Edit tour

Windows Analysis Report
ciKdWsb5h4.exe

Overview

General Information

Sample name:	ciKdWsb5h4.exe renamed because original name is a hash value
Original sample name:	bd129b2710c1f8fa9aa98dcc35c5b6b9.exe
Analysis ID:	1431450
MD5:	bd129b2710c1f8fa9aa98dcc35c5b6b9
SHA1:	572034f781967e768d6d9b49de62217561538a45
SHA256:	62c2c1f7335ed8b0a2120b1cf42a4c55cae1869a0245bef10d51de037e0d7ddf
Tags:	32exe
Infos:

Detection

RedLine

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

C2 URLs / IPs found in malware configuration

Installs new ROOT certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops certificate files (DER)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ciKdWsb5h4.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\ciKdWsb5h4.exe" MD5: BD129B2710C1F8FA9AA98DCC35C5B6B9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ciKdWsb5h4.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1666032685.0000000000032000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ciKdWsb5h4.exe PID: 7632	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.ciKdWsb5h4.exe.30000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: ciKdWsb5h4.exe

Malware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}

Multi AV Scanner detection for domain / URL

Source: 103.113.70.99:2630

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Source: ciKdWsb5h4.exe	ReversingLabs: Detection: 83%
Source: ciKdWsb5h4.exe	Virustotal: Detection: 76%			Perma Link

Source: ciKdWsb5h4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ciKdWsb5h4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb9 source: ciKdWsb5h4.exe, 00000000.00000002.2922388581.0000000000791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb' source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924252741.0000000005E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2922388581.0000000000791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdba source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 103.113.70.99:2630

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 103.113.70.99:2630

Source: Joe Sandbox View

IP Address: 103.113.70.99 103.113.70.99

Source: Joe Sandbox View

ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN

Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: unknown	TCP traffic detected without corresponding DNS query: 103.113.70.99

Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
Source: ciKdWsb5h4.exe	String found in binary or memory: https://api.ip.sb/ip

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp434B.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp435C.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_022B25D8	0_2_022B25D8
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_022BDC74	0_2_022BDC74
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B367D8	0_2_05B367D8
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B3A3D8	0_2_05B3A3D8
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B33F50	0_2_05B33F50
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B36FF3	0_2_05B36FF3
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B36FF8	0_2_05B36FF8

Source: ciKdWsb5h4.exe, 00000000.00000000.1666059017.0000000000076000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUpspearing.exe8 vs ciKdWsb5h4.exe
Source: ciKdWsb5h4.exe, 00000000.00000002.2922388581.000000000075E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ciKdWsb5h4.exe
Source: ciKdWsb5h4.exe	Binary or memory string: OriginalFilenameUpspearing.exe8 vs ciKdWsb5h4.exe

Source: ciKdWsb5h4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.winEXE@1/4@0/1

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp434B.tmp

Jump to behavior

Source: ciKdWsb5h4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ciKdWsb5h4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ciKdWsb5h4.exe	ReversingLabs: Detection: 83%
Source: ciKdWsb5h4.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Google Chrome.lnk.0.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ciKdWsb5h4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ciKdWsb5h4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ciKdWsb5h4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb9 source: ciKdWsb5h4.exe, 00000000.00000002.2922388581.0000000000791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb' source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924252741.0000000005E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2922388581.0000000000791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdba source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp

Source: ciKdWsb5h4.exe

Static PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B3DFD1 push es; ret	0_2_05B3DFE6
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B3ECF2 push eax; ret	0_2_05B3ED01
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Code function: 0_2_05B349AB push FFFFFF8Bh; retf	0_2_05B349AD

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Memory allocated: A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Memory allocated: 23E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Memory allocated: 21F0000 memory reserve \| memory write watch	Jump to behavior

Source: ciKdWsb5h4.exe, 00000000.00000002.2924328877.0000000005EF1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Users\user\Desktop\ciKdWsb5h4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ciKdWsb5h4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ciKdWsb5h4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: ciKdWsb5h4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ciKdWsb5h4.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666032685.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ciKdWsb5h4.exe PID: 7632, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: ciKdWsb5h4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ciKdWsb5h4.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666032685.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ciKdWsb5h4.exe PID: 7632, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ciKdWsb5h4.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
ciKdWsb5h4.exe	76%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22LR	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17LR	0%	Avira URL Cloud	safe
http://tempuri.org/	2%	Virustotal		Browse
http://tempuri.org/Entity/Id22Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id17LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id22LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id15Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id15LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6	1%	Virustotal		Browse
http://tempuri.org/Entity/Id10Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id19Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id13LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id11LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id13LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id1LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id5LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id1LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id3LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id6Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id7Responsex	0%	Avira URL Cloud	safe
103.113.70.99:2630	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id3LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id1Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id21Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Responsex	2%	Virustotal		Browse
http://tempuri.org/Entity/Id23Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id21LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id23Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id2Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id11Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id21LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id8Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14Responsex	1%	Virustotal		Browse
103.113.70.99:2630	11%	Virustotal		Browse
http://tempuri.org/Entity/Id20Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id8Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id13Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id16LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id14LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id6LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13Responsex	0%	Virustotal		Browse
http://tempuri.org/Entity/Id21Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id9Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/	3%	Virustotal		Browse
http://tempuri.org/Entity/Id3Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id4LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14LR	2%	Virustotal		Browse
http://tempuri.org/Entity/Id12Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id17Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4Responsex	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
103.113.70.99:2630	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/Entity/Id24LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id5LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id3LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id1Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	ciKdWsb5h4.exe	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id23LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id14Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id3Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id4LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2LR	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/actor/next	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4Responsex	ciKdWsb5h4.exe, 00000000.00000002.2923053111.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.113.70.99	unknown	India		133973	NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431450
Start date and time:	2024-04-25 05:57:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ciKdWsb5h4.exe renamed because original name is a hash value
Original Sample Name:	bd129b2710c1f8fa9aa98dcc35c5b6b9.exe
Detection:	MAL
Classification:	mal80.troj.winEXE@1/4@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 78 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
103.113.70.99	RP0143VgD8.exe	Get hash	malicious	RedLine	Browse
	CQPfRTSy7N.exe	Get hash	malicious	RedLine	Browse
	G4jZEW68K1.exe	Get hash	malicious	RedLine	Browse
	X8K556WeiK.exe	Get hash	malicious	RedLine	Browse
	X8K556WeiK.exe	Get hash	malicious	RedLine	Browse
	dmA2g7xZV7.exe	Get hash	malicious	RedLine	Browse
	dmA2g7xZV7.exe	Get hash	malicious	RedLine	Browse
	K2xdxHSWJK.exe	Get hash	malicious	RedLine	Browse
	XHr735qu8v.exe	Get hash	malicious	RedLine	Browse
	gm5v3JlTMk.exe	Get hash	malicious	RedLine	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN	RP0143VgD8.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	CQPfRTSy7N.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	G4jZEW68K1.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	X8K556WeiK.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	X8K556WeiK.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	dmA2g7xZV7.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	dmA2g7xZV7.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	K2xdxHSWJK.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	XHr735qu8v.exe	Get hash	malicious	RedLine	Browse	103.113.70.99
	gm5v3JlTMk.exe	Get hash	malicious	RedLine	Browse	103.113.70.99

Process:	C:\Users\user\Desktop\ciKdWsb5h4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:32 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.4601743543125636
Encrypted:	false
SSDEEP:	48:8SDdPTndGRYrnvPdAKRkdAGdAKRFdAKR/U:8SR5
MD5:	93296231F661D8ACBE442350CB2E343E
SHA1:	6A5691873D199EFEB60BE972B68300C348B44C6D
SHA-256:	5C3ED758D68B99F99C8F9E79D74B30B999E0F39C449BC91A2EDF744A65A364D2
SHA-512:	9B52AFC361FB748FBCA5410B9284AE501DA620CB78C3207583E34DB3266D62636FFF24AC3F706C65443F6B462EC27F7AD2EE2027071094226D63E1B7275A0C38
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,.....d'........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWQ`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWQ`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWQ`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Temp\Tmp434B.tmp

Download File

Process:	C:\Users\user\Desktop\ciKdWsb5h4.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp435C.tmp

Download File

Process:	C:\Users\user\Desktop\ciKdWsb5h4.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\ciKdWsb5h4.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	7.634466947125037
Encrypted:	false
SSDEEP:	48:S7SjQDUCrOSnnq8e8ychIa6kmJsrgvfTxbchRayHllRchxZ:ASUDn28yla6kVgvlgtFY5
MD5:	373B17759310F94FA7E099063BB941CC
SHA1:	0C173BDBC01BBD66B37228664E059A77B21EAFC7
SHA-256:	A176EA03BBCF5AF7352D45CAEC94EE1967A0613D2DF6853D6BA7390D238B0C86
SHA-512:	4C55FF1C9F404C741F3CC4C1C9940C505A96576AFA8914CE0F777214BC95D93C49BC8A1D4C14EBBB2857306DF39C182272B73C6E26273D282BACADD6FB88AD16
Malicious:	false
Reputation:	low
Preview:	........'...............P...............{41744BE4-11C5-494C-A213-BA0CE944938E}.....................RSA1..................v..XU~l2_.......vj....b.... ..&...X.Y...=q...).....`.1.0..~......5DL. ..S>.......<..y...?YOA.... eb.QD..B..<.!..'J..+.'...4fu.z./....]@.y.b...o...).j'......0}B.j..R..-..2.....'=...@....s....;. .v=..;...\$...G....2S....al.ZQ.Q...w...aXzW.....................z..O........"(&.JO....SM.'....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....(..*k.Q&..O...1...j...`....-............... .....M@$b.E...p]..q.$..t..d..<%....P.......I.0...:...c..........@.[...K..S)..\|..\./&.C&.%`..A]O..v...qx.P.0..x....,.^>.F...Y.G...C#.......hy....;hkT.C..?.&..%....0..I...9y\|.C.)1.Q.L#...)r.E...z[.T.f..N$...9S..p.sL.wu.....l.Z?:'pa............ZE...p......R.;}.....>Z.W...^.e.m.p.....%.0y.$..Q.._....r..........X...`T.0.oC..6.9:..Xv?..1?f7A...\...?.}[.PH.y.JS~>..".!rUvb.1...C..<..@...........~Y..y"....#...:U.+.B..a....}...8.<..]....M...xa14S..J

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.082418228904906
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ciKdWsb5h4.exe
File size:	311'296 bytes
MD5:	bd129b2710c1f8fa9aa98dcc35c5b6b9
SHA1:	572034f781967e768d6d9b49de62217561538a45
SHA256:	62c2c1f7335ed8b0a2120b1cf42a4c55cae1869a0245bef10d51de037e0d7ddf
SHA512:	abb8770681cd51454d3f2f4539f58133af88168d35934a4638a611c579d07018f256a9a8358c9723c8a985254bcf593556a886692781fa57016a82475f147e86
SSDEEP:	6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
TLSH:	04645C1823EC8911E27F4B7994A1E274D375ED56A452E30F4ED06CAB3E32741FA11AB2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	4d8ea38d85a38e6d

Static PE Info

General

Entrypoint:	0x42b9ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007F0CED02A822h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
xor eax, 59007400h
add byte ptr [edi+00h], dl
push edx
add byte ptr [ecx+00h], dh
popad
add byte ptr [edi+00h], dl
push esi
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], ch
push 61006800h
add byte ptr [ebp+00h], ch
dec edx
add byte ptr [eax], bh
add byte ptr [edi+00h], dl
push edi
add byte ptr [ecx], bh
add byte ptr [ecx+00h], bh
bound eax, dword ptr [eax]
xor al, byte ptr [eax]
insb
add byte ptr [eax+00h], bl
pop ecx
add byte ptr [edi+00h], dl
js 00007F0CED02A822h
jnc 00007F0CED02A822h
pop edx
add byte ptr [eax+00h], bl
push ecx
add byte ptr [ebx+00h], cl
popad
add byte ptr [edi+00h], dl
dec edx
add byte ptr [ebp+00h], dh
pop edx
add byte ptr [edi+00h], dl
jo 00007F0CED02A822h
imul eax, dword ptr [eax], 5Ah
add byte ptr [ebp+00h], ch
jo 00007F0CED02A822h
je 00007F0CED02A822h
bound eax, dword ptr [eax]
push edi
add byte ptr [eax+eax+77h], dh
add byte ptr [ecx+00h], bl
xor al, byte ptr [eax]
xor eax, 63007300h
add byte ptr [edi+00h], al
push esi
add byte ptr [ecx+00h], ch
popad
add byte ptr [edx], dh
add byte ptr [eax+00h], bh
je 00007F0CED02A822h
bound eax, dword ptr [eax]
insd
add byte ptr [eax+eax+76h], dh
add byte ptr [edx+00h], bl
push edi
add byte ptr [ecx], bh
add byte ptr [eax+00h], dh
popad
add byte ptr [edi+00h], al
cmp dword ptr [eax], eax
insd
add byte ptr [edx+00h], bl
push edi
add byte ptr [esi+00h], cl
cmp byte ptr [eax], al
push esi
add byte ptr [eax+00h], cl
dec edx
add byte ptr [esi+00h], dh
bound eax, dword ptr [eax]
insd
add byte ptr [eax+00h], bh
jo 00007F0CED02A822h
bound eax, dword ptr [eax]
insd
add byte ptr [ebx+00h], dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b95c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x1c9d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b940	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2e994	0x2ec00	64c48738b5efa1379746874c338807d5	False	0.4696168950534759	data	6.205450376900145	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x32000	0x1c9d4	0x1cc00	5b3e8f48de8a05507379330b3cf331a7	False	0.23725373641304348	data	2.6063301335912525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x400	f921873e0b7f3fe3399366376917ef43	False	0.025390625	data	0.05390218305374581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x321a0	0x3d04	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9934058898847631
RT_ICON	0x35eb4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.09013072282030049
RT_ICON	0x466ec	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.13905290505432216
RT_ICON	0x4a924	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.17033195020746889
RT_ICON	0x4cedc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.2045028142589118
RT_ICON	0x4df94	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.24645390070921985
RT_GROUP_ICON	0x4e40c	0x5a	data	0.7666666666666667
RT_VERSION	0x4e478	0x35a	data	0.4417249417249417
RT_MANIFEST	0x4e7e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 05:57:57.833750963 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:57:58.839483976 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:00.855005980 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:04.870498896 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:12.886183023 CEST	49730	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:23.935637951 CEST	49737	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:24.948749065 CEST	49737	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:26.964272022 CEST	49737	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:30.964402914 CEST	49737	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:38.964427948 CEST	49737	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:49.997570038 CEST	49738	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:51.011176109 CEST	49738	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:53.011199951 CEST	49738	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:58:57.011187077 CEST	49738	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:05.011373997 CEST	49738	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:16.031699896 CEST	49740	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:17.042468071 CEST	49740	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:19.058190107 CEST	49740	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:23.073756933 CEST	49740	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:31.089340925 CEST	49740	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:42.122489929 CEST	49741	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:43.136220932 CEST	49741	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:45.136295080 CEST	49741	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:49.151844978 CEST	49741	2630	192.168.2.4	103.113.70.99
Apr 25, 2024 05:59:57.151979923 CEST	49741	2630	192.168.2.4	103.113.70.99

Target ID:	0
Start time:	05:57:56
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\ciKdWsb5h4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ciKdWsb5h4.exe"
Imagebase:	0x30000
File size:	311'296 bytes
MD5 hash:	BD129B2710C1F8FA9AA98DCC35C5B6B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1666032685.0000000000032000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	9

Executed Functions

Function 05B33F50 Relevance: 1.8, Strings: 1, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05B341E4

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: bb3c37a1ab24a836deab114d383bc5b412ba567ac239d60d9332c238b371be63
Instruction ID: bb626df17dce3ec6ddd059a9abda45a7fd3e11304223964faf81cdef2620986b
Opcode Fuzzy Hash: bb3c37a1ab24a836deab114d383bc5b412ba567ac239d60d9332c238b371be63
Instruction Fuzzy Hash: D7126034B006158FCB14DF69C585AAEBBF2FF89710B1485A9D806EB365DB31EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B367D8 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbecc7d2e7f1b58c750af7d020814ab032e374f92f962ebc2bade43d8853688c
Instruction ID: 743e4b9b0dd82a6baae2d4ddc75a7a3ed308752837538345a098a2558e69426d
Opcode Fuzzy Hash: dbecc7d2e7f1b58c750af7d020814ab032e374f92f962ebc2bade43d8853688c
Instruction Fuzzy Hash: 6102B530A00205AFDB15DF69D885BAEBBF2FF84310F1485A9E509EB261DB31ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B3A3D8 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec4b2bd692bce6abef1f3a7a1b773687c5a46ba0d11c18cc354b9f05d0a1bf3
Instruction ID: 6c08911e3516910d98b52645435c6355042b126f64273f55f65fe832503f29af
Opcode Fuzzy Hash: 5ec4b2bd692bce6abef1f3a7a1b773687c5a46ba0d11c18cc354b9f05d0a1bf3
Instruction Fuzzy Hash: B6D10570910308CFCB15EFB4D845A9DBBB2FF8A301F5085A9E44AA7294DF355989CF11

Uniqueness

Uniqueness Score: -1.00%

Function 022BD0A8 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 022BD136
GetCurrentThread.KERNEL32 ref: 022BD173
GetCurrentProcess.KERNEL32 ref: 022BD1B0
GetCurrentThreadId.KERNEL32 ref: 022BD209

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2aff9f22eaa2b7b58b9a754b54b0b5556e6536d9d3a0a0ae670e44e42cb44b14
Instruction ID: 67107bcdf3349cfd3bcda6c2e83e889158e8be9fa6e5516263008dda7db4a154
Opcode Fuzzy Hash: 2aff9f22eaa2b7b58b9a754b54b0b5556e6536d9d3a0a0ae670e44e42cb44b14
Instruction Fuzzy Hash: 9E5176B09103498FEB05DFA9D5487DEBBF1EF48304F208859E019AB3A0DB74A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 022BD0B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 022BD136
GetCurrentThread.KERNEL32 ref: 022BD173
GetCurrentProcess.KERNEL32 ref: 022BD1B0
GetCurrentThreadId.KERNEL32 ref: 022BD209

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fffb20a8e38d3d6413a3f8bce6ad71a9221aa49757b2cf55ad68b7741516b547
Instruction ID: 5e80bfc7790e32292435dd06e3f3536e28719779f37b08e5108d7146c92f2fac
Opcode Fuzzy Hash: fffb20a8e38d3d6413a3f8bce6ad71a9221aa49757b2cf55ad68b7741516b547
Instruction Fuzzy Hash: 245155B09102498FEB05DFAAD548BDEBBF1EF48304F208459E419A73A0C774A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05B33721 Relevance: 3.0, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 05B33764
d, xrefs: 05B339A5

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: a70b64b5461c644874d93bf337a0d15e4e45ee5f01895ab9c1459f5a0bbc2242
Instruction ID: 917e5328ca179fbe3e3e1918bc1580caa33c513585e4196693fb8758322594af
Opcode Fuzzy Hash: a70b64b5461c644874d93bf337a0d15e4e45ee5f01895ab9c1459f5a0bbc2242
Instruction Fuzzy Hash: 82026B746006018FD714DF19C48596AFBF2FF88324B25CAA9D46AAB765DB30FC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 022BAE30 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 022BB086

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 782dd1e1e92fa59e080fbad6fdbd609129f62c88b5e38c9cc73ff4d3f1ac9352
Instruction ID: 584a7b5aaa47a0566f8fd42ff2aceee35cdf0e501209de06911e153b5d98f6af
Opcode Fuzzy Hash: 782dd1e1e92fa59e080fbad6fdbd609129f62c88b5e38c9cc73ff4d3f1ac9352
Instruction Fuzzy Hash: FB7134B0A10B058FDB25DFA9D04479ABBF1FF88344F00892DE48AD7A54DB75E849CB90

Uniqueness

Uniqueness Score: -1.00%

Function 022B4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022B59F1

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1a422992cb319b9d15d2560dd4526cb39a887fb0ac6762299dae337c4b1610fb
Instruction ID: 43093dce273f3dcfb36030f1cb2e60748f1f215ed62567e664946a7f2075c4bf
Opcode Fuzzy Hash: 1a422992cb319b9d15d2560dd4526cb39a887fb0ac6762299dae337c4b1610fb
Instruction Fuzzy Hash: 0141E0B0D10619CBEB24CFA9C884BCDBBB5FF49304F24806AD408BB255DBB56949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 022B5935 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022B59F1

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 161c01ee9f971da4406994280aec7607771fff31ded8f5a4135f2b14b35e09fc
Instruction ID: a2b8ce31a60f70cbfc80f4f9dbdec9ab7f02c17372e9402e714c68b8162e4228
Opcode Fuzzy Hash: 161c01ee9f971da4406994280aec7607771fff31ded8f5a4135f2b14b35e09fc
Instruction Fuzzy Hash: 8E41F1B0D00619CEEB24DFA9C8846CDBBF5BF49304F24806AD008BB255DBB96949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 022BD300 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022BD387

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ee5077966ec908cce0767fab8c49461e3bb5991ed19ff103e65f72a4fb15c09a
Instruction ID: b2064c492aa2ad6c807f348b0a3c95f75677d38bdb8b484e2d1b94d10e254d9e
Opcode Fuzzy Hash: ee5077966ec908cce0767fab8c49461e3bb5991ed19ff103e65f72a4fb15c09a
Instruction Fuzzy Hash: 4821E4B59002489FDB10CF9AD984ADEBBF4FF48310F14841AE918A7310C378A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 022BD2F9 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022BD387

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cc026b3d28db04864afa8021e0c1a9cbb59a22cab7f866dfbb6f3e29e7a82101
Instruction ID: a5991cc2a3f885cb68573751ea80cbfddfbb9f971153570d7be9d522e19e0ee6
Opcode Fuzzy Hash: cc026b3d28db04864afa8021e0c1a9cbb59a22cab7f866dfbb6f3e29e7a82101
Instruction Fuzzy Hash: A021F3B5900209DFDB10CFAAE584ADEBBF5FF48314F14841AE958A7350D378A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 022BA870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022BB101,00000800,00000000,00000000), ref: 022BB312

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 87c42c81e97a60336e1c50494c0fde44655b396238f93cfeab69511b3482bd0e
Instruction ID: a89ab043c3b09a7445377eb825f1b1f8fc49daf95402ad49238a18d33bafa09a
Opcode Fuzzy Hash: 87c42c81e97a60336e1c50494c0fde44655b396238f93cfeab69511b3482bd0e
Instruction Fuzzy Hash: 3B1112B6D003499FDB10CF9AC444ADEFBF4EF48314F10842AE919AB214C3B5A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 022BB2A0 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022BB101,00000800,00000000,00000000), ref: 022BB312

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c9d4ec7b089ebdbab2a9e122a605d67007b6621fe6e02d407369c49a81efba08
Instruction ID: dc233dcd9274c9bb60b511388c750e5c630d93810a6cffe9a20e2afeeda03345
Opcode Fuzzy Hash: c9d4ec7b089ebdbab2a9e122a605d67007b6621fe6e02d407369c49a81efba08
Instruction Fuzzy Hash: 5F1112B6D003498FDB14CFAAD544ADEFBF4EF48314F10842AD859AB210C374A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 022BB020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 022BB086

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e2304848ca2a5ec8b6bca87a437c102e0b12a796331e877122db45be1d147821
Instruction ID: 1315f519b892932e06e0c70418899f92a6bbbc3c660464d74ddcdd19a50a4b23
Opcode Fuzzy Hash: e2304848ca2a5ec8b6bca87a437c102e0b12a796331e877122db45be1d147821
Instruction Fuzzy Hash: F111D2B5D003498FDB10DF9AD444ADEFBF4AF48314F10845AD869B7214C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B359D8 Relevance: 1.5, Strings: 1, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 05B35C29

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 1195f892aa018b7a90fbb89a7c9ca58e8be8f72253f106e4786d0df58199dc90
Instruction ID: 97f397a6c0aca6be8f83295bcec9b86f9d0710d872d3a98de5d64065d99a2a6b
Opcode Fuzzy Hash: 1195f892aa018b7a90fbb89a7c9ca58e8be8f72253f106e4786d0df58199dc90
Instruction Fuzzy Hash: 24C16E34600602DFCB25CF19C580D6ABBF2FF8931476AC999D45A9B6A5D730FC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B38E0B Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

LR^q, xrefs: 05B38E58

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 043382c633ffea3e88a4f892876d93ca40a7cb8cfb222dde722407857e6dba04
Instruction ID: 5a73e716c9e1d43c2f704db9c26eae483e16442e5279c8567b7a6ebbf6ed97d5
Opcode Fuzzy Hash: 043382c633ffea3e88a4f892876d93ca40a7cb8cfb222dde722407857e6dba04
Instruction Fuzzy Hash: D0416974E01218DFCB48DFA9D480AEEBBB2FF88315F10906AE415A7264DB75A946CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05B384C8 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05B385B1

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: a48aab4e1f68ca1d5a4f73854d912f1d8a789dfa800f8f36a72a33d388c7bad3
Instruction ID: e590b2bc0266e4de1e92a6a82e1e38d7ebf62d0e93ea29b0b0e6dcfa45c501d3
Opcode Fuzzy Hash: a48aab4e1f68ca1d5a4f73854d912f1d8a789dfa800f8f36a72a33d388c7bad3
Instruction Fuzzy Hash: 5F3190317002198FCB09EB79A5695BE7BE7EFC8204B504439E50ADB385EF35AD0687E1

Uniqueness

Uniqueness Score: -1.00%

Function 05B33DE0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05B33F25

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: e4248c7fbeeb8d6560e9a05466e3a219abb84c4523ad7dc5aca6324981677007
Instruction ID: 0d39eeeb7c8587bc16d55e3ea32c34ccba9d51482571e909219f8392262caa61
Opcode Fuzzy Hash: e4248c7fbeeb8d6560e9a05466e3a219abb84c4523ad7dc5aca6324981677007
Instruction Fuzzy Hash: 572147317002508FC716B778945456EBBE6EFC635131448BED00A8B395DE35EC0B83E2

Uniqueness

Uniqueness Score: -1.00%

Function 05B3B358 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05B3B399

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 909c03df147e3d17ca2804b1ba8ca17665b13a1ea69a192266f27bca0c311431
Instruction ID: 7c13ffa708980397b561eb729b0fa887ea7b870148519f6c9a5ff7f263af7fb0
Opcode Fuzzy Hash: 909c03df147e3d17ca2804b1ba8ca17665b13a1ea69a192266f27bca0c311431
Instruction Fuzzy Hash: 05019A74901349EFCB05EFB8E99468DBFB2FF85300B1848A9D48597355EB305A48CB11

Uniqueness

Uniqueness Score: -1.00%

Function 05B33EC3 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05B33F25

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d9403c458cdb2ffdf35584250aa4fa286d439e60e0efcaee660ae5136466827b
Instruction ID: dbaa09b3e86efc767e19b7284aaed2eac5e4bf53c09062876658a1207777b08d
Opcode Fuzzy Hash: d9403c458cdb2ffdf35584250aa4fa286d439e60e0efcaee660ae5136466827b
Instruction Fuzzy Hash: B4F096327401014FC619FB39E49596EBBE7EBC92513548929D45A8B358EF20FD4F43A1

Uniqueness

Uniqueness Score: -1.00%

Function 05B33EC8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05B33F25

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 27296872e145d142d5f043d306958d56fab3713b4abc16c43023fe5c72a3de93
Instruction ID: 0b05e8b386044d2f026578ed920fe5b128c4878951256e15fcd6484ba9464bd7
Opcode Fuzzy Hash: 27296872e145d142d5f043d306958d56fab3713b4abc16c43023fe5c72a3de93
Instruction Fuzzy Hash: 2AF090313402054FC619FB39E49596EBBE7EBC92513508929D00A8B368EF20FD4E83A1

Uniqueness

Uniqueness Score: -1.00%

Function 05B3B368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05B3B399

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 0b2bc973a5e7c86e930be58ea5a1712a0c8a579d3188c97814b4e0b71289d28f
Instruction ID: c1ef7dc6de41696c5a19afeebb6652947fa6e88b0eb01f61899abe3e3f82a1c7
Opcode Fuzzy Hash: 0b2bc973a5e7c86e930be58ea5a1712a0c8a579d3188c97814b4e0b71289d28f
Instruction Fuzzy Hash: 83F08C74A41308EFCB08EFB8E59465DBBB2FB84300F1085A8D80697354DF301A48CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05B34AFF Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6f7dff9c663a9fa7fb57ac39c029fb8112f995dfb5e4a83d58e47aa545e1c6
Instruction ID: 62bb20b05e4bc7b899e706c483c3867753ccab9720abbce3d026c59a40790a62
Opcode Fuzzy Hash: ea6f7dff9c663a9fa7fb57ac39c029fb8112f995dfb5e4a83d58e47aa545e1c6
Instruction Fuzzy Hash: 08C169347006058FCB14DF79C488AAABBF2FF88311B1585A9E546DB3A6DB30EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05B37D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5461a71ec0eab205d2f926c89f912aeab044df750a3bb3d6d7a130f6e69d557
Instruction ID: aafdbef777698bf7415c514ca1d28e4a9a932e49eec9983c991d16855c04b818
Opcode Fuzzy Hash: a5461a71ec0eab205d2f926c89f912aeab044df750a3bb3d6d7a130f6e69d557
Instruction Fuzzy Hash: C25124B1E002589BDB14CFA9D885B9EBBB6FF48304F148469E419BB244DB74A946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05B37D4C Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e18f6d9c06a8aa0846e31c905aa343717646f694c76e4d274d3c3e93717b38a
Instruction ID: 66e4dfa291f1fce997e5c575b91a41d2572bf548a250eb3fce0f63cc19a8feff
Opcode Fuzzy Hash: 7e18f6d9c06a8aa0846e31c905aa343717646f694c76e4d274d3c3e93717b38a
Instruction Fuzzy Hash: BD5126B0E002589BDB14CFA9C885BDEBBF6FF48304F148529E415BB294DB74A946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05B359C8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6213a2f6b79d9f877f8dcf9b327ede99c4311ecdb8c9c7f1b8e5d9bdeddc668
Instruction ID: d5422593b6b54fef4df0684c2f221ca83ddbc24802221e8b6792226e5a92a87b
Opcode Fuzzy Hash: a6213a2f6b79d9f877f8dcf9b327ede99c4311ecdb8c9c7f1b8e5d9bdeddc668
Instruction Fuzzy Hash: FE415B35600605DFCB20CF59C884DAAFBF2FF89314B15C999E559AB2A1D730F905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B3E8B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9879a9fcfa60d54bdef98e03710f04608ff25670a2f459164a513801e0689b0f
Instruction ID: aa456f13455afc378a2d536337c24167be61b2e31275dea0445b49317e252971
Opcode Fuzzy Hash: 9879a9fcfa60d54bdef98e03710f04608ff25670a2f459164a513801e0689b0f
Instruction Fuzzy Hash: 2E410235A043448FCB06DF78C815A6A7FB6FF86300B1985DAD480DB3A2EA34DD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05B35579 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31362df30d6429d4c84655cdbfd9a7755dc3874710587d334efe2d410589b1bc
Instruction ID: cd14486fb984fb2610751eef02fbf9c52790f09f8f8d6ebf78a7264826e636c0
Opcode Fuzzy Hash: 31362df30d6429d4c84655cdbfd9a7755dc3874710587d334efe2d410589b1bc
Instruction Fuzzy Hash: C031AF357002109FCB15EF39D4849AEBBB2FF89311B0085A9E806DB3A9DB34ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B35583 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06734105686dc7eea65ce100c12cfdb284f43cf91243bbddbf672e669aa2074b
Instruction ID: 33d69fffa722a74f6920c2c45baee018b1c169184cccec2e86e95ebb3cf6a5dc
Opcode Fuzzy Hash: 06734105686dc7eea65ce100c12cfdb284f43cf91243bbddbf672e669aa2074b
Instruction Fuzzy Hash: D231A035701210AFCB15DF35D4849AEBBB2FF89311B1084A9E806DB369DB35ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B35588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533d921e37350b74442a5c2697acea8b2617991ac63440ad11f82017f498612b
Instruction ID: 9268ad13ec636d6ceff2592a30b15778a2b822f39dc9f6f1e50aca375abd60fd
Opcode Fuzzy Hash: 533d921e37350b74442a5c2697acea8b2617991ac63440ad11f82017f498612b
Instruction Fuzzy Hash: DC3180357012109FCB15DF39D48496EBBB2FF89311B5084A9E906DB369DB35ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B387A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a44890b56eea0748b666d777a2849066f9cbb568632226736af028f8872414
Instruction ID: 2768edeb6e73e74993159dfd7779eb006221b62b41b6bce58d526bc5ad9e5c18
Opcode Fuzzy Hash: b9a44890b56eea0748b666d777a2849066f9cbb568632226736af028f8872414
Instruction Fuzzy Hash: 4B41F0B1D01248DFDB14DFAAD945AEEFBF6AF88310F10802AE419B7254DB34A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05B38795 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4f25d2d49d1f207f928cb5c529a299c431b0750243aef4dcf847b201c40ee7
Instruction ID: 47dd47d6de5af3a37a3c8f239caea5e452f5578b9827ab3c55507ea6d56c353a
Opcode Fuzzy Hash: 3f4f25d2d49d1f207f928cb5c529a299c431b0750243aef4dcf847b201c40ee7
Instruction Fuzzy Hash: 953113B1D012489BDB14DFAAD945BDEBFF6AF48300F10802AE405B7250DB34A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05B38A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ff8fbd4bbaddf6d8858503ca16fba8c368c01988af47d56e8c6263d86f9278
Instruction ID: c0b25f524b8ae5a734b09625f8693b7682119265d381b2e665af3df56b4bd21b
Opcode Fuzzy Hash: 89ff8fbd4bbaddf6d8858503ca16fba8c368c01988af47d56e8c6263d86f9278
Instruction Fuzzy Hash: 423103B1D01259DFCB14CFA9D895BDEBBB9EF48310F24846AE409B7240DB75A842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0095D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922661645.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d20d6b2e6210944d8c1b007b071bee3874d8d86e944b21c5a01dd262108183
Instruction ID: 715c8a6f779e2d5eb389b8f7d5d84ab78c6faa4f4e059c69a7107e00bf626c58
Opcode Fuzzy Hash: d4d20d6b2e6210944d8c1b007b071bee3874d8d86e944b21c5a01dd262108183
Instruction Fuzzy Hash: FD213A71500204DFDB15DF15D9C0B26BF69FB94315F20C569DD094F2A6C33AE85AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0096D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922710631.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c319060913a7df879c2184356c5d57a782bbfc98279b0e42757902444e00b4
Instruction ID: bee8a7eef39750778e0e68b437a53049fd46eb7950d30e9f8ead4dacc1c9d91f
Opcode Fuzzy Hash: 37c319060913a7df879c2184356c5d57a782bbfc98279b0e42757902444e00b4
Instruction Fuzzy Hash: 33210475A04240DFDB14DF14D9C4B26BFA9FB88314F24C96DE81A4B296C33BD847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B3C0BF Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec864b33fd7f5743c6d9a892d7c31b9e93e441ca566b8a2fac72c2ea52a3bd76
Instruction ID: 32c7a12ecf043ea7a69fd38e3aa86c7e033ec1bc04c72808385bc632e22026d2
Opcode Fuzzy Hash: ec864b33fd7f5743c6d9a892d7c31b9e93e441ca566b8a2fac72c2ea52a3bd76
Instruction Fuzzy Hash: B111C4331453A04FC312EB3CEDA57DB7FE6CF82254B0801ABD0C6CA263D665994A8796

Uniqueness

Uniqueness Score: -1.00%

Function 05B38A8C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006c22833af189c9439eea1e9daf98f41f8b0c34cd7d4d7df0447de90a523f81
Instruction ID: 3860841c4c5dfc6129525355289a3e94699a981fb4b98d868fb9d48aad60dc91
Opcode Fuzzy Hash: 006c22833af189c9439eea1e9daf98f41f8b0c34cd7d4d7df0447de90a523f81
Instruction Fuzzy Hash: 7C2126B1D01349DFDB14CFA9C895BDEBBF9AF48310F148429E405B7290DB75A842CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0096D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922710631.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb6adb97a9833e5b680fa73ab8f8c55c3f2515400a10d65a782b70c07f27dfc
Instruction ID: e0a0df9807eeba5b961e92576d0af33683925a428db141637dda9c16d2ef58f3
Opcode Fuzzy Hash: 2bb6adb97a9833e5b680fa73ab8f8c55c3f2515400a10d65a782b70c07f27dfc
Instruction Fuzzy Hash: 99215E755093808FDB12CF24D994B15BF71EB46314F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05B36E72 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaf9bcaff5ab55e2497139bf513d578edcad3abede0f1a29934f06de9f49229
Instruction ID: cbd7bd0ade691bc0d9757c190446b6d40eb994c786f98561d5618a9df6edc498
Opcode Fuzzy Hash: ccaf9bcaff5ab55e2497139bf513d578edcad3abede0f1a29934f06de9f49229
Instruction Fuzzy Hash: 8701D8A36081D43FDB124EAA5C518FA3FA8DA9E1717094197FAD4C1182D418C916D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 05B38C58 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762889c49cf0497d6e409e8d9a4777f9753782a72997caedcc08d83935fe46a3
Instruction ID: e5573f27a2db6f29f0bebaa23dc029ff167bdf66e9d8a0eb315399353348a80e
Opcode Fuzzy Hash: 762889c49cf0497d6e409e8d9a4777f9753782a72997caedcc08d83935fe46a3
Instruction Fuzzy Hash: 6721E474E062189FCB08DFA9E8446DDBBF6FF88310F10902AE805B3360DB742945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0095D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922661645.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 71c9f14c08fefb632ecbadb9daf1546b8868ddb37a361d36aff27b5658f12bc1
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 18110372404240CFDB16CF00D5C4B16BF72FB94324F24C2A9DC090B266C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B3BC5D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce75e398612c6791c985f848e601d516cf17516823d3997e598a72d85b129800
Instruction ID: b58180780d55cdf34045c4d9e457a86e6a5d372983e119a5533c0aa1583e4e35
Opcode Fuzzy Hash: ce75e398612c6791c985f848e601d516cf17516823d3997e598a72d85b129800
Instruction Fuzzy Hash: 531104312403058FC78AE738E9A566FBBA3EFC13453158828E947C7B55DE34AE4E8791

Uniqueness

Uniqueness Score: -1.00%

Function 05B36E7B Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352104f4adcc5c26ae93b665ffd65faa3061a7e8b1a5b2f6a6638514241b55a7
Instruction ID: b5bfee520c2fdb5413abc787a55c47bffc422a88da72257d6d7077209f896be1
Opcode Fuzzy Hash: 352104f4adcc5c26ae93b665ffd65faa3061a7e8b1a5b2f6a6638514241b55a7
Instruction Fuzzy Hash: E401D6A22081D43FDB124EAA5C508FB3FA8DA8E1717094196FAE8C1182D418CA1697B1

Uniqueness

Uniqueness Score: -1.00%

Function 05B38350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92fee3857601df66739d2b06f96e78e99dd41da7d6e23f4a9d86b4af0edd3c6
Instruction ID: afd9299c0d05f7ed2dc70148862397eee7d4b6829741cae631cfaa9d75fc421a
Opcode Fuzzy Hash: d92fee3857601df66739d2b06f96e78e99dd41da7d6e23f4a9d86b4af0edd3c6
Instruction Fuzzy Hash: 6F017172B001199FDF10DEA9AC45ABFBBBAEBC8651B148036F505D3240DB31A91587A1

Uniqueness

Uniqueness Score: -1.00%

Function 05B3C499 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa44c0688d9e2d4c1444cbc0b264f4253b89365eaf0aed57bcadb1d1d22dea3d
Instruction ID: 3e980c56ca6ae35414c20ccf2c65716e33427e5ecb5f14dba2b2b99f3734225c
Opcode Fuzzy Hash: fa44c0688d9e2d4c1444cbc0b264f4253b89365eaf0aed57bcadb1d1d22dea3d
Instruction Fuzzy Hash: 1011AC312443008FC329EF65E49461E7BE3EFC5311B108A6AD44687B95DB78A90A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 05B3BC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fa7c1af262043c29d3e357c180d0dfe2deccbc4fdf4b82136ea974ab7cb156
Instruction ID: 826c499dfb54a5abfda8c7ffb791b6637b61bea46ce77a6f5348e06276cfe804
Opcode Fuzzy Hash: a4fa7c1af262043c29d3e357c180d0dfe2deccbc4fdf4b82136ea974ab7cb156
Instruction Fuzzy Hash: 4301B1312803054F8789B739E55862FBBA3EFC13913458828E90787754DE74BE8E8795

Uniqueness

Uniqueness Score: -1.00%

Function 05B35508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83708f85b61e45c0b4a78fad17eb78a0b541cd2f538d7b2779581a3f3be2169e
Instruction ID: d381153c6faebd6724f3ceb851b3455fb72ea53017799f3a18e258642b23bf5b
Opcode Fuzzy Hash: 83708f85b61e45c0b4a78fad17eb78a0b541cd2f538d7b2779581a3f3be2169e
Instruction Fuzzy Hash: 6601AD30645302CFC739CA2AA501B27B7F3FF84215B1588ACD00392698DB75F880CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05B3C4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d290b6f7d33662c80e2431e250c83a0d4d0f1783bf4cb7cacedc11659d20a50
Instruction ID: f9b46edcfe441b55cd51d0cf9257d03b5058173324e16285f8dc6762e78c3292
Opcode Fuzzy Hash: 7d290b6f7d33662c80e2431e250c83a0d4d0f1783bf4cb7cacedc11659d20a50
Instruction Fuzzy Hash: 8801CC312003048FC329AF35E04862BBBE3EFC4302F508A28D50A87785DF78AD0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0095D5F3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922661645.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c532cc0eb4104bde2db108d07f0d9d21f1d90a8a914c2548c847170815bd2d09
Instruction ID: 853223f88f3ddd14fbabbb4d9939bc16dcbcdd1768da5bd2580a304798d53225
Opcode Fuzzy Hash: c532cc0eb4104bde2db108d07f0d9d21f1d90a8a914c2548c847170815bd2d09
Instruction Fuzzy Hash: 7AF0E776201604AF9720CF0AD884C27FBADFFD4775719C55AE84A4B616C671EC42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05B3E1D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dccf0152cc09c89cdd58628997a19796bbebf27c4f968e30b020351f183bbee
Instruction ID: 139e1b5f6b625f11b46358461c50d97ec944b918c8f6dd47f59527f548291f08
Opcode Fuzzy Hash: 8dccf0152cc09c89cdd58628997a19796bbebf27c4f968e30b020351f183bbee
Instruction Fuzzy Hash: B1F0F673949384EFC717CB24EC92A9A7FBA9F42200B1945D7E444CB292F6385F168B61

Uniqueness

Uniqueness Score: -1.00%

Function 05B38F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd21eebfd542ec9dbbcb1f6d3232417e5afdc936339f08613161d77aed54d7e
Instruction ID: 97092a33398e7f6bad7352c5bd65a124c339b19c8a6ab58f761c993daa38e595
Opcode Fuzzy Hash: 8dd21eebfd542ec9dbbcb1f6d3232417e5afdc936339f08613161d77aed54d7e
Instruction Fuzzy Hash: 0F01D6B4D0521ADFCB44DFA9D9456AEBBF1FB48301F1084A9E415B3351E7781A40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05B38F4B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570984ee705b0d27a6bb73606cb915ab2b34f36f2c7cdc7c6168f77b374e6e2d
Instruction ID: 57dd2750aaf0155d6f2db3517dee9f94ea671c669d5689fcb518ede1c21dc619
Opcode Fuzzy Hash: 570984ee705b0d27a6bb73606cb915ab2b34f36f2c7cdc7c6168f77b374e6e2d
Instruction Fuzzy Hash: DB0112B4D0521ADFCB04DFA8D9456AEBFB1FB09301F2089AAE415B3341D7381A40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0095D5E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922661645.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb09cbade00e46f7822981e5a3246d4b813cf683cfd63a75853f86434fa02bd
Instruction ID: 4d43d8b3096802f839379529c74d71f8069a3bd7db61fd0e424a3d565b6ee551
Opcode Fuzzy Hash: deb09cbade00e46f7822981e5a3246d4b813cf683cfd63a75853f86434fa02bd
Instruction Fuzzy Hash: 63F03C75105680AFD725CF06C884C22BFB9FF857607198489E88A4B352C635FC42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05B354F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5391515c10066ed688e5c3d30c8e87c6c033f78a2fe0e6c43bba9b5812a3bd3
Instruction ID: 114db768db68f7049c8a6d9987dc037feba38b83d2c9b69ac6b7ea6a081fc92a
Opcode Fuzzy Hash: a5391515c10066ed688e5c3d30c8e87c6c033f78a2fe0e6c43bba9b5812a3bd3
Instruction Fuzzy Hash: 90F02430504702CFCB31CE25D441ABBBBB3FF80224B058AACD042469D5D775F886CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05B3ADE9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4603893e6351205b3fba992b112e836e70589568760c503ff0f75f3e2bf4dd
Instruction ID: 0c906dedcb5c6a0beeb28f1ca6d56d3a19c478c117fa56241c26593a4a7c1b0b
Opcode Fuzzy Hash: db4603893e6351205b3fba992b112e836e70589568760c503ff0f75f3e2bf4dd
Instruction Fuzzy Hash: 39F027762043105FC3126B79E89579EBFE9EFCA342B04496DF08AC7642CA2858098762

Uniqueness

Uniqueness Score: -1.00%

Function 05B36EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b590cf9a8af929c1c1325dc0992c0bdaf6aa3c07a32f2121893bf00b7bb5346
Instruction ID: e1a27b1554360cf74ba746064f12eb32ecb9c7a7923ef835ffa16f7d3f97aa68
Opcode Fuzzy Hash: 0b590cf9a8af929c1c1325dc0992c0bdaf6aa3c07a32f2121893bf00b7bb5346
Instruction Fuzzy Hash: 7CF012622041E83F8B518EAB5C10DFB7FEDDB8E162B084196FF98D2141C429C921ABB0

Uniqueness

Uniqueness Score: -1.00%

Function 05B367C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39cb07e9526e36f89d3758792688e9ddae5c2b4e8a813b82945ab3be8b45092d
Instruction ID: cbbefa9541d33493fb0960373a133ff386e18eaf20f31abc35edc59c5ba5f987
Opcode Fuzzy Hash: 39cb07e9526e36f89d3758792688e9ddae5c2b4e8a813b82945ab3be8b45092d
Instruction Fuzzy Hash: 44F09031744300AFD7219A28AC41FA57FE5EB85721F158266E264CF1E1D7A1E8458740

Uniqueness

Uniqueness Score: -1.00%

Function 05B3C170 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9d1ce45f565d9a466f23c71367c060bb23fd5f02b75eb110a23ce90d215b70
Instruction ID: 04e639d91d5464bbe8bcc07ed3c808833e5b54738b05a819fce7cffdcd14de6a
Opcode Fuzzy Hash: 1c9d1ce45f565d9a466f23c71367c060bb23fd5f02b75eb110a23ce90d215b70
Instruction Fuzzy Hash: 3501D176501B00CFD326DF61E489262BFF2FF483017008A1AD48AC3614DB38A50ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 05B38F42 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491790d112e2de47389c3c95648c01c35ba09b51878139c3fd3128fd79081a6f
Instruction ID: 03c84594963fda930d1b6cebc48f9b40037b2966d3bef454b435b7fec7f65939
Opcode Fuzzy Hash: 491790d112e2de47389c3c95648c01c35ba09b51878139c3fd3128fd79081a6f
Instruction Fuzzy Hash: 26015AB4D0925ADBCB04CFA4E5456ADBBB1FB09300F20459DF411B7392D7741A40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05B3ACB8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16afda10173eff8590de5ab0e00a158ed30516418ca6073cfc66121e7697ccd7
Instruction ID: e86a218104ea70c83bfad33435af0ecf5c5922634d5a9720ad27548c152df0d3
Opcode Fuzzy Hash: 16afda10173eff8590de5ab0e00a158ed30516418ca6073cfc66121e7697ccd7
Instruction Fuzzy Hash: 5BF097F63482644FC30317346C1B0BC3F60DCC624238880EBE0C2DB296CE58950BC392

Uniqueness

Uniqueness Score: -1.00%

Function 05B38FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7fe601604b202ec63698ccbadde9be77a5f399c403f352144750fd2e3a8564
Instruction ID: 474964684bc3e780eb825da74630941943b68373c36e4b73d81198e51f91288b
Opcode Fuzzy Hash: ef7fe601604b202ec63698ccbadde9be77a5f399c403f352144750fd2e3a8564
Instruction Fuzzy Hash: 28F0A9B5C091599FCB01CFA4D8561ADBFB1EB5A201F0045D6F402E7352E638AA01CB01

Uniqueness

Uniqueness Score: -1.00%

Function 05B38341 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0ae6810c4e62eb17569144aa10430c34a6c33596346d5547834a84cea758c3
Instruction ID: 5539bb06b1b68988cce9799e89a0c96311535b952dc66f1d57a1be0892b28e7a
Opcode Fuzzy Hash: 0f0ae6810c4e62eb17569144aa10430c34a6c33596346d5547834a84cea758c3
Instruction Fuzzy Hash: 0CF0EC72B141154B8F109EBABC455BF7BB9FB981707080177F924D3280FF34990683A1

Uniqueness

Uniqueness Score: -1.00%

Function 05B3ADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5ef1a2c918d45ba434672a5f57c49f453f3f6b216dc43e59bd62b58a8b04d5
Instruction ID: a8668462e575383d12ca5f4b05825a04c66c695462a10e3878b87d93df044400
Opcode Fuzzy Hash: 5a5ef1a2c918d45ba434672a5f57c49f453f3f6b216dc43e59bd62b58a8b04d5
Instruction Fuzzy Hash: 23E092752002186FC3156A6AA489A9FBBEAEBC9351B40842CF10EC3642CE69580987A6

Uniqueness

Uniqueness Score: -1.00%

Function 05B3AC60 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f321ea1cfc333a54bd3ffc1b19617c3907ce564242613af78861a1101660f3bc
Instruction ID: bc08fabb6fbe4c2982435b1e4ca26f8d4a084692ed704822b19e9fe598811ec7
Opcode Fuzzy Hash: f321ea1cfc333a54bd3ffc1b19617c3907ce564242613af78861a1101660f3bc
Instruction Fuzzy Hash: 89F0E5B62582F80FC3035B3869360ED3F25DEC611234940EBE0C6CB293CD580A0ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 05B3C180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9394e4cd8dc6c5d1c3d3bc82eacb8a3f0522521c7fdca240061fbecbf960d720
Instruction ID: 3480a7c4db54d796cad66c6f38b75871f43f64aa7b51638336760cb3f12af312
Opcode Fuzzy Hash: 9394e4cd8dc6c5d1c3d3bc82eacb8a3f0522521c7fdca240061fbecbf960d720
Instruction Fuzzy Hash: D3F06D75501B058FD729DF26E448563BBF6FF88301B008A2AE48B82A14DB74A509CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 05B35698 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc96f3fe0a16bd5e64718105a8e1b9a6d4e40a277a7f840aa88e8f00be0e5e91
Instruction ID: f2705e4afa3b6aea029e5069db327294821ba544a75a6fb506e1b545c9c535ad
Opcode Fuzzy Hash: cc96f3fe0a16bd5e64718105a8e1b9a6d4e40a277a7f840aa88e8f00be0e5e91
Instruction Fuzzy Hash: C7E092B210C2509FD340DB35E80489B7BE8EF95220F018CBEE445C7141E731EC41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05B3C120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1e64e8c36657691fc45727863f0259caaebe8b41cf204f194582b3d938f394
Instruction ID: 0a36cf915d7cffd0bc205b1e20b27e0c629a64d756b125778a66061c2eae4189
Opcode Fuzzy Hash: 8c1e64e8c36657691fc45727863f0259caaebe8b41cf204f194582b3d938f394
Instruction Fuzzy Hash: 2DE0A9302407548FC325E72DE4087AFBFEADF81318F04056AE2468B742CBA5AC098B92

Uniqueness

Uniqueness Score: -1.00%

Function 05B3CC38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f8dfc270be6920ca4ed0f0af897cb13a1288ff9ef25e5334097342a8f75c7f
Instruction ID: 9fe30f5be3fb848ff66951e94360d64c76eeded718eb78112993f0f30b85348e
Opcode Fuzzy Hash: 45f8dfc270be6920ca4ed0f0af897cb13a1288ff9ef25e5334097342a8f75c7f
Instruction Fuzzy Hash: 24E0D8322017408FC722EF28F891BDA7BA5EF41350F038059D080CF795D67059458FD1

Uniqueness

Uniqueness Score: -1.00%

Function 05B3CE88 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11432ce8e9921299bbc7e74d584e6571f03f7adef52ab3d543cc7028d640d703
Instruction ID: f070e24fcd5618bb6612cb6b5daf51993fe68c2f65dbce56e44ac23e864d73fa
Opcode Fuzzy Hash: 11432ce8e9921299bbc7e74d584e6571f03f7adef52ab3d543cc7028d640d703
Instruction Fuzzy Hash: 4EE0D8711053449FC753E730E483A593FA5DF4130070AC089D885DF796D660AD0A8B81

Uniqueness

Uniqueness Score: -1.00%

Function 05B3B500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ef8735e73c33f2e8208c73b1fd5cb49a9b4a57e13c67707e8f6e2f4d6dd491
Instruction ID: 6f4d0cbf22728e8b2dcb5351b63163c3b76b0e5363a7f86dc542fbf03e372945
Opcode Fuzzy Hash: 97ef8735e73c33f2e8208c73b1fd5cb49a9b4a57e13c67707e8f6e2f4d6dd491
Instruction Fuzzy Hash: 47F03976D40208EFCB01DFB4DA489CEBBB5EB44201F1442E6D805E2240E6304B55CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05B3E280 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2841c1550f7efcb19cb3c5c758d6346c751ef8689606d746d4bf0f0d58a2eb
Instruction ID: d398b43844ce0d9b0b6a113becdeb4919987af476c7fc1348c5ae8cc36ddf2d9
Opcode Fuzzy Hash: 5d2841c1550f7efcb19cb3c5c758d6346c751ef8689606d746d4bf0f0d58a2eb
Instruction Fuzzy Hash: 5DE092310003518FC726E620FD8AA853BE9E786700F03409AD8009F6E9D6A45A898B92

Uniqueness

Uniqueness Score: -1.00%

Function 05B3AC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bf2f0c36e306d906d0788bf5d8aca26e1846caecdd63802b05d210741013bb
Instruction ID: 9b167df818433f9ee9a462fba2538d208ac3f5764bdd9de7e9a377de19681e33
Opcode Fuzzy Hash: 09bf2f0c36e306d906d0788bf5d8aca26e1846caecdd63802b05d210741013bb
Instruction Fuzzy Hash: 52D05B7531011C6786056779B4594AE7FAADAC56623404039F506C7340CE695D0987D7

Uniqueness

Uniqueness Score: -1.00%

Function 05B3E8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dee59e64328594d3d5a31434af90fe2c60916268a76405fd682d88d6b47bd86
Instruction ID: a1eefa33bae6fd81c696071fc73bac2ff5dc76fd850448f4b6f0119a80d72bec
Opcode Fuzzy Hash: 9dee59e64328594d3d5a31434af90fe2c60916268a76405fd682d88d6b47bd86
Instruction Fuzzy Hash: 13E0173A664250CFC712CF24D9929613FB6BF5631130D84C6E4C0CB2B3D231E925EB50

Uniqueness

Uniqueness Score: -1.00%

Function 05B3B510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc197f07dec0912749a5b7ea27202a9ed4685dd8d083e58ebeebb7ec7763eeb9
Instruction ID: 09089331870f4447789bbb8207f3d3ff74db2b648ad0cc3d4cf03ba94c639b03
Opcode Fuzzy Hash: dc197f07dec0912749a5b7ea27202a9ed4685dd8d083e58ebeebb7ec7763eeb9
Instruction Fuzzy Hash: 87E07E75E0020CEFCB44DFA4E9449DEBBB9EB48200F1082EAD909A3200EA346B559B80

Uniqueness

Uniqueness Score: -1.00%

Function 05B3E210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005c16b24cdd097fec5c6f4ef31dd0152b97d0104ee3ef2e4d8817650b761e41
Instruction ID: 4e8dbe2fe8ba377c8d106840145e3da99eceb878ab375bfe3d4272d1fc684c82
Opcode Fuzzy Hash: 005c16b24cdd097fec5c6f4ef31dd0152b97d0104ee3ef2e4d8817650b761e41
Instruction Fuzzy Hash: 54D05E71A4020CFFCB45EFB8E94195EBBF9EB84344B1085A9D809E7340FA716F049B90

Uniqueness

Uniqueness Score: -1.00%

Function 05B3F8E0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18dd3ca2326d683fb60fe04f6f9ac5bf8c57f2e24513e378349c36b3649d557e
Instruction ID: f875a06096f5ad75dc0dab73f1ab85607805ca616189c34d5e2c72ceec6110e2
Opcode Fuzzy Hash: 18dd3ca2326d683fb60fe04f6f9ac5bf8c57f2e24513e378349c36b3649d557e
Instruction Fuzzy Hash: 65D0A76275026017C317177CB8042296A829BD529B746415AD916C7388C66258254781

Uniqueness

Uniqueness Score: -1.00%

Function 05B3DFD1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f39016fa64cb15be805d7febc118d8efc0f6cc56a0e193f79145f9bd1657ed2
Instruction ID: 91fd1e34ac756b4c9922fc29c37ab19fcfce348cc00c3661d82c03ba7fc4f24a
Opcode Fuzzy Hash: 8f39016fa64cb15be805d7febc118d8efc0f6cc56a0e193f79145f9bd1657ed2
Instruction Fuzzy Hash: 94B092A76CB3805AD70706248C1EA823B2A4B93E2170A40DBA6829D1A7E211440F82A2

Uniqueness

Uniqueness Score: -1.00%

Function 05B3372B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0bf0ec3a6831e78dd7dfbfd78ad87449e37ee4cca727f12047f79f3d11e547
Instruction ID: cfc50cda304b6e0dbc15fb3495754a8cd66f0f8e8a147bcf23943abfdb009a83
Opcode Fuzzy Hash: 6a0bf0ec3a6831e78dd7dfbfd78ad87449e37ee4cca727f12047f79f3d11e547
Instruction Fuzzy Hash: 3FB012311442006EE700B6605504AA67BD1E79C722F104030F30542046C3B24813DA11

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05B36FF3 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3918117980b721f5d7e145a4779a4bf3f0e62bf77c50145bcefd52e357394b1c
Instruction ID: 4620b8b7171a72304efe8d603e101a0f04423764eafc46378d516c42e008f4c5
Opcode Fuzzy Hash: 3918117980b721f5d7e145a4779a4bf3f0e62bf77c50145bcefd52e357394b1c
Instruction Fuzzy Hash: D16232B06003049FDB49EF29C55472ABBE6EB84308F64C85CD10D9F396DBB6D94B8B91

Uniqueness

Uniqueness Score: -1.00%

Function 05B36FF8 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee81dcb37698e1e16e44bc4df5b38d12dafa43d859fdc6b3db588278420fbb4
Instruction ID: 748c3ea1fb29b03d942100b8c85c909ea31420f806e5b887634ad81561c81eb1
Opcode Fuzzy Hash: 3ee81dcb37698e1e16e44bc4df5b38d12dafa43d859fdc6b3db588278420fbb4
Instruction Fuzzy Hash: E56232B06003049FDB49DF29C55472ABBE6EB84308F64C85CD10D9F396DBB6D94B8B91

Uniqueness

Uniqueness Score: -1.00%

Function 022BDC74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efdf0992a8e6169818b8c24de58a7ce75961f868b73cdac59cb404947a928886
Instruction ID: 15d67bd69eaab0c35c232ea1eb8fffb15c08705f9819b0f3de84e4a5856c7265
Opcode Fuzzy Hash: efdf0992a8e6169818b8c24de58a7ce75961f868b73cdac59cb404947a928886
Instruction Fuzzy Hash: 14A18B36E102068FCF06DFB4C9445DEB7B2FF84340B14856AE905AB269DB75E945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 022B25D8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922980939.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a897443877291034d86f0da6952cef1d81853f0dfd0449c880ce96d4016d0b61
Instruction ID: b3451dbf93deba27add6f25163cfa037f604d2455ab4e3a3183adfff3f42d19b
Opcode Fuzzy Hash: a897443877291034d86f0da6952cef1d81853f0dfd0449c880ce96d4016d0b61
Instruction Fuzzy Hash: 4A314D4541C7D0CEC3235F7A4830A963FA0EE1326CB1B53CAC9A49B6EBE2548157C761

Uniqueness

Uniqueness Score: -1.00%

Function 05B3ED10 Relevance: 7.9, Strings: 6, Instructions: 374COMMON

Download Yara Rule

Strings

(_^q, xrefs: 05B3ED7A
(_^q, xrefs: 05B3F07A
(_^q, xrefs: 05B3F0F9
(_^q, xrefs: 05B3EF79
(_^q, xrefs: 05B3EEFA
(_^q, xrefs: 05B3EDF9

Memory Dump Source

Source File: 00000000.00000002.2924158446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_ciKdWsb5h4.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
API String ID: 0-2896069617
Opcode ID: 05aee646a43cd05bfa88a2ad95fb86c0cdeb0a8c9d9cc9db9af524086a61dacf
Instruction ID: dc9b48e408934eb5f5a6670bf0deec9f12cf92019f927751fe8d42a55e69715f
Opcode Fuzzy Hash: 05aee646a43cd05bfa88a2ad95fb86c0cdeb0a8c9d9cc9db9af524086a61dacf
Instruction Fuzzy Hash: 3BD1E039B043049FDB05EF78C41566E7BB6FF85340B2481AAD946DB381EA35EE06CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ciKdWsb5h4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Temp\Tmp434B.tmp

C:\Users\user\AppData\Local\Temp\Tmp435C.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
ciKdWsb5h4.exe

Function 05B33F50 Relevance: 1.8, Strings: 1, Instructions: 526
COMMON

Function 022BD0A8 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Function 022BD0B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 05B33721 Relevance: 3.0, Strings: 2, Instructions: 464
COMMON

Function 022BAE30 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 022B4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 022B5935 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 022BD300 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 022BD2F9 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 022BA870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 022BB2A0 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Function 022BB020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 05B359D8 Relevance: 1.5, Strings: 1, Instructions: 293
COMMON