Edit tour

Windows Analysis Report
HDPh51eN5s

Overview

General Information

Sample Name:	HDPh51eN5s (renamed file extension from none to exe)
Analysis ID:	679249
MD5:	1fb5d967f92174e0bbb15262f8cd209f
SHA1:	76fbd5b88154976887b5099c21666ca3be2cd76e
SHA256:	740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024
Tags:	exe
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Sigma detected: Schedule system process

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Yara detected Quasar RAT

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Drops executables to the windows directory (C:\Windows) and starts them

Uses schtasks.exe or at.exe to add and modify task schedules

PE file contains section with special chars

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Contains functionality to detect virtual machines (SGDT)

Classification

Process Tree

System is w10x64

HDPh51eN5s.exe (PID: 4684 cmdline: "C:\Users\user\Desktop\HDPh51eN5s.exe" MD5: 1FB5D967F92174E0BBB15262F8CD209F)

schtasks.exe (PID: 2916 cmdline: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Users\user\Desktop\HDPh51eN5s.exe" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MpCmdRun.exe (PID: 4276 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RuntimeBroker.exe (PID: 5824 cmdline: C:\Windows\system32\Windows\RuntimeBroker.exe MD5: 1FB5D967F92174E0BBB15262F8CD209F)

schtasks.exe (PID: 6276 cmdline: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

HDPh51eN5s.exe (PID: 6020 cmdline: C:\Users\user\Desktop\HDPh51eN5s.exe MD5: 1FB5D967F92174E0BBB15262F8CD209F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.401638486.0000000012E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.277374012.00000000134FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000003.251870111.000000001584C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000003.289424719.0000000015501000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x41b939:$x1: Quasar.Common.Messages 0x41d00b:$x1: Quasar.Common.Messages
00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: HDPh51eN5s.exe PID: 4684	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 5824	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: HDPh51eN5s.exe PID: 6020	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x41b939:$x1: Quasar.Common.Messages 0x41d00b:$x1: Quasar.Common.Messages
0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.HDPh51eN5s.exe.1c3e0000.3.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x419d39:$x1: Quasar.Common.Messages 0x41b40b:$x1: Quasar.Common.Messages
0.2.HDPh51eN5s.exe.1c3e0000.3.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\system32\Windows\RuntimeBroker.exe, ParentImage: C:\Windows\System32\Windows\RuntimeBroker.exe, ParentProcessId: 5824, ParentProcessName: RuntimeBroker.exe, ProcessCommandLine: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f, ProcessId: 6276, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: HDPh51eN5s.exe	Virustotal: Detection: 35%	Perma Link
Source: HDPh51eN5s.exe	Metadefender: Detection: 31%	Perma Link
Source: HDPh51eN5s.exe	ReversingLabs: Detection: 76%

Multi AV Scanner detection for dropped file

Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Virustotal: Detection: 35%	Perma Link
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Metadefender: Detection: 31%	Perma Link
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	ReversingLabs: Detection: 76%

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401638486.0000000012E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.277374012.00000000134FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.251870111.000000001584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.289424719.0000000015501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HDPh51eN5s.exe PID: 4684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HDPh51eN5s.exe PID: 6020, type: MEMORYSTR

Machine Learning detection for sample

Source: HDPh51eN5s.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Windows\System32\Windows\RuntimeBroker.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

Unpacked PE file: 0.2.HDPh51eN5s.exe.ac0000.0.unpack

Source: HDPh51eN5s.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HDPh51eN5s.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 82.211.246.53 ports 1,2,3,8,9,28391

Source: Joe Sandbox View

ASN Name: DK-DANSKKABELTVDK DK-DANSKKABELTVDK

Source: global traffic

TCP traffic: 192.168.2.3:49775 -> 82.211.246.53:28391

Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53
Source: unknown	TCP traffic detected without corresponding DNS query: 82.211.246.53

Source: HDPh51eN5s.exe, 00000007.00000002.388973873.0000000001084000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.michv
Source: HDPh51eN5s.exe, 00000000.00000002.270816823.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.512755863.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401638486.0000000012E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.277374012.00000000134FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.251870111.000000001584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.289424719.0000000015501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HDPh51eN5s.exe PID: 4684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HDPh51eN5s.exe PID: 6020, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth

PE file contains section with special chars

Source: HDPh51eN5s.exe	Static PE information: section name: 5+VE3vdj
Source: RuntimeBroker.exe.0.dr	Static PE information: section name: 5+VE3vdj

Source: HDPh51eN5s.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

File created: C:\Windows\system32\Windows

Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Code function: 0_2_00007FFC014004E0	0_2_00007FFC014004E0
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Code function: 0_2_00007FFC0140A4D0	0_2_00007FFC0140A4D0
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC013F04E0	6_2_00007FFC013F04E0
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC013FA4D0	6_2_00007FFC013FA4D0
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC0166F374	6_2_00007FFC0166F374
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Code function: 7_2_00007FFC013F04E0	7_2_00007FFC013F04E0
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Code function: 7_2_00007FFC013FA4D0	7_2_00007FFC013FA4D0

Source: HDPh51eN5s.exe, 00000000.00000002.269916650.000000000158A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HDPh51eN5s.exe
Source: HDPh51eN5s.exe, 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename> vs HDPh51eN5s.exe
Source: HDPh51eN5s.exe, 00000000.00000000.236203752.000000000109A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename> vs HDPh51eN5s.exe
Source: HDPh51eN5s.exe, 00000000.00000003.262680605.000000001CEBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename> vs HDPh51eN5s.exe
Source: HDPh51eN5s.exe, 00000007.00000002.388656963.000000000102A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HDPh51eN5s.exe
Source: HDPh51eN5s.exe	Binary or memory string: OriginalFilename> vs HDPh51eN5s.exe

Source: HDPh51eN5s.exe	Virustotal: Detection: 35%
Source: HDPh51eN5s.exe	Metadefender: Detection: 31%
Source: HDPh51eN5s.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

File read: C:\Users\user\Desktop\HDPh51eN5s.exe

Jump to behavior

Source: HDPh51eN5s.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HDPh51eN5s.exe "C:\Users\user\Desktop\HDPh51eN5s.exe"
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Users\user\Desktop\HDPh51eN5s.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process created: C:\Windows\System32\Windows\RuntimeBroker.exe C:\Windows\system32\Windows\RuntimeBroker.exe
Source: unknown	Process created: C:\Users\user\Desktop\HDPh51eN5s.exe C:\Users\user\Desktop\HDPh51eN5s.exe
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Users\user\Desktop\HDPh51eN5s.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process created: C:\Windows\System32\Windows\RuntimeBroker.exe C:\Windows\system32\Windows\RuntimeBroker.exe	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HDPh51eN5s.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/3@0/1

Source: HDPh51eN5s.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1320:120:WilError_01
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\a65c20d9-cf82-4bb4-8f7e-e90aff87b9b5

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: HDPh51eN5s.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: HDPh51eN5s.exe

Static file information: File size 6171136 > 1048576

Source: HDPh51eN5s.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HDPh51eN5s.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5d7000

Source: HDPh51eN5s.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

Unpacked PE file: 0.2.HDPh51eN5s.exe.ac0000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

Unpacked PE file: 0.2.HDPh51eN5s.exe.ac0000.0.unpack .text:ER;.rsrc:R;.reloc:R;5+VE3vdj:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;Unknown_Section3:R;

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Code function: 0_2_00007FFC0140DA4C push E9D18B44h; iretd	0_2_00007FFC0140DA61
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC013FDA4C push E9D18B44h; iretd	6_2_00007FFC013FDA61
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC01670CF4 push edi; iretd	6_2_00007FFC01670461
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC016672B8 push ebx; iretd	6_2_00007FFC0166731A
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC016676A3 push ebx; retf	6_2_00007FFC0166771A
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC0166AF68 push eax; ret	6_2_00007FFC0166AF8C
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Code function: 6_2_00007FFC01667F17 push ebx; ret	6_2_00007FFC01667F1A
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Code function: 7_2_00007FFC013FDA4C push E9D18B44h; iretd	7_2_00007FFC013FDA61

Source: HDPh51eN5s.exe	Static PE information: section name: 5+VE3vdj
Source: RuntimeBroker.exe.0.dr	Static PE information: section name: 5+VE3vdj

Source: RuntimeBroker.exe.0.dr	Static PE information: real checksum: 0xd85ebfc0 should be: 0x5ed5e4
Source: HDPh51eN5s.exe	Static PE information: real checksum: 0xd85ebfc0 should be: 0x5ed5e4

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

Executable created and started: C:\Windows\system32\Windows\RuntimeBroker.exe

Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

File created: C:\Windows\System32\Windows\RuntimeBroker.exe

Jump to dropped file

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

File created: C:\Windows\System32\Windows\RuntimeBroker.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Users\user\Desktop\HDPh51eN5s.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	File opened: C:\Users\user\Desktop\HDPh51eN5s.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	File opened: C:\Windows\system32\Windows\RuntimeBroker.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	File opened: C:\Windows\system32\Windows\RuntimeBroker.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe TID: 5276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe TID: 1104	Thread sleep time: -126000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe TID: 5300	Thread sleep time: -108000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe TID: 3516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\Windows\RuntimeBroker.exe

Code function: 6_2_00007FFC01472259 sgdt fword ptr [eax]

6_2_00007FFC01472259

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RuntimeBroker.exe, 00000006.00000002.542101257.000000001DE04000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Users\user\Desktop\HDPh51eN5s.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Process created: C:\Windows\System32\Windows\RuntimeBroker.exe C:\Windows\system32\Windows\RuntimeBroker.exe	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Queries volume information: C:\Users\user\Desktop\HDPh51eN5s.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Queries volume information: C:\Windows\System32\Windows\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Windows\RuntimeBroker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HDPh51eN5s.exe	Queries volume information: C:\Users\user\Desktop\HDPh51eN5s.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HDPh51eN5s.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401638486.0000000012E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.277374012.00000000134FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.251870111.000000001584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.289424719.0000000015501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HDPh51eN5s.exe PID: 4684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HDPh51eN5s.exe PID: 6020, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401638486.0000000012E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.277374012.00000000134FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.251870111.000000001584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.289424719.0000000015501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HDPh51eN5s.exe PID: 4684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HDPh51eN5s.exe PID: 6020, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	121 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HDPh51eN5s.exe	36%	Virustotal		Browse
HDPh51eN5s.exe	31%	Metadefender		Browse
HDPh51eN5s.exe	77%	ReversingLabs	ByteCode-MSIL.Trojan.Perseus
HDPh51eN5s.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\System32\Windows\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Windows\System32\Windows\RuntimeBroker.exe	36%	Virustotal		Browse
C:\Windows\System32\Windows\RuntimeBroker.exe	31%	Metadefender		Browse
C:\Windows\System32\Windows\RuntimeBroker.exe	77%	ReversingLabs	ByteCode-MSIL.Trojan.Perseus

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.HDPh51eN5s.exe.ac0000.0.unpack	100%	Avira	HEUR/AGEN.1230577		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://go.michv	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.michv	HDPh51eN5s.exe, 00000007.00000002.388973873.0000000001084000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HDPh51eN5s.exe, 00000000.00000002.270816823.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.512755863.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.211.246.53	unknown	Denmark		15516	DK-DANSKKABELTVDK	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679249
Start date and time: 05/08/202213:13:10	2022-08-05 13:13:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	HDPh51eN5s (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/3@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 63% Number of executed functions: 85 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:14:22	Task Scheduler	Run new task: Google Update path: C:\Users\user\Desktop\HDPh51eN5s.exe
13:15:43	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DK-DANSKKABELTVDK	J3EShDEvwS	Get hash	malicious	Browse	217.20.62.237
	zovEUCpLad.dll	Get hash	malicious	Browse	87.73.61.22
	ghzxG4NHDZ.dll	Get hash	malicious	Browse	87.72.233.179
	M79quhE4YN.dll	Get hash	malicious	Browse	91.100.155.57
	39u0NEOL4v.dll	Get hash	malicious	Browse	87.72.136.180
	JVjvJDcyo7.dll	Get hash	malicious	Browse	91.100.68.73
	5KuDatpUtO.dll	Get hash	malicious	Browse	77.75.160.171
	hgsEnEfQVm.dll	Get hash	malicious	Browse	91.100.19.94
	ZG9zsh4	Get hash	malicious	Browse	91.100.152.103
	xd.arm7	Get hash	malicious	Browse	87.73.56.1
	KKveTTgaAAsecNNaaaa.x86	Get hash	malicious	Browse	82.147.238.32
	pKmNve3v89	Get hash	malicious	Browse	87.73.58.171
	fBPLxnorxK	Get hash	malicious	Browse	87.73.213.248
	MUcexAnMNj	Get hash	malicious	Browse	87.73.107.6
	2BEzrbbnqq	Get hash	malicious	Browse	82.147.226.16
	o88QFFDJnt	Get hash	malicious	Browse	87.73.118.92
	PriP1DsKsx	Get hash	malicious	Browse	81.161.130.26
	qK1I45UjfZ	Get hash	malicious	Browse	91.100.152.112
	ZhtkM8Dmjw	Get hash	malicious	Browse	91.100.152.117
	mQJnLaOZI1	Get hash	malicious	Browse	91.100.152.109

Process:	C:\Users\user\Desktop\HDPh51eN5s.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.1654798503046924
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zw+b:j+s+v+b+P+m+0+Q+q+3+b
MD5:	2633F0F310DC0DDE5E42973AFEAF7F89
SHA1:	53FDDBA449DF28F68130EB11AF56BB3EE7300FF4
SHA-256:	8DE4072D371AD5704889A0539F005D9587226DB4686EF0C774266BB1754A1E85
SHA-512:	62B3F96C6C3308AA0232DC1F53BD8415934E0EB525223DBC8AAC86FAEB6953DF65E59501A274FA3169914E56855C7C90016D26CEDE2AAE90E50567A271EA5807
Malicious:	false
Reputation:	low
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\System32\Windows\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\HDPh51eN5s.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6171136
Entropy (8bit):	6.610162822007531
Encrypted:	false
SSDEEP:	98304:5Po4eyejblyJFeBLgYcNBUsBtzOevoMlda05+8pbVTnVp8DW1db7LAm0xVHzd6Wy:640sHwwakZpX1aYGHMaBq9DR5y03HQiB
MD5:	1FB5D967F92174E0BBB15262F8CD209F
SHA1:	76FBD5B88154976887B5099C21666CA3BE2CD76E
SHA-256:	740634ECEDD318AC8F84C360F5D253FF836C5E60DA6542C65A140B17B4BA8024
SHA-512:	A0FF48D7E219C71828D0CBDE56F59AF7326DFF4DA021789CEFC68D1EA90EA467EB98B7418070A3007A63F58AD5987DC9EFFE79BC143A33C5ECBE1A963A708EA9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 36%, Browse Antivirus: Metadefender, Detection: 31%, Browse Antivirus: ReversingLabs, Detection: 77%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..b.................p].........n.].. ........@.. ........................^.......^...@...................................].S.....].......................]...................................................... ............... ..H............text...tn].. ...p]................. ..`.rsrc.........]......t].............@..@.reloc........].......].............@..B5+VE3vdj(.....].......].............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.610162822007531
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HDPh51eN5s.exe
File size:	6171136
MD5:	1fb5d967f92174e0bbb15262f8cd209f
SHA1:	76fbd5b88154976887b5099c21666ca3be2cd76e
SHA256:	740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024
SHA512:	a0ff48d7e219c71828d0cbde56f59af7326dff4da021789cefc68d1ea90ea467eb98b7418070a3007a63f58ad5987dc9effe79bc143a33c5ecbe1a963a708ea9
SSDEEP:	98304:5Po4eyejblyJFeBLgYcNBUsBtzOevoMlda05+8pbVTnVp8DW1db7LAm0xVHzd6Wy:640sHwwakZpX1aYGHMaBq9DR5y03HQiB
TLSH:	F15612A2A5449898FEFA0230F0E57B2CC3F53783B5ED686E0ECD194511A5A88FD3558F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..b.................p].........n.].. ........@.. ........................^.......^...@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x9d8e6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E1125A [Wed Jul 27 10:24:26 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d8e18	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5da000	0xc00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5dc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5d6e74	0x5d7000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5da000	0xc00	0xc00	False	0.3567708333333333	data	5.263389654594389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5dc000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
5+VE3vdj	0x5de000	0xa728	0xa800	False	0.8907412574404762	data	7.584538152941798	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x5da0a0	0x2e4	data
RT_MANIFEST	0x5da384	0x6d7	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 13:15:12.682216883 CEST	49775	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:15:15.745399952 CEST	49775	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:15:21.745737076 CEST	49775	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:15:37.654670000 CEST	49780	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:15:40.669297934 CEST	49780	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:15:46.701088905 CEST	49780	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:16:02.128798962 CEST	49812	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:16:05.140202999 CEST	49812	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:16:11.140929937 CEST	49812	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:16:27.001981974 CEST	49840	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:16:30.079967976 CEST	49840	28391	192.168.2.3	82.211.246.53
Aug 5, 2022 13:16:36.080517054 CEST	49840	28391	192.168.2.3	82.211.246.53

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 5, 2022 13:15:22.296092033 CEST	82.211.246.53	192.168.2.3	8da	(Host unreachable)	Destination Unreachable
Aug 5, 2022 13:15:39.636266947 CEST	82.211.246.53	192.168.2.3	8da	(Host unreachable)	Destination Unreachable
Aug 5, 2022 13:15:42.646208048 CEST	82.211.246.53	192.168.2.3	8da	(Host unreachable)	Destination Unreachable
Aug 5, 2022 13:16:11.306586981 CEST	82.211.246.53	192.168.2.3	8da	(Host unreachable)	Destination Unreachable
Aug 5, 2022 13:16:36.306998014 CEST	82.211.246.53	192.168.2.3	8da	(Host unreachable)	Destination Unreachable

Target ID:	0
Start time:	13:14:05
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\HDPh51eN5s.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HDPh51eN5s.exe"
Imagebase:	0xac0000
File size:	6171136 bytes
MD5 hash:	1FB5D967F92174E0BBB15262F8CD209F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.277374012.00000000134FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000003.251870111.000000001584C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	13:14:20
Start date:	05/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Users\user\Desktop\HDPh51eN5s.exe" /rl HIGHEST /f
Imagebase:	0x7ff744f70000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	13:14:21
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	13:14:21
Start date:	05/08/2022
Path:	C:\Windows\System32\Windows\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Windows\RuntimeBroker.exe
Imagebase:	0x620000
File size:	6171136 bytes
MD5 hash:	1FB5D967F92174E0BBB15262F8CD209F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000003.289424719.0000000015501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, Virustotal, Browse Detection: 31%, Metadefender, Browse Detection: 77%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	7
Start time:	13:14:23
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\HDPh51eN5s.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\HDPh51eN5s.exe
Imagebase:	0x510000
File size:	6171136 bytes
MD5 hash:	1FB5D967F92174E0BBB15262F8CD209F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.401638486.0000000012E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	18
Start time:	13:14:48
Start date:	05/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f
Imagebase:	0x7ff744f70000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	19
Start time:	13:14:48
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	24
Start time:	13:15:42
Start date:	05/08/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7b0320000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	26
Start time:	13:15:42
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFC014004E0 Relevance: 1.5, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]_H, xrefs: 00007FFC01400ACF

Memory Dump Source

Source File: 00000000.00000002.320470568.00007FFC01400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01400000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID: ]_H
API String ID: 0-169817260
Opcode ID: ae26ee737eda86004e2b65916a8677b4413e72ec00c1119e5afea4c189438747
Instruction ID: b68a756d942f8e7f679a348abde95f6ea470c007e70a9ca1a0095e586435a6ed
Opcode Fuzzy Hash: ae26ee737eda86004e2b65916a8677b4413e72ec00c1119e5afea4c189438747
Instruction Fuzzy Hash: C391C071908A5D8FDB95DB68C895BA8B7F1FF59300F0441AAD00DD72A2DE34AD86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01403B83 Relevance: 1.8, APIs: 1, Instructions: 277
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFC01403D91

Memory Dump Source

Source File: 00000000.00000002.320470568.00007FFC01400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01400000_HDPh51eN5s.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 82657ba50d8c3bf3818350a33785453c5c457684a78b7f50f2227d6bd326e020
Instruction ID: 00f78fb23596a0d23a0548588f82bd2f1b989cc3f2a427b0328889e4cf51b330
Opcode Fuzzy Hash: 82657ba50d8c3bf3818350a33785453c5c457684a78b7f50f2227d6bd326e020
Instruction Fuzzy Hash: 3F919A7280E7C54FD7079BB49C665A47FB0EF17220B0E42DBC0C5CB1A3D668595AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01401CD8 Relevance: 1.7, APIs: 1, Instructions: 156
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFC01401DD1

Memory Dump Source

Source File: 00000000.00000002.320470568.00007FFC01400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01400000_HDPh51eN5s.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bc89507733f570b35b7182a727d44c797a94a0fd0581343ab4ab2ba62c4a6f99
Instruction ID: ec092e67f27acd21dc9d7a21daa4e99bef3edff885df58049b4fa306ade311ad
Opcode Fuzzy Hash: bc89507733f570b35b7182a727d44c797a94a0fd0581343ab4ab2ba62c4a6f99
Instruction Fuzzy Hash: 7741C43094D7888FD70ADB6898456E87FF1EF57321F0442AFD089C71A3DA696846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01480EFD Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320604086.00007FFC01480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01480000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e602589139b49e974f1b73807a51eb1dae96ba76f33f0a6aa78d2a89038a2603
Instruction ID: a2fd1e0d354b68d165f3919151a2e641a66bf511eed1600c892555d76ece3ba4
Opcode Fuzzy Hash: e602589139b49e974f1b73807a51eb1dae96ba76f33f0a6aa78d2a89038a2603
Instruction Fuzzy Hash: 3131E32190DBD94FE75A966858261743FE1EF5B610B0901FFE089CB1E3DD4D6C0AC3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01481FCD Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320604086.00007FFC01480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01480000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8944629b1eb4396723e7005346af4090143e27cdd601e83f54afa004e56dae7
Instruction ID: 9b78d807230ae99af58452a8b6841e69166e56617ab2f861f5755a46fb12febe
Opcode Fuzzy Hash: d8944629b1eb4396723e7005346af4090143e27cdd601e83f54afa004e56dae7
Instruction Fuzzy Hash: 36318BA2A0EBE91FD75782782C291A47FB19F5752070E01EBD588CF1E3D9495C4BC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01480BC0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320604086.00007FFC01480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01480000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8155966376c97c66c549f92718119d1301c68aefb9e8c2d1e798d07cba3141a5
Instruction ID: bf409091a9aac046b73ff16eeaa0f9d8dd2989990db470aca624d2ce21fdc72e
Opcode Fuzzy Hash: 8155966376c97c66c549f92718119d1301c68aefb9e8c2d1e798d07cba3141a5
Instruction Fuzzy Hash: 5D21A121A1CBC94FD756CB6888646247FE1EF56215B0E41FBD488CB1F3EA599806C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01481151 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320604086.00007FFC01480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01480000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ced89f92b0d610545049c94a7a8f45c498661d1cacaa74553bf88dae913296
Instruction ID: 900cf6acab3fd6c68ec3d80fa41ea998ec40cd4d4dcb5dd21e3b67853ec9a8f8
Opcode Fuzzy Hash: 81ced89f92b0d610545049c94a7a8f45c498661d1cacaa74553bf88dae913296
Instruction Fuzzy Hash: 0811F72284E7DA4FE7578B744C664A47FB1AE57A1070E41EBC889CB1A3E50D5C4BC3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01481B4D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320604086.00007FFC01480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01480000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be23cae45fd953ff1de890e188316d269b64be560f082edf4fe79e04ed095bef
Instruction ID: fecfe8093089af3062f1d056b8e6e5f21b789ef704d603543891537e8e9e22f5
Opcode Fuzzy Hash: be23cae45fd953ff1de890e188316d269b64be560f082edf4fe79e04ed095bef
Instruction Fuzzy Hash: 6D11A91290EBC94FD79387781C692A47FE0DF13521B0E02EBC084CB1A3EA0E580BC322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0148091B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.320604086.00007FFC01480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01480000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb62d6df567544055a435bc7033f6645c0fcef7e615814d37ddcc5a834aaac8
Instruction ID: 1ca6178c503f759dc71910bf9de2961571f40c07b232b1430ad6078c9d152d5a
Opcode Fuzzy Hash: 0bb62d6df567544055a435bc7033f6645c0fcef7e615814d37ddcc5a834aaac8
Instruction Fuzzy Hash: C501C03161CB994FE799DB2C9818224BBE1EF56211B0A41FBE04CCB2B3D919CC0AC751

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFC0140A4D0 Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

jtD_, xrefs: 00007FFC014108FE

Memory Dump Source

Source File: 00000000.00000002.320470568.00007FFC01400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc01400000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID: jtD_
API String ID: 0-1239862931
Opcode ID: ac34fde7348d68825b8e3d87dc1e76159e0c3c395530a0e460cd3627c55b0e73
Instruction ID: 3eef01e895b44d865a35f912bf6b81a36e55ed3cca878b4b229257834dce5ef1
Opcode Fuzzy Hash: ac34fde7348d68825b8e3d87dc1e76159e0c3c395530a0e460cd3627c55b0e73
Instruction Fuzzy Hash: 74B1393160C7894FE359DB28D8555B57BE1EF97720B0542BFD086C72A3ED29A803C791

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RuntimeBroker.exePID: 5824, Parent PID: 4684COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFC016687FA Relevance: 2.6, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6_^, xrefs: 00007FFC016687FA
6_^, xrefs: 00007FFC016688D2

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 6_^$6_^
API String ID: 0-513604096
Opcode ID: 2dfc2da7011508c992184f9c410a226e64ec830cbc97a3dcf3f9f2570d00acfe
Instruction ID: f1051f80493e4a882852ab56a942c92d72a14f5d98f90bc846df0efe0c1193bc
Opcode Fuzzy Hash: 2dfc2da7011508c992184f9c410a226e64ec830cbc97a3dcf3f9f2570d00acfe
Instruction Fuzzy Hash: A2412BA391C65A8BF754E72D6C950E1B3D5FF7031870A027AD21CCB683FA19A447CAD2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC016688AA Relevance: 2.6, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6_^, xrefs: 00007FFC016688D2
6_^, xrefs: 00007FFC016688AA

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 6_^$6_^
API String ID: 0-2455902397
Opcode ID: e0271b17d9785e4a4cab052e6d9f6b7e1b7b519df81f0e2b92d8a8ddf73257d5
Instruction ID: 0176c44ba3c7e07d6f469c09d574e7b0e65346299259682e7a78bd22dbaad052
Opcode Fuzzy Hash: e0271b17d9785e4a4cab052e6d9f6b7e1b7b519df81f0e2b92d8a8ddf73257d5
Instruction Fuzzy Hash: 05110A7295CA198BE708F72C5C950E073D1EF743197090179D21CCB293FE2AE987CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC013F3B83 Relevance: 1.8, APIs: 1, Instructions: 277
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFC013F3D91

Memory Dump Source

Source File: 00000006.00000002.543229478.00007FFC013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc013f0000_RuntimeBroker.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7ee259565d93b4fd6ab197f19acb045b4e0d3d3fdebddd307d83eaf6310b4dca
Instruction ID: 332826a493196653b57a3523b6ec273895f7b1f1fb542dba622d91bb68981c17
Opcode Fuzzy Hash: 7ee259565d93b4fd6ab197f19acb045b4e0d3d3fdebddd307d83eaf6310b4dca
Instruction Fuzzy Hash: FE91897280E7C54FD7079B749C665A47FB0EF17220B0E42EBC0C5CB1A3D668595AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC013F1CD8 Relevance: 1.7, APIs: 1, Instructions: 155
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFC013F1DD1

Memory Dump Source

Source File: 00000006.00000002.543229478.00007FFC013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc013f0000_RuntimeBroker.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: aff16ae8c9b516ce821d43f9999b4e060974313dfba61db38e87e396890f8cc8
Instruction ID: 337906a0b811ffbe805a26e1691bb90687157741fbd9ecba313740ea357422bc
Opcode Fuzzy Hash: aff16ae8c9b516ce821d43f9999b4e060974313dfba61db38e87e396890f8cc8
Instruction Fuzzy Hash: 6441D43094D7888FD70ADB6898456E87FF1EF57321F0842AFD089C71A3DB685856CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B03D Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G7_H, xrefs: 00007FFC0166B0D4

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: G7_H
API String ID: 0-1132971188
Opcode ID: 6c0c62f1f05395b8cdbd3f3a2097440f573a97ae9fb4626e4c0a3d1034aa7c0b
Instruction ID: ffbe5beab2ab0a45f84b09ec9e409c6a91c44ed3a464890407b1b41a11c141aa
Opcode Fuzzy Hash: 6c0c62f1f05395b8cdbd3f3a2097440f573a97ae9fb4626e4c0a3d1034aa7c0b
Instruction Fuzzy Hash: 08412721B0C7D9CFEB16937C58652A5BBE5EF86610B0901FBD049CB2E3DD195C06C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01670343 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFC01670361

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: fa8edda329355fd467d20a0c71aa318064d56f031d790d4422d57bca5ee85e47
Instruction ID: 3ea96bad6c6032d65ed6bbd341c5a239b1b1d5c78f77b595c54b2d77d565bfdf
Opcode Fuzzy Hash: fa8edda329355fd467d20a0c71aa318064d56f031d790d4422d57bca5ee85e47
Instruction Fuzzy Hash: 0D31C734A0861ECFFB659B24D8106B9B7E1FF55740F2004BDE409D7296DA35A942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B179 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

, xrefs: 00007FFC0166B17A

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3260bc4a3b71ce3208f27ce763bc38483393be111bbb40f379ec61943cafa63a
Instruction ID: dfa78a9ff7e5fe7fd261c0073296eeb02cb711bdd65b04a54b920add8e24ee3a
Opcode Fuzzy Hash: 3260bc4a3b71ce3208f27ce763bc38483393be111bbb40f379ec61943cafa63a
Instruction Fuzzy Hash: 0B21F155A0D9ADCBE760962888196BDFBD8EF95710F4800B8E04ECB9D3DD1E2807C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01670F03 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

y{0, xrefs: 00007FFC01670F8B

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: y{0
API String ID: 0-3534789396
Opcode ID: bf6927d37177768900df74cf35b6aa208bd3a95e563c730cc85d6346d81b2b89
Instruction ID: 3e8aa1b8b46cafdc73c0b6dd12d8b95223c90cf90f9c0afe1ec9b98f97a219b8
Opcode Fuzzy Hash: bf6927d37177768900df74cf35b6aa208bd3a95e563c730cc85d6346d81b2b89
Instruction Fuzzy Hash: 6E217C30A2855D8FDBA9DB28C8557A9B3F1FF49700F5000ADE08ED3296DA35AD42CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166AAD7 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705d88bbe571cc6c6f23190cd0ef6c51cfd2ad2461080eefeeef78b1ad0a799f
Instruction ID: e65d50dfd078054f5dd5a90c6f8d5007146ff3ff76ea90fc14d511b526c4383b
Opcode Fuzzy Hash: 705d88bbe571cc6c6f23190cd0ef6c51cfd2ad2461080eefeeef78b1ad0a799f
Instruction Fuzzy Hash: F271462294CAAE8FEB56A7685C511F4BBD5EFA2711B0900BAE04DC71D3DD1D6807C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166C23F Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be95e026c905a647d285b13b9180e72fa2f7ef4b4ce1d6f8222e372300a609c
Instruction ID: b1759d73a4fecfd2cad142a853080d5fde328f20d474f3e724f240d6464be661
Opcode Fuzzy Hash: 2be95e026c905a647d285b13b9180e72fa2f7ef4b4ce1d6f8222e372300a609c
Instruction Fuzzy Hash: ED618921A0DA998FE759A628AC41274B7D5EF46B10F1501BEE8CEC71D3EC1D6C07C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166A263 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e73ff73e1f0488fa6ebd424c38ab20ecbb3d13989f0c5868125c44a9733c1d
Instruction ID: 4d271792b60d187879a0f96a1efe392e9effdc490ebf0a338d708341f7311a95
Opcode Fuzzy Hash: 54e73ff73e1f0488fa6ebd424c38ab20ecbb3d13989f0c5868125c44a9733c1d
Instruction Fuzzy Hash: 7651F57190CA9E8FEB56A7B88C151B4BBE1EF52710B0801BBD049D71D3ED2A684BC361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01471FCD Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f2f6b123197b907c185dcca8600b9ac8c106660fece229c608766591987cc4
Instruction ID: 382de75bdcd79e673ce42e6b2e01997a09fd9652c9055bf9a4268e9478124648
Opcode Fuzzy Hash: 60f2f6b123197b907c185dcca8600b9ac8c106660fece229c608766591987cc4
Instruction Fuzzy Hash: F3314892A0EBEA1FD75782782C690A07FB19E5752030E02EBD1C4CB1F3D9495D5AC372

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01470EFD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4726794028ec772ef65d759be1065b07c531030f771d2f5a1e813d72f665f00a
Instruction ID: dcc3c5aa1512155d1e8e46fac53e4fb5a9674dabefe8cae3d1ba107894eb11f6
Opcode Fuzzy Hash: 4726794028ec772ef65d759be1065b07c531030f771d2f5a1e813d72f665f00a
Instruction Fuzzy Hash: 2B31061190EBD91FE35A926818261747FE1EF9B614B1901FFE08DC71A3DC496C17C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01470C61 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0402ebce74b7089abed2621d93c556fc911e98091e0d38ee11f0f3dac52237
Instruction ID: 66ffaa10f4ea451df0f4d8e85b0386e41185cfbd9869c124d9905e7f3c67e80f
Opcode Fuzzy Hash: ae0402ebce74b7089abed2621d93c556fc911e98091e0d38ee11f0f3dac52237
Instruction Fuzzy Hash: 9F31026160EBD94FD78AC77C8824161BFE1EF5B20170A41FBE488CB2B3DA149C06C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B755 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7807831c3d99ff94c9b9f79800976f65f094501166c17ad3c6c51dc28d6d5ea8
Instruction ID: 4dee34f29598ca7a77fab3422412bbd3d08bdef41432b70f81f31d59bfed4374
Opcode Fuzzy Hash: 7807831c3d99ff94c9b9f79800976f65f094501166c17ad3c6c51dc28d6d5ea8
Instruction Fuzzy Hash: 2F31D435A0CA1C8FDB58EE19D8456F973E5EB96711F04423AE44AC7292DE39AC13CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01475882 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5703aa4a6c683f0b151f5d53f7598432d7124a198ff13591f9b5fb3b891411e
Instruction ID: 64050cd794d55adb48bfd957c27802c649b4b5b94f9dd3c5e14ced752284c57e
Opcode Fuzzy Hash: b5703aa4a6c683f0b151f5d53f7598432d7124a198ff13591f9b5fb3b891411e
Instruction Fuzzy Hash: E6217A5294EBD90FE34783B82C65160BFA19F97611B1E01EBC088CF1E3E9499D5AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166A4EC Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8bf361cb6cdca917f3ec358bd2363122c092d5b05d7d66aa3d8f31b04b22eb
Instruction ID: 2936a7cfe07ad31e7cecc6c24c320cedf842e5ef457b356377cedecda1f31255
Opcode Fuzzy Hash: 8e8bf361cb6cdca917f3ec358bd2363122c092d5b05d7d66aa3d8f31b04b22eb
Instruction Fuzzy Hash: E021F831A08A2D8FE755E79948952F9B7D1FF99711F00027AE00EC72D3DD2DA806C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01470BA5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdc8d53da9331e625cef5ce3b3722ebfc7a6602513d0800e14ad4ce914fbd40
Instruction ID: f34602c17c140e591486d1af82af27f2c4902286c871775f7ed82fc7b97a6d5a
Opcode Fuzzy Hash: 1fdc8d53da9331e625cef5ce3b3722ebfc7a6602513d0800e14ad4ce914fbd40
Instruction Fuzzy Hash: 30218E61A0DBC94FD747CB788824224BFE0AF57215B0E41EBD0C8CB5F3EA599906C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC014757DD Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16493906904b4e98fe105da9a718e36b729e71fad1e05058317ce7a27754f442
Instruction ID: a1677e9e60454c14fa315946b65c985dae33e9c74a31c4ad906f1f995219fc1b
Opcode Fuzzy Hash: 16493906904b4e98fe105da9a718e36b729e71fad1e05058317ce7a27754f442
Instruction Fuzzy Hash: AF118252A0E7C80FD34642782C651A47F60DF67515B1A01FBD488CF6A3E80A5D1B8772

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC014755F1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1257c57e4e0e4e51978a29ab882b698fbd13561bacda6fd94f9bd2cf08e8d56b
Instruction ID: 239aea82a71a2e3aed53f960907b79240f1ff38e7018656f1c6b60a34e7d38d8
Opcode Fuzzy Hash: 1257c57e4e0e4e51978a29ab882b698fbd13561bacda6fd94f9bd2cf08e8d56b
Instruction Fuzzy Hash: 9E112E4191E6D90FD74783781C295A1BFA19F57504B4E45FBD08CCF1E3E80A9A0AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166A624 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df599bb84b71742e6b81c4024f416d2e603609de822b746ac60cd77cdc3d79f
Instruction ID: ea51004c0b45b1e39b274eb70ed6cf233299b8359c1b6a4054af420052813da1
Opcode Fuzzy Hash: 5df599bb84b71742e6b81c4024f416d2e603609de822b746ac60cd77cdc3d79f
Instruction Fuzzy Hash: 7C21B03080D6EE8FEB52C7B48C181AA7FF5EF87210B0941E7D445CB1A3DA29594AC761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166A1CB Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ead00ba69b5d6b13e1e4dc085757c2c97ac6d7fddc7ecc14e4fc9235188ed7
Instruction ID: de80ccb0a43fa2f8ad3ed4858ada3ff969a27bdcaebbbd16f8359e3f31ec6b1f
Opcode Fuzzy Hash: f7ead00ba69b5d6b13e1e4dc085757c2c97ac6d7fddc7ecc14e4fc9235188ed7
Instruction Fuzzy Hash: 5F11A22050E7D98FE313A7644C64672BFB9DF82251F0A45FFD04AC71A3D9095849C362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01471151 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4fa8017e8ff56f8ac39894926cee7aa4b78124fc1bb4cc4121b795fadd44f7
Instruction ID: c08c7340b9d88f33c3b8ac603739f6650f15a51cddaa4a084bb4e2491bfd5ac1
Opcode Fuzzy Hash: 6d4fa8017e8ff56f8ac39894926cee7aa4b78124fc1bb4cc4121b795fadd44f7
Instruction Fuzzy Hash: AD11272284E7EA4FE75387745C650A0BFB19E1791030F42E7C485CB5B3E54D6D4AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B770 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc67414ce26040789fc546c16b6f5bd7d604e211cc37ba5f4308c34d2ed1ff9
Instruction ID: c2c5dcee6a542809418768f9ac89ad8a855d49841eedece55162a0584a61fac2
Opcode Fuzzy Hash: bcc67414ce26040789fc546c16b6f5bd7d604e211cc37ba5f4308c34d2ed1ff9
Instruction Fuzzy Hash: A7112671608A0C9FDB58EE19CC456BB73E9E78A311F00422EE45AD3250DE74EC138BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01472ADD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11e07403779448700e70ca698e164e644ca8fbfce8a14fdd11064b907a7aed7
Instruction ID: 217cb82fc93b25916b6a67185ebb60971ef16cee50c720f81b0e8d23a5befdbb
Opcode Fuzzy Hash: e11e07403779448700e70ca698e164e644ca8fbfce8a14fdd11064b907a7aed7
Instruction Fuzzy Hash: 86010C9184E7D60FE7578B781CA60A0BF70EE5750071E05DBC0C4CA4B3E54D696BD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01471B4D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ecce990e97bc7b0cbc0c31acfb5698095e9c7c43b73bdddb01ae8da56c4ac2
Instruction ID: a287378c1e58ffa99a332a84afeca245878f253418da55be72a87c4526c41f52
Opcode Fuzzy Hash: d8ecce990e97bc7b0cbc0c31acfb5698095e9c7c43b73bdddb01ae8da56c4ac2
Instruction Fuzzy Hash: 08018C1290DAD94FD7A387B81C690A07FE1DE5781170D02E7C084CB1A3E91A690BC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B619 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62954666cc8ae66817ad13435a587e67cf16241d36b02d8e44d01445200dabc9
Instruction ID: 9981a1935077ad1781195f999d95c6c5c103e99bf4f91b61a917717cb9a60f52
Opcode Fuzzy Hash: 62954666cc8ae66817ad13435a587e67cf16241d36b02d8e44d01445200dabc9
Instruction Fuzzy Hash: E2113D51A4E7EA8FE75797384864164BFE0EF17510B0A05FBD4C9CB1E3D8199C8B8326

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166EBBC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cecc1f289b5ffc8f28653035aa58d1e251f736d80e6316deaf5573cd025c70
Instruction ID: aaba6afce01135d468d42a20c112b4f050bf44fcae8f486ff8fcef9f3ddb7f5d
Opcode Fuzzy Hash: 95cecc1f289b5ffc8f28653035aa58d1e251f736d80e6316deaf5573cd025c70
Instruction Fuzzy Hash: E901A705A0DEAA4FE79692AC2C551B4ABC5DB55911B0900F7D049C7196DC4E2C47C362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC016706F1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebee505d70ae5373845aad638b6b1712bea948c9c9060d2a5546534533da656
Instruction ID: 31001918f0a5b5ab32c1056c77d3bcbfdcb01ccb2ca01675229f42040f8bbf52
Opcode Fuzzy Hash: aebee505d70ae5373845aad638b6b1712bea948c9c9060d2a5546534533da656
Instruction Fuzzy Hash: 4A118E30918A6ECEEB999B185C517B8B6A1FF19B00F5000F9F40DD62C6DD362E85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166E68D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff52af461ea7ff5b978af1e80ca553c1b18d8c6752e665c271b41f908b8feb1
Instruction ID: 5f48ffd955d23c0d21bf5054dabf4fb537ae8ceeb3df838745c993a71abf5d2f
Opcode Fuzzy Hash: aff52af461ea7ff5b978af1e80ca553c1b18d8c6752e665c271b41f908b8feb1
Instruction Fuzzy Hash: 6B01F92260C66ECFF759E71C78111B8B7C5EB46B20B14427AE44DC72C7FC17684B8295

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166D420 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23dce937176f02db52a787af50e9dbaf60d5d450529a888788622ebb9e4e1f83
Instruction ID: bd47ba04ae36f96a95e737e5bc05a073526e994310ae257163754e540f9fa51f
Opcode Fuzzy Hash: 23dce937176f02db52a787af50e9dbaf60d5d450529a888788622ebb9e4e1f83
Instruction Fuzzy Hash: 5B01C0306186085BE36C9A58D8497A672DAE7C9720F24853EE48EC3296EDB47C038291

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0147091B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a33abda39eacfe7ea40751c086f077c7060a94e7a2c798867dfa85dd3d81d5
Instruction ID: 89d4ed1f76ac2490d10cb722b170c6c759fd419cc0612aaf4520087dac3a288a
Opcode Fuzzy Hash: e7a33abda39eacfe7ea40751c086f077c7060a94e7a2c798867dfa85dd3d81d5
Instruction Fuzzy Hash: 7701847160DBD94FE756D72C5819260BFE1EF5B111B0901FBE088CB2B3D9199C06C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01472E35 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003c20eadf20c1d54d2621757677f3f65b367782b3d333ee0aa3cb5e6971871b
Instruction ID: 84af7c9357ee80bd08813c1e5865c40fb1ed4c5eb71239a393b56356ef7419ef
Opcode Fuzzy Hash: 003c20eadf20c1d54d2621757677f3f65b367782b3d333ee0aa3cb5e6971871b
Instruction Fuzzy Hash: 8201D642B0DFCD0FD346516D3C652607FA4DBAB42571A02F7D488C72A7E8451D4B8362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166A458 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ce3fdc719cb0b6f4654ab37506a733bf4a40c53aba9d58b0f6fd1c1e9bbe7f
Instruction ID: e982b29ab07a54e3a68aaf5140942e1350a943dad6089f4a9c864a7737ec39b1
Opcode Fuzzy Hash: 65ce3fdc719cb0b6f4654ab37506a733bf4a40c53aba9d58b0f6fd1c1e9bbe7f
Instruction Fuzzy Hash: AF01AD3090995ECFEB40DB988C482FEB7E0FF45701F1042B6D409D7292EA796A46C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166CCE1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7077684a0471e0b16ae40f00ce3023206cf477ba682a6525f1b15c8721a6473
Instruction ID: 70593c6186472599d0db67ee572f4f30843779124eb5084fc5ccece4c87349e7
Opcode Fuzzy Hash: d7077684a0471e0b16ae40f00ce3023206cf477ba682a6525f1b15c8721a6473
Instruction Fuzzy Hash: 1001243261C3854FE3699A78A8131B5B7E2EFC3228F0485BED089C7193DD2A68038751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC016662BD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5c7480ef19c03d3661a14d5ab9d3597f8451060d32a0f0e8fd2db373e719b0
Instruction ID: 2770a95693f0630346e46a136b42a796beb6b8e6e7a4238166288bb3e8d93348
Opcode Fuzzy Hash: da5c7480ef19c03d3661a14d5ab9d3597f8451060d32a0f0e8fd2db373e719b0
Instruction Fuzzy Hash: F5012B35A18A298BDF04FB1CD4854E4B3D1EF95325B04447BE04CD72D2DE29E88AC755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B91C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee802fb8d73a137a9ad26278ac6e4226739290eb482403f063e5d9938fb020c
Instruction ID: 81eda5cde5e45d9d6d3adbf364cb2bf6612f27071b7cfd62bfa37b6bd3e114c0
Opcode Fuzzy Hash: 6ee802fb8d73a137a9ad26278ac6e4226739290eb482403f063e5d9938fb020c
Instruction Fuzzy Hash: 9DF03631B1C92ECEEB5AA66D68153FCA2C4EF45A24F000279E45FC21D2DE1AA813C195

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166EF70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905f95c3bb9a52710435f3d2f4f0ac0605b76bae26b11e70ee20221c8467b165
Instruction ID: ed2bcdea8d8e43d35820682c1052cb71629d3137b56010cda02264d27be19bca
Opcode Fuzzy Hash: 905f95c3bb9a52710435f3d2f4f0ac0605b76bae26b11e70ee20221c8467b165
Instruction Fuzzy Hash: F801522580EBDA8FE717977898100A1BFA1DF5761270905FBE089CB1E3D93A6846C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166F0F1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d34099f8b1930b5ccf8e44f5701b92a6928bc52964851eadff8fa79f0b13bfb
Instruction ID: eada9d579c77920f105cda637a0ab16ec38b180957034ee4fcb2bb2d2d180599
Opcode Fuzzy Hash: 8d34099f8b1930b5ccf8e44f5701b92a6928bc52964851eadff8fa79f0b13bfb
Instruction Fuzzy Hash: 8301F232A0C259CFE3159B10D824769B3D6EF96715F0902BAE04ECB2D1CF3DA943C615

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01670D22 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b0c9a1a8bb1ecb8b93c41217300af20ea4a46a8dab8f60bb3a502986734544
Instruction ID: 2a3dbce2a1a2f84fab4eb04bd33421bee9752ccb48cb42d58255061e335a046b
Opcode Fuzzy Hash: 41b0c9a1a8bb1ecb8b93c41217300af20ea4a46a8dab8f60bb3a502986734544
Instruction Fuzzy Hash: 8011A8709187588FCB54DF48C881A9EFBF1FF98710F10865AE489E3214CB30A985CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01670CF4 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2970a4634c70e503510764bb41c1ab63b6bf9827e1a4c858f865414ad38fd851
Instruction ID: ff7655d244d593fb95d554d8cb8089d8b23a92f6342759a96a0b571c2115ffac
Opcode Fuzzy Hash: 2970a4634c70e503510764bb41c1ab63b6bf9827e1a4c858f865414ad38fd851
Instruction Fuzzy Hash: 8401D824A0C65ECFEB55EB684811678B691FF86700F20047DE40DD7287DC369D87CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166BBD5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10907885842dd328a241386921be7f7b5945353ad00faaad3eb6b77902d63fa7
Instruction ID: 5ee1e3c68160ddc9537d0f0b90d7bceb9f191dec31580e21221b193b688c2d57
Opcode Fuzzy Hash: 10907885842dd328a241386921be7f7b5945353ad00faaad3eb6b77902d63fa7
Instruction Fuzzy Hash: DDF0B4B150D21C9FE718AE46DC46AFA77A8FB8A220F00012EE489C2152E5327863C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166C344 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c715c49499550394ad4b7867b55f146c24120a127eb2c25ee2f2e0f5d9a3e0
Instruction ID: 1a97fe5125e0f6ffe48ebae19f5f570e69393e0df634bf4ed0865a7fe8d64a28
Opcode Fuzzy Hash: 46c715c49499550394ad4b7867b55f146c24120a127eb2c25ee2f2e0f5d9a3e0
Instruction Fuzzy Hash: 0DF0E23274C62D4EF718E658BC415F8B3C6DB81730F04827BE48EC2196EC2BA9478189

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166CD9C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3639c7b401bacfbfe3cd1fecafee71918e00c260aae19e302e39e6a4d709e758
Instruction ID: 00afb3f5602306747ea231d735db56b7318b8df0e04f023cd5730f5db54af87e
Opcode Fuzzy Hash: 3639c7b401bacfbfe3cd1fecafee71918e00c260aae19e302e39e6a4d709e758
Instruction Fuzzy Hash: 2C014B7061C7858BD369DB288896365BBE5FB89745F04047EF4CEC3292CE356C42CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B20A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389ca91c876c2c8e726e7aac9099c4c65c791f9aa6d411e11d2ea5860e3989c8
Instruction ID: 3160dd9742b2d2b39f257bdf52c666b6ac254b317c00fa9b54541221909fe2d4
Opcode Fuzzy Hash: 389ca91c876c2c8e726e7aac9099c4c65c791f9aa6d411e11d2ea5860e3989c8
Instruction Fuzzy Hash: 10F04F51F08829CFE798961884597BCA7D5EB98711F040176E00EC7296DC1A6C438761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B650 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd62943eacea679082521e56318332c2c5cd9e7e8e599712b37457397899699
Instruction ID: 8a2c45e9bc43d7ffb7119ce164b426b7c60704db309cc34779019fab3e2268d8
Opcode Fuzzy Hash: 0fd62943eacea679082521e56318332c2c5cd9e7e8e599712b37457397899699
Instruction Fuzzy Hash: 69F02E20B1869E4BE755A63C5404274B6C5FF45615F1505BDD889C71E2DD25CCC38355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B8DC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750ed46ac290d335c773d93b70fa0e9baa10f214c73979fe49afc7ef1e56b1ce
Instruction ID: 91af331dbcd619c79a9794770e24f32d2e0b00ee4c5fe9ba4d12183e715639d4
Opcode Fuzzy Hash: 750ed46ac290d335c773d93b70fa0e9baa10f214c73979fe49afc7ef1e56b1ce
Instruction Fuzzy Hash: E9F09630A5C92ECBE759EA1CC8506BCB2D5FB56701F200339E04BC32D1DD79A843C644

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166D89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dbd1b0b915b6c96c34c3bdcf2651724d3d504ca63be06ed5c07a2fa17dac4e
Instruction ID: 9e97f2a453d633465987ed23c88d455f529df13c7790160d4bfcae1b8e94ca03
Opcode Fuzzy Hash: 57dbd1b0b915b6c96c34c3bdcf2651724d3d504ca63be06ed5c07a2fa17dac4e
Instruction Fuzzy Hash: F6F05460B197198FE794E6684845279A3C6DFD9B40F148439E48EC72D3DD3ABC07C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166F889 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa93103113b6053612b4d3ee07e39ddf78584e4370f5b4ca7a1a38e624db325
Instruction ID: 6311dc75a96494c1a3ed33364d3d13a32f553c37cbd8f8b421a9610287e0cfc0
Opcode Fuzzy Hash: faa93103113b6053612b4d3ee07e39ddf78584e4370f5b4ca7a1a38e624db325
Instruction Fuzzy Hash: BEF0963070861DCFE798EB18D8547A9B3E6FB94701F2081B8D00ED3295DE34E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B515 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0e89a2ff55ec61e0474d7ca1a45b62f2df30618f84ab1587b435e48f75ec8a
Instruction ID: 2137ffea65a053e27e57a71e607051464d7a9f03908d7f6c1cb6b8a82ed3075c
Opcode Fuzzy Hash: 6d0e89a2ff55ec61e0474d7ca1a45b62f2df30618f84ab1587b435e48f75ec8a
Instruction Fuzzy Hash: A0E09B3174E7948FCB19EA2988594547FD0EF6A70534942FEC045CB693DA2ADC46C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166FF5E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f719355e7ebf77e23c89d9e5add853cb7a6f26ead75d6e45bf147a61a37f0c63
Instruction ID: 2f0c4c0bfc5f1810183a4600263dc8f6b5a8771c7b67d1328745eebc1e88c285
Opcode Fuzzy Hash: f719355e7ebf77e23c89d9e5add853cb7a6f26ead75d6e45bf147a61a37f0c63
Instruction Fuzzy Hash: 29F0B460A0C55DCFEB51D768D81476DB7A1EF46300F1000BAD409D72E2CA346802CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166C066 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8d1ca5f150b013ea6b4cabdcaf7d0061e01a57e327bf59a6e55f8b86e1fe98
Instruction ID: b94c0e33e1f0f3c1d39adc1b5f50c0b648e6e29b296fc7bcbd7caaafd805e236
Opcode Fuzzy Hash: 7d8d1ca5f150b013ea6b4cabdcaf7d0061e01a57e327bf59a6e55f8b86e1fe98
Instruction Fuzzy Hash: B7E09230E7C7A9CAD3688E584482239F7D8EB89F09F10613DAACBC2350CA356403C986

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B485 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526984018759da3432517df137d3cb0aea36bf62938995e492732341679f14e5
Instruction ID: acea587a28a3debc13c801a7c3eb1a699e921b337070d2bd7942f6ca948a6d56
Opcode Fuzzy Hash: 526984018759da3432517df137d3cb0aea36bf62938995e492732341679f14e5
Instruction Fuzzy Hash: 0CE0487154A6988FCB45DB24C899D547F90DF6A21074E41DDD009CF5A3D51AD945C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166EFA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c61c9ff46dd6d8a15e4d7e4ebf9b138409c5574d4b0563fea3d23629d32ba83
Instruction ID: be7c6acfa62f98d0e7216fa6429d7126c0b90f46a6f7f9fc76363769e3d24706
Opcode Fuzzy Hash: 0c61c9ff46dd6d8a15e4d7e4ebf9b138409c5574d4b0563fea3d23629d32ba83
Instruction Fuzzy Hash: 42E02630504D1D4E8369B33A94044B572D2EF94303340007ED40EC22A5CD3998C3CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166CEF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357299bf46155a152e0e073ef7d6c612d3488b33c88ec46b85f52424cc4e05eb
Instruction ID: 46b0d1c06a722e13607b9d29cd903a275179e8945e916f5b5488f8bdefd4769f
Opcode Fuzzy Hash: 357299bf46155a152e0e073ef7d6c612d3488b33c88ec46b85f52424cc4e05eb
Instruction Fuzzy Hash: 04F0823152C7619FE3758A48C4437A5B3A1FF85620F150469D4CE87181CE297C03C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166C017 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0c8bbbd1d6309701f1168da069a32e1e16e51aeb9683209b24415fdb5e8157
Instruction ID: 3317eb677ff5dcf4b9795921107bbc2630ce7bd587a1fdfcf89c6ae6b2f96260
Opcode Fuzzy Hash: 5a0c8bbbd1d6309701f1168da069a32e1e16e51aeb9683209b24415fdb5e8157
Instruction Fuzzy Hash: 9AE0CD31B0C91D8FE724B518A4016B472C5EB59710F118279D89BC32E3FD2DD85345C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166E555 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029479058106ff8d82d297621bd3a0d4359f7d671e6cad3d7061beb91e7f097f
Instruction ID: 54d715567f2776e8d3736dd433890e2f777254dae3a92d10227e3add440bb51f
Opcode Fuzzy Hash: 029479058106ff8d82d297621bd3a0d4359f7d671e6cad3d7061beb91e7f097f
Instruction Fuzzy Hash: ECE05B3164C52FCBE754F654F8406B972C9E795B11F10833AD04EC23C6FD2E599A8298

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01670225 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bd5f288e2128f6abd8cdfe8cd8b34271bb217cf7c7a3682da265f1a3e58c42
Instruction ID: 789433e955dd12c3fe717de377231959c4f7dafad47b1d42fa5fc2e99ff2a401
Opcode Fuzzy Hash: 32bd5f288e2128f6abd8cdfe8cd8b34271bb217cf7c7a3682da265f1a3e58c42
Instruction Fuzzy Hash: 15E04674A0472DCFEB64EF198840AA9F7B0FB58700F2041EAC84C93264DE34A982CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B1ED Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678a7aa6b1ebfd045453005ce02c0e84e30899ceb03cec53eb79e323d94bb094
Instruction ID: 91d8c6e1a3176f743d5d2295368c61e35ab147c8f63f66449d912e3cf374b866
Opcode Fuzzy Hash: 678a7aa6b1ebfd045453005ce02c0e84e30899ceb03cec53eb79e323d94bb094
Instruction Fuzzy Hash: D1E0C245A1E5ADCAE39091284C0527DFBCCEF04B50F8841B8F06DC78E2D80E381BC221

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166F18D Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149fe73cee6dceb01d6d5f73fcdfe71e0f45b73fff2f9d95442221055af75673
Instruction ID: cd32b510b807da8a6f5cd44e9bf06f8646b8ea96d7904202f9e5fa65192a1854
Opcode Fuzzy Hash: 149fe73cee6dceb01d6d5f73fcdfe71e0f45b73fff2f9d95442221055af75673
Instruction Fuzzy Hash: 48D0C23170C519CBE701E604D8506ADB243E7D2720F040376D00AC72D4DD69E5428380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01667448 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef87354d59d052090147026c95d703e11214433aa8df94b608a6353eda848b4b
Instruction ID: 01f3bd9ec91860d39cc3aba11c60076106723ac313bbedfaec582828f33e4222
Opcode Fuzzy Hash: ef87354d59d052090147026c95d703e11214433aa8df94b608a6353eda848b4b
Instruction Fuzzy Hash: B0D0C73061580C8F8B48E71DC899D6073D1E76D2157954165D009C7274D959DD89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01670CAD Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa0334d2f38accb87e3c9f7534328d8f352b6f4145d4eb91549557ba87039fa
Instruction ID: 1b0febf086f41507b2ea60b732e9382807d73453f6c48785a22eee3ee43df419
Opcode Fuzzy Hash: 7fa0334d2f38accb87e3c9f7534328d8f352b6f4145d4eb91549557ba87039fa
Instruction Fuzzy Hash: C7D05E60E09229CAE708DA2A58106BD7A95DB42700F0081FDA08DC31C2CA386906ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166F1B0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bd638c4e1dff35983126819ebb4d77476387a6e33c7f417896f7ebe5e2413b
Instruction ID: fe293c4a0be1f20ae35733794f50fa0ea6b0e80d7b3a8f8ad14f41688ec69ed6
Opcode Fuzzy Hash: 55bd638c4e1dff35983126819ebb4d77476387a6e33c7f417896f7ebe5e2413b
Instruction Fuzzy Hash: E5B09B2564992D464545614D74810DDB241D7C4510B441B75D449D5186D95D568343C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166B903 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2611f4f0b45151cd4bf797f65fa268368a6f3c58342520dbf6d3bf26d67436
Instruction ID: ef3b7f4d1eec43ff08e2036619644e0e43a4acbf27d3c327cc38447d8bf85457
Opcode Fuzzy Hash: ed2611f4f0b45151cd4bf797f65fa268368a6f3c58342520dbf6d3bf26d67436
Instruction Fuzzy Hash: 82B09221B2C82A9AE309612C290227860C8DB0CB44F100178F84FC23C2E80D681381AA

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0166D61C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a61c4b1ac1d28b7058bbbacad7d9103656a11e76e241438766aea330202801
Instruction ID: f26d28253bcb33f0873381a2308d42b0c67cd346db2e7f1a0df3fe316be07850
Opcode Fuzzy Hash: 07a61c4b1ac1d28b7058bbbacad7d9103656a11e76e241438766aea330202801
Instruction Fuzzy Hash: E1B09260F2931A9BE3556A64850127BA18BABC4F05F208439E08EC63D6ED3ABC03C291

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01670E14 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae51e5e89d5f6f29e5999a0b49f88dbe257e0ef62582d22ad597b6c4150260b
Instruction ID: 2fe2fa39f99c675cbb9ff16a5ccd6f7ecbbb1ddeb843f55a00968974f068a98d
Opcode Fuzzy Hash: 3ae51e5e89d5f6f29e5999a0b49f88dbe257e0ef62582d22ad597b6c4150260b
Instruction Fuzzy Hash: 4BC04C34A0862ECFEB91DE15C850BADB365EF49740F5044F5A50DE7295CE35AD42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01670020 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2515b79a7c2c93a174029b2b5c5b713231d99d0fe350b0c384ce79c3a61a3e88
Instruction ID: bf884279187c5ca3b35fe2404c62398a37d4d8e69daa3db0fc39f0c436ea2ae0
Opcode Fuzzy Hash: 2515b79a7c2c93a174029b2b5c5b713231d99d0fe350b0c384ce79c3a61a3e88
Instruction Fuzzy Hash: 0AC04C60E1C52DDEE7949B28981176DA5A5DB09700F1040B9A50ED2282DD3919458F64

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFC01472259 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.543658884.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01470000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c21d13129f13ff47a612e0cd86e25d48fb43969829db01419df0908da0009c5
Instruction ID: 083da864e6b225d8b087e43fb7a1fbbd2334641df4536f29260fd1a81e0c2b70
Opcode Fuzzy Hash: 2c21d13129f13ff47a612e0cd86e25d48fb43969829db01419df0908da0009c5
Instruction Fuzzy Hash: A021C31294EAD90FD387837848219A0BFF1AF57501B0E41EBC088CB1F7D94DAD1AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC016685AA Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

6_^, xrefs: 00007FFC01668672
6_^, xrefs: 00007FFC01668622
6_^, xrefs: 00007FFC016685D2
6_^, xrefs: 00007FFC016685AA

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 6_^$6_^$6_^$6_^
API String ID: 0-3760766968
Opcode ID: 5da07a26be1193f4db98d9ec5a31a43e0e072634907f8f6b6fcb6d48b9254c6d
Instruction ID: 09e1d5c5afadea37d9c576703f962f4b4eca3c934e368ae468d4f536708fd329
Opcode Fuzzy Hash: 5da07a26be1193f4db98d9ec5a31a43e0e072634907f8f6b6fcb6d48b9254c6d
Instruction Fuzzy Hash: 7821FC97D8D67BC7FB9462682C9A0F573C8DF10725B040071E6ACCB2D3BD096D86C9A5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC016683A2 Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

6_^, xrefs: 00007FFC016683DA
6_^, xrefs: 00007FFC0166842A
6_^, xrefs: 00007FFC01668479
6_^, xrefs: 00007FFC016683A2

Memory Dump Source

Source File: 00000006.00000002.546927262.00007FFC01660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc01660000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: 6_^$6_^$6_^$6_^
API String ID: 0-408421816
Opcode ID: 2c01280250deb2e93ab1f404183d6969af6aa951d7b7955e82b6f51c02c3c876
Instruction ID: e1a553202dfb40c535a91866813dcfa86b723a5943764a6edce0f296c0adf594
Opcode Fuzzy Hash: 2c01280250deb2e93ab1f404183d6969af6aa951d7b7955e82b6f51c02c3c876
Instruction Fuzzy Hash: 7F21D753C8CA7ACBFB61B77828450E5B7C5DF20314B050076E26C9B2D3BD187946C6A5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: HDPh51eN5s.exePID: 6020, Parent PID: 848COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFC013F3B83 Relevance: 1.8, APIs: 1, Instructions: 277
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFC013F3D91

Memory Dump Source

Source File: 00000007.00000002.427648566.00007FFC013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc013f0000_HDPh51eN5s.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7ee259565d93b4fd6ab197f19acb045b4e0d3d3fdebddd307d83eaf6310b4dca
Instruction ID: 332826a493196653b57a3523b6ec273895f7b1f1fb542dba622d91bb68981c17
Opcode Fuzzy Hash: 7ee259565d93b4fd6ab197f19acb045b4e0d3d3fdebddd307d83eaf6310b4dca
Instruction Fuzzy Hash: FE91897280E7C54FD7079B749C665A47FB0EF17220B0E42EBC0C5CB1A3D668595AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC013F1CD8 Relevance: 1.7, APIs: 1, Instructions: 155
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFC013F1DD1

Memory Dump Source

Source File: 00000007.00000002.427648566.00007FFC013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc013f0000_HDPh51eN5s.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: aff16ae8c9b516ce821d43f9999b4e060974313dfba61db38e87e396890f8cc8
Instruction ID: 337906a0b811ffbe805a26e1691bb90687157741fbd9ecba313740ea357422bc
Opcode Fuzzy Hash: aff16ae8c9b516ce821d43f9999b4e060974313dfba61db38e87e396890f8cc8
Instruction Fuzzy Hash: 6441D43094D7888FD70ADB6898456E87FF1EF57321F0842AFD089C71A3DB685856CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01471FCD Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.427840649.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc01470000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f45d6dbe39c30e4ec1f788faa1cc4c19084472afb4d56fe0199de3d3a52a0b
Instruction ID: 3031382e170912ae307ec0b60de3a639793c19b58da87a1350cbb37f85312bba
Opcode Fuzzy Hash: 53f45d6dbe39c30e4ec1f788faa1cc4c19084472afb4d56fe0199de3d3a52a0b
Instruction Fuzzy Hash: 69419EA2A0EBD90FE75786781C654A07FB1AF6761070E01EBD184CB1F3E5499E0AC372

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01470EFD Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.427840649.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc01470000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf2ca6adf12f9259fbd7fdc89ad5852fce5c35e2c0b20ad8858b6959ebe11d1
Instruction ID: dd38c4f06a521a91cace1796cbfe95f113065078b289359a07661509ef41f909
Opcode Fuzzy Hash: 3cf2ca6adf12f9259fbd7fdc89ad5852fce5c35e2c0b20ad8858b6959ebe11d1
Instruction Fuzzy Hash: FE31276190EBD91FE31A922828262747F91EF9B610B1901FFE08DC71D3DC49681AC3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01470BA5 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.427840649.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc01470000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3487d4e8e6c6b7de772402382314d8d9033f20ea1b70026c70df65af8fe8b84b
Instruction ID: 0df8dea3c81ad2300a33f7ac5f8ba73829cf23b67ca218d2a430db6db04cd498
Opcode Fuzzy Hash: 3487d4e8e6c6b7de772402382314d8d9033f20ea1b70026c70df65af8fe8b84b
Instruction Fuzzy Hash: 4921D171A0DBC94FD747CB788824124BFE0EF67211B0A41EBD088CB5F3EA589806C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC014708DD Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.427840649.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc01470000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f0b141ccb1ff978ada2e67ef1a68cf284b37414670db2684da1823f96c1b68
Instruction ID: cf624224963cb2a8d22648a26adc07fcdfb59be204095e62112fc36e86d41c97
Opcode Fuzzy Hash: 61f0b141ccb1ff978ada2e67ef1a68cf284b37414670db2684da1823f96c1b68
Instruction Fuzzy Hash: C52184B160EBD94FDB87C73858241A0BFE1EF6761170A01EBE088CB1B3E5599D46C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01471B4D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.427840649.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc01470000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9753dce7ea43c6bd8fe8d94355806f5f31b865710a03f56e97787512f396017e
Instruction ID: fc2c558253a34b9184b576b79a4b5675eef79c0800fe4e82672323b07c7ba76a
Opcode Fuzzy Hash: 9753dce7ea43c6bd8fe8d94355806f5f31b865710a03f56e97787512f396017e
Instruction Fuzzy Hash: 5D019E52D0DBC54FD7A38B781C690A07FB1EE6752070D02E7C084CB1A3F91A6A0BC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01471151 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.427840649.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc01470000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf2ddc638f473862ca6344b961f284568287e24f2cd38f47b9dff7cf9c18745
Instruction ID: 84c89b448ef3436c897d9e226a977f8bc616d4cb9c3b13aa5910bae30e39aa19
Opcode Fuzzy Hash: 3cf2ddc638f473862ca6344b961f284568287e24f2cd38f47b9dff7cf9c18745
Instruction Fuzzy Hash: C3115B2284E7DA4FE7578B745C650A07FB1AE17A0030F42E7C485CB1B3E54D6D0AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0147091B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.427840649.00007FFC01470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffc01470000_HDPh51eN5s.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6bfe6f156d33b2257f26b9746a9e63d696c6f06c02ca505f8d195dcd05d501
Instruction ID: 6a366c46d0256b745e25d86eae7f8553fbb01f3c455d821f3d7b8d45ee984af1
Opcode Fuzzy Hash: ed6bfe6f156d33b2257f26b9746a9e63d696c6f06c02ca505f8d195dcd05d501
Instruction Fuzzy Hash: 07015E7160DA994FE756D62C5819260BBD1EF57111B0A01FBE088CB2B3E9159D06C751

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HDPh51eN5s

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HDPh51eN5s.exe.log

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\System32\Windows\RuntimeBroker.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
HDPh51eN5s

Function 00007FFC014004E0 Relevance: 1.5, Strings: 1, Instructions: 268
COMMON

Function 00007FFC01403B83 Relevance: 1.8, APIs: 1, Instructions: 277
memoryCOMMON

Function 00007FFC01401CD8 Relevance: 1.7, APIs: 1, Instructions: 156
memoryCOMMON

Function 00007FFC016687FA Relevance: 2.6, Strings: 2, Instructions: 124
COMMON

Function 00007FFC016688AA Relevance: 2.6, Strings: 2, Instructions: 66
COMMON

Function 00007FFC013F3B83 Relevance: 1.8, APIs: 1, Instructions: 277
memoryCOMMON

Function 00007FFC013F1CD8 Relevance: 1.7, APIs: 1, Instructions: 155
memoryCOMMON

Function 00007FFC0166B03D Relevance: 1.4, Strings: 1, Instructions: 130
COMMON