4d4940a231e72faa809f84a9d7ebd36dfe2e9b4811c0e553
Instruction ID: 1a04191099626a2bcba0cf776496c94ace94c930876ec035febad5911162cb16
Opcode Fuzzy Hash: 2cb435b68fef011f4d4940a231e72faa809f84a9d7ebd36dfe2e9b4811c0e553
Instruction Fuzzy Hash: 5CE09275D0420CEFCB40DFE5E9448DDBBB9FB48200F1082AAE909A3200EB316B55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 064DE280 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b4269ed0c2af35bc67dbf854fbc598cecb2bf582276cc0c1fd372b5562fef4
Instruction ID: 481885360dd79b32b4e01f50b45bed235228ead5323889451c1a9c20db2990d2
Opcode Fuzzy Hash: c1b4269ed0c2af35bc67dbf854fbc598cecb2bf582276cc0c1fd372b5562fef4
Instruction Fuzzy Hash: DAE086309102258FCB54FB14FD85BC973A2E784F24F110118D8069B768C7701F5A9BD8

Uniqueness

Uniqueness Score: -1.00%

Function 064D61D8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fccb81239a39bf4d508ee47cd8a9f422d9560ec341f52609cb53c384e04a7e3b
Instruction ID: 78155e01b4ae4295b8f32e61aaa78d95cd634a0d2d93376f367f1f2481ce150b
Opcode Fuzzy Hash: fccb81239a39bf4d508ee47cd8a9f422d9560ec341f52609cb53c384e04a7e3b
Instruction Fuzzy Hash: DBD0A7316407168BC615972EE84089BBBDEDF88322700843AE40A87634DF60F88187D4

Uniqueness

Uniqueness Score: -1.00%

Function 064DE210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c19b0ac67f5ea8a369014b88bc27249d7f748336816b3a8ffc6a9346addc68
Instruction ID: f56ac16e63dc20ed2cb5953372e3e783974c2c44ac1b3b1ba58005e4fefcd39a
Opcode Fuzzy Hash: c3c19b0ac67f5ea8a369014b88bc27249d7f748336816b3a8ffc6a9346addc68
Instruction Fuzzy Hash: 6BD01771A00208FF8B40EFA8E900A9DB7BAEB84214B1045A9D509E3700EA316F009B90

Uniqueness

Uniqueness Score: -1.00%

Function 064DF8EA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bae75b2d11ad803c8d8e301db98f5dc24465b26455307686ef0795dff60fe6
Instruction ID: 8ca41b34cf1912e4ca163a462aee7bab9a4726399eff8422313489c58dd9cf58
Opcode Fuzzy Hash: 12bae75b2d11ad803c8d8e301db98f5dc24465b26455307686ef0795dff60fe6
Instruction Fuzzy Hash: 31C01232B141200B0284BB6CB0141AD6AD793E86A339B006EE60FC3388CEB08C425784

Uniqueness

Uniqueness Score: -1.00%

Function 064D3721 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6518f73997865f1e2217aa30956bc10e93425c61150753195c92853f4af5082
Instruction ID: d698c510e05542c4981f8eaa4239a794e80aa3de119da5df9376ff21ce57d980
Opcode Fuzzy Hash: f6518f73997865f1e2217aa30956bc10e93425c61150753195c92853f4af5082
Instruction Fuzzy Hash: 0DC09BEF91914147C30522102C92FE2171557B6148F4B1591955587283F51445154465

Uniqueness

Uniqueness Score: -1.00%

Function 064DDFD1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48818a81b26c55c529003b4280957ec1a071b3aece73d006e5bafa61d797ad6
Instruction ID: afa34a1b4bee7bb9279bc31a4bb7e41e0c4d38b8894176d833b6a10ef13c30fb
Opcode Fuzzy Hash: c48818a81b26c55c529003b4280957ec1a071b3aece73d006e5bafa61d797ad6
Instruction Fuzzy Hash: BDC09B7154F3D46FDF020734CC5D5C53E165F9271471600C6A741CF466D6710015C7E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06F87790 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F879DB
$^q, xrefs: 06F8792B
$^q, xrefs: 06F879F1
$^q, xrefs: 06F87941

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 107a7315a8ea3f84e6034d1f6a40e3b569ce2713fa067b24d83a9b6f07b1cb0b
Instruction ID: 4fa0c25938257a3747042f588eac5e047ec2893bff49163bb5e668cd30f24ec7
Opcode Fuzzy Hash: 107a7315a8ea3f84e6034d1f6a40e3b569ce2713fa067b24d83a9b6f07b1cb0b
Instruction Fuzzy Hash: C5C1B870E01218CFDB58EFA5C99079EBBB2BF89300F2495A9D409AB354DB345D86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F89140 Relevance: 2.7, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F892A2
$^q, xrefs: 06F89292

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 13297816e643a4a43508a954b716176b3786df8d098dc589d1948aa0c5fa8ca2
Instruction ID: a70cf002780272af8f494bf290ad7cbbe2e681a950a93272bd806eaeab1f58b4
Opcode Fuzzy Hash: 13297816e643a4a43508a954b716176b3786df8d098dc589d1948aa0c5fa8ca2
Instruction Fuzzy Hash: 9191C374E01218CFDB54EFA9D584AADBBF2FF89301F208569E409AB354DB359986CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06F85070 Relevance: 1.8, Strings: 1, Instructions: 525COMMON

Download Yara Rule

Strings

3&, xrefs: 06F8515D, 06F85162

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: 3&
API String ID: 0-3260511313
Opcode ID: 98852143cd30715130617bccd0a074ff5cbbdbbe43f9887f513bd4861cf45df6
Instruction ID: efeb4af168dc62afc0701d88c1354e26e2b57592bd54491ab7436d93323e4386
Opcode Fuzzy Hash: 98852143cd30715130617bccd0a074ff5cbbdbbe43f9887f513bd4861cf45df6
Instruction Fuzzy Hash: BB428F74E012298FDBA4DF64C994BEEBBB2BF89300F1085E9D40AA7254DB315E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F86EB0 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F87064

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 9809fb4e627b23b5e7f2c33263fa76d7142b01c08c624057e055392270b9951c
Instruction ID: 31e7012f0782e73d5acdbeec9f7a4f7d99fc7d5017e1319eb2be2dd3bb8d3db6
Opcode Fuzzy Hash: 9809fb4e627b23b5e7f2c33263fa76d7142b01c08c624057e055392270b9951c
Instruction Fuzzy Hash: FA71F574E00218CFDB68EFA9D884AADBBB2BF89304F209469D415BB354DB359C46CF44

Uniqueness

Uniqueness Score: -1.00%

Function 064D6FE8 Relevance: .8, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e16308e3551a91bc31bd26baa0fae42d6c4cfda3ff4c379ff9a3665cc17a40
Instruction ID: 0750c29267846c1c7c45df7b76b25586eadc0df988ae0674c9197b847ed38207
Opcode Fuzzy Hash: 45e16308e3551a91bc31bd26baa0fae42d6c4cfda3ff4c379ff9a3665cc17a40
Instruction Fuzzy Hash: 84623FB0B002019FD749EF28C45471ABAE6EF85308F64C49DC10E9F395DBBAD94B8B95

Uniqueness

Uniqueness Score: -1.00%

Function 064D6FF8 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee22806e2068eb159accd9c0930948143170190f63038c4fe545868bc159f28
Instruction ID: 6b21f8abb1146108a980501164bc273232846dcd5ae9b29e5fb21fa13d33b9a8
Opcode Fuzzy Hash: fee22806e2068eb159accd9c0930948143170190f63038c4fe545868bc159f28
Instruction Fuzzy Hash: 7E622EB0B002019FD749EF28C45471ABAE6EB85308F64C49DC10E9F395DBBAD94B8F95

Uniqueness

Uniqueness Score: -1.00%

Function 06F88828 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741afd6c0a534f34af49683e4676e6531d9fa7b9f68c1c893e2cd19566594d03
Instruction ID: 9d624ddb49fd1affee34886a7cca21bddc72dc0e20b73dffe9bd4287512877a3
Opcode Fuzzy Hash: 741afd6c0a534f34af49683e4676e6531d9fa7b9f68c1c893e2cd19566594d03
Instruction Fuzzy Hash: F9228D74D01229CFDBA5EF68C890BD9B7B2BF49300F5085EAD519A7254EB306E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F842C8 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cb4321c5fc154ec7128c4a4945868d053e26e21844694ac6cd69a8a8b2bf7a
Instruction ID: c6b3bf318f2baaef07d66e8440c9228cc6c658130ef18a6a6d8e7b1091ffb1ae
Opcode Fuzzy Hash: 20cb4321c5fc154ec7128c4a4945868d053e26e21844694ac6cd69a8a8b2bf7a
Instruction Fuzzy Hash: 28F1B074A01229CFDB68EF64C890B9EBBB2BF89304F1085E9D509A7354DB315E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F83E68 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e85e60ebedc271a6cee00e90ccf78ac20cdba830782e2165ccfd7ca661e5e9
Instruction ID: fb128424963057242ce0749d046f92edffe319f4dcf080e362037cd609638cb9
Opcode Fuzzy Hash: 32e85e60ebedc271a6cee00e90ccf78ac20cdba830782e2165ccfd7ca661e5e9
Instruction Fuzzy Hash: 25D1BE74E05218CFDB64DFA9C984B9DBBF2BF89300F1091A9D819AB354DB349A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06F86048 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb2309bdf605bb448d5ea70d6c67443d682c0c44051ff991180d3929d473b7f
Instruction ID: 4a77ec74cbfa5370263c68150100336465722a1e60b68666ef92e0316caef2dc
Opcode Fuzzy Hash: 3bb2309bdf605bb448d5ea70d6c67443d682c0c44051ff991180d3929d473b7f
Instruction Fuzzy Hash: C5D1BF74E01228CFDBA4EFA5C994B9DBBB2BF89300F1085A9D409A7350DB315D85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 06F84908 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd09bbadd67146c4a6570fcfa9364227063733af9b5e111dceaace05862343a
Instruction ID: 0213ec7f108c06d1a7947e2487b9a08259eb3484fdab394a76371e6f4618c6c6
Opcode Fuzzy Hash: 8fd09bbadd67146c4a6570fcfa9364227063733af9b5e111dceaace05862343a
Instruction Fuzzy Hash: 6BC1D371D01229CFDB68DF69C850BDEBBB2BF89304F1091EAC409AB254DB755A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F81D80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb75d70810a43fec6c0f803267a8366e32a4abd2739678c394c961d3a8403f77
Instruction ID: 353441c4e3486b5e304e6d7220d0f05f1aba997c478a8cf28df14c13ab0fbb97
Opcode Fuzzy Hash: eb75d70810a43fec6c0f803267a8366e32a4abd2739678c394c961d3a8403f77
Instruction Fuzzy Hash: 15D1F631D10A5A8ACB10EFA4D990ADDB7B1FFD5300F10879AE1497B215EB70AAC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F87E81 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ab63c0393c1065659375a4616b7e912f117f211a1ebbc0aa4d5bfff3d559b0
Instruction ID: 683191ea414759585915cb1f4d2f71c0ffdf0de6f2b16d64974ddb80581966ff
Opcode Fuzzy Hash: 99ab63c0393c1065659375a4616b7e912f117f211a1ebbc0aa4d5bfff3d559b0
Instruction Fuzzy Hash: C0C1B174E01228CFDB54DFA9D890B9DBBB2BF89300F1085AAD419AB354DB345E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F81D90 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c97ab08db14f8c93f7382fd051c8d5aac84727277bbef83acdfdf2cdea668b9
Instruction ID: b9872c24e43df9541d8be3784f8d4efe96426d626a03d536ecd5baf3e851979a
Opcode Fuzzy Hash: 9c97ab08db14f8c93f7382fd051c8d5aac84727277bbef83acdfdf2cdea668b9
Instruction Fuzzy Hash: 3FD1E531D1065A8ACB10EFA4D990ADDB7B1FFD5300F10879AE1597B224EB70AAC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B2DC74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1909450346.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab71134c826d002cc62f215cd033aeeddb2b79e9ba3b95c444e533c9a7fdddf
Instruction ID: c37f81aca54efad11b3a0ca9efc7694e25c0a2f25879bf9ddfc8cdd3d84281d4
Opcode Fuzzy Hash: cab71134c826d002cc62f215cd033aeeddb2b79e9ba3b95c444e533c9a7fdddf
Instruction Fuzzy Hash: 49A17F32E007268FCF05DFB4C4405AEB7B2FF85300B1545AAE909AB265DB71D959CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06F87E90 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bac7b235dc6a0d3fbfbda5e60607e38e171d065e5f65c43f276964cdeadd103
Instruction ID: b52df9938486ed0aeb266beb9aa55b4460faa0429522d32a5e86cd9b4a659ce8
Opcode Fuzzy Hash: 9bac7b235dc6a0d3fbfbda5e60607e38e171d065e5f65c43f276964cdeadd103
Instruction Fuzzy Hash: 21C1A174E01218CFDB54DFA9D890B9DBBB2BF89300F2085AAD419AB354DB346D86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F842B9 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284dc45ee40241722d5a26b0cf38c658358686987faef98347cbaecc35838754
Instruction ID: d52ede568ffe45db1ed5db2a4fe9ef181168661ece3cba475be8181a50c94920
Opcode Fuzzy Hash: 284dc45ee40241722d5a26b0cf38c658358686987faef98347cbaecc35838754
Instruction Fuzzy Hash: F7A1F870E01228DFDB68EFA5C850B9EBBB2BF89304F2085A9D409A7354DB315E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F848F7 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a676a6df872d2a1240dfe8883f6ce76a0663eace7bb605def8b6cfd102f10bb9
Instruction ID: 2b92ee52e183c6be726c3b0d8fcaee2de6bed2b826211f7c81e1667a1c761cde
Opcode Fuzzy Hash: a676a6df872d2a1240dfe8883f6ce76a0663eace7bb605def8b6cfd102f10bb9
Instruction Fuzzy Hash: CB91C471D012298FDB68DF69C850BDEBBB2BF89300F14C1EAD409AB294DB355A85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 06F884C0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6163dec76e8e91e08bed0938528c8db0a4152cd1800d08ff0e4f012e458c79
Instruction ID: 461dc5583b2b54bfa26f6deb458a6c1cb0ce86ca5779a9eb591dd6e29115bd48
Opcode Fuzzy Hash: 8c6163dec76e8e91e08bed0938528c8db0a4152cd1800d08ff0e4f012e458c79
Instruction Fuzzy Hash: FF911374E00219DFDB64EFA9C994B9DBBB2BF49304F1085A9D419B7350EB306A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06F83E59 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba3c88b8ca1c59e9350075e073bf7f6477bfa40cebfe80e95f53a7071824643
Instruction ID: 1f577aab2d8512c355cefda53295054700127879f732dce757bb655aaa604bc5
Opcode Fuzzy Hash: 8ba3c88b8ca1c59e9350075e073bf7f6477bfa40cebfe80e95f53a7071824643
Instruction Fuzzy Hash: CA310476E042588FEB19DFAAD8006DDFBF6AFC9300F18D06AC818AB255DB301946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06F8778F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec5788f6c975bfac516afd7f9ab73ff1bb8d4cf6e7724598563c98f7ca16022
Instruction ID: f8988a25b23f8a9f40c4cd9654e1388fdaa19e160158a06994260d1e663bf4e3
Opcode Fuzzy Hash: aec5788f6c975bfac516afd7f9ab73ff1bb8d4cf6e7724598563c98f7ca16022
Instruction Fuzzy Hash: 0131A1B0E012088FDB58EFAAC95069EFBF3BF89300F24D56AC419AB254DB345946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F86037 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64dc1a57570b6b24121f37553493a104186ee01cb9e93c1276a12030f9d26aba
Instruction ID: 62f4a45274d27a4e33703d93789f29e06efa9087e8d254abae04435e2b3e0690
Opcode Fuzzy Hash: 64dc1a57570b6b24121f37553493a104186ee01cb9e93c1276a12030f9d26aba
Instruction Fuzzy Hash: C53135B1E056488FEB18DFAAD81469EFBF2BFC9301F18D06AC419BB254DB300946CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06F83E21 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b9bf5ffb1d1a6d6118d2256d3e2fbca95ea4c412a1930c4a491123f818763e
Instruction ID: 7feed9fbd648ecd7a0e919f4acebe54c39829d0ecf40e71e85d6b49f22e25ca8
Opcode Fuzzy Hash: e8b9bf5ffb1d1a6d6118d2256d3e2fbca95ea4c412a1930c4a491123f818763e
Instruction Fuzzy Hash: 4D31C7B1E056098FEB48DFEAD84459DFBF7AFC9300F14D06AD408AB264DB341902CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06F8595B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1917264835.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_X8K556WeiK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96096bd33992cd05445846756db7817c56d85298b848ef404f35dec01a58c9da
Instruction ID: 589b5aa1be26fcadd6f9752524eccec852aeabc9698d4f0d1b9f8e3952a906f7
Opcode Fuzzy Hash: 96096bd33992cd05445846756db7817c56d85298b848ef404f35dec01a58c9da
Instruction Fuzzy Hash: 4BE092B1C4511EDFEB90AF91C4067BFF6706B41225F605485880973244CBB04A45CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 064C1790 Relevance: 15.3, Strings: 12, Instructions: 316COMMON

Download Yara Rule

Strings

$^q, xrefs: 064C194D
$^q, xrefs: 064C1A88
$^q, xrefs: 064C1873
$^q, xrefs: 064C1959
$^q, xrefs: 064C1A57
$^q, xrefs: 064C182E
$^q, xrefs: 064C18A4
$^q, xrefs: 064C1A12
$^q, xrefs: 064C1A7C
$^q, xrefs: 064C1928
$^q, xrefs: 064C18E3
$^q, xrefs: 064C1898

Memory Dump Source

Source File: 00000000.00000002.1914780076.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1826369576
Opcode ID: ec6e3c180c91ea3daa533b31e86cddbcd6b775395dd184b45b5c213b2025acc4
Instruction ID: 726790040f66afa11a361df969750e1900456620f15b2f50ccc936f72857baff
Opcode Fuzzy Hash: ec6e3c180c91ea3daa533b31e86cddbcd6b775395dd184b45b5c213b2025acc4
Instruction Fuzzy Hash: 6EB11534B046148FDB999B69C894A2A7BE6BFC9714F00885ED5028B3A7CF75EC06C791

Uniqueness

Uniqueness Score: -1.00%

Function 064DED10 Relevance: 5.2, Strings: 4, Instructions: 242COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064DEEFA
(_^q, xrefs: 064DEF79
(_^q, xrefs: 064DED7A
(_^q, xrefs: 064DEDF9

Memory Dump Source

Source File: 00000000.00000002.1914796231.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_X8K556WeiK.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q
API String ID: 0-2697572114
Opcode ID: 229b8f275fa45a887aa1f4c3b99e5f8fb6dc9faaf6543fdc13a86e00c23ce228
Instruction ID: 2677e48e92b6c44180ede0adeb779aa29a27f130e6adf27793767357886c857a
Opcode Fuzzy Hash: 229b8f275fa45a887aa1f4c3b99e5f8fb6dc9faaf6543fdc13a86e00c23ce228
Instruction Fuzzy Hash: EA91AA35F042449FCB45AFB8C4246AE7BB2EFC5310F2485AAD9069F381DA35DE06CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report X8K556WeiK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\X8K556WeiK.exe.log

C:\Users\user\AppData\Local\Temp\TmpEBFA.tmp

C:\Users\user\AppData\Local\Temp\TmpEC0A.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
X8K556WeiK.exe

Function 06F8D2A8 Relevance: 6.6, Strings: 5, Instructions: 301
COMMON

Function 06F89BC0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1088
COMMON

Function 06F8B350 Relevance: 2.9, Strings: 2, Instructions: 364
COMMON

Function 064D3F50 Relevance: 1.8, Strings: 1, Instructions: 523
COMMON

Function 064C0D80 Relevance: 10.4, Strings: 8, Instructions: 418
COMMON

Function 064C1298 Relevance: 10.2, Strings: 8, Instructions: 196
COMMON

Function 064C1297 Relevance: 2.6, Strings: 2, Instructions: 123
COMMON

Function 064C0598 Relevance: 1.7, Strings: 1, Instructions: 462
COMMON

Function 02B2AE30 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 02B24248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON