Edit tour

Windows Analysis Report
DCwTjs2dTP.exe

Overview

General Information

Sample Name:	DCwTjs2dTP.exe
Analysis ID:	679101
MD5:	2ed2a1d6604afeaa681f4c66dcd84194
SHA1:	6134d837220afe9377cd78950c8aca43dde08d8c
SHA256:	2a48fa5118bf1c97de6a6b7b0a45bcc95bd678d54f31e2f2d003e5f3ea49c780
Tags:	DCRatexeRAT
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected DcRat

Yara detected AsyncRAT

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Machine Learning detection for sample

Yara detected Generic Downloader

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

DCwTjs2dTP.exe (PID: 5664 cmdline: "C:\Users\user\Desktop\DCwTjs2dTP.exe" MD5: 2ED2A1D6604AFEAA681F4C66DCD84194)

cmd.exe (PID: 2612 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5128 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6128 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5344 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

sihost.exe (PID: 5352 cmdline: "C:\Users\user\AppData\Roaming\sihost.exe" MD5: 2ED2A1D6604AFEAA681F4C66DCD84194)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "techandro.giize.com,hsolic.duckdns.org", "Ports": "6906,6907", "Version": " 1.0.7", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "sihost.exe", "AES_key": "w28XgttPSPRfTrqDPtKQKIftMUNaIi1O", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICKzCCAZSgAwIBAgIVANmCJqwMXdgA6yyfZkFj0aZTsu+7MA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB2Rldk5vZGUxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMTEwMjAwODIxNThaFw0zMjA3MjkwODIxNThaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoRh2gPhcjrCexqYsTMZyZzR9nvXDArts2Pxe7vU8QXZ/2N2LtomHs8oIRK8BSNIq8pybY9t19WGwPVl1go5W14d1Gku1DmuB7h/osKUvia9151iX4HtEJzVUZ21JY54BTSNkrB7mO9MIt+NPmW+T434g9pwjXeLqwPn9vNMjlDwIDAQABozIwMDAdBgNVHQ4EFgQUAiSCu6ZEkdGGrjqlINwtfX5B6ncwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCYJ/7raO8AXKrzJF9npX6m1mUuFIiPNrmznT/3GogAp/JEDW8keA7Mq+IuMV5zjeQ6jrHVToqCFDUPGd3/yMbwmDlQMYjuj+bNl5f5m2pjHKTX1B/QuUUUPLJ/kXiGOb2zml6uK4n5siqJB5Dhza1QKxnOe0RDyLEnlkVondXy6A==", "ServerSignature": "ZbnE26z/kUoafAYsNOaYAdifPsyY0NUimw56hYN83bmpUDLwVLP2BeWbnk3Mb+RyC7+/9H+auM6ptQK6ib0j+DbOdeQNsf+okOIez8zETDI0UKu51c+FUimCHgyZK+I5Z5tXrRFLS4JhVTH6rhdkluo83hNFkwm6R8TV62hDMtE=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x115fbc:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x111f7:$b2: DcRat By qwqdanchun1 0x20733:$b2: DcRat By qwqdanchun1 0x20977:$b2: DcRat By qwqdanchun1 0x24e4b:$b2: DcRat By qwqdanchun1
0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x3175d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x316ac:$s2: L2Mgc2NodGFza3MgL2
0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x28bb:$b2: DcRat By qwqdanchun1 0x8cf3:$b2: DcRat By qwqdanchun1 0x8f2f:$b2: DcRat By qwqdanchun1
00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x17991:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd13e:$q1: Select * from Win32_CacheMemory 0xd17e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1cc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd21a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd77a:$s1: DcRatBy
0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x678c:$a2: timeout 3 > NUL 0x67b8:$a3: START "" " 0x28d8:$b1: DcRatByqwqdanchun 0x2505f:$b2: DcRat By qwqdanchun1
0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1c6f:$b2: DcRat By qwqdanchun1
0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1c3b:$b2: DcRat By qwqdanchun1 0x1e77:$b2: DcRat By qwqdanchun1
0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xdddb:$b2: DcRat By qwqdanchun1
00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6e1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1ab4:$b1: DcRatByqwqdanchun 0xd5f8b:$b2: DcRat By qwqdanchun1
0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x8b87:$b2: DcRat By qwqdanchun1
0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xc6f:$b2: DcRat By qwqdanchun1
00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x587e7:$b2: DcRat By qwqdanchun1
Process Memory Space: DCwTjs2dTP.exe PID: 5664	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: DCwTjs2dTP.exe PID: 5664	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: DCwTjs2dTP.exe PID: 5664	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xcbf1:$a1: havecamera 0x14850:$b1: DcRatByqwqdanchun 0x3f712:$b1: DcRatByqwqdanchun 0x3f726:$b1: DcRatByqwqdanchun 0x42326:$b2: DcRat By qwqdanchun1
Process Memory Space: sihost.exe PID: 5352	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: sihost.exe PID: 5352	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x16682:$b1: DcRatByqwqdanchun 0x16696:$b1: DcRatByqwqdanchun 0x2b41:$b2: DcRat By qwqdanchun1 0x1f283:$b2: DcRat By qwqdanchun1 0x22062:$b2: DcRat By qwqdanchun1 0x3ce73:$b2: DcRat By qwqdanchun1 0x962c2:$b2: DcRat By qwqdanchun1
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.DCwTjs2dTP.exe.abb0000.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.DCwTjs2dTP.exe.abb0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb33e:$q1: Select * from Win32_CacheMemory 0xb37e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb3cc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb41a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.DCwTjs2dTP.exe.abb0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xb97a:$s1: DcRatBy
0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd13e:$q1: Select * from Win32_CacheMemory 0xd17e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1cc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd21a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd77a:$s1: DcRatBy
10.2.sihost.exe.54d0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x2f95d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x2f8ac:$s2: L2Mgc2NodGFza3MgL2
10.2.sihost.exe.3b4cbb0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x3175d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x316ac:$s2: L2Mgc2NodGFza3MgL2
10.2.sihost.exe.3b4cbb0.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x2f95d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x2f8ac:$s2: L2Mgc2NodGFza3MgL2
10.2.sihost.exe.54d0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x3175d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x316ac:$s2: L2Mgc2NodGFza3MgL2
Click to see the 6 entries

Snort Signatures

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 182.186.88.126 - Destination IP: 192.168.2.3

Timestamp:	182.186.88.126192.168.2.36906497402848152 08/05/22-09:16:42.961653
SID:	2848152
Source Port:	6906
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DCwTjs2dTP.exe

ReversingLabs: Detection: 50%

Antivirus / Scanner detection for submitted sample

Source: DCwTjs2dTP.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\sihost.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\sihost.exe

ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: DCwTjs2dTP.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sihost.exe

Joe Sandbox ML: detected

Source: 0.0.DCwTjs2dTP.exe.b10000.0.unpack

Avira: Label: TR/Dropper.MSIL.Gen

Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "techandro.giize.com,hsolic.duckdns.org", "Ports": "6906,6907", "Version": " 1.0.7", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "sihost.exe", "AES_key": "w28XgttPSPRfTrqDPtKQKIftMUNaIi1O", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICKzCCAZSgAwIBAgIVANmCJqwMXdgA6yyfZkFj0aZTsu+7MA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB2Rldk5vZGUxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMTEwMjAwODIxNThaFw0zMjA3MjkwODIxNThaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoRh2gPhcjrCexqYsTMZyZzR9nvXDArts2Pxe7vU8QXZ/2N2LtomHs8oIRK8BSNIq8pybY9t19WGwPVl1go5W14d1Gku1DmuB7h/osKUvia9151iX4HtEJzVUZ21JY54BTSNkrB7mO9MIt+NPmW+T434g9pwjXeLqwPn9vNMjlDwIDAQABozIwMDAdBgNVHQ4EFgQUAiSCu6ZEkdGGrjqlINwtfX5B6ncwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCYJ/7raO8AXKrzJF9npX6m1mUuFIiPNrmznT/3GogAp/JEDW8keA7Mq+IuMV5zjeQ6jrHVToqCFDUPGd3/yMbwmDlQMYjuj+bNl5f5m2pjHKTX1B/QuUUUPLJ/kXiGOb2zml6uK4n5siqJB5Dhza1QKxnOe0RDyLEnlkVondXy6A==", "ServerSignature": "ZbnE26z/kUoafAYsNOaYAdifPsyY0NUimw56hYN83bmpUDLwVLP2BeWbnk3Mb+RyC7+/9H+auM6ptQK6ib0j+DbOdeQNsf+okOIez8zETDI0UKu51c+FUimCHgyZK+I5Z5tXrRFLS4JhVTH6rhdkluo83hNFkwm6R8TV62hDMtE=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Code function: 0_2_0ABC4E4C CryptFindOIDInfo,

0_2_0ABC4E4C

Source: DCwTjs2dTP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 182.186.88.126:6906 -> 192.168.2.3:49740

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: techandro.giize.com
Source: Malware configuration extractor	URLs: hsolic.duckdns.org

Source: Joe Sandbox View

ASN Name: PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK

Source: global traffic

TCP traffic: 192.168.2.3:49740 -> 182.186.88.126:6906

Source: sihost.exe, 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: sihost.exe, 0000000A.00000002.521463363.0000000000E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: sihost.exe, 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabw
Source: DCwTjs2dTP.exe, 00000000.00000002.533258191.0000000003196000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.531132514.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: unknown

DNS traffic detected: queries for: techandro.giize.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR

Source: sihost.exe, 0000000A.00000002.520705153.0000000000E4A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 10.2.sihost.exe.54d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.3b4cbb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.3b4cbb0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.54d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 10.2.sihost.exe.54d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.3b4cbb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.3b4cbb0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.54d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01364138	0_2_01364138
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01361F10	0_2_01361F10
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01362D10	0_2_01362D10
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01363230	0_2_01363230
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367C38	0_2_01367C38
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01362840	0_2_01362840
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0136804F	0_2_0136804F
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01360448	0_2_01360448
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_013622B0	0_2_013622B0
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01365BA8	0_2_01365BA8
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01360390	0_2_01360390
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01365B99	0_2_01365B99
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_013641F9	0_2_013641F9
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_013641D1	0_2_013641D1
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366231	0_2_01366231
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366638	0_2_01366638
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01364227	0_2_01364227
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366428	0_2_01366428
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366628	0_2_01366628
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367C28	0_2_01367C28
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366419	0_2_01366419
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0136420C	0_2_0136420C
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367464	0_2_01367464
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01365068	0_2_01365068
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367468	0_2_01367468
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01361268	0_2_01361268
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01361E58	0_2_01361E58
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01365058	0_2_01365058
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366240	0_2_01366240
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01364040	0_2_01364040
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_013642F3	0_2_013642F3
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_00DF1BDD	10_2_00DF1BDD
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_00DF1F98	10_2_00DF1F98
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_00DF0E88	10_2_00DF0E88
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_00DF0E78	10_2_00DF0E78
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0293322B	10_2_0293322B
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937A50	10_2_02937A50
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02932840	10_2_02932840
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02930448	10_2_02930448
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0293804F	10_2_0293804F
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02931F10	10_2_02931F10
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02932D10	10_2_02932D10
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02934138	10_2_02934138
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_029342F3	10_2_029342F3
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936419	10_2_02936419
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0293420C	10_2_0293420C
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936231	10_2_02936231
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02931237	10_2_02931237
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937A3A	10_2_02937A3A
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936638	10_2_02936638
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02934227	10_2_02934227
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936428	10_2_02936428
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936628	10_2_02936628
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02931E58	10_2_02931E58
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02935058	10_2_02935058
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937442	10_2_02937442
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936240	10_2_02936240
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02934040	10_2_02934040
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02935068	10_2_02935068
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937468	10_2_02937468
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02935B99	10_2_02935B99
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02935BA8	10_2_02935BA8
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_029341D1	10_2_029341D1
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_029341F9	10_2_029341F9
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B39458	10_2_04B39458
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B3DDF0	10_2_04B3DDF0
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B38330	10_2_04B38330
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B38320	10_2_04B38320
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B32BD0	10_2_04B32BD0

Source: DCwTjs2dTP.exe	Binary or memory string: OriginalFilename vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.540773912.00000000047DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.541024622.000000000482A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000000.250219025.0000000000B36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.540124638.0000000004791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe

Source: DCwTjs2dTP.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sihost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DCwTjs2dTP.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File read: C:\Users\user\Desktop\DCwTjs2dTP.exe:Zone.Identifier

Jump to behavior

Source: DCwTjs2dTP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DCwTjs2dTP.exe "C:\Users\user\Desktop\DCwTjs2dTP.exe"
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File created: C:\Users\user\AppData\Roaming\sihost.exe

Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File created: C:\Users\user\AppData\Local\Temp\tmp53F0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.winEXE@14/6@1/1

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: DCwTjs2dTP.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3404:120:WilError_01
Source: C:\Users\user\AppData\Roaming\sihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""

Source: C:\Users\user\AppData\Roaming\sihost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: DCwTjs2dTP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DCwTjs2dTP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0ABB0EAE push 0000003Eh; retn 0000h	0_2_0ABB1208
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0ABB2FD4 push eax; ret	0_2_0ABB2FDC
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0ABB13C9 push eax; ret	0_2_0ABB13DD
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367240 pushfd ; ret	0_2_01367241
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937240 pushfd ; ret	10_2_02937241
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0523C7F0 push eax; mov dword ptr [esp], edx	10_2_0523C802
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0523E190 push eax; mov dword ptr [esp], edx	10_2_0523E1A4

Source: DCwTjs2dTP.exe

Static PE information: 0xF60FB06B [Tue Oct 26 08:42:19 2100 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.625943654905051
Source: initial sample	Static PE information: section name: .text entropy: 7.625943654905051

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File created: C:\Users\user\AppData\Roaming\sihost.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'

Source: C:\Users\user\AppData\Roaming\sihost.exe

Key value created or modified: HKEY_CURRENT_USER\Software\C4D93783EC1A25CC28F9 94E168CABBEA0702E60265D1291BE8FE7C37724D89001E7AE9A73817F84114EF

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sihost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe TID: 5180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe TID: 5660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5164	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5192	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5192	Thread sleep count: 90 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 1892	Thread sleep count: 9743 > 30	Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sihost.exe

Window / User API: threadDelayed 9743

Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: sihost.exe, 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r\
Source: sihost.exe, 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Code function: 0_2_02EC9028 mov eax, dword ptr fs:[00000030h]

0_2_02EC9028

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"	Jump to behavior

Source: sihost.exe, 0000000A.00000002.532020880.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.531872890.0000000002D49000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Queries volume information: C:\Users\user\Desktop\DCwTjs2dTP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\sihost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\sihost.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: procexp.exe
Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	12 Process Injection	1 Masquerading	1 Input Capture	1 Query Registry	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Scheduled Task/Job	1 Modify Registry	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scripting	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	21 Virtualization/Sandbox Evasion	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Scripting	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Obfuscated Files or Information	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	3 Software Packing	Proc Filesystem	13 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
DCwTjs2dTP.exe	50%	ReversingLabs	ByteCode-MSIL.Backdoor.Crysan
DCwTjs2dTP.exe	100%	Avira	TR/Dropper.MSIL.Gen
DCwTjs2dTP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\sihost.exe	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Roaming\sihost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\sihost.exe	50%	ReversingLabs	ByteCode-MSIL.Backdoor.Crysan

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.DCwTjs2dTP.exe.b10000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
hsolic.duckdns.org	0%	Avira URL Cloud	safe
techandro.giize.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
techandro.giize.com	182.186.88.126	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
hsolic.duckdns.org	true	Avira URL Cloud: safe	unknown
techandro.giize.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DCwTjs2dTP.exe, 00000000.00000002.533258191.0000000003196000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.531132514.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
182.186.88.126	techandro.giize.com	Pakistan		45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679101
Start date and time: 05/08/202209:15:11	2022-08-05 09:15:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DCwTjs2dTP.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.winEXE@14/6@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 5.7% (good quality ratio 4.1%) Quality average: 53.9% Quality standard deviation: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 156 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 173.222.108.226, 20.189.173.21
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:16:25	Task Scheduler	Run new task: sihost path: "C:\Users\user\AppData\Roaming\sihost.exe"
09:16:44	API Interceptor	1x Sleep call for process: sihost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	xd.x86	Get hash	malicious	Browse	39.45.107.193
	dsUW8nBcj0	Get hash	malicious	Browse	182.184.188.9
	arm7	Get hash	malicious	Browse	182.184.178.45
	lge6y1mqre	Get hash	malicious	Browse	39.58.236.128
	hRqJDxXD2z	Get hash	malicious	Browse	39.32.23.211
	botx.mpsl	Get hash	malicious	Browse	39.36.156.29
	OqrBUGKdjo	Get hash	malicious	Browse	39.55.155.195
	SecuriteInfo.com.Linux.Siggen.9999.5381.26016	Get hash	malicious	Browse	39.36.70.206
	85bjW988pj	Get hash	malicious	Browse	182.179.188.143
	bHLdG1iUdO	Get hash	malicious	Browse	39.43.110.228
	ECoE9arear	Get hash	malicious	Browse	119.153.180.210
	tfrCRlebe7	Get hash	malicious	Browse	119.153.33.9
	iGV79YZMmb	Get hash	malicious	Browse	119.154.170.150
	1a2p2SA6xg	Get hash	malicious	Browse	119.157.251.131
	2vrW5rkBa6	Get hash	malicious	Browse	119.153.180.241
	047KCi3D28.dll	Get hash	malicious	Browse	182.185.176.223
	1RkKYhC6Ju.dll	Get hash	malicious	Browse	39.63.176.216
	HhDMZKWBi5.dll	Get hash	malicious	Browse	182.191.250.21
	home.mpsl	Get hash	malicious	Browse	39.40.43.255
	jTpjSXxHjt.dll	Get hash	malicious	Browse	39.52.47.76

Process:	C:\Users\user\AppData\Roaming\sihost.exe
File Type:	Microsoft Cabinet archive data, 61712 bytes, 1 file
Category:	dropped
Size (bytes):	61712
Entropy (8bit):	7.995044632446497
Encrypted:	true
SSDEEP:	1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
MD5:	589C442FC7A0C70DCA927115A700D41E
SHA1:	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
SHA-256:	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
SHA-512:	1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&\|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y\|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..\|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\sihost.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.1358915940078615
Encrypted:	false
SSDEEP:	6:kKku+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:rNkPlE99SNxAhUeE1
MD5:	CCCAC476B9113FEE393FAAE046C51F0B
SHA1:	C234350AFAE80DA95858F154CF4839421C1C2C62
SHA-256:	EE0601D893B6A6978040DCA0C315C7855E278DD1264DE7AF85B91CB2B4C33882
SHA-512:	81A9355BE6696ECBEAFD7ADA021F83E105AA42B61F981BCB597B6874C67847456CC7FD975348BC15E58DDDBAB64091E3DF0FE620FDCCB870FCC28C758E1CAB78
Malicious:	false
Reputation:	low
Preview:	p...... ...............(....................................................... .........L.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.f.4.c.9.6.9.8.b.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DCwTjs2dTP.exe.log

Download File

Process:	C:\Users\user\Desktop\DCwTjs2dTP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat

Download File

Process:	C:\Users\user\Desktop\DCwTjs2dTP.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150
Entropy (8bit):	5.092134229634079
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oWXp5cViEaKC5UWvSmqRDWXp5cViE2J5xAInTRI6WcZPy:hWKqTtT6WXp+NaZ5UWKmq1WXp+N23fTg
MD5:	F02730A3503455275DA10EFB33B82C09
SHA1:	76322B42303DBB065740A423FB414CEF653671E5
SHA-256:	09BE09339F9A333B4BA5580D3F6F6E9E928A5A13A1C6448631FAFB1AB0332D6D
SHA-512:	FE402C93721D335BFD90E8D1C2760D0BE95BA95F32FF7675F3B3A465192B5F766ECE30E472D91DAB5F262A4BDB2892854CB1C01E2BC84C6E20CB34EBBFEC96F4
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\sihost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp53F0.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\sihost.exe

Download File

Process:	C:\Users\user\Desktop\DCwTjs2dTP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	7.592025541663874
Encrypted:	false
SSDEEP:	1536:kbe1mZ5AK6G/WV+22ihLk3jb6B4LGt/XzNNu0oTj7A64MWy/ASOlvL4h59MfoZ+G:ZiLe+22iUXlGlXRN+zA6cQAp+ofoZ+G
MD5:	2ED2A1D6604AFEAA681F4C66DCD84194
SHA1:	6134D837220AFE9377CD78950C8ACA43DDE08D8C
SHA-256:	2A48FA5118BF1C97DE6A6B7B0A45BCC95BD678D54F31E2F2D003E5F3EA49C780
SHA-512:	B6DC02F1974D0D90B171432156B85044AB67B51C00C9A6F2CE98562342DD2AFB64AC36AE57E291D37DA0DB564C7191567183917971455969D9EB930C920E8979
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k............."...0.............I... ...`....@.. ....................................`..................................H..W....`............................................................................... ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H...........$l......;....................................................i,.7.=.v.":.....`.t.......>D.5./dos..D+..w..5...<Dp..=?.{....3eKn...f.Q....y......,.>\..8..R:+^H..6..l..H.W"..Y...TVf./..,.w..p.!........S.....x&.1...f.V...u..3O.....X.6xmb.....x.T..IwEY.t.%5..5....1Ca....\|1.Z1.gW..sa..E..+.w..x7=..N...8QY5.y.H....L..OJ...2.......<=..=cx.M....s..F...^....S...5........O.....?S.AU.s......:..........@..(=.Nt...q.4!..I......j.R\|..t.b...GA.{.7..i(.I.G2..z.u..y.6

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.592025541663874
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DCwTjs2dTP.exe
File size:	144384
MD5:	2ed2a1d6604afeaa681f4c66dcd84194
SHA1:	6134d837220afe9377cd78950c8aca43dde08d8c
SHA256:	2a48fa5118bf1c97de6a6b7b0a45bcc95bd678d54f31e2f2d003e5f3ea49c780
SHA512:	b6dc02f1974d0d90b171432156b85044ab67b51c00c9a6f2ce98562342dd2afb64ac36ae57e291d37da0db564c7191567183917971455969d9eb930c920e8979
SSDEEP:	1536:kbe1mZ5AK6G/WV+22ihLk3jb6B4LGt/XzNNu0oTj7A64MWy/ASOlvL4h59MfoZ+G:ZiLe+22iUXlGlXRN+zA6cQAp+ofoZ+G
TLSH:	D4E36B9D366036DFC867C872CAA82CA8AA50747B471BD203A45715EEDE4D99BCF050F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k............."...0..*...........I... ...`....@.. ....................................`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x42490e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF60FB06B [Tue Oct 26 08:42:19 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x248b4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x22914	0x22a00	False	0.8304095216606499	SysEx File - Victor	7.625943654905051	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x596	0x600	False	0.412109375	data	4.024186334587364	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x260a0	0x30c	data
RT_MANIFEST	0x263ac	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
182.186.88.126192.168.2.36906497402848152 08/05/22-09:16:42.961653	TCP	2848152	ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)	6906	49740	182.186.88.126	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 09:16:42.343604088 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:42.507725000 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:42.507963896 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:42.793518066 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:42.961652994 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:42.980221033 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:43.147313118 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:43.202167988 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:46.467544079 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:46.836049080 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:46.836447001 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:47.193211079 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:58.082192898 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:58.449898958 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:58.450030088 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:58.612859011 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:58.734793901 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:58.906966925 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:58.953510046 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:59.070375919 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:59.440320969 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:59.441751003 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:59.811695099 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:05.920444012 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:05.969835997 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:06.131196976 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:06.173055887 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:10.167838097 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:10.545608044 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:10.545766115 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:10.730561972 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:10.782721996 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:10.952214003 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:11.004468918 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:11.991069078 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:12.361207008 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:12.361320972 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:12.723164082 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:21.618616104 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:21.978775024 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:21.979440928 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:22.142467022 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:22.189888000 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:22.352082014 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:22.379858017 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:22.742747068 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:22.743539095 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:23.120084047 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:33.216279030 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:33.586165905 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:33.586325884 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:33.750921965 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:33.878433943 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:34.040781975 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:34.080080032 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:34.441732883 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:34.442347050 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:34.888081074 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:35.953671932 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:36.003654957 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:36.184784889 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:36.237941027 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:44.886441946 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:45.245990038 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:45.247559071 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:45.411969900 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:45.504420042 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:45.665941000 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:45.682383060 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:46.049994946 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:46.050144911 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:46.436414957 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:56.406936884 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:56.767236948 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:56.767338991 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:56.949023008 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:57.146131992 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:57.307141066 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:57.372817039 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:57.735706091 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:57.735805988 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:58.094325066 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:05.973809958 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:06.146740913 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:06.311863899 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:06.443659067 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:08.011923075 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:08.389894009 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:08.390151978 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:08.563564062 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:08.740721941 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:08.901375055 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:08.914977074 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:09.280356884 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:09.280605078 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:09.526557922 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:09.647113085 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:09.808506966 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:09.869719028 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.230223894 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.230392933 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.584258080 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.586045027 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.587495089 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.588771105 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.589605093 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.589751005 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.591027975 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.647125006 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.753017902 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.753572941 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.753783941 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.755080938 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.756288052 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.756397009 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.757787943 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.758994102 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.759123087 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.809803963 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.811302900 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.811408043 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.916563034 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.917579889 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.917722940 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.918993950 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.920238018 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.921958923 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.922312021 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.923487902 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.923563957 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.925045013 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.926260948 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.927730083 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.927826881 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.929244995 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.929687977 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.930489063 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.932061911 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:10.933664083 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.004995108 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.006314039 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.006388903 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.007514954 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.009011984 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.009203911 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.082937956 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.084306955 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.084408998 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.085014105 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.086539984 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.086776972 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.087745905 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.089494944 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.089720964 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.090972900 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.092341900 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.093746901 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.093818903 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.094994068 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.095515013 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.096517086 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.097781897 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.097879887 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.099288940 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.100575924 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.100658894 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.101989985 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.103533030 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.103622913 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.104758978 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.106441975 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.106513023 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.107522011 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.109072924 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.109715939 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.111267090 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.112736940 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.112811089 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.114070892 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.115508080 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.115581989 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.172063112 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.183742046 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.185039043 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.185122013 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.186456919 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.187011957 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.187706947 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.189218044 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.189277887 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.190514088 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.192001104 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.192053080 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.246885061 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.248333931 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.249716043 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.249830008 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.250952959 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.251072884 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.252481937 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.253711939 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.253771067 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.255209923 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.256594896 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.257229090 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.258091927 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.259366989 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.259458065 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.260284901 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.261758089 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.261852026 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.268582106 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.270133972 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.270212889 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.271217108 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.272758007 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.275338888 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.285178900 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.286623001 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.286726952 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.287877083 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.289259911 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.290482044 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.290668964 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.291498899 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.291568041 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.292987108 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.294214964 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.294317961 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.295769930 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.296960115 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.297028065 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.298474073 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.299758911 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.300085068 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.301259995 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.302469015 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.304279089 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.351023912 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.352504969 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.352615118 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.353744984 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.355207920 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.355382919 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.364139080 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.365329981 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.365437031 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.367288113 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.368570089 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.372172117 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.412767887 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.414175034 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.414304018 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.415467978 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.416982889 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.417263031 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.418190956 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.419739962 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.420568943 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.420977116 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.422472954 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.422533035 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.424030066 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.425332069 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.425425053 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.426742077 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.427983999 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.428077936 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.435035944 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.436230898 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.437747002 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.437879086 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.439254999 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.439338923 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:11.449199915 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.450824976 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.451169968 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:11.451323032 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:20.183955908 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:20.545418978 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:20.545516014 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:20.660738945 CEST	49799	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:20.724066019 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:20.724600077 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:20.869071007 CEST	6906	49799	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:20.869306087 CEST	49799	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:20.870156050 CEST	49799	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:20.889235973 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:20.944876909 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:21.022531033 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:21.043155909 CEST	6906	49799	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:21.044353008 CEST	49799	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:21.395819902 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:21.395905018 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:21.424721003 CEST	6906	49799	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:21.772886038 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:22.096901894 CEST	49799	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:22.102404118 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:22.269476891 CEST	6906	49799	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:22.271547079 CEST	6906	49799	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:22.271667004 CEST	49799	6906	192.168.2.3	182.186.88.126

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 09:16:42.094877958 CEST	49316	53	192.168.2.3	8.8.8.8
Aug 5, 2022 09:16:42.273111105 CEST	53	49316	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 5, 2022 09:16:42.094877958 CEST	192.168.2.3	8.8.8.8	0xf053	Standard query (0)	techandro.giize.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 5, 2022 09:16:42.273111105 CEST	8.8.8.8	192.168.2.3	0xf053	No error (0)	techandro.giize.com		182.186.88.126	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	09:16:16
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\DCwTjs2dTP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DCwTjs2dTP.exe"
Imagebase:	0xb10000
File size:	144384 bytes
MD5 hash:	2ED2A1D6604AFEAA681F4C66DCD84194
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	09:16:24
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	09:16:24
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	09:16:24
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	09:16:25
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Imagebase:	0x920000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	09:16:25
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	09:16:26
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x1360000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	09:16:29
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\sihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sihost.exe"
Imagebase:	0x7a0000
File size:	144384 bytes
MD5 hash:	2ED2A1D6604AFEAA681F4C66DCD84194
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.9%
Total number of Nodes:	102
Total number of Limit Nodes:	8

Executed Functions

Function 01362840 Relevance: 2.7, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A,:, xrefs: 01362970
A,:, xrefs: 01362969

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: A,:$A,:
API String ID: 0-3023365590
Opcode ID: 57782421efe35a305428fe09f9bfa853c141a7584e78c30fd7221435bd3082c5
Instruction ID: 850f5a7bb7dac6d4d4176f8d429bff49d007193e7b37f3cc5dd97392def25593
Opcode Fuzzy Hash: 57782421efe35a305428fe09f9bfa853c141a7584e78c30fd7221435bd3082c5
Instruction Fuzzy Hash: 42514A70E052098FDB08CFAAC9406AEFFFAFF89305F15C06AD419A7255D77449018F95

Uniqueness

Uniqueness Score: -1.00%

Function 0ABC4E4C Relevance: 1.6, APIs: 1, Instructions: 64
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptFindOIDInfo.CRYPT32(?,00000000,?), ref: 0ABC57F3

Memory Dump Source

Source File: 00000000.00000002.542857565.000000000ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABB0000, based on PE: true

Associated: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_abb0000_DCwTjs2dTP.jbxd

Yara matches

Similarity

API ID: CryptFindInfo
String ID:
API String ID: 4232373045-0
Opcode ID: 802ac833146a035a7f0ff2a9cec606b2651ad166e2cfbf162d894b80c6243a11
Instruction ID: 2578a315b515557ef4a6ef3ef20064027df35b62fd37b3dba2fdb79c02331f3d
Opcode Fuzzy Hash: 802ac833146a035a7f0ff2a9cec606b2651ad166e2cfbf162d894b80c6243a11
Instruction Fuzzy Hash: E42113B0D00258EFCB24CFA9C484BDEBFF4AB48304F14816AE805A7351EB74A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01364227 Relevance: 1.4, Strings: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WS0c, xrefs: 0136422E

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: WS0c
API String ID: 0-312049407
Opcode ID: 83b297a4b83f9a24c86770db2a6ea53f9ac800e34d4e6d9469bcc7fef59f2124
Instruction ID: a97d1c6e351ba1c20074734c4e3fa8c7e53d3cbf8c9ca2a4b92736c5bd1c3001
Opcode Fuzzy Hash: 83b297a4b83f9a24c86770db2a6ea53f9ac800e34d4e6d9469bcc7fef59f2124
Instruction Fuzzy Hash: 028148B0E1420ADFCB04CF95D4818AEFBBAFF89304B25D555C516AB618D734EA86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0136804F Relevance: 1.4, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0136812E

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: aae3c5e93619c05abcfa98d886e990d9ecce4e038e8d2c91be23c3f16e17078e
Instruction ID: 78985af9fabb67cb1fff953b6ad3f69577b9e6f78052a5863e72775024606d8b
Opcode Fuzzy Hash: aae3c5e93619c05abcfa98d886e990d9ecce4e038e8d2c91be23c3f16e17078e
Instruction Fuzzy Hash: 12615BB4D0530DDFDB04CFA9C5856AEBBB5FB88304F20986AD105BB358E7349A46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01367C38 Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c{, xrefs: 01367CD4, 01367CD9

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: c{
API String ID: 0-1832256588
Opcode ID: bcf9dac6cb50fc2d9341808c911ceae587beefe2ef448f69657a6fd62f40b8ad
Instruction ID: 8a507ab30691d6168a7c299e4a43a44eddb7e28a5da9aa2c74fefd0c9c5fbc4f
Opcode Fuzzy Hash: bcf9dac6cb50fc2d9341808c911ceae587beefe2ef448f69657a6fd62f40b8ad
Instruction Fuzzy Hash: 55614874E05209DFCF54CFA5C4406AEBBBAEF89308F50D829D412AB358DB789A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01367C28 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c{, xrefs: 01367CD4, 01367CD9

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: c{
API String ID: 0-1832256588
Opcode ID: f60b837fea17ee5e5efb29c905aacdaed429584ee692ce5b603e544ad0092ef9
Instruction ID: a06734ed704a8fc5e72d9b83adf4bd17e6451ba7f1d0e0e5ce4fe2bd49449b3a
Opcode Fuzzy Hash: f60b837fea17ee5e5efb29c905aacdaed429584ee692ce5b603e544ad0092ef9
Instruction Fuzzy Hash: 20513A74E15209DFDF58CFB5C4406AEBBBAEF85308F40D86AD012AB668DB788945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01361E58 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdee86966984d38a0f5e439ba83b877541afaabc4adca5618708eef5379a2b59
Instruction ID: b0b3fee4308e9146dd64bf4f6d5a37b4ad62b4e1b37ab95e48040eb12a6f2801
Opcode Fuzzy Hash: fdee86966984d38a0f5e439ba83b877541afaabc4adca5618708eef5379a2b59
Instruction Fuzzy Hash: 96D13374E053198FDB58CFA9C9809EEBBF6FF89314F20856AD405AB258D7359A02CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01364040 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2975272c72300804901e755aefeab731d5e15c2dd0c14bf4cc68565cc494536
Instruction ID: 88b56ed946b99675370731443579efe425d4c7d82b1308ca52d482ace388990f
Opcode Fuzzy Hash: e2975272c72300804901e755aefeab731d5e15c2dd0c14bf4cc68565cc494536
Instruction Fuzzy Hash: EBC15A70D0430ADFCB54CFA5D4814AEFBBAFF85314B25C56AC455AB618D734AA82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01361F10 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f02a0fb393c28cc72fa5317da4a254bb615278e6ca5d49ca5c148a836d92665
Instruction ID: a4d35fc1fa9b2fc0d1fb5c9d9b0bc8e1867516ec8cb2ca10aa213e8e53c5eec3
Opcode Fuzzy Hash: 2f02a0fb393c28cc72fa5317da4a254bb615278e6ca5d49ca5c148a836d92665
Instruction Fuzzy Hash: 8CB1D0B4E052198FDB08CFA9C9849EEBBFABF89304F208529D805BB358D7359905CB54

Uniqueness

Uniqueness Score: -1.00%

Function 013622B0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24a36237c84d91079c79efa3c3bb03355c37edcd942da1a6f38cf70590e6f5a
Instruction ID: 326281f8872b7da9dc5de01133df87f7de475d776f8700ce286ed6c42122a7ad
Opcode Fuzzy Hash: e24a36237c84d91079c79efa3c3bb03355c37edcd942da1a6f38cf70590e6f5a
Instruction Fuzzy Hash: 8DB11B74E1121A8FCB54DFA9D890ADEBBB6FF88304F108529D405AB758DB30AD46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01364138 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea455fc93be3af32d50168e046bd3e901d84dcaff08e917172498318aa2020d
Instruction ID: 4d2f6fec9386a2645f8c41fe998f3e3ee2d58e038246904d487f87b236056d03
Opcode Fuzzy Hash: eea455fc93be3af32d50168e046bd3e901d84dcaff08e917172498318aa2020d
Instruction Fuzzy Hash: 04A116B0E0420ADBCB04CF96D4818AEFBBAFF89304F15D555D516AB618D7349A86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013641D1 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdaadda505aa74124a444138496d597118da42923bc9d95dde948e3d1190346
Instruction ID: 82f1a2755e9585f763b452b54cff7260d11ca21931fd95e35f16767e1090120a
Opcode Fuzzy Hash: 9cdaadda505aa74124a444138496d597118da42923bc9d95dde948e3d1190346
Instruction Fuzzy Hash: CE9138B0E0420ADFCB04CF96D4818AEFBBAFF89304B25D555C516AB618D734DA86CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01360390 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82abf2e24ee70f0dc02c3ef4352630b03b8dde81c3ef3f4b8d1a9f13aaebcaed
Instruction ID: 1de104562ed5ec3f1b2c0f0cb88ee38e3adc4631a846e91e6540b3638df036e4
Opcode Fuzzy Hash: 82abf2e24ee70f0dc02c3ef4352630b03b8dde81c3ef3f4b8d1a9f13aaebcaed
Instruction Fuzzy Hash: 09314B71D0A7858FD71ACF76984169ABFF3AFC6304F09C0AAD444EA26AE7340846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013642F3 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0bd64b8bb96fcbd0c644413ce4742282dd3c90f4e0aea97602905696f561eb
Instruction ID: 174b8611a5ba0f1f67a0b0f60685a6ad517e1f6049759dfb9ef1566154fc3f7c
Opcode Fuzzy Hash: 2a0bd64b8bb96fcbd0c644413ce4742282dd3c90f4e0aea97602905696f561eb
Instruction Fuzzy Hash: EB8149B0E1420ADFCB04CF95D4818AEFBBAFF89304B25D555C516AB608D734EA86CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0136420C Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910b2a5ac0034b373a7e9e9bd7d2079e57c2a141b7d719a0aeee61d6636f5b4c
Instruction ID: e3180b7e6ee98c2ee6b3900080c74210c90ca467a80d622ceadb6a35298c739f
Opcode Fuzzy Hash: 910b2a5ac0034b373a7e9e9bd7d2079e57c2a141b7d719a0aeee61d6636f5b4c
Instruction Fuzzy Hash: A58148B0E0420ADFCB04CF95D4818AEFBBAFF89304B25D555C516AB608D734DA86CF94

Uniqueness

Uniqueness Score: -1.00%

Function 013641F9 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95dd5379c5ea0f9a6b04328b689fc894dc6a40c59892db3f59a3365ef24496ba
Instruction ID: 66471f995bc24952b684bfa33ee2dfb7a017efb160407a7db328646050c01a40
Opcode Fuzzy Hash: 95dd5379c5ea0f9a6b04328b689fc894dc6a40c59892db3f59a3365ef24496ba
Instruction Fuzzy Hash: 618148B0E1420ADFCB04CF95D4818AEFBBAFF89304B25D555C516AB618D734EA86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01362D10 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681b0bb715dd44ac651fbee5b4a43168a326680b61a54b3e7da48f3a347a95ac
Instruction ID: bd80be6eeaa48963807bc67b5c73724ddeef3b70c4b479ec4dad7caab4cb90ff
Opcode Fuzzy Hash: 681b0bb715dd44ac651fbee5b4a43168a326680b61a54b3e7da48f3a347a95ac
Instruction Fuzzy Hash: 95712474E0120ADFCB04CF99D5809EEFBBAFB89314F15D42AD915AB218D334A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01363230 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2946d0f53768b32693f738c184eea64d60d7382d3ddde5f09e013fe1d67fd32d
Instruction ID: aa3772305da754a2d142cbc778bf5b75ecffaf339f647a0e28ffc1c634425ea0
Opcode Fuzzy Hash: 2946d0f53768b32693f738c184eea64d60d7382d3ddde5f09e013fe1d67fd32d
Instruction Fuzzy Hash: CA31D671E006188BEB18CFABD8443DEFBB6AFC9314F14C16AD409AA268DB351A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01360448 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eaa10db56997daea667f5e8267dc60812ae241f7cf66d41510e78d3f39b1560
Instruction ID: 561b0361489e31e38aa9c0aa1f552e5619e5ae5fda30c43c88d8245263fa9aee
Opcode Fuzzy Hash: 2eaa10db56997daea667f5e8267dc60812ae241f7cf66d41510e78d3f39b1560
Instruction Fuzzy Hash: BE11DD71E016199BEB2CCFABD9446DEFAF7BFC8304F04C175D918A6218EB3045419E50

Uniqueness

Uniqueness Score: -1.00%

Function 02EC79E7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,00000000,00000002,?,02EC76B5,00000000), ref: 02EC79F5
VirtualProtect.KERNELBASE(00000000,0000000C,00000040,?,?,02EC76B5,00000000), ref: 02EC7A35
VirtualProtect.KERNELBASE(00000000,0000000C,?,?), ref: 02EC7A68
VirtualProtect.KERNELBASE(00000000,004014A4,00000040,?), ref: 02EC7A93
VirtualProtect.KERNELBASE(00000000,004014A4,?,?), ref: 02EC7ABD

Memory Dump Source

Source File: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_DCwTjs2dTP.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: e97f5128f4928262a86e90a835053c18eef8a3c3d16d400714865687cded975e
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: 6F21C57224430A7FD7209AB48D48E7BBBECEB84304B18983DBE47D1455EB65E6068B60

Uniqueness

Uniqueness Score: -1.00%

Function 02EC7ACD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000000,000016CC,00000040,?), ref: 02EC7B1B
VirtualProtect.KERNELBASE(00000000,000016CC,?,?), ref: 02EC7B4E
VirtualProtect.KERNELBASE(00000000,00402AD1,00000040,?), ref: 02EC7B79
VirtualProtect.KERNELBASE(00000000,00402AD1,?,?), ref: 02EC7BA3

Memory Dump Source

Source File: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_DCwTjs2dTP.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: 0cd09961cf2c847272a88236c046d802a2e95b9fb6819e5217b35a0b6136c254
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: E121C8722447096FD320AAA1CE8CE7BB7EDEB84314B14583DBE97D2441EB74E5168E30

Uniqueness

Uniqueness Score: -1.00%

Function 02EC7537 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 02EC758F
LoadLibraryA.KERNELBASE(00000238), ref: 02EC762C

Memory Dump Source

Source File: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_DCwTjs2dTP.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: 2b6e6f1ef7340955a4f3f08b6c665e366483194e034cd433e506c73ad372988a
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: B361B632480B06ABCB32AAE48E80BABF7ADFF05319F24A42DF55945540D735F162CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02EC83F9 Relevance: 3.2, APIs: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 02EC8521
SafeArrayDestroy.OLEAUT32(00000000), ref: 02EC85BB

Memory Dump Source

Source File: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_DCwTjs2dTP.jbxd

Yara matches

Similarity

API ID: ArraySafe$CreateDestroy
String ID:
API String ID: 2156726103-0
Opcode ID: 13055a546d3acc03fdeffe086f9be721a6484159b398ff6ac3d898ad76acf673
Instruction ID: d64d213f9ae8ece0a57fd4a68c8af75ce1d8051ea57b71adaee5a914317deb55
Opcode Fuzzy Hash: 13055a546d3acc03fdeffe086f9be721a6484159b398ff6ac3d898ad76acf673
Instruction Fuzzy Hash: 45618FB12402469FC721CF60CA80EEA77EAFF88705F24956DED49CB205D770E646CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01368489 Relevance: 1.3, APIs: 1, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 01368531

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8f5f8314e2adcbe31ed4f332e21e2f16f700a53aff0b781c72605d1832db69b7
Instruction ID: d86756a08e32767fa5c3d6c9ff3959854757fbd68413dee63ef625c02833d98f
Opcode Fuzzy Hash: 8f5f8314e2adcbe31ed4f332e21e2f16f700a53aff0b781c72605d1832db69b7
Instruction Fuzzy Hash: 1531A8B9D002589FCF01CFA9D980AEEFBB4BB09314F14906AE814B7311D334A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01368490 Relevance: 1.3, APIs: 1, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 01368531

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ae75d0744de455b50cf1b485f391df18f0bf51ec50bc8f7f4632fe329ca9105b
Instruction ID: d0a5c63a6d65e80a209cebc390f0e94d3b585dd07b06c90095cfd35d3794b8dc
Opcode Fuzzy Hash: ae75d0744de455b50cf1b485f391df18f0bf51ec50bc8f7f4632fe329ca9105b
Instruction Fuzzy Hash: CE3173B9D002589FCF10CFA9E984ADEFBB4BB09314F10902AE819B7714D774A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0130D558 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.523853291.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fe81fde843e750b7311df333415288c67fb4dc05486ed8fe6a4518a3ade5d3
Instruction ID: 570e650ca89a3262c0f502fd33a22e661dde7287334a392b2d09e9b0f204bcd5
Opcode Fuzzy Hash: b0fe81fde843e750b7311df333415288c67fb4dc05486ed8fe6a4518a3ade5d3
Instruction Fuzzy Hash: 5121F571504244DFDB06DF98D9D0B26BFE5FB8832CF248569EC090BA96C336D856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0130D644 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.523853291.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e204321707f87e5eac1d9f24be47fa756d00b0de652189136428346da35c74
Instruction ID: 7a24d1ca802ecf8dbabbb23163f36ea45e8dd0563610a4dbddb81d6f258db785
Opcode Fuzzy Hash: 50e204321707f87e5eac1d9f24be47fa756d00b0de652189136428346da35c74
Instruction Fuzzy Hash: 29210375504248DFDB06CF94DDD0B26BFE5FB88728F248569E8090BA86C336D856CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0130D63F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.523853291.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 105bd834de4d4a95c324e688d8f9f23897cbd6f99b39a3214d38eca17437f1dd
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 6B11D376404280CFCB16CF94D9D4B16BFB1FB84324F24C6A9D8484B657C336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0130D553 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.523853291.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 04d94651d01ffabea4d46387b4711c2b7c544306a44d07cf3048f1a47018eee4
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: C011D376404284DFCB12CF94D9C4B16BFB1FB84328F2886A9D8090B657C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0130D041 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.523853291.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc3d5f7185e147d797a2bbd6b329a12f3a5e29ca692da46a06b27de7c5f17d0
Instruction ID: 4041ba978e6f7c6e0f3b6f9be5f4a81169dd12c7ed465eae8a48a5a3f9714311
Opcode Fuzzy Hash: 9fc3d5f7185e147d797a2bbd6b329a12f3a5e29ca692da46a06b27de7c5f17d0
Instruction Fuzzy Hash: 370128710043849BE7128A95CD84767FFD8EF412ACF08811AED094AA83D3749845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0130D040 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.523853291.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7390b1968f2ce12b3aa6696e71efc5ed2a2bce77c13168a34e5a013ae7897d81
Instruction ID: aef0a4eaba5875171d4e34a96de9ea22ddecff2c9c56843afbf719a2ca605e31
Opcode Fuzzy Hash: 7390b1968f2ce12b3aa6696e71efc5ed2a2bce77c13168a34e5a013ae7897d81
Instruction Fuzzy Hash: 7AF0C2714043849FE7118B59CC84B63FFE8EF41678F18C46AED085B687C379A844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01366231 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

1nz2, xrefs: 01366313
1nz2, xrefs: 0136631A

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: 1nz2$1nz2
API String ID: 0-940600227
Opcode ID: 49911dea79bad9fb7136acaf6c47e415df3beeb9b77f6ed14e8a0d99e38af762
Instruction ID: eed8a9c9080fb0644d006d9dc2158496f97bbb67155bd02ff952276892b5fa29
Opcode Fuzzy Hash: 49911dea79bad9fb7136acaf6c47e415df3beeb9b77f6ed14e8a0d99e38af762
Instruction Fuzzy Hash: E841F5B0D0420A9FCB48CFAAC5815EEFBF6BF89354F24C16AC415A7258D7349A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01366240 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

1nz2, xrefs: 01366313
1nz2, xrefs: 0136631A

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: 1nz2$1nz2
API String ID: 0-940600227
Opcode ID: a151f2c47c59d7d98178dd6caed8e44cbc151aca4e9bc99a96dabad5a40d6e67
Instruction ID: 4cff53eff43269005c450c757a42d84c6169d609be338a74e8907b6b4402d44b
Opcode Fuzzy Hash: a151f2c47c59d7d98178dd6caed8e44cbc151aca4e9bc99a96dabad5a40d6e67
Instruction Fuzzy Hash: C241C2B0D0460A9FCB48CFAAC5815EEFBF6BB88344F24D169C415B7258D7349A458FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01367468 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

4diQ, xrefs: 013674F5

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: 4diQ
API String ID: 0-3112198810
Opcode ID: aa978156bd07f392bc4a167f4fce86b2a7e95ca9e4e4893b4e2b6eb954e26514
Instruction ID: cdc9bdec5b56bc70f504fd2dc63e26b1e235e5e6a2d5f63581fbeb4b6e1833af
Opcode Fuzzy Hash: aa978156bd07f392bc4a167f4fce86b2a7e95ca9e4e4893b4e2b6eb954e26514
Instruction Fuzzy Hash: 0B911C74E001698FDB14DFAAD880A9DFBF6BF89308F24C169D418AB319DB30A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01367464 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

4diQ, xrefs: 013674F5

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: 4diQ
API String ID: 0-3112198810
Opcode ID: e771788e2dfb175cb3fb86e0e469161808abd0f2fd314e98187123dddb736dac
Instruction ID: b04f123d88130431a2b57060c69a4c038941f55a53b1cfa69463228281fb6858
Opcode Fuzzy Hash: e771788e2dfb175cb3fb86e0e469161808abd0f2fd314e98187123dddb736dac
Instruction Fuzzy Hash: E6912C74E001698FDB14DF6AD880A9DFBF6BF88308F24C669D418AB319DB349946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01366419 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

x&QG, xrefs: 013665D3

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: x&QG
API String ID: 0-4162311451
Opcode ID: e33a16a3229d1e89be7c1779bdbcf9299ba79d893f80695f74269b1465606c53
Instruction ID: 8982cc8079734650584ac4a5437992b4f99b8d3399d26baac54c1eae8a46cd8f
Opcode Fuzzy Hash: e33a16a3229d1e89be7c1779bdbcf9299ba79d893f80695f74269b1465606c53
Instruction Fuzzy Hash: 7451F2B0E05209CFCB08CFA9C5819EEFBF6FF89254F14956AD405B7328D7349A418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01366428 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

x&QG, xrefs: 013665D3

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID: x&QG
API String ID: 0-4162311451
Opcode ID: 73c88b524a53d23c855a5b0e1be987b10940334184372449618b1af7410227a8
Instruction ID: 3226ac6937838bff2fe3c99aa4f54a00de315aa7bb37028286db5fedb76d14a1
Opcode Fuzzy Hash: 73c88b524a53d23c855a5b0e1be987b10940334184372449618b1af7410227a8
Instruction Fuzzy Hash: 6E51E1B0E05219CFCB08CFAAD5819DEFBF6BB88254F24952AD515B7318D7309A418FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01365068 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6100f951673354c9b9a1a129e1d8978d216bd8e71489d6f3cf20b0de554950ea
Instruction ID: 4c47ebf1f2c5c708fa4661218e50a9096944da812ddf7fb634f6350b677de66c
Opcode Fuzzy Hash: 6100f951673354c9b9a1a129e1d8978d216bd8e71489d6f3cf20b0de554950ea
Instruction Fuzzy Hash: E7810F74A1120ACFCB44CFA9C5848AEFBF5FF88354F248569D415AB728D730AA02CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01365058 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7489fc7543aaecf4a16b74897771824fef04b4857b391164479187ceddaa6b0f
Instruction ID: e317d412ed3b7de19b4b726341699248b436b5f2dde2a528ce1eb47d30a27083
Opcode Fuzzy Hash: 7489fc7543aaecf4a16b74897771824fef04b4857b391164479187ceddaa6b0f
Instruction Fuzzy Hash: 2E810374A15209CFCB44CFA9C58489EFBF5FF88354F24856AD415AB728D730AA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01365BA8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4013b0b94b7acd3114b90147ab0c7c34b8e77898719a82bda0695854417c952e
Instruction ID: 54cb294334628054757563bb9bec45e23efff8511a507b035462d7da182251de
Opcode Fuzzy Hash: 4013b0b94b7acd3114b90147ab0c7c34b8e77898719a82bda0695854417c952e
Instruction Fuzzy Hash: 7571D0B4E1420ADFCB04CF99C4808AEFBB9FF58394F14C569D415AB218D770A982CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01365B99 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22811484f7c690eabf4ddb28c9d2e2203278e8a83bdb46a868d0149aceeac1c
Instruction ID: 1583437fb147b3f9cc6e5a5a16c7b2d1eaf96709121c689f25e8975e70082cf3
Opcode Fuzzy Hash: c22811484f7c690eabf4ddb28c9d2e2203278e8a83bdb46a868d0149aceeac1c
Instruction Fuzzy Hash: B561F4B4D0424A9FCB04CFA9C4808AEFFB6FF89394F18C566D415A7619C774A982CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01361268 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acaeb61e2c4464653413fe7dd37ea2cbf965fda1ae35fcc6e9b50b4aa5d8b5f
Instruction ID: 00b4777784b591d3fad989a6cbcafa6a4f4c36165659ca50c0a03f1502af62b0
Opcode Fuzzy Hash: 9acaeb61e2c4464653413fe7dd37ea2cbf965fda1ae35fcc6e9b50b4aa5d8b5f
Instruction Fuzzy Hash: 77515A71E053549FDB99CFA6C8506DAFBF2EF85310F18C0AED488A6225E7384A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01366628 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dd9fcd9677b8dc71498b772e1621917ed6008b1d06e1e8a9bc784f8b5335cc
Instruction ID: 4eee0bd6ec5d04c0771c8172a44669461264bbcf072d6eaf36156cc23bad51fc
Opcode Fuzzy Hash: f2dd9fcd9677b8dc71498b772e1621917ed6008b1d06e1e8a9bc784f8b5335cc
Instruction Fuzzy Hash: 67411BB0E0520ADFCB44CFAAD5415AEFBFAFF88350F24C56AC405A7218D7349A418F95

Uniqueness

Uniqueness Score: -1.00%

Function 01366638 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.524349229.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_DCwTjs2dTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07aa6f4b2750d5d2335388806f7a8cf9ba3d0b0e13a083de890ea3eb21b8fd23
Instruction ID: 3bd97779eb5d6d719799917728981dc1515311b930d158f5c0091c0d86f6879e
Opcode Fuzzy Hash: 07aa6f4b2750d5d2335388806f7a8cf9ba3d0b0e13a083de890ea3eb21b8fd23
Instruction Fuzzy Hash: FE41E7B0E0520ADBCB44CFAAD5415AEFBFAFF88350F24C56AC805B7618D7349A418B94

Uniqueness

Uniqueness Score: -1.00%

Function 02EC9028 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_DCwTjs2dTP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: ab7f1e5bc5249684e36d2e0b764534d9bad9d7d9a342f9da6b3fc2242ad8bde7
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: 5BF03932240114AFDF158F88CD42EBAB7E9EF08364B04806DFD09D7222E332ED219B80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sihost.exePID: 5352, Parent PID: 6128COMMON

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04B3DDF0 Relevance: 3.8, Strings: 2, Instructions: 1305COMMON

Download Yara Rule

Strings

d, xrefs: 04B3E253
[-Gi, xrefs: 04B3E2FC

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID: [-Gi$d
API String ID: 0-338192110
Opcode ID: 3c7fb1e778fb4895161b6e56576745ca4fe97089a214c6046b6f651d9b1eb095
Instruction ID: 70e9ec86895b2c8b2c2ef23805a07490bde996a93e5aeed426646fea18e160ed
Opcode Fuzzy Hash: 3c7fb1e778fb4895161b6e56576745ca4fe97089a214c6046b6f651d9b1eb095
Instruction Fuzzy Hash: 99C23834A00214CFDB19DF65C894BA9B7B2FF88315F15819AE90A9B361DB35ED42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B39458 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04dd0bd6725fbfa3f8b4e0025e3dcd0bccd805c117d0a87db406a55726556f4
Instruction ID: 7f66e0540a12270021bebffff82c2ad849772ca5b15d42a77330d7ddfda08c21
Opcode Fuzzy Hash: f04dd0bd6725fbfa3f8b4e0025e3dcd0bccd805c117d0a87db406a55726556f4
Instruction Fuzzy Hash: 62E15975600A049FD725CF79C884BDAB7E2FFC8315F148A68D4AA8B365DB70B845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0630 Relevance: 7.8, Strings: 6, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`b{, xrefs: 00DF0B1F
`b{, xrefs: 00DF0AB9
`b{, xrefs: 00DF0A50
`b{, xrefs: 00DF0AEC
`b{, xrefs: 00DF0A83
`b{, xrefs: 00DF08D8

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID: `b{$`b{$`b{$`b{$`b{$`b{
API String ID: 0-1368957477
Opcode ID: 9eea90d51ad4460a857add001b73bfadb8892e0d55fc4b164f966105a6943c45
Instruction ID: 99a6794ad770d6ca3a754a264d808fc266a35a93170cf5489f359dc4cf623033
Opcode Fuzzy Hash: 9eea90d51ad4460a857add001b73bfadb8892e0d55fc4b164f966105a6943c45
Instruction Fuzzy Hash: 3FD1A530B006089FDB24AB34D06477EBAE2FB84344F16C569D1469B792EF74EC85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B36EF8 Relevance: 2.7, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`b{, xrefs: 04B36F75
`b{, xrefs: 04B36F86

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID: `b{$`b{
API String ID: 0-259702225
Opcode ID: 6b0bfdf1b598cf29933e821c91bee0072670065a293a2bd5078d4c9f02e5a5f4
Instruction ID: 2c2599814f4485bc095e4347b7d1c9acbabe06297d98e91bc2fb19612b5a2a0f
Opcode Fuzzy Hash: 6b0bfdf1b598cf29933e821c91bee0072670065a293a2bd5078d4c9f02e5a5f4
Instruction Fuzzy Hash: F241B031B00214DFCB24DBBAD4506EEB7F5EF88625B1480AAE91DDB750DB30AD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 04B3D190 Relevance: 1.7, Strings: 1, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04B3D6CF

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5074cc16ad74b0bbe856e55347a86ef3d647b7bb3da6adc4447ab232c8cf5d3a
Instruction ID: 54a316cb81bb4a501fa8f18f260956929cc2462eb1fc06df6e417ffed71c4e1c
Opcode Fuzzy Hash: 5074cc16ad74b0bbe856e55347a86ef3d647b7bb3da6adc4447ab232c8cf5d3a
Instruction Fuzzy Hash: CF126675A00605CFDB21CFAAC584AAEB7FAFF88305F10495AD45AD7240DB34F882CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0620 Relevance: 1.5, Strings: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`b{, xrefs: 00DF08D8

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID: `b{
API String ID: 0-2100264562
Opcode ID: bed7838c1734505fc018d6b1193774e8a362cf1bb8994cadb2b8e6855ef1bed9
Instruction ID: ad9ec57096ca4237da1c7d4c17dc130463d5d2e4e3529f6a0f2310094777997b
Opcode Fuzzy Hash: bed7838c1734505fc018d6b1193774e8a362cf1bb8994cadb2b8e6855ef1bed9
Instruction Fuzzy Hash: 9E919130A00608DFEB24AF24C054B7ABBF1FB44314F1AC55AD2568B696DB74EC85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02938489 Relevance: 1.4, APIs: 1, Instructions: 175
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 02938531

Memory Dump Source

Source File: 0000000A.00000002.525388519.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2930000_sihost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c0e7c9b307d4030fb22eee532eea2f6f8f3fc9d77a17c80b9024cacfa4515e8
Instruction ID: 357d229c55fa05fb211d133d78a6f6a6818375e79b62aa74b69e0f06b8fb27a4
Opcode Fuzzy Hash: 9c0e7c9b307d4030fb22eee532eea2f6f8f3fc9d77a17c80b9024cacfa4515e8
Instruction Fuzzy Hash: 1A71ABB8E05219DFCF05CFA9D984AEEBBB1BB49310F14942AE815B7310D734A905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DF04C8 Relevance: 1.4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`b{, xrefs: 00DF055B

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID: `b{
API String ID: 0-2100264562
Opcode ID: 34dc654fbf604d71430c801c420574de5392fe2aa75b0e91bdbd3b64537fc36a
Instruction ID: ae76a2d565cf8b46e720b11d673e97e3f376984e2eb0af0b087d023c57f7d18b
Opcode Fuzzy Hash: 34dc654fbf604d71430c801c420574de5392fe2aa75b0e91bdbd3b64537fc36a
Instruction Fuzzy Hash: F6310231304B544BD334E73AD4147ABBBD2AF85314F08886ED18A8B792EB75EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02938490 Relevance: 1.3, APIs: 1, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 02938531

Memory Dump Source

Source File: 0000000A.00000002.525388519.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2930000_sihost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4dfecad7caaedbbb57b99cad74b9e6a8878078d1b3ea3652213922f33b336e40
Instruction ID: 982174f733d4863a6d6b9f462f2ab58e9b9871eb50243e06cbf87701f088b247
Opcode Fuzzy Hash: 4dfecad7caaedbbb57b99cad74b9e6a8878078d1b3ea3652213922f33b336e40
Instruction Fuzzy Hash: 013174B9D002589FCF10CFA9D984ADEFBB5BB09314F14902AE819B7310D774A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DF031F Relevance: 1.3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`b{, xrefs: 00DF0379

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID: `b{
API String ID: 0-2100264562
Opcode ID: e9336a6417ec78152879fee859ded318aa54948f9f6263c63c8baee36f59ff56
Instruction ID: abd85c9b53de53c2a6d2de3ce68cb927b3edbde94da9876ce5ba7641a9f83261
Opcode Fuzzy Hash: e9336a6417ec78152879fee859ded318aa54948f9f6263c63c8baee36f59ff56
Instruction Fuzzy Hash: 2C11E6223042580B9625637E68602FF6BCECFC6539B05017AE749DB782ED158C0643B5

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0461 Relevance: 1.3, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`b{, xrefs: 00DF0493

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID: `b{
API String ID: 0-2100264562
Opcode ID: 97d1d75e70febf7f157c9cdc028380820189682cd6ed850f469814ef95298a9d
Instruction ID: 72d3ba79d90fbba86458fd64ffcecc8394a4d20648850b57992422d2ff28a9b5
Opcode Fuzzy Hash: 97d1d75e70febf7f157c9cdc028380820189682cd6ed850f469814ef95298a9d
Instruction Fuzzy Hash: 74210A612042444FD325E728D8607EABBD6EF81214F08846ED289CF792EB64EC45C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00DF03B8 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

`b{, xrefs: 00DF0407

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID: `b{
API String ID: 0-2100264562
Opcode ID: 7052664b236323fe77ac931484fdd2c651390345094cea5a09bd75eb9a26093f
Instruction ID: daed6b5cc95d0015e3bef706a3ea69d4a1474b2554a5a1c025d8d0994237d442
Opcode Fuzzy Hash: 7052664b236323fe77ac931484fdd2c651390345094cea5a09bd75eb9a26093f
Instruction Fuzzy Hash: 3A01D6317042980FC71AA77999201AE3B969FC651931940FBC609CF353FF298C0B87A6

Uniqueness

Uniqueness Score: -1.00%

Function 04B3A438 Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893a327c00d03bf51d4dfdacb0d562b5a2679b47e8a61b0fc51f37e6e054d09c
Instruction ID: ad773bb5b502bd5256760d0c7dd2d83304c39c815ad3e1d21da7e5bf2f1b2f57
Opcode Fuzzy Hash: 893a327c00d03bf51d4dfdacb0d562b5a2679b47e8a61b0fc51f37e6e054d09c
Instruction Fuzzy Hash: B2624974A006148FCB25DF66C594BAEBBF6FF8C305F208599E49A97251EB34AC42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B314D8 Relevance: .7, Instructions: 700COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4077f3d79bed006aa0ae2c2b876c244b912d508cea8765913389608cf27ea4
Instruction ID: fdf881355e276c2ddbbc95d20ffccf48dd318825dd44bae681109d3ecb43781b
Opcode Fuzzy Hash: 7d4077f3d79bed006aa0ae2c2b876c244b912d508cea8765913389608cf27ea4
Instruction Fuzzy Hash: 2162E334A00214CFDB24DF69C958BA9B7B6EF48305F1484E9E50AAB361DB35ED82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B3C798 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8a3f442fb7b1904c26923242ba937bf369db70a771326aea7c7a7e93532139
Instruction ID: 4e1416803c5a87c77d783bfbd35c25286e81791ed1bf43e699cdfedfadb3040d
Opcode Fuzzy Hash: 3c8a3f442fb7b1904c26923242ba937bf369db70a771326aea7c7a7e93532139
Instruction Fuzzy Hash: 6E029F75A002169FCB14DF69C484AAEBBB2FF88315F048699E8199B365D730FC56CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04B3BAE0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55947813d3c82bd1119a46bd2d51c72a1d26ab4fe9ebab72521357ca9d5224e4
Instruction ID: 7984dfd57ddc7edb8e3bf779ab566829d01208d9126fba088838f81fc37d2fde
Opcode Fuzzy Hash: 55947813d3c82bd1119a46bd2d51c72a1d26ab4fe9ebab72521357ca9d5224e4
Instruction Fuzzy Hash: 2AD1AF707086108BD7259F7AC5947AAB7A6FB84306F00485AE45BDB256EB78FC42DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04B35C79 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edf35a455c1192b029f05b74a440c68956d482fdbb0b511866fdba9a11244bc
Instruction ID: 4fe7b27f9d5c6c13ac74c1ab8e6bb2971009b1917b241d0df24f9c6d6ae3f95c
Opcode Fuzzy Hash: 4edf35a455c1192b029f05b74a440c68956d482fdbb0b511866fdba9a11244bc
Instruction Fuzzy Hash: 2DD13C34A01204DFDB24DFA5D998AADBBB2FF88306F548569E816DB350DB35AC46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04B34158 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846479652664ec138cd04dd4127f02e3d3716c4719b8eabf5d27409e30dbdf34
Instruction ID: 5eabe695ba4d1c7912246d2f640fa0b534c974d51cd53126c2055c631046e0b9
Opcode Fuzzy Hash: 846479652664ec138cd04dd4127f02e3d3716c4719b8eabf5d27409e30dbdf34
Instruction Fuzzy Hash: 6BA10730B002059FDB14CF66D4406AEBBF6EF85315F2285E9E4199B641EB35FC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B387A9 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d4f1f57332e4e3cecc228acbbc98a3bef7f159a0077eed51bb4234c98c173c
Instruction ID: 03f2dfd826cfbd6cafefe43721a55fcd99207ac9380201ae2cd3111c63fbeb56
Opcode Fuzzy Hash: a5d4f1f57332e4e3cecc228acbbc98a3bef7f159a0077eed51bb4234c98c173c
Instruction Fuzzy Hash: E9C1B8706006058FC714DF2AC584ADABBF2FF89315F148AA9E45A8B761E770FD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B3A428 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be14070b39803d9048aba849c407338accdc2a5f35d851a24b297d5a3d2f56e0
Instruction ID: f2e0f08ba47501309c8858eb275e06660b05e36335c328c81d9c35d89db1db02
Opcode Fuzzy Hash: be14070b39803d9048aba849c407338accdc2a5f35d851a24b297d5a3d2f56e0
Instruction Fuzzy Hash: 10B14A74A002148FDB25DF65C494AAABBF2FF88305F208599D49A9B355EB34F846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B3B218 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c0e88b5ea13b8790281be6d90c2fba3f0936068f40d0d6b84a5a2dcda2de8f
Instruction ID: 7584b3da1702904bc29cbc730824016de9025da69fad3915f1d2f57a1eb080d5
Opcode Fuzzy Hash: 87c0e88b5ea13b8790281be6d90c2fba3f0936068f40d0d6b84a5a2dcda2de8f
Instruction Fuzzy Hash: 1F91CE70A046168FCB15CF69C580AAEF7F2FF88311F108659D45A9339ADB30BD51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B3CDB0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fac472a03346486f4b6c3f9d4c88cea687787d9ed37f26bb6c14936096f55c4
Instruction ID: 74d7201dc1867ebf6708bfd762a276082c6e1f5ebbecca24a09e389d52c46477
Opcode Fuzzy Hash: 3fac472a03346486f4b6c3f9d4c88cea687787d9ed37f26bb6c14936096f55c4
Instruction Fuzzy Hash: 15816B35B006118FCB18DFB5C4A496ABBB2FF89315B1085A9E906DB761DF35EC02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04B3422D Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c60b4a2ae9338768df773003c952357bef91342ac984ecbfe26f4db9737585a
Instruction ID: cd6e625539d6c200236b97f7d5c5fad38b0db1a4036739280221c152ae36f53e
Opcode Fuzzy Hash: 9c60b4a2ae9338768df773003c952357bef91342ac984ecbfe26f4db9737585a
Instruction Fuzzy Hash: E2813E74A01205DFDB14DFAAD990AAEB7B2FF48305F1485A9E505AB350DB34FC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B37AC8 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b1e06073fa42daa6ae5fb6a3fd1a9d2f61f2ee1c6e4884440bc9a91e79d4fd
Instruction ID: 3fe179b8598a9cb9533aa14ddc34d07bca8df04ac22aa97d6c35c31b69068253
Opcode Fuzzy Hash: e3b1e06073fa42daa6ae5fb6a3fd1a9d2f61f2ee1c6e4884440bc9a91e79d4fd
Instruction Fuzzy Hash: C67171B02007048FD314DF26D494B97B7E2FF84318F108A6DD49A4BB61EB75BD0A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0040 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da905cd0de1adba01ebbaff9e6ff56304fa3301eaf488f8fb8727d3594cd3d2c
Instruction ID: 4f0655add906770f8b741f761c5f7336003fc6208b43d2a8d3ca213537d38205
Opcode Fuzzy Hash: da905cd0de1adba01ebbaff9e6ff56304fa3301eaf488f8fb8727d3594cd3d2c
Instruction Fuzzy Hash: B1515B34710214CFCB58EB38D56566E37A6EF88304B258869D502DB7A6EF7ADC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0523E798 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b509a93ca297379d3ef5c265aeb98f8e23aa4ecd3c76396eaf82d89146658a
Instruction ID: b9591e5b7fb42728ccce57ea1eecd92707cc5d5cbe0ec23bb3ed3edb4782689f
Opcode Fuzzy Hash: 03b509a93ca297379d3ef5c265aeb98f8e23aa4ecd3c76396eaf82d89146658a
Instruction Fuzzy Hash: 4D51B6B5A1021ADFCB05DB64D889CEFBB7AFFC57007104519E502A7351EB349E09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B37EC8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad20fff6419a390b093b56c10b083688a7d507a8c51b0620c3a0ed7594c1972
Instruction ID: 4d3de852c42de19ddea258411ebd1a158b531a1c4ec539f466c585bb2b832e17
Opcode Fuzzy Hash: bad20fff6419a390b093b56c10b083688a7d507a8c51b0620c3a0ed7594c1972
Instruction Fuzzy Hash: AF515A727042959FDB11CF69E4406AABBE5FF88329F0880AAE84DD7341DB35BC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0012 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773097da2793e08070332b550996dac9c125982979011a08746e3c072f7d50e9
Instruction ID: 0aef23782c759dc73c8954dfa53bf30849b2571cc9031f2ebb4f5e990f35076d
Opcode Fuzzy Hash: 773097da2793e08070332b550996dac9c125982979011a08746e3c072f7d50e9
Instruction Fuzzy Hash: A2516C34710204CFCB58EB38D4656AE37B6EF89304B2544A9D402DB7A6EF39DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B39BC0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c8ca87b03f00dfc36ee1e3c8fa26a2c54882946f4030aef09698796b5a0eec
Instruction ID: 3c63f5952288f639c26acabd325289aa4ab2c95cf7eed78d63807d898366b3b7
Opcode Fuzzy Hash: 29c8ca87b03f00dfc36ee1e3c8fa26a2c54882946f4030aef09698796b5a0eec
Instruction Fuzzy Hash: 434146706082809FCB169B78D8946E97FB2EFC6309F1440FAD4859F262DB316C07DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B376B0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695280d0698a08a6e5291a129268678a4fb3ec6950341bede0d2acb89460eebb
Instruction ID: 391540e28def959499f83d352f847a42c232473320b3a66ab1adcda49a08a264
Opcode Fuzzy Hash: 695280d0698a08a6e5291a129268678a4fb3ec6950341bede0d2acb89460eebb
Instruction Fuzzy Hash: 49413C74A00619CFCB14DF6AC4849ADBBF2FF88315B158599D805AB720EB35FC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B3C290 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d700d266f66c35be2dfc89111494a2f4d5273b058e39a8de164cdaa92ae7164a
Instruction ID: 672468e3e350657846cf9013a880062195a460fb8b199faa5a44174d4a0a5ce3
Opcode Fuzzy Hash: d700d266f66c35be2dfc89111494a2f4d5273b058e39a8de164cdaa92ae7164a
Instruction Fuzzy Hash: 004109B5A002198FCB11DFA9C8809EFB7F9FF8C314B14466AD91AE7615DB30E901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B37161 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8ba828e9cb982d5b5eb102a064542f9131fe39d6ad32aaff9d126460363cbd
Instruction ID: 1ee8baec93eef94c9ae4f43c1173c69ad143dc81728186c182c9db1859b5f4d2
Opcode Fuzzy Hash: 9c8ba828e9cb982d5b5eb102a064542f9131fe39d6ad32aaff9d126460363cbd
Instruction Fuzzy Hash: A2213677B1011057EF2446BAB8013FE739ACBC4366F0084B6EA18D7680EE29996642D1

Uniqueness

Uniqueness Score: -1.00%

Function 0523F130 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ed2ba98d84ba1ce128cc09122803e9b4aff6ec742673726bf43a469fcd5c29
Instruction ID: 4eb9905f1912e27cc4c866fbf7bb37b8936abb9ce217552f1cd9c02f4bd69b9b
Opcode Fuzzy Hash: 40ed2ba98d84ba1ce128cc09122803e9b4aff6ec742673726bf43a469fcd5c29
Instruction Fuzzy Hash: F9418075B101059FCB04DF69E9848AEBBF6FF8C250B154469E809AB321DA30EC05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B32970 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6940389bbdae9354fa2b13af41b949724d56be9a3f33bc9692b575bd52536b1d
Instruction ID: 63f59d41c3f113118f98ed3624f30bbc02e69ac2f8228dc9c8a426387f39811e
Opcode Fuzzy Hash: 6940389bbdae9354fa2b13af41b949724d56be9a3f33bc9692b575bd52536b1d
Instruction Fuzzy Hash: B53141703007008FD7389F26E594A2A73F6EF9525A7008AA9D88287B55FB34FC47DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0523F738 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914a8bde77d5cd00be21dfdd20d5ece584d2e48a6a95e924a60f91cbd5a491f4
Instruction ID: e4c623ed9fc0c60d0510d2962fbb5c0fc8f5180da9e44febfc7c151120eff463
Opcode Fuzzy Hash: 914a8bde77d5cd00be21dfdd20d5ece584d2e48a6a95e924a60f91cbd5a491f4
Instruction Fuzzy Hash: 99317E74B202018FCB54DF69E69996EBBF6FF88611B108569E10ACB7A1DB70DC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0523F9D0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3483b81af05383bd9d729ba16774dc6949ca36cd5e69aec8b33e00ac26444b21
Instruction ID: fed0d79de1561d9db05dfd9de1ffd5134a170086e4e3e268ba6637cca1d17601
Opcode Fuzzy Hash: 3483b81af05383bd9d729ba16774dc6949ca36cd5e69aec8b33e00ac26444b21
Instruction Fuzzy Hash: 25215675F242058FCB14CBA8E5629BEB7B2EFC5214B1480A9D80A97751EB35EC01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0523EF20 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a344ffb56301ed2382ac619d299b4f1d788de71a3777c91091d2df0adcafe46
Instruction ID: cda4269ad5f635ac0ecfb35e50a02d35d3d8bfc65aa88cb12fd66287d8b1799c
Opcode Fuzzy Hash: 4a344ffb56301ed2382ac619d299b4f1d788de71a3777c91091d2df0adcafe46
Instruction Fuzzy Hash: A7311E75B10119DFCB14DF69C4859AEBBF6FF88710F218069E919AB360D7709D09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0523EF11 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747e3cf466fd76bb654567ccba1bc045867eb45b6d3edc3ab0299eb299b103e4
Instruction ID: f1bcf349721f5bd7fbce7f7e5773ce3aec55fc98c3467a258adc6a73dce2e719
Opcode Fuzzy Hash: 747e3cf466fd76bb654567ccba1bc045867eb45b6d3edc3ab0299eb299b103e4
Instruction Fuzzy Hash: 34316F75A10119CFCB04DF69C4459AEBBFAFF88710F218069E809EB361DB749D09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B3E4AC Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1bf6243a858f16c379294830adcc148310b2ba791941e9081755aa3cff4f12
Instruction ID: c371296df12201eb4181906f5a8f1362591c4b4e85bf476ee82dc1838013eeaf
Opcode Fuzzy Hash: 7c1bf6243a858f16c379294830adcc148310b2ba791941e9081755aa3cff4f12
Instruction Fuzzy Hash: E8414F38A10514CFD754DF65D984E99B7B1FB88315F2580D6E80AAB362DA31ED42CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04B3E5AC Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6338e6501804fd4b6239ebead9c05a9cc0da530d490f788740e931c2ec99a7a1
Instruction ID: d2c1fe1999aaa17a5fc8f8d9fc1b7cc2c34e00d5aaafb74f753cbb00d8c7a30b
Opcode Fuzzy Hash: 6338e6501804fd4b6239ebead9c05a9cc0da530d490f788740e931c2ec99a7a1
Instruction Fuzzy Hash: B4414F38A10514CFD714DF65D988E99B7B1FB88315F2580D6E80AAB361DB31ED41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04B3E501 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23cc7f674f67c42113dd0713272230cd92f8bea6bf56c77c809fb896c235ab9
Instruction ID: 3e55133771ad500b68c6376dc2d13725550ef0421b1bcfbb3afb1d3221214661
Opcode Fuzzy Hash: b23cc7f674f67c42113dd0713272230cd92f8bea6bf56c77c809fb896c235ab9
Instruction Fuzzy Hash: 61415038A10514CFD714DF65D984E99B7B1FF88315F2580D6E80AAB361DA31ED42CF20

Uniqueness

Uniqueness Score: -1.00%

Function 04B37657 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5cffa72cd76ce8ce7c0d7eff74baa88b3253a25a8dd583f7cd3ab37f946bca
Instruction ID: 7c61695ce15db462de5320aa51f2e8af92e683ded60b51e370abb4b312c96181
Opcode Fuzzy Hash: ca5cffa72cd76ce8ce7c0d7eff74baa88b3253a25a8dd583f7cd3ab37f946bca
Instruction Fuzzy Hash: 4D31C375600214CFDB00DF2AC9989D9B7B1FF49319B19C4DAD8519B722EB35E946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 04B33F52 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984a393dfba14b1b8cddf1d202c7bb8514f1825253166fc34ca45010053ee4a3
Instruction ID: 6a4d735c2cca2e145ee4b00c1c560bf647458a1b26dda6fe59ff8fa32efcf661
Opcode Fuzzy Hash: 984a393dfba14b1b8cddf1d202c7bb8514f1825253166fc34ca45010053ee4a3
Instruction Fuzzy Hash: 8541E534A11219DFDB04DFA5E888E9DBBB1FF48306F148499E802AB7A1D775E845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B3D0B0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e545c86b78548ba67a67a7cb0485f61e8f53f4aef555395ed66e08cb81e97ba
Instruction ID: 6ca6193d39b87eb1519c5282d17aaffd1d4a115908b0315da91f75b37161db9a
Opcode Fuzzy Hash: 1e545c86b78548ba67a67a7cb0485f61e8f53f4aef555395ed66e08cb81e97ba
Instruction Fuzzy Hash: 45216D31300A108FC315DF2AE884A96B7F9EF85721B0548AAE55ECB761DB35FC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0523F050 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b50f4d2d0953f33cc0193cbb0fcc264b723abaf20a57ac4fb45f96bc09878f5
Instruction ID: 6259bf21be0f1359e1e53126324a5caeb62f35b8e8e70d693ff27add2e453213
Opcode Fuzzy Hash: 0b50f4d2d0953f33cc0193cbb0fcc264b723abaf20a57ac4fb45f96bc09878f5
Instruction Fuzzy Hash: E7319E75F1011A8FDF05DFA8D5818EEBBF6BF8C210B058499E905BB321DA71AD058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B3CDA0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f940a150c8cae9785cdda0f8506b63e44d7303070c95346ed4afec67068873d8
Instruction ID: 22975c05bea147b9b4d727bdc013ff234ccd85927de97d22385a87d306145148
Opcode Fuzzy Hash: f940a150c8cae9785cdda0f8506b63e44d7303070c95346ed4afec67068873d8
Instruction Fuzzy Hash: C7313739B006059FCB04DF75D895C6ABB72FF89225B148499E906CB362DB35FC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0523F658 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65f53090a7f2f8f35de610c0ab596fb23a440528011553a555918f9ddc88569
Instruction ID: 875fe7f33348f8234eb12196cca515f089e1f7ac29d261ab86f5d1e0daff1b51
Opcode Fuzzy Hash: c65f53090a7f2f8f35de610c0ab596fb23a440528011553a555918f9ddc88569
Instruction Fuzzy Hash: B43181B5E002168FCB14DF68D5419AEBBB2FF88314B144569D419AB361E771ED06CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0523E248 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851ac596a077274aa64262bd51e9a280607c36ebb0b863bbd4144c358eae9b18
Instruction ID: 8958bcd2f1c0d437af8dcb1e481c5d3de9c0fb41a6f04e1d75a0f190fdf752a6
Opcode Fuzzy Hash: 851ac596a077274aa64262bd51e9a280607c36ebb0b863bbd4144c358eae9b18
Instruction Fuzzy Hash: F02117B5B002199FCB10DBA9D844AAEFBF5FF88220B008525E919A7310D734AD54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0109D644 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.524547236.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_109d000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894a2ecce547e1b7fccd928c636bd1bb8cbfd81e437ba58d0fafc5d1d80ccc9b
Instruction ID: ecf91ae637f8634ae5a9667558bd4b614620e69ced954964fe86881ed4158dd4
Opcode Fuzzy Hash: 894a2ecce547e1b7fccd928c636bd1bb8cbfd81e437ba58d0fafc5d1d80ccc9b
Instruction Fuzzy Hash: 95214576544240EFCF01CF54D9D0B1ABFA1FB88328F2485A9E8890B606C336D856EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0109D558 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.524547236.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_109d000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a18c2eda8663ed7376e9b0193b8c52891b29d858968e76e753d840d05b33f9c
Instruction ID: 6418554a69a169a38d6c7d2705b331caa9d53c061ad58e7d55ea14a8d97a1d3f
Opcode Fuzzy Hash: 5a18c2eda8663ed7376e9b0193b8c52891b29d858968e76e753d840d05b33f9c
Instruction Fuzzy Hash: 2D213771544240EFDF05DF58D9D0B1ABFA5FB88328F2485ADE84A0B606C336D856D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 04B376A0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f533f14768cb3614a961f3d8b0656143534e722861061a4d66df6ec99d40c837
Instruction ID: 433af233dc1caa5d9a64f1b3f91e10ee564af7ac2c89359dea955e0a98275ee7
Opcode Fuzzy Hash: f533f14768cb3614a961f3d8b0656143534e722861061a4d66df6ec99d40c837
Instruction Fuzzy Hash: 4E31F874A002198FCB04DF66C9849AEBBF1FF88315B1585A9E809AB311E734ED05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0523E237 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5ac4dd1b0391d185d33ab9422953e5535b457ca6383da3ebe3acbce2787c52
Instruction ID: 0713a5cc249dc3cd2e30f5d177930b275666da685c67257b0d6bd1eec5992cc5
Opcode Fuzzy Hash: bf5ac4dd1b0391d185d33ab9422953e5535b457ca6383da3ebe3acbce2787c52
Instruction Fuzzy Hash: 00216BB4B002199FCB10DF64C855AAEFBF5FF88210F008569E849A7311D7349D55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B33E50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb1e9f409132cdef51d453cff0bbd4794ad9c5cf3e4c3d55c7e8ef5ffb7a975
Instruction ID: 2af9a3606a335d1bafa8bc8f434b89d54c2034833f3863386c40edfef0e170cb
Opcode Fuzzy Hash: cbb1e9f409132cdef51d453cff0bbd4794ad9c5cf3e4c3d55c7e8ef5ffb7a975
Instruction Fuzzy Hash: F521C170901298AFDB15CFA6D444BDEBFF1AF45314F0815ADE841AB252DB705985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B34760 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cb839626d24e783a240509ab7bd8937cc22f61df4e050f013c12045f585c77
Instruction ID: d2c56b2808b3120236cfef30dd5685f83a53c04676dda76791f1202fcb3f5157
Opcode Fuzzy Hash: f9cb839626d24e783a240509ab7bd8937cc22f61df4e050f013c12045f585c77
Instruction Fuzzy Hash: 0F213535A00149DFCB04DFA9E549BEDBBF1EB48312F1480A9D905B7290DB71AE45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0523F031 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e52d4772b40ed7192262e8181388bcceb36ab9bd17e96acec4574586856b564
Instruction ID: 057f04d1378cf0e495bbaf8b5b6b277ae321ebe0f51aab2b6589ed6653db36e9
Opcode Fuzzy Hash: 4e52d4772b40ed7192262e8181388bcceb36ab9bd17e96acec4574586856b564
Instruction Fuzzy Hash: 51213876A101098FDF01DFA8D4828EDBBF6FF88214B158555E909AB221DB31AC06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B34148 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb1321276fcf5b3fb6ef4f8e3b08f17eca56e3a54e87734d1e12f7e6d88453e
Instruction ID: 12a4cd5c396386f79ea41439ff31beeceb420b1fefda96970fa505c9d723abd3
Opcode Fuzzy Hash: 5fb1321276fcf5b3fb6ef4f8e3b08f17eca56e3a54e87734d1e12f7e6d88453e
Instruction Fuzzy Hash: 99215734A01109AFCB14CFA5D5889EEBBF6EF48315F2481A9E802E7350DB34ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B30839 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e81dcd9d3bd3cc6294726ce01c3ab4ea47eb97630b9407ed5a37d723c2a6ec
Instruction ID: 4569808a5aa26210ca2fd50b862166eefd0ad951f33f5886ee618d5b72880f6a
Opcode Fuzzy Hash: a4e81dcd9d3bd3cc6294726ce01c3ab4ea47eb97630b9407ed5a37d723c2a6ec
Instruction Fuzzy Hash: 3B11D6316006059FD310AB76D8A459BB7A6EFC1608B00C92DD18B8BB61DF30FC0ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04B30F68 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cf0fca1a4df9c7a2adec58bf496504b217099fb80498990599bf5c93c366fb
Instruction ID: bb47ed3eb8521c44cf2ac5768e9ad7a995b38c5b57b757e03a0771e64af9fec8
Opcode Fuzzy Hash: 15cf0fca1a4df9c7a2adec58bf496504b217099fb80498990599bf5c93c366fb
Instruction Fuzzy Hash: 2B11AB313002044BD324AB7ADC90A9B7796FBD4655B048D3EE1458BB90FF70EC06C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0523FB00 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe607dea49011a550cc263601cdf2e919843de5940ce148c9b26b5206c89b706
Instruction ID: 1795b9c4f1bcc9fb5cbade6676f4d2451fbc96eb9707e776f2a2ebaf4a8bc80e
Opcode Fuzzy Hash: fe607dea49011a550cc263601cdf2e919843de5940ce148c9b26b5206c89b706
Instruction Fuzzy Hash: 0A119AB5E20219DFCB10DF98D995AAEBBB6FF4C210F10402AD909AB300D774AD01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04B381C8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf717233479a5ab5e7d1a119060e05281a2ca71a8b31e62fe1b875dbdbe50303
Instruction ID: 14592d8933491cebe1e57de1db300d1fd8b539b4e163a58aca4c4e4c847f5294
Opcode Fuzzy Hash: cf717233479a5ab5e7d1a119060e05281a2ca71a8b31e62fe1b875dbdbe50303
Instruction Fuzzy Hash: A221E435A00204CFDF28EFA0C499BEDBBF1EB88315F144469E8017B380DB746985DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0CB0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e114a51cd4a3d33eb820cba180bb5672d89870cb1c08274c772ac3ee96934c
Instruction ID: cb39ee327fb0c116ba2ed8fe95defb1f4d33dafa345350fcf1254fa4137001a3
Opcode Fuzzy Hash: 97e114a51cd4a3d33eb820cba180bb5672d89870cb1c08274c772ac3ee96934c
Instruction Fuzzy Hash: AC2115B2D006199BCB10CFAAC8447EEFBF4EB48324F15812AD518B7741D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0523FAF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50602b2644fdc8888c835de2d261c07f1b2d4148cdb21d527ed19f0b11dd51e0
Instruction ID: 245689b2f97286bb17f122432ac5b528ac308afe2855fce21e672849a2b01114
Opcode Fuzzy Hash: 50602b2644fdc8888c835de2d261c07f1b2d4148cdb21d527ed19f0b11dd51e0
Instruction Fuzzy Hash: 2F218CB2E10219DFCB04DF98D995AEEBBB5FF4C210F10402AE909A7340D3749940CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04B30848 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9858e0354b2c63f5d865d1d5b71967173af029e9d49ad6ad941321543414dd49
Instruction ID: 882affef2653682fecc4111cbbe67f6a40fc1aa3623c7d13656687a5f96cf326
Opcode Fuzzy Hash: 9858e0354b2c63f5d865d1d5b71967173af029e9d49ad6ad941321543414dd49
Instruction Fuzzy Hash: 541193307002059FD320AB66D89496BB7A6EFC4618B00C92DD19B9BB54EF30FC0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0523E0E8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c7a8cd8a63035b3348b305b5072f33d2a6ce43551e32ed7ef4118f58ff7501
Instruction ID: ec8263490ccdaaa9f43923c778bfda9a41c91be496fd1b27af74208d28a51e3a
Opcode Fuzzy Hash: 77c7a8cd8a63035b3348b305b5072f33d2a6ce43551e32ed7ef4118f58ff7501
Instruction Fuzzy Hash: 431121757202258FCB049B78E8A94AEBBB6FFC82217044559F546D73A2CF70AC02CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0CB8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28722ab51cd428156a44e2e9795ff6c99c1bf21738822822407e1cd06edbdc1
Instruction ID: a4fa84485036ae8269922cb90f4fdcdc2bcb21a3f261908244afb625f8b1fb63
Opcode Fuzzy Hash: d28722ab51cd428156a44e2e9795ff6c99c1bf21738822822407e1cd06edbdc1
Instruction Fuzzy Hash: 3D11F4B1D006599BCB10CFAAC8447EEBBF4AB48324F15812AD918B7740D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0109D63F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.524547236.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_109d000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 8b6d2ff317d7beaaaac44b8a7a74d3db522df46519653d303edadf60fc40c04b
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 1F11E176404280CFCF12CF44D9D4B1ABFB1FB88324F2486A9D8480B616C336D456DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0109D553 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.524547236.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_109d000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 9b2be2ca5d0b9918c8c5e1ede1e78a65244ffa9c37109195f61cd55bebb624c4
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 0011E172404280CFCF12CF44D5C4B16BFB1FB88324F2486A9D8490B616C336D456DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B32ABA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8337a941ce4646ece8196ffc6848157ce5641da928abbd57e6f4e6dcd1b732c
Instruction ID: f802cdcc578193a3a85144ac824146a04ebbd5e0b45f644bec6f16c96d1640c5
Opcode Fuzzy Hash: a8337a941ce4646ece8196ffc6848157ce5641da928abbd57e6f4e6dcd1b732c
Instruction Fuzzy Hash: 2C0149323041436FE3288E6AAC903B63A5BD7C9214F0840FDF695DB746EC18AC035791

Uniqueness

Uniqueness Score: -1.00%

Function 0523E0F8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19da4704db884bce22b4b38d00a8345547179d40d3532df9052cefbde636a047
Instruction ID: 5afe43664d1603cadd7f3f8e092588d390d3c819c33ea1bd845513e72fc37828
Opcode Fuzzy Hash: 19da4704db884bce22b4b38d00a8345547179d40d3532df9052cefbde636a047
Instruction Fuzzy Hash: F41196757102259F8B049B69E4984AEBBF7FFC86213144559F506D73A1CF71AC01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0BD8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9242c825cef775a7e873eb70ff497c61595ea1e4ab1ce59b2c2cfd6440abbd0
Instruction ID: 02702e203bc1ec477124017bd070e3c971f4f900a48d8306a9bbca0b37851482
Opcode Fuzzy Hash: c9242c825cef775a7e873eb70ff497c61595ea1e4ab1ce59b2c2cfd6440abbd0
Instruction Fuzzy Hash: 0401A7227006544B8B24A67A58A11FE7A57DFC1168749867AD59ACF782EF28CC0847B2

Uniqueness

Uniqueness Score: -1.00%

Function 04B370A0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8347f5721394db1b4911a6ac2095107cf61651d8441adcc3404e31c0c8961d
Instruction ID: c045bc8684eedfd8eceba9323127da9c24685aaab048e977e97207d737da48bd
Opcode Fuzzy Hash: 8a8347f5721394db1b4911a6ac2095107cf61651d8441adcc3404e31c0c8961d
Instruction Fuzzy Hash: DA112171A005544BEB289FA9D0267FEBBF2DF88305F1484ADD841AB340EFB94D068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04B37A38 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea6005cb10ddd40b775aeba48dff2960e13999d1ba9e5d46832946e4ba54d48
Instruction ID: cb3d6a9ad119eb0fee1f91cd960ea2cc758fca3b1441c8133038f5066c92755c
Opcode Fuzzy Hash: 6ea6005cb10ddd40b775aeba48dff2960e13999d1ba9e5d46832946e4ba54d48
Instruction Fuzzy Hash: 4701B935300304AFDB109F66DC84F9A77A6EB84715F04C429F6468B690DBB0ED069790

Uniqueness

Uniqueness Score: -1.00%

Function 04B370B0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21eba801eba70b0d2e441819a9ff52c2bc6d229168d52b4f9950a9391cb59f0
Instruction ID: 645d784816ca83bdbc23b30f587e3c80b909fcff5d2fe3d8a4bf5399234037aa
Opcode Fuzzy Hash: e21eba801eba70b0d2e441819a9ff52c2bc6d229168d52b4f9950a9391cb59f0
Instruction Fuzzy Hash: 6D012631A005144BDB189FAAC4157FEBAF6DFC8305F04846DD401BB340EF795D058B91

Uniqueness

Uniqueness Score: -1.00%

Function 04B33DE8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf1885be63cd634bf0464215328fe111c856be396814bcdf018cd70a2c1574f
Instruction ID: d1fb548e7a08d812279ce73119003ca3596e2f650f496ba046df503b86cf08ed
Opcode Fuzzy Hash: fcf1885be63cd634bf0464215328fe111c856be396814bcdf018cd70a2c1574f
Instruction Fuzzy Hash: BAF04932B0425087D335492AA444727B7E6DBC8226F1C5DBDD50783240DB75A80BC3A0

Uniqueness

Uniqueness Score: -1.00%

Function 0109D041 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.524547236.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_109d000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bee9d131d6357de8c1a01fcab85ba327a94c1e20ec0e3ce40000d00a5a3782
Instruction ID: 2861e8d6036902a38582948292074a007f6f600e294346e87e0ea0b6557d9c76
Opcode Fuzzy Hash: c5bee9d131d6357de8c1a01fcab85ba327a94c1e20ec0e3ce40000d00a5a3782
Instruction Fuzzy Hash: 480147710083809AEF204A65CDC4767BFE8EF812A4F08815AFD845B643D3789885D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04B37A30 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f26830c57906f073477d6386d6731d8251ca3568112089fc41df6e165135854
Instruction ID: 17818c809ad5f8ca61934b1230f55d8720e860211cbebf052240441d0e6049bf
Opcode Fuzzy Hash: 8f26830c57906f073477d6386d6731d8251ca3568112089fc41df6e165135854
Instruction Fuzzy Hash: FF01A775300304ABDB149F66D884F9A77A6EF94715F04C92AF54A8B660EBB0ED078790

Uniqueness

Uniqueness Score: -1.00%

Function 0523F950 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587cc198d39a1bbb7c68339767e52704d3909dd853f342dc45a31c309afdb896
Instruction ID: 039233c8e848c922b108084c901fb94f2758713e73c43e62b29eddefd5391351
Opcode Fuzzy Hash: 587cc198d39a1bbb7c68339767e52704d3909dd853f342dc45a31c309afdb896
Instruction Fuzzy Hash: 04F02BB7B0D3D11FC302472868691AB7FB5EF86111B1940ABD445C3253D9284C06C796

Uniqueness

Uniqueness Score: -1.00%

Function 04B31028 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743de41106021b136c01e7a54f97894f0e698c8f31aba7a62ca777d88c2c247f
Instruction ID: daf7d10f16ae64212c044c26e56a120a30fe2e36e862fd2da02b319366f8a9fa
Opcode Fuzzy Hash: 743de41106021b136c01e7a54f97894f0e698c8f31aba7a62ca777d88c2c247f
Instruction Fuzzy Hash: BBF0E0317056601BE31107AA98A45BF7F96DBC9655B154176F745CB340D5119C0347E1

Uniqueness

Uniqueness Score: -1.00%

Function 04B33DD8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518d9616e9257ce9ceba71b0863c23cdb5586477bc0753e48875b013bcff14f1
Instruction ID: 1e427e77d18f7b69f6b7126f43633ff4c23f1dfade08db8ab4fbf6284e4461f6
Opcode Fuzzy Hash: 518d9616e9257ce9ceba71b0863c23cdb5586477bc0753e48875b013bcff14f1
Instruction Fuzzy Hash: B9F04C31B04390D7D7354A7B5448717BBEAEBC9319F1CA9BD984787282EB75A806C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 04B39CE2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f44af192eaf4f0f5d9a539f3f69a0d4f4dc9d46972ef96d8ed344a7a3b1ed7
Instruction ID: 923c1e23de86f82a98e3ede3f11772847facd6d6e78436f5f72fadd9c78e8950
Opcode Fuzzy Hash: d0f44af192eaf4f0f5d9a539f3f69a0d4f4dc9d46972ef96d8ed344a7a3b1ed7
Instruction Fuzzy Hash: 49017870624380CFC3198B39E888A557F70EF43325F080AD6EC964B7B2E634AC55CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04B37858 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f49ef8c28c9032f4fd5d3141fc5089e8899ea162b8c50f163310524d7d99e6
Instruction ID: 7448d435751a5132f36d25ede5908d795bd58690be7f8afd1034826d9bb611b3
Opcode Fuzzy Hash: f2f49ef8c28c9032f4fd5d3141fc5089e8899ea162b8c50f163310524d7d99e6
Instruction Fuzzy Hash: D501D6307042055FCB00EBA4EC5459EBBB5FFC5204F04892EE549A7651EB306D068791

Uniqueness

Uniqueness Score: -1.00%

Function 0523E328 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e1b12cfafe5c850b459085bce2c2da3f821f16604e9fe960a7d5b637a0b71a
Instruction ID: 0e16b099856e0071bca12d6b3bb2747cf5c38d23d26abecdde5a3070a93a34c0
Opcode Fuzzy Hash: 70e1b12cfafe5c850b459085bce2c2da3f821f16604e9fe960a7d5b637a0b71a
Instruction Fuzzy Hash: 19F06235A11219DFCB54DF65D98589FBBF5EF887147108029E90997211D730AA19CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0109D040 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.524547236.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_109d000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aae827beac25e5acd4bdd9f7f193d348f5bf33f9211c0a569db8c91cab5210e
Instruction ID: e9d008bb1ed80a694a8cee78dfb3dfc94c19bcb911f5df941d1a9bced7ce0945
Opcode Fuzzy Hash: 0aae827beac25e5acd4bdd9f7f193d348f5bf33f9211c0a569db8c91cab5210e
Instruction Fuzzy Hash: 02F0AF714042849AEB118A19C884B62FFE8EB813A4F18845AED485B287C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 04B30910 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f71a838c314b61b6ea04e4026ec134a0b558c069bcaa010d51f7764b42f3bf7
Instruction ID: b22e9def782ba5c6786cf71dc43d4ea48d9efdfe94e4cb67c303f79fb607bf5f
Opcode Fuzzy Hash: 2f71a838c314b61b6ea04e4026ec134a0b558c069bcaa010d51f7764b42f3bf7
Instruction Fuzzy Hash: A4F0C8352007406FD3049755C99098B77E6DFC8714B00C86AE28B8BB60DB30FC06C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04B382C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d411c24623ee5df0d18ef986406d76c8caa58cf2ca685f1c8e0b470cdecb8c6
Instruction ID: 167793bdc29740d322ba87d7ebe150c2492e9991defc21c4e029d5d33350bf58
Opcode Fuzzy Hash: 5d411c24623ee5df0d18ef986406d76c8caa58cf2ca685f1c8e0b470cdecb8c6
Instruction Fuzzy Hash: 02F05EB2B0C6114FC74DDA2DA85042A7BE3ABD8201B1AC8ADF888C3355EA319C068759

Uniqueness

Uniqueness Score: -1.00%

Function 04B31D35 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa862c42439273bf79b12e9233e18ff61558d542207e84dfed0a52b9d706643a
Instruction ID: 3683d72351091f4d47c0a6cfd79e4a98d91cee6c23a86d3d0f3d674c93903b49
Opcode Fuzzy Hash: aa862c42439273bf79b12e9233e18ff61558d542207e84dfed0a52b9d706643a
Instruction Fuzzy Hash: 9201F634A01228CFDB24CF59D988BA8B7B6FB04312F1080E5D50AAB251CB31EE85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04B364A1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e611868885d4df51fc3461f05c3065d6534fc85b7fedf42fbb0edb9e7fb71fae
Instruction ID: 937f7ae3a36e3e87273ac059c0d1fc4b7a4da105c3797de4fbcadcc95b06fe19
Opcode Fuzzy Hash: e611868885d4df51fc3461f05c3065d6534fc85b7fedf42fbb0edb9e7fb71fae
Instruction Fuzzy Hash: D6F0E533B100308BD3248F5DE045914B7E9EB88662B0242A7EC06C7310DA60DC0287C0

Uniqueness

Uniqueness Score: -1.00%

Function 04B39D35 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128c726557e0844d442d58e1d8e594d7f3516a77ae7da6dc49d17c807fb00e26
Instruction ID: b4c04068c345556929060932934a1f0b5d8658e00cf0151de10a68ea8b2452ee
Opcode Fuzzy Hash: 128c726557e0844d442d58e1d8e594d7f3516a77ae7da6dc49d17c807fb00e26
Instruction Fuzzy Hash: FEF01D74704B05CBDB20CE36E8457EAB3A1FB44309F104C69D09BC6A50E7B9F845AB41

Uniqueness

Uniqueness Score: -1.00%

Function 04B39D40 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84058b4af6677eae52cf6ff6027650622ec7cdd5fa6611e72095a289a355b8f9
Instruction ID: 395a59c18f95e488f8c92dc929c210aac81ab117ae55cc9af231f42899dcf2a1
Opcode Fuzzy Hash: 84058b4af6677eae52cf6ff6027650622ec7cdd5fa6611e72095a289a355b8f9
Instruction Fuzzy Hash: 77F0B261A0E7C56FEB0386359DA5285BF708F43208B5D08EBC8C9CF493E91A940AD363

Uniqueness

Uniqueness Score: -1.00%

Function 0523F980 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c8a81d2c172fd7fc266736348c00de984121f682f6e3ce34f033fd1e04d1fe
Instruction ID: 872c1798244b803162353da70a04966742d2afe1faa1ddbfae5bf3b3079eb753
Opcode Fuzzy Hash: 74c8a81d2c172fd7fc266736348c00de984121f682f6e3ce34f033fd1e04d1fe
Instruction Fuzzy Hash: 15E04F72B042266B47045A6E798946FB7EEEBC9560710903AE90AE3300EE759C0247E0

Uniqueness

Uniqueness Score: -1.00%

Function 04B31038 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cb7bc1288b5d56e823d35ef092f80042d8ff7edbaf083a57338be47496cc57
Instruction ID: 4f5e11b0a4e0e38568343291c1c851ef6dd77baca91f2862a990562eafb32783
Opcode Fuzzy Hash: a5cb7bc1288b5d56e823d35ef092f80042d8ff7edbaf083a57338be47496cc57
Instruction Fuzzy Hash: B4E0D83630122167D7201BAFAC5497BBA9EEBC8762F444139F749C7340C9225C0297A1

Uniqueness

Uniqueness Score: -1.00%

Function 04B30920 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5b9793d570a57f5962c34888063e7deae37b6672ebbcf63ccacc78df8f4592
Instruction ID: a222347802d55140be09f41dc4e54f1126f38977b02271317f8292ee191b604d
Opcode Fuzzy Hash: 2d5b9793d570a57f5962c34888063e7deae37b6672ebbcf63ccacc78df8f4592
Instruction Fuzzy Hash: 42F089352006049BD314DB95D99499B77A6EFC8710B00C91DE65B87B50DF30FC0687E0

Uniqueness

Uniqueness Score: -1.00%

Function 04B3C228 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f926c337d0c6257fb25506fa23ae555cf4976762fb9ce78defdec575278738
Instruction ID: 7c1b9a0071cec5d898fae943524fe41e7d393381e7d5d9429d40af00752f1964
Opcode Fuzzy Hash: e7f926c337d0c6257fb25506fa23ae555cf4976762fb9ce78defdec575278738
Instruction Fuzzy Hash: E2F065316083155FD724CBE8E0447E67BE8EB84724F00407EE45ED3F81EBB568418790

Uniqueness

Uniqueness Score: -1.00%

Function 04B364B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca80464fda778e1de2c08279821552cbc47183d65e58ca1406505bc35166cea
Instruction ID: 17a57b55f9e73947e6c3e3e8f2a4b5c9d25e0d2ab2ad6bc1a00f8a1f2c811cdc
Opcode Fuzzy Hash: 7ca80464fda778e1de2c08279821552cbc47183d65e58ca1406505bc35166cea
Instruction Fuzzy Hash: 52E04F37B005349F97349FAED448C19B7E9EB8966630642BAE906D7321CB61EC0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 04B3D120 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520cff47ed0e9481e35a02f783dfc5b0f58db8d43ced33a76e9ac5c70676ab80
Instruction ID: f0d0159d3487d62d58b19498cdc8f464125d0e2a7ad5f7a5f943f7abbb340336
Opcode Fuzzy Hash: 520cff47ed0e9481e35a02f783dfc5b0f58db8d43ced33a76e9ac5c70676ab80
Instruction Fuzzy Hash: 54E0E5362409109FC324CF1AE488D56B7BAEF89761B1640AAE91DCB771DA32EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0523E1F9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040967736ff174d00549558eaff7c413ca404b99fa5a3a71b5717aceff158c57
Instruction ID: 40266609077b781ea10bd6d940248096002eb5b8580662516708d27e9b4d6810
Opcode Fuzzy Hash: 040967736ff174d00549558eaff7c413ca404b99fa5a3a71b5717aceff158c57
Instruction Fuzzy Hash: 6DE012713201545BC3148B5CB845A927BEDAF8D214B248059E445C7351DA64DC428B54

Uniqueness

Uniqueness Score: -1.00%

Function 04B32518 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6933231492906f4e902ab849287cc97567179b26e914503804de16efec2db6
Instruction ID: 08435f4bc01b1e52f7b479916c3962e17a03836ff09bc3fd6186a99f3dbc918e
Opcode Fuzzy Hash: 1a6933231492906f4e902ab849287cc97567179b26e914503804de16efec2db6
Instruction Fuzzy Hash: A5E01A357562208FC304DB78E445C557BF8EF4A62431680EAE919CB3B2DA65DC468B80

Uniqueness

Uniqueness Score: -1.00%

Function 04B38098 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2d37592e35d60b00a2cae5fc654d81e8af7f013c549c32178f3e51eb60b0b6
Instruction ID: 63502ad543ee0a87ed2523a674e5ea35ac7d63d316c2ea52300a25d91bb33961
Opcode Fuzzy Hash: 5c2d37592e35d60b00a2cae5fc654d81e8af7f013c549c32178f3e51eb60b0b6
Instruction Fuzzy Hash: 73E092E584E7C0CFC70646B1A5669943F21AA3A200F0B4ACBDCD04F293E9489C268397

Uniqueness

Uniqueness Score: -1.00%

Function 04B3F4BF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd093e27273249a1b92ecb21f4861432f26b0cd356b43c8b054ab9cc8f73aebe
Instruction ID: c7acf210664f5a5d05f5c25ef280bcc338b5d412f31a246065dd0ec584f8c93c
Opcode Fuzzy Hash: cd093e27273249a1b92ecb21f4861432f26b0cd356b43c8b054ab9cc8f73aebe
Instruction Fuzzy Hash: B9F03071D481889FCB80DFB994056AEBFF4AA19101F14819AE958D6241E23446128B91

Uniqueness

Uniqueness Score: -1.00%

Function 04B3D130 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e5460fbb158c004be776f22796a1999d5df85a9fc0b8aa8c3f0ac11160d870
Instruction ID: 3086e36aca630e87c0ca57a47edcb05b9bb969ea43d9195922f4e0b304f847c5
Opcode Fuzzy Hash: 86e5460fbb158c004be776f22796a1999d5df85a9fc0b8aa8c3f0ac11160d870
Instruction Fuzzy Hash: D2E0B6352009109F8314DF1AD888C56B7EAEF8A66271540AAEA09CB371DA31FC41CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0523E0A9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6418923a88d1ee1c16c72c436d8071813329a05d3b569a9ccc3866d1c465f7b
Instruction ID: e0f8d3a520ed281e1a3c93ba1ec5e630ef069697c06fafb462c1af2e8638dfe4
Opcode Fuzzy Hash: d6418923a88d1ee1c16c72c436d8071813329a05d3b569a9ccc3866d1c465f7b
Instruction Fuzzy Hash: CBE086352255508FD318CB18E056BA67BA1EF5D300F1540DDE546CB395CF369C41CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0C71 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f079808ca2201a5f6afc006c919a19a813d04af81adcd8345e680d1e6f54f690
Instruction ID: 21a9a6b3bee2c7edd4f64f9e16fcf19800a00a8a79c64645c23ed7569a7fc809
Opcode Fuzzy Hash: f079808ca2201a5f6afc006c919a19a813d04af81adcd8345e680d1e6f54f690
Instruction Fuzzy Hash: C3E0CD3650425406D3649B68E5853EBBFC09F40224B04C46EC59987734DE15D840C750

Uniqueness

Uniqueness Score: -1.00%

Function 04B31EF6 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f1f669b26a2b345c39cbe1d33e48dd52b805c50ae3cd2fe4a48284fb78b2ee
Instruction ID: 22fb4c75482bfcc254c1133887b61cd98b4b001e50331fa71a63cbfdb895d7e4
Opcode Fuzzy Hash: 54f1f669b26a2b345c39cbe1d33e48dd52b805c50ae3cd2fe4a48284fb78b2ee
Instruction Fuzzy Hash: E8F0C231A01128CFDB60CF49D884BA8B7B2EB44312F01C1E6D509AB251CB31AEC9CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04B3F4D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41041464652b8c64847a1ebd78ad2073441f20bc67b4ceef267bcedd45449d50
Instruction ID: cf986bf50e5f1ffbc3d40221e24dab866ab3c375aa0c0d9678a1c85005b16116
Opcode Fuzzy Hash: 41041464652b8c64847a1ebd78ad2073441f20bc67b4ceef267bcedd45449d50
Instruction Fuzzy Hash: 64E0BF71D0415D9F8B90DFB998016BEBFF8AA19201F1081A6E958D2241E63496519FE1

Uniqueness

Uniqueness Score: -1.00%

Function 04B30981 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc04e645b24015dc5a18b419f501fbc2961973b06ff944c88fb09225005e6ff
Instruction ID: 2558e1fa9670bb9b60c3a59b005d9d5b06f08e486bccaa66d41d4f15692005da
Opcode Fuzzy Hash: 4bc04e645b24015dc5a18b419f501fbc2961973b06ff944c88fb09225005e6ff
Instruction Fuzzy Hash: 9DE02B73A041549FD704DBE894413DE7B65EF45318F0048FFD209CB641EB71255683E4

Uniqueness

Uniqueness Score: -1.00%

Function 00DF02F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e03377324995820ad3960c0ae76027b9aa5b1326901a9e3c6ee929f430e3811
Instruction ID: 9776b6ea109c116da7c3fd4442384c1cb78a2e25c90b1d6691de04584c0ec79e
Opcode Fuzzy Hash: 8e03377324995820ad3960c0ae76027b9aa5b1326901a9e3c6ee929f430e3811
Instruction Fuzzy Hash: 90D0A9307200245BCB08A7B9E0268AE37DA9FCB66478001A9E146DF360DF3EEC004BD6

Uniqueness

Uniqueness Score: -1.00%

Function 04B364F1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b424fcee09ee4e4ce8f3c50964868aecff87e6f999cfb1ea5cd4162c4abfdc7d
Instruction ID: 81d3784f4b5594ea5cf4450a2dc8a5967a0993deff2c719a0c82fd26ad546b5d
Opcode Fuzzy Hash: b424fcee09ee4e4ce8f3c50964868aecff87e6f999cfb1ea5cd4162c4abfdc7d
Instruction Fuzzy Hash: 6BD05EA2E1524867D724CBF495126ADBB958B61205F000AEA9C06C7291FE754E2452C2

Uniqueness

Uniqueness Score: -1.00%

Function 0523EC26 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4371d92e4f20215017c09518f87a3eab5f4e6da2c0067919edbb8788a18e81f1
Instruction ID: 03927fdf5d637e312339de82fe75fba5585456798bf38c4e6b2f5cf36b158f8c
Opcode Fuzzy Hash: 4371d92e4f20215017c09518f87a3eab5f4e6da2c0067919edbb8788a18e81f1
Instruction Fuzzy Hash: 63D05E339100198B8F00DA84E8458EEB735EBC1711B100012D60237551D7302A1E8BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0523E9B1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3531867edd5d21e1b76cad8756fb58ad988a310b1a3a84b677fae595b3aff5b6
Instruction ID: 513a0413048960da8f4ce5f0ba90485408ebcdbf2e7d6039a87737ea7eda0d11
Opcode Fuzzy Hash: 3531867edd5d21e1b76cad8756fb58ad988a310b1a3a84b677fae595b3aff5b6
Instruction Fuzzy Hash: E4D05E339100198BCF00DA84E8458EEB739EBC1311B100012D60237511D7302A1E87A1

Uniqueness

Uniqueness Score: -1.00%

Function 0523EBA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b8a58054f50a6f5dd8c2eb043e425c7d45c75ee43b192c4f922021f8f9da31
Instruction ID: 872bca5974ef6126c456000d655b017ea1dfbe0d8e1cf1769cabd4e8689ce8b5
Opcode Fuzzy Hash: 73b8a58054f50a6f5dd8c2eb043e425c7d45c75ee43b192c4f922021f8f9da31
Instruction Fuzzy Hash: 3DD05E339100198B8F00DB84E8458EFB735EBC1611B104012D60237151D7302A1E8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0523EBF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fae2b29c2a5ef2b3e0fa010529287f64ccf0570a4cd85837d90cb92afd2d948
Instruction ID: d84a26b2539685b1ab50ccb66384ec4f974d076a315cbef446e8b6c879e59817
Opcode Fuzzy Hash: 4fae2b29c2a5ef2b3e0fa010529287f64ccf0570a4cd85837d90cb92afd2d948
Instruction Fuzzy Hash: 49D09E77914019CB8F04DA85E9858EEB735EBD5615B114412E60277551D7302A1ECBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0523EAE2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a6f13ec569baeb0a17bd96efd51659695f9ae70048acfd02921853ac45458a
Instruction ID: aa3d3c2ce9d9773210e8a05e205a45cf218955adcab9c906953237170da22c8d
Opcode Fuzzy Hash: 25a6f13ec569baeb0a17bd96efd51659695f9ae70048acfd02921853ac45458a
Instruction Fuzzy Hash: 46D05E339100198B8F00DA84E8858EEB739EBC1311B100012D60237511D7302A1E87A1

Uniqueness

Uniqueness Score: -1.00%

Function 0523F9C1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6227ae7406943bb2b4d1615676eb5d585b9f9f276cbb0f8cb641e9360de9a88
Instruction ID: 0a77d8c6d0a160b82212fd3f36633273804cfcaa538826154a4ed7e41cb30cc7
Opcode Fuzzy Hash: c6227ae7406943bb2b4d1615676eb5d585b9f9f276cbb0f8cb641e9360de9a88
Instruction Fuzzy Hash: 60D0A75652514B1BCB0127C0B5676313F29EF86020F14D188EA8C01253FD518403C380

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0C80 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520468459.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_df0000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222d38401575c7ff8db8a6fdc6c34b1f9cbdc82b766f7a4824b09c9177662a00
Instruction ID: c6ee1709fe635bfa8eb9175dac778eb85e040d266486de5a3af1e760ddb709fc
Opcode Fuzzy Hash: 222d38401575c7ff8db8a6fdc6c34b1f9cbdc82b766f7a4824b09c9177662a00
Instruction Fuzzy Hash: 13D02230B083480B4330A7AEE40045BBFCD9E82124304C47EC1AE87B00EE61EC008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04B3715F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bbd99064edc59bb6fc70ed9062949c37f288d66652436a17b4ac37586be80c
Instruction ID: 37010fba035440ce78afc354ecf60bda2bfa0c7b6f87df21978de19205ef0a41
Opcode Fuzzy Hash: 73bbd99064edc59bb6fc70ed9062949c37f288d66652436a17b4ac37586be80c
Instruction Fuzzy Hash: 05E012B195454ACFDB149F95D01A3FDBAB09B4834AF208899C002B5240CFBD1D55DF95

Uniqueness

Uniqueness Score: -1.00%

Function 04B36500 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9018288f793e39c70f57bfcd9df1b505ea0f430b749bf3c7bb860749e5ce6411
Instruction ID: fe125a42efdf4bea3343403f6a01e24bfd4adb0d2c966c6db2a7ac0e688a9c42
Opcode Fuzzy Hash: 9018288f793e39c70f57bfcd9df1b505ea0f430b749bf3c7bb860749e5ce6411
Instruction Fuzzy Hash: F8C08071A0024CA74B54DFF099134BE77DDC741204B0045DAD906D7301FE359F0052D1

Uniqueness

Uniqueness Score: -1.00%

Function 04B35F4C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf0bd5f702c0ea463c49a66a6e19a3a1b521a6089edf55a76a24f5f5e015438
Instruction ID: 49fe3a5b65cb7c06805c6c5fc0d59e2ba03a7033edf8aa47452b62aec2234ed7
Opcode Fuzzy Hash: 3bf0bd5f702c0ea463c49a66a6e19a3a1b521a6089edf55a76a24f5f5e015438
Instruction Fuzzy Hash: F7D0927094420AEBEB209F82C8997BEBB70FB00306F144459E002A9190CBB82684DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04B35F30 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd84f2f8abc2ab0a9638ee9a7097384efb23efb246cbf36f90c794b44c3c4f7
Instruction ID: 7166174e5b0d20eddd0838ae6b8f0cbf444c66e690ba7b8a6881cd4ce241b8fe
Opcode Fuzzy Hash: dbd84f2f8abc2ab0a9638ee9a7097384efb23efb246cbf36f90c794b44c3c4f7
Instruction Fuzzy Hash: 15D0C9B094420AEBEF209F81D85D7FEBB70FB04306F104459E102A9190C7B91589CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04B39D28 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa76ed56abbc2048f82ca8f89a6f71267a2071343360d42e11e6f22770c84a39
Instruction ID: 6040c5337e4ce85e33a4987f28ecbb0948cc5a9ce760dfe7414c3ae400892212
Opcode Fuzzy Hash: fa76ed56abbc2048f82ca8f89a6f71267a2071343360d42e11e6f22770c84a39
Instruction Fuzzy Hash: 15B09277B448159BDE159695F8192FCF320EBA8266F5000B2D22A81841E73A1A2B6686

Uniqueness

Uniqueness Score: -1.00%

Function 04B39D1B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5accc2f16f106b4619db01ca3d8cad9d338b37b682717fbbfe62f4f1f1af55e
Instruction ID: d1851d3904be0efa7b2bf6307202a4dd036910bfe3debf2ddb64c969fc36afe7
Opcode Fuzzy Hash: b5accc2f16f106b4619db01ca3d8cad9d338b37b682717fbbfe62f4f1f1af55e
Instruction Fuzzy Hash: EFB09B77B444159BDE155595F8151FCB320DB94167F500072D11A85441D73B16275545

Uniqueness

Uniqueness Score: -1.00%

Function 0523F850 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.543424640.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5230000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d558a3bed439caefb011f3bd17deb3257f6df3e00fd58413b4f03f5ebf081b
Instruction ID: d4932052a3325a9c39ef9dbe7b918a06de09c653150f0a6cb610705ca1d7cb89
Opcode Fuzzy Hash: 45d558a3bed439caefb011f3bd17deb3257f6df3e00fd58413b4f03f5ebf081b
Instruction Fuzzy Hash: A3C09B321141C74DCE01D724F5167DC7F20D78A225F059991D0C855413D6255447CB44

Uniqueness

Uniqueness Score: -1.00%

Function 04B37080 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cd2a74748254b97ec6300c4d633248b8b48c719d670773a4a897d76ae49fe9
Instruction ID: ccf0ffa113be3c6da372d62fef09535644d6ebf8a13695d28df3fc7cdeed76ff
Opcode Fuzzy Hash: 64cd2a74748254b97ec6300c4d633248b8b48c719d670773a4a897d76ae49fe9
Instruction Fuzzy Hash: F5C02B61A4A2829EE3419741B41AB047F3D7B00306F0441CFF41E81891E38104308702

Uniqueness

Uniqueness Score: -1.00%

Function 04B39CD0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb33d10c0c21ad0077b5c7887525fb45c53ab04d5e0f88c87e742e9e97c39f3
Instruction ID: 334e3c56280a9bba47c9270b6a8092a53a7da204ef87e46f4af6154d497e28a2
Opcode Fuzzy Hash: ccb33d10c0c21ad0077b5c7887525fb45c53ab04d5e0f88c87e742e9e97c39f3
Instruction Fuzzy Hash: 36C09238240208CFC200DB5CD488C90B7E8EF49A1931580D8E60D8B332DB23FC42CA80

Uniqueness

Uniqueness Score: -1.00%

Function 04B380D0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6735369989e234930ec7e1f89ef6280cad707dc842535bcb7532f23eaab467
Instruction ID: 1426496952331ba7938a00083790ccd1e708a6bbeb572ae84d7eb690d36fcc27
Opcode Fuzzy Hash: 2e6735369989e234930ec7e1f89ef6280cad707dc842535bcb7532f23eaab467
Instruction Fuzzy Hash: 1EB092750942488BC601A7E8F4068647BADF298604700019AD959033428A283C14C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 04B37090 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.541543403.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b30000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6498f38417ae9a8e9397626f3a0d53e9eb611c9ab05608dc9feed1e8bebf0d9d
Instruction ID: a825d26a3d4fe2d7b40a41b98a34b062ea51670aa3946421c6a611bbe432748e
Opcode Fuzzy Hash: 6498f38417ae9a8e9397626f3a0d53e9eb611c9ab05608dc9feed1e8bebf0d9d
Instruction Fuzzy Hash: 52A0223008830CABC20022C2B80AB0C3B2CE300A22F008000F30E800800A83282000A2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DCwTjs2dTP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DCwTjs2dTP.exe.log

C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat

C:\Users\user\AppData\Roaming\sihost.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
DCwTjs2dTP.exe

Function 01362840 Relevance: 2.7, Strings: 2, Instructions: 151
COMMON

Function 0ABC4E4C Relevance: 1.6, APIs: 1, Instructions: 64
encryptionCOMMON

Function 01364227 Relevance: 1.4, Strings: 1, Instructions: 192
COMMON

Function 0136804F Relevance: 1.4, Strings: 1, Instructions: 166
COMMON

Function 01367C38 Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Function 01367C28 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre