Edit tour

Windows Analysis Report
SecuriteInfo.com.PWSX-gen.32561.14552.exe

Overview

General Information

Sample name:	SecuriteInfo.com.PWSX-gen.32561.14552.exe
Analysis ID:	1427764
MD5:	8ae8e59f0df6887a86d8ac303d004095
SHA1:	9cd99884369adfd6bb5d9f3426c91b25f4979281
SHA256:	30e181e98cb75e4324746fd2d27fcc9987a51dfd0182b45eab54781df26c1d33
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.PWSX-gen.32561.14552.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe" MD5: 8AE8E59F0DF6887A86D8AC303D004095)

powershell.exe (PID: 7092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7364 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6744 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecuriteInfo.com.PWSX-gen.32561.14552.exe (PID: 7196 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe" MD5: 8AE8E59F0DF6887A86D8AC303D004095)

tiucdfZoOi.exe (PID: 7384 cmdline: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe MD5: 8AE8E59F0DF6887A86D8AC303D004095)

schtasks.exe (PID: 7508 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tiucdfZoOi.exe (PID: 7552 cmdline: "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe" MD5: 8AE8E59F0DF6887A86D8AC303D004095)

boqXv.exe (PID: 7688 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 8AE8E59F0DF6887A86D8AC303D004095)

schtasks.exe (PID: 7876 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp97D8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

boqXv.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 8AE8E59F0DF6887A86D8AC303D004095)

boqXv.exe (PID: 7044 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 8AE8E59F0DF6887A86D8AC303D004095)

schtasks.exe (PID: 6284 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmpB88F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

boqXv.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 8AE8E59F0DF6887A86D8AC303D004095)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3103520162.0000000002C72000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.3107557708.0000000003412000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2116074967.0000000002A32000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3107567072.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 7196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 7196	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tiucdfZoOi.exe PID: 7384	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tiucdfZoOi.exe PID: 7384	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tiucdfZoOi.exe PID: 7384	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tiucdfZoOi.exe PID: 7552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tiucdfZoOi.exe PID: 7552	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: boqXv.exe PID: 7688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: boqXv.exe PID: 7688	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: boqXv.exe PID: 7688	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: boqXv.exe PID: 7928	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: boqXv.exe PID: 7928	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: boqXv.exe PID: 7044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: boqXv.exe PID: 7044	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: boqXv.exe PID: 7100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: boqXv.exe PID: 7100	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.boqXv.exe.4ecfb08.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.boqXv.exe.4ecfb08.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.boqXv.exe.4ecfb08.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.tiucdfZoOi.exe.41a6420.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.tiucdfZoOi.exe.41a6420.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.tiucdfZoOi.exe.41a6420.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.boqXv.exe.4f0ab28.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.boqXv.exe.4f0ab28.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.boqXv.exe.4f0ab28.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.tiucdfZoOi.exe.41e1440.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.tiucdfZoOi.exe.41e1440.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.tiucdfZoOi.exe.41e1440.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.boqXv.exe.4e3f650.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.boqXv.exe.4e3f650.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.boqXv.exe.4e3f650.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.boqXv.exe.4e7a670.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.boqXv.exe.4e7a670.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.boqXv.exe.4e7a670.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
16.2.boqXv.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.boqXv.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.boqXv.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.boqXv.exe.4e7a670.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.boqXv.exe.4e7a670.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.boqXv.exe.4e7a670.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e91c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e98e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ea18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eaaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6eb14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ec1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ecac:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eb1c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa993c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6eb8e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa99ae:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ec18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa9a38:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ecaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa9aca:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ed14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9b34:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ed86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9ba6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ee1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9c3c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
12.2.boqXv.exe.4f0ab28.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.boqXv.exe.4f0ab28.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.boqXv.exe.4f0ab28.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e91c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e98e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ea18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eaaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6eb14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ec1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ecac:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e91c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e98e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ea18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eaaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6eb14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ec1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ecac:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e91c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e98e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ea18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eaaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6eb14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ec1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ecac:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.boqXv.exe.4e3f650.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.boqXv.exe.4e3f650.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.boqXv.exe.4e3f650.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eb1c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa993c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6eb8e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa99ae:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ec18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa9a38:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ecaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa9aca:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ed14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9b34:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ed86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9ba6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ee1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9c3c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
12.2.boqXv.exe.4ecfb08.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.boqXv.exe.4ecfb08.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.boqXv.exe.4ecfb08.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eb1c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa993c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6eb8e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa99ae:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ec18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa9a38:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ecaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa9aca:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ed14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9b34:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ed86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9ba6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ee1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9c3c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 40 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe, ParentProcessId: 6884, ParentProcessName: SecuriteInfo.com.PWSX-gen.32561.14552.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe", ProcessId: 7092, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe, ProcessId: 7196, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe, ParentImage: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe, ParentProcessId: 7384, ParentProcessName: tiucdfZoOi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp", ProcessId: 7508, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.87.253.239, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe, Initiated: true, ProcessId: 7196, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe, ParentProcessId: 6884, ParentProcessName: SecuriteInfo.com.PWSX-gen.32561.14552.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp", ProcessId: 6744, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe, ParentProcessId: 6884, ParentProcessName: SecuriteInfo.com.PWSX-gen.32561.14552.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe", ProcessId: 7092, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe, ParentProcessId: 6884, ParentProcessName: SecuriteInfo.com.PWSX-gen.32561.14552.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp", ProcessId: 6744, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:43.708857
SID:	2839723
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:35.407459
SID:	2851779
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:35.407459
SID:	2840032
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:24.532684
SID:	2840032
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:24.532587
SID:	2839723
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:24.532684
SID:	2851779
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:20.348141
SID:	2855542
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:20.348141
SID:	2855245
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:43.708939
SID:	2840032
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:20.348027
SID:	2030171
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:35.407401
SID:	2030171
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:43.708857
SID:	2030171
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:24.532684
SID:	2855542
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:24.532684
SID:	2855245
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:35.407459
SID:	2855542
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:35.407459
SID:	2855245
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:43.708939
SID:	2851779
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:20.348027
SID:	2839723
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:35.407401
SID:	2839723
Source Port:	49740
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:20.348141
SID:	2840032
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:24.532587
SID:	2030171
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:20.348141
SID:	2851779
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:43.708939
SID:	2855542
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.253.239

Timestamp:	04/18/24-06:25:43.708939
SID:	2855245
Source Port:	49743
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Avira: detection malicious, Label: HEUR/AGEN.1308640
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Avira: detection malicious, Label: HEUR/AGEN.1308640

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Virustotal: Detection: 38%	Perma Link
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Virustotal: Detection: 38%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe	ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe	Virustotal: Detection: 38%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 4x nop then jmp 074E5CD1h	0_2_074E5738
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 4x nop then jmp 024850F9h	8_2_02484B60
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 4x nop then jmp 0D334FC9h	12_2_0D334A30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 4x nop then jmp 076A4FC9h	19_2_076A4A30

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49743 -> 50.87.253.239:587

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 50.87.253.239:587

Source: Joe Sandbox View

IP Address: 50.87.253.239 50.87.253.239

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 50.87.253.239:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mail.clslk.com

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.clslk.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893332055.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 00000008.00000002.1937145335.0000000002729000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000C.00000002.2051696888.0000000003448000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000013.00000002.2134532225.00000000033B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr	String found in binary or memory: http://weather.yahooapis.com/forecastrss?w=4118
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr	String found in binary or memory: http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr	String found in binary or memory: http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897743761.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr	String found in binary or memory: http://xml.weather.yahoo.com/ns/rss/1.0
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, boqXv.exe, 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, umlRMRbjNqD.cs

.Net Code: fKv0R

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.29f397c.0.raw.unpack, LoginForm.cs	Large array initialization: : array initializer size 33603
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.52a0000.4.raw.unpack, LoginForm.cs	Large array initialization: : array initializer size 33603

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_07261190	0_2_07261190
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_072602E0	0_2_072602E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_07262030	0_2_07262030
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_07263258	0_2_07263258
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_072634A0	0_2_072634A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_07262EE8	0_2_07262EE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_00FFDDCC	0_2_00FFDDCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_074E7410	0_2_074E7410
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_074E1308	0_2_074E1308
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_074E12F8	0_2_074E12F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_050AD658	6_2_050AD658
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_050AA3D8	6_2_050AA3D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_050A3EB8	6_2_050A3EB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_050A4AD0	6_2_050A4AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_050A4200	6_2_050A4200
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_0625B5A0	6_2_0625B5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_06259F7C	6_2_06259F7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_06260E60	6_2_06260E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_06269F80	6_2_06269F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_06265B80	6_2_06265B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_06263398	6_2_06263398
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_062643F8	6_2_062643F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_0626902A	6_2_0626902A
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_0626C1A0	6_2_0626C1A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_0626E190	6_2_0626E190
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_062654A0	6_2_062654A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 6_2_06263ADB	6_2_06263ADB
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 8_2_0095DDCC	8_2_0095DDCC
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 8_2_02481308	8_2_02481308
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 8_2_02486708	8_2_02486708
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 8_2_024877D0	8_2_024877D0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 8_2_04C9D9C8	8_2_04C9D9C8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 8_2_04C9FBD8	8_2_04C9FBD8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 8_2_04C9FBC8	8_2_04C9FBC8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_014CA3D0	11_2_014CA3D0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_014CD650	11_2_014CD650
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_014C9810	11_2_014C9810
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_014C4AD0	11_2_014C4AD0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_014C3EB8	11_2_014C3EB8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_014C4200	11_2_014C4200
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064DB5A0	11_2_064DB5A0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064D9F7C	11_2_064D9F7C
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064E0E60	11_2_064E0E60
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064E9F80	11_2_064E9F80
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064E43F8	11_2_064E43F8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064E5B80	11_2_064E5B80
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064E9038	11_2_064E9038
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064EC1A0	11_2_064EC1A0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064EE1A0	11_2_064EE1A0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064E54A0	11_2_064E54A0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064E3AF0	11_2_064E3AF0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064E3398	11_2_064E3398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0138DDCC	12_2_0138DDCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_077502E0	12_2_077502E0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_077541E8	12_2_077541E8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07751190	12_2_07751190
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07753ED0	12_2_07753ED0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0775F568	12_2_0775F568
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07753491	12_2_07753491
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07758378	12_2_07758378
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07753258	12_2_07753258
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0775324B	12_2_0775324B
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_077502D3	12_2_077502D3
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07755150	12_2_07755150
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0775F130	12_2_0775F130
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_077541D8	12_2_077541D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07752030	12_2_07752030
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07752020	12_2_07752020
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_077510A0	12_2_077510A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07751E3B	12_2_07751E3B
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07752EE8	12_2_07752EE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07752ED8	12_2_07752ED8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07753EC1	12_2_07753EC1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0775ECF8	12_2_0775ECF8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0775ECE3	12_2_0775ECE3
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0775ECDB	12_2_0775ECDB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0775F9A0	12_2_0775F9A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0775F990	12_2_0775F990
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_077568B8	12_2_077568B8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_077568AB	12_2_077568AB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0D336710	12_2_0D336710
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0D331308	12_2_0D331308
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_04E64200	16_2_04E64200
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_04E63EB8	16_2_04E63EB8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_04E69F68	16_2_04E69F68
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_04E64AD0	16_2_04E64AD0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_04E6D4F0	16_2_04E6D4F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_04E6E46F	16_2_04E6E46F
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_04E69F61	16_2_04E69F61
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DEB400	16_2_05DEB400
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DE9DCC	16_2_05DE9DCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DF9F80	16_2_05DF9F80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DF0E60	16_2_05DF0E60
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DFE1A0	16_2_05DFE1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DF9038	16_2_05DF9038
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DF43F8	16_2_05DF43F8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DF3398	16_2_05DF3398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DF5B80	16_2_05DF5B80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DF54A0	16_2_05DF54A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DFC1A0	16_2_05DFC1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 16_2_05DF3AF0	16_2_05DF3AF0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_0166DDCC	19_2_0166DDCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_057AD9C8	19_2_057AD9C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_057AFBD8	19_2_057AFBD8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_057AFBC8	19_2_057AFBC8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DCF568	19_2_05DCF568
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC3491	19_2_05DC3491
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC41D8	19_2_05DC41D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC41E8	19_2_05DC41E8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC1190	19_2_05DC1190
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC5150	19_2_05DC5150
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DCF130	19_2_05DCF130
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC10A0	19_2_05DC10A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC2030	19_2_05DC2030
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC2020	19_2_05DC2020
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC8378	19_2_05DC8378
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC02D2	19_2_05DC02D2
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC02E0	19_2_05DC02E0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC3258	19_2_05DC3258
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC324A	19_2_05DC324A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DCECDC	19_2_05DCECDC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DCECF8	19_2_05DCECF8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC2ED8	19_2_05DC2ED8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC3ED0	19_2_05DC3ED0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC3EC1	19_2_05DC3EC1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC2EE8	19_2_05DC2EE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC1E3A	19_2_05DC1E3A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DCF990	19_2_05DCF990
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DCF9A0	19_2_05DCF9A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC68B8	19_2_05DC68B8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC68AA	19_2_05DC68AA
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_076A6710	19_2_076A6710
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_076A1308	19_2_076A1308
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 22_2_01A04200	22_2_01A04200
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 22_2_01A04AD0	22_2_01A04AD0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 22_2_01A09EA8	22_2_01A09EA8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 22_2_01A03EB8	22_2_01A03EB8

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1890929928.000000000093E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897433222.00000000052A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1900625854.000000000A070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893332055.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893332055.0000000002C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000000.1836436871.00000000004EA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGVTR.exe0 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893998929.000000000437E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000006.00000002.3098208191.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe	Binary or memory string: OriginalFilenameGVTR.exe0 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tiucdfZoOi.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, v9Lsz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, VFo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, 5FJ0H20tobu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, NtdoTGO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, XBsYgp.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, AwxUa2Na.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/16@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

File created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: \Sessions\1\BaseNamedObjects\hBlThTfTaEtA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp

Jump to behavior

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe	ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe	Virustotal: Detection: 38%

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe C:\Users\user\AppData\Roaming\tiucdfZoOi.exe
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp97D8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmpB88F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp97D8.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmpB88F.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.29f397c.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	.Net Code: QV6iCsNyFN System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.52a0000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	.Net Code: QV6iCsNyFN System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	.Net Code: QV6iCsNyFN System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_07253757 push 3861A8E5h; iretd	0_2_0725375C
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_072515BA push ds; retf	0_2_072515BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_07254DE9 pushfd ; ret	0_2_07254DEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_07252AF7 pushad ; retf	0_2_07252B05
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Code function: 0_2_074E8865 push FFFFFF8Bh; iretd	0_2_074E8867
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Code function: 11_2_064DFD30 push es; ret	11_2_064DFD40
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07750BE7 pushad ; retf	12_2_07750BE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_07750BDD pushad ; retf	12_2_07750BDE
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 12_2_0D337B65 push FFFFFF8Bh; iretd	12_2_0D337B67
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC0BDD pushad ; retf	19_2_05DC0BDE
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DC0BE7 pushad ; retf	19_2_05DC0BE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_05DCEAA7 push ss; iretd	19_2_05DCEAA8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_076A7B65 push FFFFFF8Bh; iretd	19_2_076A7B67
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Code function: 19_2_076A502B push 00000007h; iretd	19_2_076A5034

Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe	Static PE information: section name: .text entropy: 7.94386929990432
Source: tiucdfZoOi.exe.0.dr	Static PE information: section name: .text entropy: 7.94386929990432

Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, jWpHGA0DfRyfU60dN8.cs	High entropy of concatenated method names: 'TQKExR61of', 'UiDEhsSH7N', 'dE0Efp2yDf', 'wqSEZtGgYF', 'IrYEQufbOE', 'nWbE2trLGT', 'DRhmoWYLOl5b3fSgjC', 'qcpadr9nGje6RTeBJW', 'oWVEEEAP11', 'clyEmn3oLm'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, KoVNS2QPr0D8xYKS6t.cs	High entropy of concatenated method names: 'APN0MFD4Jo', 'w0i0oYUAl5', 'NL50l6Vdqb', 'eSB0TNtY24', 'uE70QyCxmt', 'Iim021tc0W', 'uvq0W4Nv7F', 'f410rtxWdO', 's5h0doIO0m', 'iyr0nPXyG7'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, OaibpBK1bvahCIVHhB.cs	High entropy of concatenated method names: 'hKRKe2pYbc', 'bxfKBhByKQ', 'a01KFWnrTu', 'B9pKxNhKh6', 'bpAKh0DBXd', 'UQtFOs3M0n', 'ChPFq8XnWP', 'VHTFXQZvrA', 'wwXF7N1hEP', 'FK3Fj1mjnY'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, SfjqglIIaYp2yKY8rg.cs	High entropy of concatenated method names: 'um2xLTZvZJ', 'V8SxaetNWR', 'x78xCDvf2a', 'qJkxM45IGA', 'FLNxJQo5Z7', 'ixrxoN6eO5', 'luGxvbxxsR', 'cMMxl6SjXN', 'TEYxTYxbsy', 'Kq1xtMVTGh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, vP7EpM1GqhThhI2umb.cs	High entropy of concatenated method names: 'jAJrNZ3NqI', 'XGTrBrNXcs', 'vvir0eFfqj', 'GofrFK5Eaw', 'I69rK0vTN0', 'PW5rx6WoXQ', 'jD1rhtLgvp', 'v4prS9R4Md', 'KeArf6h9Fg', 'HBorZI56dE'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, X0nIyHPWpr2jFPUHUZ0.cs	High entropy of concatenated method names: 'crVdL9Hi66', 'm4gdayKRUt', 'KDPdC0PiN6', 'aENdMZZnHL', 'dg3dJX4PDS', 'nsddoRuDba', 'onodvaLUtL', 'ULGdla9pRV', 'tCVdT0J4qL', 'J8cdt7ZVjH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, l3eqVArlDZPW5WaULi.cs	High entropy of concatenated method names: 'svAglVqdoi', 'LB2gT3HGhC', 'mugg35R1CQ', 'gkag4o91ip', 'Dragb8FYCa', 'Jj0gAv6Z5k', 'z33gHEcPfy', 'mkrgIF5XeS', 'BRugwPbKRq', 'Nn6gUHk4va'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, Nl9pgWNbVilv1BBdx0.cs	High entropy of concatenated method names: 'cO2FJVpT4N', 'bwQFvsUpcU', 'Jb20sBnFPf', 'GHV0bo5Kkl', 'WyK0Ah2MII', 'EFX0YtQmFc', 'OP20HKRjyc', 'njZ0I4xPyA', 'xJA0psSloF', 'Tdb0wkrKwH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, bfXI8LBDuwM5MDXjHi.cs	High entropy of concatenated method names: 'VH9K8pXRx0', 'xLfK65KEX1', 'IwIKOHsTI3', 'ToString', 'XYVKqCmuyk', 'inpKXvMQBi', 'VcqeJtvmNKESuE3746V', 'rqiwHZvU0c39QLCECri', 'jg2HZwvKJNExp516xKk', 'HqwG7DveKgxDRVqW9FP'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, sl7bPKUPIshOXOM697.cs	High entropy of concatenated method names: 'Dispose', 'HF3EjKo7wC', 'luGR4o6OFN', 'tuUGGeuyEq', 'oFVEcqoqsq', 'jNCEzQrX2s', 'ProcessDialogKey', 'hlrRDYcl1J', 'qLJREHkuU2', 'jMeRRgbHhJ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	High entropy of concatenated method names: 'fOmmeZrPYu', 'QEZmNneaEp', 'kHKmBgyJfG', 'Kq9m0bNbUq', 'YdYmF8oYWp', 'yf9mKJtp73', 'KLAmxtOpUV', 'E0cmh6FywU', 'r26mS0RXSy', 'oUymfT8PJ8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, xcnE113lWKEtGGOGjl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'prgRj842Jb', 'J6nRcHd7C6', 'SDtRzUkXdW', 'Bb5mDH22PD', 'iT2mEJAANN', 'opNmRs2V5M', 'K2Omm7yVOb', 's95ZcfciLCKKX2xUqOh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, Ir1kGbTicf0UUXiQMy.cs	High entropy of concatenated method names: 'J2rW79ixaJ', 'F94Wc1DuNd', 'i9drD4KYWW', 'IqCrEaIABk', 'tuOWUvgdOk', 'qtTW5jFOBu', 'hADW9riuiG', 'MEPW1LqgZQ', 'r9QWkfowna', 'BeXW8JkdyZ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, DGFItyE8JVDxUwV3ep.cs	High entropy of concatenated method names: 'BvWCS6uR5', 'jCWM0RBXC', 'oBFoJU41j', 'ndAvKKt97', 'SZATpCqoH', 'DsetsVWln', 'qEqcKvp75lTGYTtKiV', 'PB4R4MgRbxbJbWLtc6', 'PwQrKgrfK', 'fx1nQGiD1'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, iIjX2YPPkaL15b1JJTX.cs	High entropy of concatenated method names: 'ToString', 'PQOnmiOryd', 'qJ1nifmsCO', 'v3lneeipGA', 'JOhnNqHMdV', 'wVdnB3IVaB', 'rBWn0pO63u', 'Q3PnFwxAGs', 'QKcgjWiysxsANj55xrB', 'MZKU6IipCsJbuf8I6YW'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, uonbnmLG0MiFhH5EdT.cs	High entropy of concatenated method names: 'ijudEYmRdg', 'ns9dmAyOn3', 'L0Gdiyh8T7', 'rOodNwDI8V', 'rhtdBYAvMN', 'rpedFVKfBH', 'u8wdKMcq9o', 'g6jrXsw9WC', 'k3Pr7GdSIN', 'kqIrjCFbaK'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, XuqtffC1mjMy4V4QNS.cs	High entropy of concatenated method names: 'G1SWf8KLlr', 'nLrWZml4Iw', 'ToString', 'wKiWNyO6UK', 'U6GWB5LQFU', 'Og0W0FIgbi', 'QYyWFr3ukK', 'HJVWKpjj9H', 'fdbWxElkl9', 'pobWhruA64'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, ym5hm3Pbv9EBhKIXh85.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pobn1bsLNG', 'SKonkEu9Dl', 'OOIn8VKfcW', 'eDLn6dMKCv', 'De9nOK0rJy', 'gy3nqiHe3A', 'njVnX5OULX'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, OpHZEfAsiWMwvLMccU.cs	High entropy of concatenated method names: 'ToString', 'By82UingMr', 'sTa24pxnws', 'K692s8VmXn', 'Uah2bwsDnL', 'Bsy2AIjN22', 'BvZ2YBXPnO', 'XNx2HZEr5F', 'baP2IZuLwE', 'U2K2peKvMT'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	High entropy of concatenated method names: 'wo8B199eAO', 'DmMBkwggyg', 'iwtB8Txkyb', 'CTiB6iXjxP', 'FsaBO14qLV', 'tyABqML2xB', 'HyHBXBTIqU', 'dx4B7fMkC2', 'uOVBjIXp1O', 'MpTBcWHlt8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, JQ6Bl2FiGQCC0cdEjA.cs	High entropy of concatenated method names: 'OTNr3SsWpu', 'riBr4NEB27', 'Rpjrs1xTsr', 'YiyrbpTiit', 'YG3r1J1b7V', 'XX8rAhGUsx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, jWpHGA0DfRyfU60dN8.cs	High entropy of concatenated method names: 'TQKExR61of', 'UiDEhsSH7N', 'dE0Efp2yDf', 'wqSEZtGgYF', 'IrYEQufbOE', 'nWbE2trLGT', 'DRhmoWYLOl5b3fSgjC', 'qcpadr9nGje6RTeBJW', 'oWVEEEAP11', 'clyEmn3oLm'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, KoVNS2QPr0D8xYKS6t.cs	High entropy of concatenated method names: 'APN0MFD4Jo', 'w0i0oYUAl5', 'NL50l6Vdqb', 'eSB0TNtY24', 'uE70QyCxmt', 'Iim021tc0W', 'uvq0W4Nv7F', 'f410rtxWdO', 's5h0doIO0m', 'iyr0nPXyG7'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, OaibpBK1bvahCIVHhB.cs	High entropy of concatenated method names: 'hKRKe2pYbc', 'bxfKBhByKQ', 'a01KFWnrTu', 'B9pKxNhKh6', 'bpAKh0DBXd', 'UQtFOs3M0n', 'ChPFq8XnWP', 'VHTFXQZvrA', 'wwXF7N1hEP', 'FK3Fj1mjnY'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, SfjqglIIaYp2yKY8rg.cs	High entropy of concatenated method names: 'um2xLTZvZJ', 'V8SxaetNWR', 'x78xCDvf2a', 'qJkxM45IGA', 'FLNxJQo5Z7', 'ixrxoN6eO5', 'luGxvbxxsR', 'cMMxl6SjXN', 'TEYxTYxbsy', 'Kq1xtMVTGh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, vP7EpM1GqhThhI2umb.cs	High entropy of concatenated method names: 'jAJrNZ3NqI', 'XGTrBrNXcs', 'vvir0eFfqj', 'GofrFK5Eaw', 'I69rK0vTN0', 'PW5rx6WoXQ', 'jD1rhtLgvp', 'v4prS9R4Md', 'KeArf6h9Fg', 'HBorZI56dE'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, X0nIyHPWpr2jFPUHUZ0.cs	High entropy of concatenated method names: 'crVdL9Hi66', 'm4gdayKRUt', 'KDPdC0PiN6', 'aENdMZZnHL', 'dg3dJX4PDS', 'nsddoRuDba', 'onodvaLUtL', 'ULGdla9pRV', 'tCVdT0J4qL', 'J8cdt7ZVjH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, l3eqVArlDZPW5WaULi.cs	High entropy of concatenated method names: 'svAglVqdoi', 'LB2gT3HGhC', 'mugg35R1CQ', 'gkag4o91ip', 'Dragb8FYCa', 'Jj0gAv6Z5k', 'z33gHEcPfy', 'mkrgIF5XeS', 'BRugwPbKRq', 'Nn6gUHk4va'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, Nl9pgWNbVilv1BBdx0.cs	High entropy of concatenated method names: 'cO2FJVpT4N', 'bwQFvsUpcU', 'Jb20sBnFPf', 'GHV0bo5Kkl', 'WyK0Ah2MII', 'EFX0YtQmFc', 'OP20HKRjyc', 'njZ0I4xPyA', 'xJA0psSloF', 'Tdb0wkrKwH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, bfXI8LBDuwM5MDXjHi.cs	High entropy of concatenated method names: 'VH9K8pXRx0', 'xLfK65KEX1', 'IwIKOHsTI3', 'ToString', 'XYVKqCmuyk', 'inpKXvMQBi', 'VcqeJtvmNKESuE3746V', 'rqiwHZvU0c39QLCECri', 'jg2HZwvKJNExp516xKk', 'HqwG7DveKgxDRVqW9FP'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, sl7bPKUPIshOXOM697.cs	High entropy of concatenated method names: 'Dispose', 'HF3EjKo7wC', 'luGR4o6OFN', 'tuUGGeuyEq', 'oFVEcqoqsq', 'jNCEzQrX2s', 'ProcessDialogKey', 'hlrRDYcl1J', 'qLJREHkuU2', 'jMeRRgbHhJ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	High entropy of concatenated method names: 'fOmmeZrPYu', 'QEZmNneaEp', 'kHKmBgyJfG', 'Kq9m0bNbUq', 'YdYmF8oYWp', 'yf9mKJtp73', 'KLAmxtOpUV', 'E0cmh6FywU', 'r26mS0RXSy', 'oUymfT8PJ8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, xcnE113lWKEtGGOGjl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'prgRj842Jb', 'J6nRcHd7C6', 'SDtRzUkXdW', 'Bb5mDH22PD', 'iT2mEJAANN', 'opNmRs2V5M', 'K2Omm7yVOb', 's95ZcfciLCKKX2xUqOh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, Ir1kGbTicf0UUXiQMy.cs	High entropy of concatenated method names: 'J2rW79ixaJ', 'F94Wc1DuNd', 'i9drD4KYWW', 'IqCrEaIABk', 'tuOWUvgdOk', 'qtTW5jFOBu', 'hADW9riuiG', 'MEPW1LqgZQ', 'r9QWkfowna', 'BeXW8JkdyZ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, DGFItyE8JVDxUwV3ep.cs	High entropy of concatenated method names: 'BvWCS6uR5', 'jCWM0RBXC', 'oBFoJU41j', 'ndAvKKt97', 'SZATpCqoH', 'DsetsVWln', 'qEqcKvp75lTGYTtKiV', 'PB4R4MgRbxbJbWLtc6', 'PwQrKgrfK', 'fx1nQGiD1'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, iIjX2YPPkaL15b1JJTX.cs	High entropy of concatenated method names: 'ToString', 'PQOnmiOryd', 'qJ1nifmsCO', 'v3lneeipGA', 'JOhnNqHMdV', 'wVdnB3IVaB', 'rBWn0pO63u', 'Q3PnFwxAGs', 'QKcgjWiysxsANj55xrB', 'MZKU6IipCsJbuf8I6YW'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, uonbnmLG0MiFhH5EdT.cs	High entropy of concatenated method names: 'ijudEYmRdg', 'ns9dmAyOn3', 'L0Gdiyh8T7', 'rOodNwDI8V', 'rhtdBYAvMN', 'rpedFVKfBH', 'u8wdKMcq9o', 'g6jrXsw9WC', 'k3Pr7GdSIN', 'kqIrjCFbaK'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, XuqtffC1mjMy4V4QNS.cs	High entropy of concatenated method names: 'G1SWf8KLlr', 'nLrWZml4Iw', 'ToString', 'wKiWNyO6UK', 'U6GWB5LQFU', 'Og0W0FIgbi', 'QYyWFr3ukK', 'HJVWKpjj9H', 'fdbWxElkl9', 'pobWhruA64'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, ym5hm3Pbv9EBhKIXh85.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pobn1bsLNG', 'SKonkEu9Dl', 'OOIn8VKfcW', 'eDLn6dMKCv', 'De9nOK0rJy', 'gy3nqiHe3A', 'njVnX5OULX'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, OpHZEfAsiWMwvLMccU.cs	High entropy of concatenated method names: 'ToString', 'By82UingMr', 'sTa24pxnws', 'K692s8VmXn', 'Uah2bwsDnL', 'Bsy2AIjN22', 'BvZ2YBXPnO', 'XNx2HZEr5F', 'baP2IZuLwE', 'U2K2peKvMT'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	High entropy of concatenated method names: 'wo8B199eAO', 'DmMBkwggyg', 'iwtB8Txkyb', 'CTiB6iXjxP', 'FsaBO14qLV', 'tyABqML2xB', 'HyHBXBTIqU', 'dx4B7fMkC2', 'uOVBjIXp1O', 'MpTBcWHlt8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, JQ6Bl2FiGQCC0cdEjA.cs	High entropy of concatenated method names: 'OTNr3SsWpu', 'riBr4NEB27', 'Rpjrs1xTsr', 'YiyrbpTiit', 'YG3r1J1b7V', 'XX8rAhGUsx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, jWpHGA0DfRyfU60dN8.cs	High entropy of concatenated method names: 'TQKExR61of', 'UiDEhsSH7N', 'dE0Efp2yDf', 'wqSEZtGgYF', 'IrYEQufbOE', 'nWbE2trLGT', 'DRhmoWYLOl5b3fSgjC', 'qcpadr9nGje6RTeBJW', 'oWVEEEAP11', 'clyEmn3oLm'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, KoVNS2QPr0D8xYKS6t.cs	High entropy of concatenated method names: 'APN0MFD4Jo', 'w0i0oYUAl5', 'NL50l6Vdqb', 'eSB0TNtY24', 'uE70QyCxmt', 'Iim021tc0W', 'uvq0W4Nv7F', 'f410rtxWdO', 's5h0doIO0m', 'iyr0nPXyG7'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, OaibpBK1bvahCIVHhB.cs	High entropy of concatenated method names: 'hKRKe2pYbc', 'bxfKBhByKQ', 'a01KFWnrTu', 'B9pKxNhKh6', 'bpAKh0DBXd', 'UQtFOs3M0n', 'ChPFq8XnWP', 'VHTFXQZvrA', 'wwXF7N1hEP', 'FK3Fj1mjnY'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, SfjqglIIaYp2yKY8rg.cs	High entropy of concatenated method names: 'um2xLTZvZJ', 'V8SxaetNWR', 'x78xCDvf2a', 'qJkxM45IGA', 'FLNxJQo5Z7', 'ixrxoN6eO5', 'luGxvbxxsR', 'cMMxl6SjXN', 'TEYxTYxbsy', 'Kq1xtMVTGh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, vP7EpM1GqhThhI2umb.cs	High entropy of concatenated method names: 'jAJrNZ3NqI', 'XGTrBrNXcs', 'vvir0eFfqj', 'GofrFK5Eaw', 'I69rK0vTN0', 'PW5rx6WoXQ', 'jD1rhtLgvp', 'v4prS9R4Md', 'KeArf6h9Fg', 'HBorZI56dE'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, X0nIyHPWpr2jFPUHUZ0.cs	High entropy of concatenated method names: 'crVdL9Hi66', 'm4gdayKRUt', 'KDPdC0PiN6', 'aENdMZZnHL', 'dg3dJX4PDS', 'nsddoRuDba', 'onodvaLUtL', 'ULGdla9pRV', 'tCVdT0J4qL', 'J8cdt7ZVjH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, l3eqVArlDZPW5WaULi.cs	High entropy of concatenated method names: 'svAglVqdoi', 'LB2gT3HGhC', 'mugg35R1CQ', 'gkag4o91ip', 'Dragb8FYCa', 'Jj0gAv6Z5k', 'z33gHEcPfy', 'mkrgIF5XeS', 'BRugwPbKRq', 'Nn6gUHk4va'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, Nl9pgWNbVilv1BBdx0.cs	High entropy of concatenated method names: 'cO2FJVpT4N', 'bwQFvsUpcU', 'Jb20sBnFPf', 'GHV0bo5Kkl', 'WyK0Ah2MII', 'EFX0YtQmFc', 'OP20HKRjyc', 'njZ0I4xPyA', 'xJA0psSloF', 'Tdb0wkrKwH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, bfXI8LBDuwM5MDXjHi.cs	High entropy of concatenated method names: 'VH9K8pXRx0', 'xLfK65KEX1', 'IwIKOHsTI3', 'ToString', 'XYVKqCmuyk', 'inpKXvMQBi', 'VcqeJtvmNKESuE3746V', 'rqiwHZvU0c39QLCECri', 'jg2HZwvKJNExp516xKk', 'HqwG7DveKgxDRVqW9FP'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, sl7bPKUPIshOXOM697.cs	High entropy of concatenated method names: 'Dispose', 'HF3EjKo7wC', 'luGR4o6OFN', 'tuUGGeuyEq', 'oFVEcqoqsq', 'jNCEzQrX2s', 'ProcessDialogKey', 'hlrRDYcl1J', 'qLJREHkuU2', 'jMeRRgbHhJ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs	High entropy of concatenated method names: 'fOmmeZrPYu', 'QEZmNneaEp', 'kHKmBgyJfG', 'Kq9m0bNbUq', 'YdYmF8oYWp', 'yf9mKJtp73', 'KLAmxtOpUV', 'E0cmh6FywU', 'r26mS0RXSy', 'oUymfT8PJ8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, xcnE113lWKEtGGOGjl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'prgRj842Jb', 'J6nRcHd7C6', 'SDtRzUkXdW', 'Bb5mDH22PD', 'iT2mEJAANN', 'opNmRs2V5M', 'K2Omm7yVOb', 's95ZcfciLCKKX2xUqOh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, Ir1kGbTicf0UUXiQMy.cs	High entropy of concatenated method names: 'J2rW79ixaJ', 'F94Wc1DuNd', 'i9drD4KYWW', 'IqCrEaIABk', 'tuOWUvgdOk', 'qtTW5jFOBu', 'hADW9riuiG', 'MEPW1LqgZQ', 'r9QWkfowna', 'BeXW8JkdyZ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, DGFItyE8JVDxUwV3ep.cs	High entropy of concatenated method names: 'BvWCS6uR5', 'jCWM0RBXC', 'oBFoJU41j', 'ndAvKKt97', 'SZATpCqoH', 'DsetsVWln', 'qEqcKvp75lTGYTtKiV', 'PB4R4MgRbxbJbWLtc6', 'PwQrKgrfK', 'fx1nQGiD1'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, iIjX2YPPkaL15b1JJTX.cs	High entropy of concatenated method names: 'ToString', 'PQOnmiOryd', 'qJ1nifmsCO', 'v3lneeipGA', 'JOhnNqHMdV', 'wVdnB3IVaB', 'rBWn0pO63u', 'Q3PnFwxAGs', 'QKcgjWiysxsANj55xrB', 'MZKU6IipCsJbuf8I6YW'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, uonbnmLG0MiFhH5EdT.cs	High entropy of concatenated method names: 'ijudEYmRdg', 'ns9dmAyOn3', 'L0Gdiyh8T7', 'rOodNwDI8V', 'rhtdBYAvMN', 'rpedFVKfBH', 'u8wdKMcq9o', 'g6jrXsw9WC', 'k3Pr7GdSIN', 'kqIrjCFbaK'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, XuqtffC1mjMy4V4QNS.cs	High entropy of concatenated method names: 'G1SWf8KLlr', 'nLrWZml4Iw', 'ToString', 'wKiWNyO6UK', 'U6GWB5LQFU', 'Og0W0FIgbi', 'QYyWFr3ukK', 'HJVWKpjj9H', 'fdbWxElkl9', 'pobWhruA64'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, ym5hm3Pbv9EBhKIXh85.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pobn1bsLNG', 'SKonkEu9Dl', 'OOIn8VKfcW', 'eDLn6dMKCv', 'De9nOK0rJy', 'gy3nqiHe3A', 'njVnX5OULX'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, OpHZEfAsiWMwvLMccU.cs	High entropy of concatenated method names: 'ToString', 'By82UingMr', 'sTa24pxnws', 'K692s8VmXn', 'Uah2bwsDnL', 'Bsy2AIjN22', 'BvZ2YBXPnO', 'XNx2HZEr5F', 'baP2IZuLwE', 'U2K2peKvMT'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, UBZDfSvn1N5VCoRKKR.cs	High entropy of concatenated method names: 'wo8B199eAO', 'DmMBkwggyg', 'iwtB8Txkyb', 'CTiB6iXjxP', 'FsaBO14qLV', 'tyABqML2xB', 'HyHBXBTIqU', 'dx4B7fMkC2', 'uOVBjIXp1O', 'MpTBcWHlt8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, JQ6Bl2FiGQCC0cdEjA.cs	High entropy of concatenated method names: 'OTNr3SsWpu', 'riBr4NEB27', 'Rpjrs1xTsr', 'YiyrbpTiit', 'YG3r1J1b7V', 'XX8rAhGUsx', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	File created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp"

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tiucdfZoOi.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7688, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 7990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 8990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 8B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 9B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: A0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: B0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: C0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 7200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 8200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 83A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 93A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 9900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 7200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 2F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3190000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 7AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 9C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: A320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: B320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: C320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 29E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 1660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 3100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 5100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 7D00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8D00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 8EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 9EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: A3F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: B3F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: C3F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 16C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 33C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 53C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8120	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1531	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Window / User API: threadDelayed 1518	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Window / User API: threadDelayed 2063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Window / User API: threadDelayed 521
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Window / User API: threadDelayed 2668
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 1076
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 2109
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 416
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Window / User API: threadDelayed 2370

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 6956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7300	Thread sleep count: 1518 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -99873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7300	Thread sleep count: 2063 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -99764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -99655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98666s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98325s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7648	Thread sleep count: 521 > 30
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99873s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7648	Thread sleep count: 2668 > 30
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -98544s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7708	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8060	Thread sleep count: 1076 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -99871s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8060	Thread sleep count: 2109 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -98999s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -98670s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -98545s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -98418s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052	Thread sleep time: -98312s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7108	Thread sleep count: 416 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7108	Thread sleep count: 2370 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -99516s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 99873	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 99655	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98997	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98666	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98325	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99873
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 98671
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 98544
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99871
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98999
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98670
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98545
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98418
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98312
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99516
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98719
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477

Source: boqXv.exe, 00000010.00000002.2113005667.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllatform Interface
Source: boqXv.exe.6.dr	Binary or memory string: 5VMCi
Source: boqXv.exe, 0000000C.00000002.2059048401.000000000A220000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: boqXv.exe, 00000016.00000002.3100539202.00000000017B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: boqXv.exe, 0000000C.00000002.2059048401.000000000A220000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SAs
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000006.00000002.3098512051.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, tiucdfZoOi.exe, 0000000B.00000002.3153521405.00000000063A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Memory written: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Process created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp97D8.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmpB88F.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3103520162.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3107557708.0000000003412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2116074967.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3107567072.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tiucdfZoOi.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tiucdfZoOi.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7100, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tiucdfZoOi.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tiucdfZoOi.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7100, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3103520162.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3107557708.0000000003412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2116074967.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3107567072.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tiucdfZoOi.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tiucdfZoOi.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: boqXv.exe PID: 7100, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.PWSX-gen.32561.14552.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
SecuriteInfo.com.PWSX-gen.32561.14552.exe	38%	Virustotal		Browse
SecuriteInfo.com.PWSX-gen.32561.14552.exe	100%	Avira	HEUR/AGEN.1308640
SecuriteInfo.com.PWSX-gen.32561.14552.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	100%	Avira	HEUR/AGEN.1308640
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	100%	Avira	HEUR/AGEN.1308640
C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	38%	Virustotal		Browse
C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.Barys
C:\Users\user\AppData\Roaming\tiucdfZoOi.exe	38%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.clslk.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://mail.clslk.com	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.clslk.com	50.87.253.239	true	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.clslk.com	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648	SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.dyn.com/	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, boqXv.exe, 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009	SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr	false		high
http://xml.weather.yahoo.com/ns/rss/1.0	SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://weather.yahooapis.com/forecastrss?w=4118	SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr	false		high
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893332055.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 00000008.00000002.1937145335.0000000002729000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000C.00000002.2051696888.0000000003448000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000013.00000002.2134532225.00000000033B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897743761.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.253.239	mail.clslk.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427764
Start date and time:	2024-04-18 06:24:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.PWSX-gen.32561.14552.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@28/16@1/1
EGA Information:	Successful, ratio: 87.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 419 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target boqXv.exe, PID 7100 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:25:17	Task Scheduler	Run new task: tiucdfZoOi path: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe
05:25:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
05:25:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
06:25:13	API Interceptor	19x Sleep call for process: SecuriteInfo.com.PWSX-gen.32561.14552.exe modified
06:25:16	API Interceptor	15x Sleep call for process: powershell.exe modified
06:25:18	API Interceptor	17x Sleep call for process: tiucdfZoOi.exe modified
06:25:29	API Interceptor	32x Sleep call for process: boqXv.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
50.87.253.239	2UHM2qaBWc.exe	Get hash	malicious	FormBook	Browse	www.nzhorrorfan.com/g22y/?7nr=UlSpjty&DVo=duzldioexDDlB4DMbPZnZ3oFioc8ODg8sXLpFdRenDAB6KcB0Wl7OltmwVmSQUiOOLKB
	SD 1476187 85250296 MV ORIENT GLORY.xlsx	Get hash	malicious	FormBook	Browse	www.180cliniconline.com/aky/?pL08=Cv0e5xcycHu/jj9c+Bm6TZuJ2sSpc7+qQNv7jFIv1TirEUN5Q8TsPaCd/DQVlMEaxK1KhA==&PJ=zXd8_XtXO
	yaQjVEGNEb.exe	Get hash	malicious	FormBook	Browse	www.180cliniconline.com/aky/?3fcl7=Cv0e5xc3cAu7jzxQ8Bm6TZuJ2sSpc7+qQN3r/GUuxziqElh/XsCgZe6f8m8p+swp+Lg6&9r4LE=B8xX4PgPJ2gdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.clslk.com	DN.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	SecuriteInfo.com.Win32.TrojanX-gen.32302.18886.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	SecuriteInfo.com.Trojan.MulDropNET.68.28054.3825.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	Consignment 5059367692.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	DHL - 1ST PAYMENT REMINDER - 1003671162.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	5059367692.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	5059367692.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.253.239
	SecuriteInfo.com.Heur.21175.21812.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	consignment.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.253.239
	DHL_AWB#203875102901.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe	Get hash	malicious	AgentTesla	Browse	192.185.35.67
	SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exe	Get hash	malicious	AgentTesla	Browse	50.87.219.149
	invoice & packing list.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	Draft Sales contract.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30
	Bank slip.exe	Get hash	malicious	AgentTesla	Browse	50.87.219.149
	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FQuantexa/IpoXF42991IpoXF42991IpoXF/bWFzc2ltb2JvcnJlbGxpQHF1YW50ZXhhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	192.185.104.70
	QUOTATION-#170424.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.136
	PURCHASE ORDER LISTS GREEN VALLY CORP.bat	Get hash	malicious	GuLoader	Browse	173.254.31.34
	draft bl_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	signed documents and BOL.exe	Get hash	malicious	AgentTesla	Browse	162.241.123.30

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tiucdfZoOi.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\tiucdfZoOi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3785452578096224
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	4897D2475B73213149111181CA8EE5D7
SHA1:	19EBC1EFEC16445ABB8A15B27EB3F7E3A5DA1648
SHA-256:	3376C9D4B3535663BD7F30F1BA697174D0E5F87A243312105E330AE5E8597CD9
SHA-512:	FD1C1AAF6E9F88F3D75CD11716354A1E73AB13DB7DDC50E3C294F36D8066E096F8F0A3F9C6D06EEA894CA46318642529F41BC3C3A220DC3CF4C6ADC52B4B5230
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ig3bnmw.fcy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1k2zn34i.jdo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_roccajcr.unl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_unusszsa.jub.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.105422186622942
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtarxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTkv
MD5:	51CF49D848CFEB4AA78957A383BCD124
SHA1:	D802B63978B97ECFF214C3FF060C73A9D5B5441C
SHA-256:	A84DC22BAA54820D66331390340C75A70B8FC27459CE610085ED1138C283E597
SHA-512:	A218F8ACF65E0603ECF459523799CD2FF1D85BA6F7B840B7835026AACACDCECF4317CD99D5F3181599C1E86B235ECD4467C30EE294F743CC7C77A74DF5821F99
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp6B88.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\tiucdfZoOi.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.105422186622942
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtarxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTkv
MD5:	51CF49D848CFEB4AA78957A383BCD124
SHA1:	D802B63978B97ECFF214C3FF060C73A9D5B5441C
SHA-256:	A84DC22BAA54820D66331390340C75A70B8FC27459CE610085ED1138C283E597
SHA-512:	A218F8ACF65E0603ECF459523799CD2FF1D85BA6F7B840B7835026AACACDCECF4317CD99D5F3181599C1E86B235ECD4467C30EE294F743CC7C77A74DF5821F99
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp97D8.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.105422186622942
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtarxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTkv
MD5:	51CF49D848CFEB4AA78957A383BCD124
SHA1:	D802B63978B97ECFF214C3FF060C73A9D5B5441C
SHA-256:	A84DC22BAA54820D66331390340C75A70B8FC27459CE610085ED1138C283E597
SHA-512:	A218F8ACF65E0603ECF459523799CD2FF1D85BA6F7B840B7835026AACACDCECF4317CD99D5F3181599C1E86B235ECD4467C30EE294F743CC7C77A74DF5821F99
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpB88F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.105422186622942
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtarxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTkv
MD5:	51CF49D848CFEB4AA78957A383BCD124
SHA1:	D802B63978B97ECFF214C3FF060C73A9D5B5441C
SHA-256:	A84DC22BAA54820D66331390340C75A70B8FC27459CE610085ED1138C283E597
SHA-512:	A218F8ACF65E0603ECF459523799CD2FF1D85BA6F7B840B7835026AACACDCECF4317CD99D5F3181599C1E86B235ECD4467C30EE294F743CC7C77A74DF5821F99
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	897024
Entropy (8bit):	7.532209462117228
Encrypted:	false
SSDEEP:	12288:hWK/pbMHRwwAFD3XhWLBuFdTu9LcIfwC2ybQ+er3eTdmL7Dk69QlY+GauXxD1GI9:hWiMHgLOILTuCITKORCnIlSaYxR
MD5:	8AE8E59F0DF6887A86D8AC303D004095
SHA1:	9CD99884369ADFD6BB5D9F3426C91B25F4979281
SHA-256:	30E181E98CB75E4324746FD2D27FCC9987A51DFD0182B45EAB54781DF26C1D33
SHA-512:	3D84661139FC7C474CF338857E0571CA4321BFC00B0FD091B307D96FB85ABD1F6B945F995EEB42AB25BE58E2E2D45A3CE52E6AF217B102021FB73C670D5E267B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 38%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{ f..............0..`...@.......}... ........@.. ....................................@..................................\|..O........)........................................................................... ............... ..H............text...4]... ...`.................. ..`.rsrc....).......0...p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\tiucdfZoOi.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	897024
Entropy (8bit):	7.532209462117228
Encrypted:	false
SSDEEP:	12288:hWK/pbMHRwwAFD3XhWLBuFdTu9LcIfwC2ybQ+er3eTdmL7Dk69QlY+GauXxD1GI9:hWiMHgLOILTuCITKORCnIlSaYxR
MD5:	8AE8E59F0DF6887A86D8AC303D004095
SHA1:	9CD99884369ADFD6BB5D9F3426C91B25F4979281
SHA-256:	30E181E98CB75E4324746FD2D27FCC9987A51DFD0182B45EAB54781DF26C1D33
SHA-512:	3D84661139FC7C474CF338857E0571CA4321BFC00B0FD091B307D96FB85ABD1F6B945F995EEB42AB25BE58E2E2D45A3CE52E6AF217B102021FB73C670D5E267B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 38%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{ f..............0..`...@.......}... ........@.. ....................................@..................................\|..O........)........................................................................... ............... ..H............text...4]... ...`.................. ..`.rsrc....).......0...p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tiucdfZoOi.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.532209462117228
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.PWSX-gen.32561.14552.exe
File size:	897'024 bytes
MD5:	8ae8e59f0df6887a86d8ac303d004095
SHA1:	9cd99884369adfd6bb5d9f3426c91b25f4979281
SHA256:	30e181e98cb75e4324746fd2d27fcc9987a51dfd0182b45eab54781df26c1d33
SHA512:	3d84661139fc7c474cf338857e0571ca4321bfc00b0fd091b307d96fb85abd1f6b945f995eeb42ab25be58e2e2d45a3ce52e6af217b102021fb73c670d5e267b
SSDEEP:	12288:hWK/pbMHRwwAFD3XhWLBuFdTu9LcIfwC2ybQ+er3eTdmL7Dk69QlY+GauXxD1GI9:hWiMHgLOILTuCITKORCnIlSaYxR
TLSH:	DD15025276C14B17D4384FF981B242982376BCA76163DB8F6F8072DD18767804E8BA7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{ f..............0..`...@.......}... ........@.. ....................................@................................

File Icon


Icon Hash:	4f49230323237d17

Static PE Info

General

Entrypoint:	0x4b7d2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66207BD2 [Thu Apr 18 01:48:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7cdc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x22908	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb5d34	0xb6000	a3e68ab28ec71295d378c50922e13483	False	0.9434693724244505	data	7.94386929990432	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x22908	0x23000	76788012475ee2dc1e8f440c00aac6bd	False	0.271435546875	data	4.09533713506459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x1000	cb625e758e305785780174b914dc9674	False	0.009033203125	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb8238	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.4973404255319149
RT_ICON	0xb86a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.48811475409836064
RT_ICON	0xb9028	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.42847091932457787
RT_ICON	0xba0d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.3561203319502075
RT_ICON	0xbc678	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.32185876239962213
RT_ICON	0xc08a0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	0.2682888375026277
RT_ICON	0xc9d48	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.23581864426830712
RT_GROUP_ICON	0xda570	0x68	data	0.7307692307692307
RT_GROUP_ICON	0xda5d8	0x14	data	1.05
RT_VERSION	0xda5ec	0x31c	data	0.4510050251256281

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/18/24-06:25:43.708857	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49743	587	192.168.2.4	50.87.253.239
04/18/24-06:25:35.407459	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49740	587	192.168.2.4	50.87.253.239
04/18/24-06:25:35.407459	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49740	587	192.168.2.4	50.87.253.239
04/18/24-06:25:24.532684	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49736	587	192.168.2.4	50.87.253.239
04/18/24-06:25:24.532587	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49736	587	192.168.2.4	50.87.253.239
04/18/24-06:25:24.532684	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49736	587	192.168.2.4	50.87.253.239
04/18/24-06:25:20.348141	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49733	587	192.168.2.4	50.87.253.239
04/18/24-06:25:20.348141	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49733	587	192.168.2.4	50.87.253.239
04/18/24-06:25:43.708939	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49743	587	192.168.2.4	50.87.253.239
04/18/24-06:25:20.348027	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49733	587	192.168.2.4	50.87.253.239
04/18/24-06:25:35.407401	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49740	587	192.168.2.4	50.87.253.239
04/18/24-06:25:43.708857	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49743	587	192.168.2.4	50.87.253.239
04/18/24-06:25:24.532684	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49736	587	192.168.2.4	50.87.253.239
04/18/24-06:25:24.532684	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49736	587	192.168.2.4	50.87.253.239
04/18/24-06:25:35.407459	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49740	587	192.168.2.4	50.87.253.239
04/18/24-06:25:35.407459	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49740	587	192.168.2.4	50.87.253.239
04/18/24-06:25:43.708939	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49743	587	192.168.2.4	50.87.253.239
04/18/24-06:25:20.348027	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49733	587	192.168.2.4	50.87.253.239
04/18/24-06:25:35.407401	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49740	587	192.168.2.4	50.87.253.239
04/18/24-06:25:20.348141	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49733	587	192.168.2.4	50.87.253.239
04/18/24-06:25:24.532587	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49736	587	192.168.2.4	50.87.253.239
04/18/24-06:25:20.348141	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49733	587	192.168.2.4	50.87.253.239
04/18/24-06:25:43.708939	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49743	587	192.168.2.4	50.87.253.239
04/18/24-06:25:43.708939	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49743	587	192.168.2.4	50.87.253.239

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 06:25:18.758374929 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:18.911547899 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:18.911627054 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:19.256635904 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:19.258940935 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:19.412864923 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:19.413676977 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:19.567620993 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:19.571614981 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:19.765373945 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:19.816417933 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:19.817184925 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:19.970247984 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:19.970514059 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:19.970830917 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:20.164454937 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:20.193850040 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:20.194011927 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:20.347044945 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:20.347404003 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:20.348026991 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:20.348140955 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:20.348196030 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:20.348196030 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:20.501240015 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:20.501400948 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:20.503160954 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:20.556483984 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:23.022427082 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:23.175767899 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:23.175925016 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:23.541575909 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:23.541841030 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:23.695462942 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:23.695791006 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:23.849546909 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:23.849889994 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:24.004735947 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.004998922 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:24.158622980 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.158828974 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:24.354006052 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.378242016 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.378401995 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:24.531955004 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.531969070 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.532587051 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:24.532684088 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:24.532684088 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:24.532849073 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:24.686127901 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.686142921 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.687370062 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:24.728542089 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:33.902781963 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:34.056080103 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:34.056183100 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:34.419581890 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:34.419832945 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:34.573415995 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:34.573806047 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:34.727725029 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:34.729830980 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:34.885180950 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:34.885385036 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:35.038809061 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:35.039006948 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:35.232868910 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:35.252760887 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:35.253078938 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:35.406434059 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:35.406774044 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:35.407401085 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:35.407459021 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:35.407474995 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:35.407499075 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:35.561624050 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:35.564552069 CEST	587	49740	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:35.634598017 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:42.344213963 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:42.497112036 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:42.497215033 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:42.723316908 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:42.724714041 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:42.878333092 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:42.878659964 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:42.974885941 CEST	49740	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.032186985 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.032455921 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.187619925 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.188024998 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.341844082 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.342206001 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.537354946 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.554310083 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.554497004 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.707668066 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.708151102 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.708857059 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.708939075 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.708972931 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.708972931 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:25:43.861717939 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.862006903 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.863547087 CEST	587	49743	50.87.253.239	192.168.2.4
Apr 18, 2024 06:25:43.915860891 CEST	49743	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:26:58.846204042 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:26:59.040457964 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:26:59.201999903 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:26:59.202166080 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:26:59.202250004 CEST	49733	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:26:59.355370998 CEST	587	49733	50.87.253.239	192.168.2.4
Apr 18, 2024 06:27:03.026768923 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:27:03.221751928 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:27:03.381427050 CEST	587	49736	50.87.253.239	192.168.2.4
Apr 18, 2024 06:27:03.381587029 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:27:03.381839037 CEST	49736	587	192.168.2.4	50.87.253.239
Apr 18, 2024 06:27:03.535073996 CEST	587	49736	50.87.253.239	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 06:25:18.621309042 CEST	60169	53	192.168.2.4	1.1.1.1
Apr 18, 2024 06:25:18.749891043 CEST	53	60169	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 06:25:18.621309042 CEST	192.168.2.4	1.1.1.1	0xaa06	Standard query (0)	mail.clslk.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 06:25:18.749891043 CEST	1.1.1.1	192.168.2.4	0xaa06	No error (0)	mail.clslk.com		50.87.253.239	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 18, 2024 06:25:19.256635904 CEST	587	49733	50.87.253.239	192.168.2.4	220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 22:25:19 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 06:25:19.258940935 CEST	49733	587	192.168.2.4	50.87.253.239	EHLO 179605
Apr 18, 2024 06:25:19.412864923 CEST	587	49733	50.87.253.239	192.168.2.4	250-box2224.bluehost.com Hello 179605 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 06:25:19.413676977 CEST	49733	587	192.168.2.4	50.87.253.239	AUTH login Z21AY2xzbGsuY29t
Apr 18, 2024 06:25:19.567620993 CEST	587	49733	50.87.253.239	192.168.2.4	334 UGFzc3dvcmQ6
Apr 18, 2024 06:25:19.816417933 CEST	587	49733	50.87.253.239	192.168.2.4	235 Authentication succeeded
Apr 18, 2024 06:25:19.817184925 CEST	49733	587	192.168.2.4	50.87.253.239	MAIL FROM:<gm@clslk.com>
Apr 18, 2024 06:25:19.970514059 CEST	587	49733	50.87.253.239	192.168.2.4	250 OK
Apr 18, 2024 06:25:19.970830917 CEST	49733	587	192.168.2.4	50.87.253.239	RCPT TO:<devendra@syncro-group.xyz>
Apr 18, 2024 06:25:20.193850040 CEST	587	49733	50.87.253.239	192.168.2.4	250 Accepted
Apr 18, 2024 06:25:20.194011927 CEST	49733	587	192.168.2.4	50.87.253.239	DATA
Apr 18, 2024 06:25:20.347404003 CEST	587	49733	50.87.253.239	192.168.2.4	354 Enter message, ending with "." on a line by itself
Apr 18, 2024 06:25:20.348196030 CEST	49733	587	192.168.2.4	50.87.253.239	.
Apr 18, 2024 06:25:20.503160954 CEST	587	49733	50.87.253.239	192.168.2.4	250 OK id=1rxJKq-002eDC-0r
Apr 18, 2024 06:25:23.541575909 CEST	587	49736	50.87.253.239	192.168.2.4	220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 22:25:23 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 06:25:23.541841030 CEST	49736	587	192.168.2.4	50.87.253.239	EHLO 179605
Apr 18, 2024 06:25:23.695462942 CEST	587	49736	50.87.253.239	192.168.2.4	250-box2224.bluehost.com Hello 179605 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 06:25:23.695791006 CEST	49736	587	192.168.2.4	50.87.253.239	AUTH login Z21AY2xzbGsuY29t
Apr 18, 2024 06:25:23.849546909 CEST	587	49736	50.87.253.239	192.168.2.4	334 UGFzc3dvcmQ6
Apr 18, 2024 06:25:24.004735947 CEST	587	49736	50.87.253.239	192.168.2.4	235 Authentication succeeded
Apr 18, 2024 06:25:24.004998922 CEST	49736	587	192.168.2.4	50.87.253.239	MAIL FROM:<gm@clslk.com>
Apr 18, 2024 06:25:24.158622980 CEST	587	49736	50.87.253.239	192.168.2.4	250 OK
Apr 18, 2024 06:25:24.158828974 CEST	49736	587	192.168.2.4	50.87.253.239	RCPT TO:<devendra@syncro-group.xyz>
Apr 18, 2024 06:25:24.378242016 CEST	587	49736	50.87.253.239	192.168.2.4	250 Accepted
Apr 18, 2024 06:25:24.378401995 CEST	49736	587	192.168.2.4	50.87.253.239	DATA
Apr 18, 2024 06:25:24.531969070 CEST	587	49736	50.87.253.239	192.168.2.4	354 Enter message, ending with "." on a line by itself
Apr 18, 2024 06:25:24.532849073 CEST	49736	587	192.168.2.4	50.87.253.239	.
Apr 18, 2024 06:25:24.687370062 CEST	587	49736	50.87.253.239	192.168.2.4	250 OK id=1rxJKu-002eFK-1R
Apr 18, 2024 06:25:34.419581890 CEST	587	49740	50.87.253.239	192.168.2.4	220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 22:25:34 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 06:25:34.419832945 CEST	49740	587	192.168.2.4	50.87.253.239	EHLO 179605
Apr 18, 2024 06:25:34.573415995 CEST	587	49740	50.87.253.239	192.168.2.4	250-box2224.bluehost.com Hello 179605 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 06:25:34.573806047 CEST	49740	587	192.168.2.4	50.87.253.239	AUTH login Z21AY2xzbGsuY29t
Apr 18, 2024 06:25:34.727725029 CEST	587	49740	50.87.253.239	192.168.2.4	334 UGFzc3dvcmQ6
Apr 18, 2024 06:25:34.885180950 CEST	587	49740	50.87.253.239	192.168.2.4	235 Authentication succeeded
Apr 18, 2024 06:25:34.885385036 CEST	49740	587	192.168.2.4	50.87.253.239	MAIL FROM:<gm@clslk.com>
Apr 18, 2024 06:25:35.038809061 CEST	587	49740	50.87.253.239	192.168.2.4	250 OK
Apr 18, 2024 06:25:35.039006948 CEST	49740	587	192.168.2.4	50.87.253.239	RCPT TO:<devendra@syncro-group.xyz>
Apr 18, 2024 06:25:35.252760887 CEST	587	49740	50.87.253.239	192.168.2.4	250 Accepted
Apr 18, 2024 06:25:35.253078938 CEST	49740	587	192.168.2.4	50.87.253.239	DATA
Apr 18, 2024 06:25:35.406774044 CEST	587	49740	50.87.253.239	192.168.2.4	354 Enter message, ending with "." on a line by itself
Apr 18, 2024 06:25:35.407499075 CEST	49740	587	192.168.2.4	50.87.253.239	.
Apr 18, 2024 06:25:35.564552069 CEST	587	49740	50.87.253.239	192.168.2.4	250 OK id=1rxJL5-002eQu-12
Apr 18, 2024 06:25:42.723316908 CEST	587	49743	50.87.253.239	192.168.2.4	220-box2224.bluehost.com ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 22:25:42 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 06:25:42.724714041 CEST	49743	587	192.168.2.4	50.87.253.239	EHLO 179605
Apr 18, 2024 06:25:42.878333092 CEST	587	49743	50.87.253.239	192.168.2.4	250-box2224.bluehost.com Hello 179605 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 06:25:42.878659964 CEST	49743	587	192.168.2.4	50.87.253.239	AUTH login Z21AY2xzbGsuY29t
Apr 18, 2024 06:25:43.032186985 CEST	587	49743	50.87.253.239	192.168.2.4	334 UGFzc3dvcmQ6
Apr 18, 2024 06:25:43.187619925 CEST	587	49743	50.87.253.239	192.168.2.4	235 Authentication succeeded
Apr 18, 2024 06:25:43.188024998 CEST	49743	587	192.168.2.4	50.87.253.239	MAIL FROM:<gm@clslk.com>
Apr 18, 2024 06:25:43.341844082 CEST	587	49743	50.87.253.239	192.168.2.4	250 OK
Apr 18, 2024 06:25:43.342206001 CEST	49743	587	192.168.2.4	50.87.253.239	RCPT TO:<devendra@syncro-group.xyz>
Apr 18, 2024 06:25:43.554310083 CEST	587	49743	50.87.253.239	192.168.2.4	250 Accepted
Apr 18, 2024 06:25:43.554497004 CEST	49743	587	192.168.2.4	50.87.253.239	DATA
Apr 18, 2024 06:25:43.708151102 CEST	587	49743	50.87.253.239	192.168.2.4	354 Enter message, ending with "." on a line by itself
Apr 18, 2024 06:25:43.708972931 CEST	49743	587	192.168.2.4	50.87.253.239	.
Apr 18, 2024 06:25:43.863547087 CEST	587	49743	50.87.253.239	192.168.2.4	250 OK id=1rxJLD-002eYB-21
Apr 18, 2024 06:26:58.846204042 CEST	49733	587	192.168.2.4	50.87.253.239	QUIT
Apr 18, 2024 06:26:59.201999903 CEST	587	49733	50.87.253.239	192.168.2.4	221 box2224.bluehost.com closing connection
Apr 18, 2024 06:27:03.026768923 CEST	49736	587	192.168.2.4	50.87.253.239	QUIT
Apr 18, 2024 06:27:03.381427050 CEST	587	49736	50.87.253.239	192.168.2.4	221 box2224.bluehost.com closing connection

Target ID:	0
Start time:	06:25:12
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe"
Imagebase:	0x410000
File size:	897'024 bytes
MD5 hash:	8AE8E59F0DF6887A86D8AC303D004095
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:25:15
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"
Imagebase:	0xd30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:25:15
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:25:15
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp"
Imagebase:	0x730000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:25:15
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:25:16
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe"
Imagebase:	0x850000
File size:	897'024 bytes
MD5 hash:	8AE8E59F0DF6887A86D8AC303D004095
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3103520162.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	06:25:17
Start date:	18/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:25:17
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\tiucdfZoOi.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\tiucdfZoOi.exe
Imagebase:	0x260000
File size:	897'024 bytes
MD5 hash:	8AE8E59F0DF6887A86D8AC303D004095
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs Detection: 38%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:25:20
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp"
Imagebase:	0x730000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:25:20
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:25:20
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\tiucdfZoOi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"
Imagebase:	0xad0000
File size:	897'024 bytes
MD5 hash:	8AE8E59F0DF6887A86D8AC303D004095
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3107567072.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	06:25:27
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0xcc0000
File size:	897'024 bytes
MD5 hash:	8AE8E59F0DF6887A86D8AC303D004095
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs Detection: 38%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:25:31
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp97D8.tmp"
Imagebase:	0x730000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:25:31
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:25:31
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0x620000
File size:	897'024 bytes
MD5 hash:	8AE8E59F0DF6887A86D8AC303D004095
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2116074967.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:25:37
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0xd60000
File size:	897'024 bytes
MD5 hash:	8AE8E59F0DF6887A86D8AC303D004095
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:25:39
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmpB88F.tmp"
Imagebase:	0x730000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:25:39
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:25:40
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0xf90000
File size:	897'024 bytes
MD5 hash:	8AE8E59F0DF6887A86D8AC303D004095
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.3107557708.0000000003412000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	173
Total number of Limit Nodes:	12

Executed Functions

Function 07261190 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

tIh, xrefs: 07261545

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 1cc7620fd13186291b82d8af1910dd318e9d000bd13055e5f4d02965eec10299
Instruction ID: 836b8c7004a3ec4e3c1b6e195fa6440afa95f83a9b22f728064353dde4bf0e90
Opcode Fuzzy Hash: 1cc7620fd13186291b82d8af1910dd318e9d000bd13055e5f4d02965eec10299
Instruction Fuzzy Hash: A8D14CB0D2521ADFCB08CF99D4898AEFBB2FF4A301B10D516D412AB254D734A992CF94

Uniqueness

Uniqueness Score: -1.00%

Function 072602E0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c9fdbf90066795f3f8f71e3e08e38c92d5d62e2bc8bd363b6d6f014b5a1951
Instruction ID: 2bea058e9f55e9c92bf1b6ab340e52c069357c44117f37d8bbb729516c109c7a
Opcode Fuzzy Hash: f6c9fdbf90066795f3f8f71e3e08e38c92d5d62e2bc8bd363b6d6f014b5a1951
Instruction Fuzzy Hash: 7221E9B1E016188BEB18CFABD9446DEFBF7AFC8310F14C07AD408A6258DB701A95CA50

Uniqueness

Uniqueness Score: -1.00%

Function 074E5738 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ef53ef49d675266ce52093fb4180fbd51dd88e082b53ac9c7d3a041fa82d4c
Instruction ID: 84e012c4d8abde5e5dae70aacf729d9f5a04cbf800f093723f78359c9d808514
Opcode Fuzzy Hash: 44ef53ef49d675266ce52093fb4180fbd51dd88e082b53ac9c7d3a041fa82d4c
Instruction Fuzzy Hash: BFD0ECB496E514DBC7006AA498591F8F6BCAB1721AF0028A6940E96111D67089514F18

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD2C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FFD33E
GetCurrentThread.KERNEL32 ref: 00FFD37B
GetCurrentProcess.KERNEL32 ref: 00FFD3B8
GetCurrentThreadId.KERNEL32 ref: 00FFD411

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4d9798423077750130854178ee2d9365c5aadd78047dfa780448392de82e88c8
Instruction ID: be517a4ca76efa9c7b7f15be7081ae10a004d97d7df536343bfdcda988d7f4ff
Opcode Fuzzy Hash: 4d9798423077750130854178ee2d9365c5aadd78047dfa780448392de82e88c8
Instruction Fuzzy Hash: 555178B09002098FDB14DFAAD548BAEBBF1FF88314F24C019E119A7360DB75A844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 072617D0 Relevance: 2.6, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3H5, xrefs: 0726186E
3H5, xrefs: 07261860

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 3H5$3H5
API String ID: 0-2752242361
Opcode ID: 786605cef80701fe2467f37b98d20bdaa547e096bac1b6dccb2519c8ee3e0883
Instruction ID: e0051e056eeca3eb38ebe57709144b693922783277812feee6d2b69286ec6efc
Opcode Fuzzy Hash: 786605cef80701fe2467f37b98d20bdaa547e096bac1b6dccb2519c8ee3e0883
Instruction Fuzzy Hash: 9C2119B0D2120ADFDB44CFA9D5449AEFBF1FF89300F14C56AD508A7254E730AA95CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074E1A7C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074E1CBE

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5a3c4eab5568229d08af00d83618ee67a31e246371be56d6ee268201cf710f82
Instruction ID: 94938633da3d6b69fc16de771e4026d971f9595479f0a9855039d36d7649fb5a
Opcode Fuzzy Hash: 5a3c4eab5568229d08af00d83618ee67a31e246371be56d6ee268201cf710f82
Instruction Fuzzy Hash: 2CA17DB1D4021DCFDB10CFA8C941BEEBBB6AF48311F1481AAD859A7290DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 074E1A88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074E1CBE

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 55acc159a064cf4c576e8a3403326debb49e7a34ef7a8ae919a3d83cda3c2cbb
Instruction ID: 9d441b345e53ce3905e8ad1c6575c8a9abe067bffa5ad4106f93b43b24147a0b
Opcode Fuzzy Hash: 55acc159a064cf4c576e8a3403326debb49e7a34ef7a8ae919a3d83cda3c2cbb
Instruction Fuzzy Hash: 22915CB1D0021DCFDB10CFA8CD41BEEBBB6AF48311F1485AAD859A7250DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB028 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FFB27E

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3a39e258c970ef1709b191537797da6082eb42a9fecdf9c856b2514aac4eb06e
Instruction ID: e12259804c901ee66fb06a2519a5ca41f7aed7eb657f280168586fcfa58c7042
Opcode Fuzzy Hash: 3a39e258c970ef1709b191537797da6082eb42a9fecdf9c856b2514aac4eb06e
Instruction Fuzzy Hash: 577143B0A00B098FD724DF2AD45576BBBF1FF88310F008A29D19AD7A60DB75E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FF59C9

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d640270c1c42d1b47d09bd0473c29224760b1a8cf000357b3bb07c91395fe3a4
Instruction ID: 2bbad76ffe698c1c629c2a3cd941473312fe70a7f5254ae411f2ae8116e117f3
Opcode Fuzzy Hash: d640270c1c42d1b47d09bd0473c29224760b1a8cf000357b3bb07c91395fe3a4
Instruction Fuzzy Hash: F041F4B0C0071DCFDB24CFA9C98479DBBB5BF48704F24816AD508AB265DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF44C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FF59C9

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6760ec9fb6c0b50f31e0bf050855c6d8599c138b6e3a846dfb464358ff9afa59
Instruction ID: a7763b582fdb46f7751e1f62723abb6fb99b58fd56ee9d1faf232dba01086cdc
Opcode Fuzzy Hash: 6760ec9fb6c0b50f31e0bf050855c6d8599c138b6e3a846dfb464358ff9afa59
Instruction Fuzzy Hash: 6441F2B0C0071DCFDB24CFA9C984B9EBBB5BF48704F20816AD508AB265DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 074E17F8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074E1890

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5c6c28f6271de234909baa2d9ddd09fb000f4b754276213f1a7657b083c2b92a
Instruction ID: 267817fc4021419ab47f5bf16d79786ba7249d0d1ed0a54b8b11a2e2ac49b505
Opcode Fuzzy Hash: 5c6c28f6271de234909baa2d9ddd09fb000f4b754276213f1a7657b083c2b92a
Instruction Fuzzy Hash: FF2135B5D003199FCB10DFA9C981BEEBBF5FF48320F10882AE559A7251C7789544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 074E1800 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074E1890

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a89cfcfab113ed975fb815d1872415a0faf9c238ab4c4a4447c61df0acae9372
Instruction ID: 4afbf83dc3babbdcc67fd3f2cfb18d043eeef6380607f4efa0e1297f063186fa
Opcode Fuzzy Hash: a89cfcfab113ed975fb815d1872415a0faf9c238ab4c4a4447c61df0acae9372
Instruction Fuzzy Hash: D52127B1D003599FCB10CFA9C885BEEBBF5FF48320F10842AE959A7250C7789944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 074E1228 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074E12AE

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cd821b5188ad3d3b30d6bfd76438a2a4080c37de908a85749a05a245af45a7ec
Instruction ID: 1741ffee7a07963f976748615e53bec6801f1adae2c3e160dc78f175486887f7
Opcode Fuzzy Hash: cd821b5188ad3d3b30d6bfd76438a2a4080c37de908a85749a05a245af45a7ec
Instruction Fuzzy Hash: 292159B59002098FDB10DFA9C885BEEBBF4AF48324F14842AD559A7340CB789545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 074E18E8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074E1970

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a76f90b7b0289d594cb903acff1b1ecf5a4f60d918e8623d31c7f5ac982b4528
Instruction ID: 9a5eac7643fd45394f95c194f0bea884e941d720b1d55a772d71c1d8d80a7702
Opcode Fuzzy Hash: a76f90b7b0289d594cb903acff1b1ecf5a4f60d918e8623d31c7f5ac982b4528
Instruction Fuzzy Hash: D92116B59003599FCB10DFA9C941AEEBBF5BF48320F10842AE559A7250C7389544DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 074E1230 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074E12AE

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 16f8966abe1e553e3fab2abcdfa602158618d85531389b113edbcb68e553fc92
Instruction ID: e46e1387a9a61c567682ddf7db195611e5f31d542b576b003c2f8c601302bf44
Opcode Fuzzy Hash: 16f8966abe1e553e3fab2abcdfa602158618d85531389b113edbcb68e553fc92
Instruction Fuzzy Hash: 5C2118B19003099FDB10DFAAC885BEEBBF4EF48324F14842AD559A7240CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 074E18F0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074E1970

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 248f1b8149c6af928d469d5b4e8f5e5d17358f7b134611619bc9e5fd8f3cb145
Instruction ID: 593d9b9db2fad76987b339854275c3e29ad27bbe9a43b7e64ae00c97360fa184
Opcode Fuzzy Hash: 248f1b8149c6af928d469d5b4e8f5e5d17358f7b134611619bc9e5fd8f3cb145
Instruction Fuzzy Hash: A621F5B19003599FDB10DFAAC885AEEFBF5FF48320F10842AE559A7250C7789944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD508 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FFD58F

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e132a78676d2a6fa55d603684126e73c16b02bd896211ace045efd33fe4c4825
Instruction ID: 9e5cb4bb7279d43c2d16c65a5652fcc44e610d580d58127ea459133dfb7734a3
Opcode Fuzzy Hash: e132a78676d2a6fa55d603684126e73c16b02bd896211ace045efd33fe4c4825
Instruction Fuzzy Hash: DD21E4B59002189FDB10CF9AD984AEEBBF5EF48324F14841AE958A7310D378A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB498 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FFB2F9,00000800,00000000,00000000), ref: 00FFB50A

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0b5df2477ec4683e0975bdfeb98161bf8fb587f49910a19edc9496930b82a044
Instruction ID: b6ae65f40046b49c6cc7c7e4004ab4ac51470ec8f88de710ca3448b830f760dc
Opcode Fuzzy Hash: 0b5df2477ec4683e0975bdfeb98161bf8fb587f49910a19edc9496930b82a044
Instruction Fuzzy Hash: EF1137B6C003499FDB10CFAAC444AEEFBF4EF89320F14842AD559A7210C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 074E1738 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074E17AE

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 82adf22809af40e842268f6e48346eb9d3286d309557b74b8d35d7aac4fde963
Instruction ID: fe7c9028a2600aab9d6472ca23c1b62aec578cf58408844a6efe09dadf47ecff
Opcode Fuzzy Hash: 82adf22809af40e842268f6e48346eb9d3286d309557b74b8d35d7aac4fde963
Instruction Fuzzy Hash: C9117CB6800249DFCB20DFA9C945BDFBBF5EF48324F14881AD559A7250C7399544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFACDC Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FFB2F9,00000800,00000000,00000000), ref: 00FFB50A

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1d270792c505f630ff2695146bb03836ff7e704856dc14ca948083d3a52e849e
Instruction ID: 648a6431068ed1a0cdf40422e35413da321202da6c50682d61b165995b704b2c
Opcode Fuzzy Hash: 1d270792c505f630ff2695146bb03836ff7e704856dc14ca948083d3a52e849e
Instruction Fuzzy Hash: 3911E4B6D003099FDB20CF9AC544AEEFBF4EF48324F14842AD559A7211C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 074E1740 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074E17AE

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7e756c358752c3fd7aa08da164a1b630f24c23aa7c7bc257873e3fd24e6055ab
Instruction ID: 16e0b0b2015ede56057e4f7b828d2bd1603ea594ac9673e85bfc6b98529a0efc
Opcode Fuzzy Hash: 7e756c358752c3fd7aa08da164a1b630f24c23aa7c7bc257873e3fd24e6055ab
Instruction Fuzzy Hash: AA1159B18002499FCB10DFA9C844ADFBBF5EF48320F108419D555A7250C7399940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 074E1178 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 074E11E2

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 355758ce65bd06d5268fe8b041a9ddb12bcf6a5a1a0c27970b14a13ff9b1b4bb
Instruction ID: 9ebcd4761a5829b0295badcbcdaa7470e749280d20944fa3d88e796e832f82ba
Opcode Fuzzy Hash: 355758ce65bd06d5268fe8b041a9ddb12bcf6a5a1a0c27970b14a13ff9b1b4bb
Instruction Fuzzy Hash: 41116AB5D003598FCB20DFA9C4457EEFBF4AF48324F24882AD459A7250CB385544CF94

Uniqueness

Uniqueness Score: -1.00%

Function 074E1180 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 074E11E2

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 93e7c158e7721f3da3a84d03622e7b2a09712ef4733bdf8763870237398c20f5
Instruction ID: 57c759301a3240235c8846fe963aff6bd571985f60e95484cb932ef0fae68e6c
Opcode Fuzzy Hash: 93e7c158e7721f3da3a84d03622e7b2a09712ef4733bdf8763870237398c20f5
Instruction Fuzzy Hash: 591128B19003498FDB20DFAAC4457DEFBF8AF88324F20841AD459A7250CB79A544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB218 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FFB27E

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5e3daf4e155f23f5b52741397e09ab558f219fbb3a4bccee8808a9aefa4efda7
Instruction ID: 1b586109b0f67b24e35641b7079f5b866e6a5cebfcaa4d7ed4c5ba3e773d0a79
Opcode Fuzzy Hash: 5e3daf4e155f23f5b52741397e09ab558f219fbb3a4bccee8808a9aefa4efda7
Instruction Fuzzy Hash: 2E11E0B5C003498FDB20CF9AC844ADEFBF4EF88324F10842AD569A7210C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 074E420C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 074E629D

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 25d65ae463142841f2e46ac50ad3d6805f11a7d821296327c3793b5b31be4662
Instruction ID: 12bd539bf12d6bcd795789e95f5c30a8959a3a2218b2fb65151204451eb09ab2
Opcode Fuzzy Hash: 25d65ae463142841f2e46ac50ad3d6805f11a7d821296327c3793b5b31be4662
Instruction Fuzzy Hash: 341106B5800349DFDB10DF9AD545BDEBBF8EB58324F10841AE958B7200C379A944CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 07263920 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

O};5, xrefs: 07263958

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: fe50e67655ef8d2801928cc3264553818bd538fc8d85f0ff6cda8666974408ad
Instruction ID: e911fe20256311ec2b471fe3b94a7eea6420ba6f5d9331cd690bba6165aeac06
Opcode Fuzzy Hash: fe50e67655ef8d2801928cc3264553818bd538fc8d85f0ff6cda8666974408ad
Instruction Fuzzy Hash: C1419FB0A26219EFC744CF95E5884ADBFF2FF89200F60D496D059A7354E7309A50CB14

Uniqueness

Uniqueness Score: -1.00%

Function 07263AA8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45225ff1af8bd1a22a15171a6f8d27ba171224c9410c045fd1019efb2ef067d
Instruction ID: 722218cf0b528866abd143af9fd7c652f1455f9a7b466068140d96974226486b
Opcode Fuzzy Hash: f45225ff1af8bd1a22a15171a6f8d27ba171224c9410c045fd1019efb2ef067d
Instruction Fuzzy Hash: 4E416BB4E1020ADFCB04CF99D8459EEBBB2FF89310F109526E505AB364D7709A81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891646192.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4cfc202286f20f5a8a660616e84f2c346d80c7b8f39cc2596dbf3555c3ea67
Instruction ID: e8285ebb092b687d1986085e516fa4fda3dbc86662ebbb39e554225232c47f59
Opcode Fuzzy Hash: 4f4cfc202286f20f5a8a660616e84f2c346d80c7b8f39cc2596dbf3555c3ea67
Instruction Fuzzy Hash: 4D213A71500208DFDB05DF14D9C4B36BFA6FB94314F20C5A9DA094B356C336E85AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891646192.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0082501532e85612a3306df7f973ad46f055165dd2bfda1b209c4933b3a11237
Instruction ID: 650974cd44cad47241e0f9cb87faa4a274a721187f9a5b8213ee080d4a32e1c7
Opcode Fuzzy Hash: 0082501532e85612a3306df7f973ad46f055165dd2bfda1b209c4933b3a11237
Instruction Fuzzy Hash: 0B213A71500248DFDB05DF14D9C0B3BBFA6FBA4318F20C5A9DA050B256C336D85AD7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C0D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891822832.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef51e2e1029e206f13cafde664dbf1af290f7f48256f396a491bc587a1117978
Instruction ID: 969b743ff61acaac55e3cb204b370f83e85ece50a81b6fffe3ef5b3815d283bd
Opcode Fuzzy Hash: ef51e2e1029e206f13cafde664dbf1af290f7f48256f396a491bc587a1117978
Instruction Fuzzy Hash: 36212671504300EFDB05DF94D9C0B26BBA5FB84314F20C6ADE90A4B2D6C336DC46CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891822832.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59904c6e07be71f50db743f37e63bd99f5cb9cf00a7b53ba2df7c8728598b8bf
Instruction ID: b52ed4c53bb4b0dd7c3a506d9543d6b014bb37da53761b7986e01d942dd29e38
Opcode Fuzzy Hash: 59904c6e07be71f50db743f37e63bd99f5cb9cf00a7b53ba2df7c8728598b8bf
Instruction Fuzzy Hash: 4221F271604200DFDB14DF54D9C4B26BBA5EB84318F20C569E84E4B296C33AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00C0D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891822832.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3512bc45127a4e7108c519b57c238b92bffc758c7e26bf028940664885e87c5
Instruction ID: 015bc97ac2d3c978e0149dbfedd1deb557598ee32836a657cf3653ad40056579
Opcode Fuzzy Hash: f3512bc45127a4e7108c519b57c238b92bffc758c7e26bf028940664885e87c5
Instruction Fuzzy Hash: E4218E755093808FCB02CF24D994715BF71EB46318F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07263848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e04ec434499cbc13ae0b6e2d587651479d90e58d73a0d29f203f2101768eff0
Instruction ID: 9ce4d2a701ead5369046071f31bab407f8e0c429b54032992b3a460dfd928a78
Opcode Fuzzy Hash: 3e04ec434499cbc13ae0b6e2d587651479d90e58d73a0d29f203f2101768eff0
Instruction Fuzzy Hash: 2B2190B4A11918DFD704DF9AE188999BFF1FF8C310F5280D5E8489B365DB31A9A4CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891646192.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 6ab11d5bd91d4f5cfbe7de4655abf76b6d3f15515fb61fb07ba303b477529d20
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6911D676504244CFCB15CF14D5C4B26BFB2FBA4314F24C5A9D9450B656C336D45ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891646192.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 445676e33e137ef48ce56f5aa0eb09314808af1b7891226ee10aa1261e543852
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 20110372504244CFCB02CF00D5C4B26BFB2FB94324F24C2A9D9090B756C33AE85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C0D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891822832.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: dbfcbfef60a3dd5bda19df8bcbe7ebd6abc81718bc832fc2c834791ee985285a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4111BB75504280DFCB02CF54C5C4B15BBA1FB84314F24C6AAD84A4B696C33AD94ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 07263ED0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f853ab110d850eeba44fec01cce8860421625e888c22957a049e73d50b34f5b9
Instruction ID: 9b380fa44e16a3f8b4c8ff55e4c0d0138568dc0e9007ab62c8b38acd87c419ee
Opcode Fuzzy Hash: f853ab110d850eeba44fec01cce8860421625e888c22957a049e73d50b34f5b9
Instruction Fuzzy Hash: AE012DB5E10219CBDB04CF9AD4097EEBBB6AFC9310F04C02AD515A3390DB7459568A91

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891646192.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ca6cc84aa45ace0aa509f286b625a0ca27e5d1ac52c1d3e2688f70ccb1a5ad
Instruction ID: 10c7fe1ff8b61f27c83ea782794d74acbbfda973de69790d73b735d3e0bce859
Opcode Fuzzy Hash: b8ca6cc84aa45ace0aa509f286b625a0ca27e5d1ac52c1d3e2688f70ccb1a5ad
Instruction Fuzzy Hash: F101D4310083489AE7116A25CDC4B77FFD9DF41324F18C5AAEE090F296D6799C44C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891646192.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18ebb0e1babd9f3e8977b6b92be3ad6f967831bb9771d3477d4fd4998d08dc3
Instruction ID: 5ff1b233110db673855ad3c9500270ef011d0e8b7f75a6d5b53b4e92a197d2c8
Opcode Fuzzy Hash: a18ebb0e1babd9f3e8977b6b92be3ad6f967831bb9771d3477d4fd4998d08dc3
Instruction Fuzzy Hash: 53F04F714043449AE7109E16DC88B62FFE8EB95724F18C59AED484F296C2799C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 072618C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b9ab34cae675234143086400cef6293717cd9160bb1674d8d3605d3b11a955
Instruction ID: fad22dc35467909d5a4e6754ea59a75c93b344330454c6482a3c0953a6229635
Opcode Fuzzy Hash: 37b9ab34cae675234143086400cef6293717cd9160bb1674d8d3605d3b11a955
Instruction Fuzzy Hash: 6101B674A00208AFDB04DFA9D589A9DFFF1EF48300F05C095A4089B365DA30AA40CF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 074E7410 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PHkq, xrefs: 074E76D3
PHkq, xrefs: 074E75FB

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHkq$PHkq
API String ID: 0-119726883
Opcode ID: 724c9b8d164cf4bf942d7f21a79ad7c2b5aa4a119eeb9219362d4ca2d17079ea
Instruction ID: 07c73effad3ae9bbc567710ad2bc993c77db4fbd3a4aaccf145c00484640276d
Opcode Fuzzy Hash: 724c9b8d164cf4bf942d7f21a79ad7c2b5aa4a119eeb9219362d4ca2d17079ea
Instruction Fuzzy Hash: 05D1C0B4A002058FDB09DF69C598AE9B7F5BF89325F2580A9E405AB371DB31AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 074E1308 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cc28fee7f8b9378ffcd189ad94a1e78aaf47982bf574da0ba0fba81e80e975
Instruction ID: 2d132cc7b1c12f4c52b9d028a0ff08e52340c3661f4017c90aff23f528fa9a9a
Opcode Fuzzy Hash: a9cc28fee7f8b9378ffcd189ad94a1e78aaf47982bf574da0ba0fba81e80e975
Instruction Fuzzy Hash: EDE10BB4E001198FDB14DFA9C5809AEFBF6FF89315F24816AD418AB356D730A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFDDCC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1892977765.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1699c82ede1ca1376cb3dced4146eecb91dfc399c07497d60df263c3e8ff255f
Instruction ID: 63ac7383571276502b66752a81f6e05f62e2cd439ca7824eea094906ab407c91
Opcode Fuzzy Hash: 1699c82ede1ca1376cb3dced4146eecb91dfc399c07497d60df263c3e8ff255f
Instruction Fuzzy Hash: D9A15C32E002098FCF15DFB4C8845AEB7B2FF85300B15457AE906AB265EB75ED5ADB40

Uniqueness

Uniqueness Score: -1.00%

Function 07262030 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb5b866f308bcca5add390b25a85ac5b946f7fe636f56aa707ce25f1c51d723
Instruction ID: 3e2cee9a92897c4bde6e03011aa410f65ac66287bd392064ccb840ebc739fd1f
Opcode Fuzzy Hash: acb5b866f308bcca5add390b25a85ac5b946f7fe636f56aa707ce25f1c51d723
Instruction Fuzzy Hash: 8981F1B4E20219CFCB44CF99C58899EFBF2FF89210F14955AD815AB325D370AA82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 072634A0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f4210fe91bd6865299da76a9f1b9b033bbfff3c69fe1e8647cfc3efc0f1c21
Instruction ID: b40150b75af6e6d48d7b784b87c0184595a7c3a4468cd85f4418572974b8d6d2
Opcode Fuzzy Hash: 06f4210fe91bd6865299da76a9f1b9b033bbfff3c69fe1e8647cfc3efc0f1c21
Instruction Fuzzy Hash: 256190B4A36609EFC705CF91F58E269BFF6FB8A300F20D496C08597199DB7486A5CB04

Uniqueness

Uniqueness Score: -1.00%

Function 07262EE8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826b0323be28d947823563eb6a37f76cdb837d326f3d3f2cd994f68ea6cb985e
Instruction ID: 66bc258107be32e058e6f43877a2cd6ab4e8e4062ae2cc58017cbc1a62a03362
Opcode Fuzzy Hash: 826b0323be28d947823563eb6a37f76cdb837d326f3d3f2cd994f68ea6cb985e
Instruction Fuzzy Hash: D861F5B0E2520ADFCB04CFAAC5855AEFBF6BF89300F14845AE415A7240D7749A86CF95

Uniqueness

Uniqueness Score: -1.00%

Function 074E12F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899768984.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3f0802b2ccfa1717b27006ecf7320357a9461af66f9026f38f13e2be441f93
Instruction ID: 8560baeab2cf7da0704e14d7541f5ad04a83e9e12a1c7084f197ff9c7fa7ffeb
Opcode Fuzzy Hash: 7a3f0802b2ccfa1717b27006ecf7320357a9461af66f9026f38f13e2be441f93
Instruction Fuzzy Hash: 81513EB4E042198FDB14CFA9C6805AEFBF6BF89311F24C16AD418AB356D7305942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07263258 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898963850.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: true

Associated: 00000000.00000002.1898907449.0000000007250000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d570a889d7312ee3a75d71d980232552e4f4e663c0d155cf2a2645f0e81383
Instruction ID: 8210b460ef2cbdf235c314314544c80e57b10f692304ce2c59a1220be402e682
Opcode Fuzzy Hash: 88d570a889d7312ee3a75d71d980232552e4f4e663c0d155cf2a2645f0e81383
Instruction Fuzzy Hash: D841E5B0E2560ADBDB04CFAAC4855EEFBF2BF89300F14D02AC415A7245D774AA818F94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.PWSX-gen.32561.14552.exePID: 7196, Parent PID: 6884COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	150
Total number of Limit Nodes:	15

Executed Functions

Function 062529B6 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06252A36
GetCurrentThread.KERNEL32 ref: 06252A73
GetCurrentProcess.KERNEL32 ref: 06252AB0
GetCurrentThreadId.KERNEL32 ref: 06252B09

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bae6b9f66a05cbaca3cf30fa72d31964580fd10864725fa49ce76e382355daf5
Instruction ID: 16c33da81057e743995a18003fd2fc6fa57207902139a9a6ad678e32576b074b
Opcode Fuzzy Hash: bae6b9f66a05cbaca3cf30fa72d31964580fd10864725fa49ce76e382355daf5
Instruction Fuzzy Hash: F35146B0911309CFDB54DFA9D948BDEBBF1AB48304F248059E819A72A0DB749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 062529B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06252A36
GetCurrentThread.KERNEL32 ref: 06252A73
GetCurrentProcess.KERNEL32 ref: 06252AB0
GetCurrentThreadId.KERNEL32 ref: 06252B09

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 062402af3c9b8044e48d2561ca269cfdf6f22e6807f37dd2c19bb58530602ad8
Instruction ID: 976ce1e447920285cacdf585c95f12da98b3ac634f4062430424948cb62ad631
Opcode Fuzzy Hash: 062402af3c9b8044e48d2561ca269cfdf6f22e6807f37dd2c19bb58530602ad8
Instruction Fuzzy Hash: D15156B0D11309CFDB54DFAAD948B9EBBF1BB48304F248059E819A73A0DB749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0625AEB8 Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0625B11E

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dac1fa18da38cda233ade5df2653c9ec99017786041cbec1c7267d6d6977f52c
Instruction ID: 954c1d7294fbb92c983d2668c79b90efbe4fefd1646796b7c6e0cd23ea961eba
Opcode Fuzzy Hash: dac1fa18da38cda233ade5df2653c9ec99017786041cbec1c7267d6d6977f52c
Instruction Fuzzy Hash: 17816870A20B058FD7A4DF29D44579ABBF1FF88304F108A2EE896D7A50D775E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0625D065 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0625D1C2

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e24f3a44734af964ca5c5bad10728e1a7f88e9fe9ac4c0299d91006d329d73fe
Instruction ID: e5639e24de1dccec783cf0ece88b1d1b6b4ba9d25b56cbb296b65bf4029899ce
Opcode Fuzzy Hash: e24f3a44734af964ca5c5bad10728e1a7f88e9fe9ac4c0299d91006d329d73fe
Instruction Fuzzy Hash: 0F51E0B1C10249EFDF15CF99C984ADDBFB6BF48310F15856AE818AB220D7719881CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0626E629 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3154111055.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6260000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0f4ef070bf6b07d3012fa15239f0347c1273ef892aa7e22060aa19500a31e7
Instruction ID: 4580cc9fd52535a07001b9e2e6ccccafb50b9d3ab5551d6c73ecc114fea9a8b9
Opcode Fuzzy Hash: be0f4ef070bf6b07d3012fa15239f0347c1273ef892aa7e22060aa19500a31e7
Instruction Fuzzy Hash: DC415672E1439A9FCB04CF7AD8146EABFF5AF89310F15856BE514A7241DB349880CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0625D0A4 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0625D1C2

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 45865422b6c9a1a9d687c4937190a4641e6b34a1278e66a010764e1979310817
Instruction ID: ecc5c4bb111728d18ebc55b786a9d796b1b558a06f168a17eb9a683255229cb1
Opcode Fuzzy Hash: 45865422b6c9a1a9d687c4937190a4641e6b34a1278e66a010764e1979310817
Instruction Fuzzy Hash: 2C51D0B0D103499FDB14CF9AC984ADEFBF5BF48310F24852AE819AB210D7719881CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0625D0B0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0625D1C2

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: be32fa58f34137c4f58366979b651a4ffd00ee0c055d10d6607a1003762c0662
Instruction ID: 69158c4b994e7c3feb9cb2fda2516444206ca8af2c95dccbf405653900452fe8
Opcode Fuzzy Hash: be32fa58f34137c4f58366979b651a4ffd00ee0c055d10d6607a1003762c0662
Instruction Fuzzy Hash: 6641CEB5D103099FDB14CF9AC984ADEBBF5BF48310F24852AE819AB250D771A885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0625A33C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0625F8B1

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f54558892c56b65e4b0306f285061c2956247bc5f9d9cf23aa71dcf41129e96d
Instruction ID: 219eeaafda642fa1f561be1c2420e75c54e0c6796c51c0e978114224ec523eb7
Opcode Fuzzy Hash: f54558892c56b65e4b0306f285061c2956247bc5f9d9cf23aa71dcf41129e96d
Instruction Fuzzy Hash: CE416AB4910305CFDB54CF9AC588AAABBF5FF88314F25C459D819AB320C774A840CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06252BF8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06252C87

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f4d1daaec7cfd602650fa086201f9e909373b7d80fd78991f893f6c21cf38727
Instruction ID: 5096bb212b9fd297a5d483916aa13cefe92ad486ea479960776ff4d44cb22fb3
Opcode Fuzzy Hash: f4d1daaec7cfd602650fa086201f9e909373b7d80fd78991f893f6c21cf38727
Instruction Fuzzy Hash: 2721E3B5D01209DFDB10CFAAD984ADEFBF8EB48320F14841AE958A7351D375A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06252C00 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06252C87

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 657d38bd6c96a97507ab63c3b9fa7f5705b040ab1abf28325059fa1268bf7e77
Instruction ID: 57bf9899ff9607f418ca37f43c2b9dc6ae7964efda54e5b1df2e38a65cdb4c27
Opcode Fuzzy Hash: 657d38bd6c96a97507ab63c3b9fa7f5705b040ab1abf28325059fa1268bf7e77
Instruction Fuzzy Hash: AD21E2B5901209DFDB10CFAAD984ADEFBF8EB48320F14801AE918A7350C375A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 050A7348 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 050A73C0

Memory Dump Source

Source File: 00000006.00000002.3142223988.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bcf81bbd9d513bed542829a165930e8c88c6d0f43f39e35bb0afca7cb2229c09
Instruction ID: 651c251b696b1f037cb8839c12b25ce3b85213738d7da16d201458d8e3b3c717
Opcode Fuzzy Hash: bcf81bbd9d513bed542829a165930e8c88c6d0f43f39e35bb0afca7cb2229c09
Instruction Fuzzy Hash: B12156B2C0065A9BCB20CF9AD544BDEFBF4FB48320F15812AD858A7240D338A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 050A7350 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 050A73C0

Memory Dump Source

Source File: 00000006.00000002.3142223988.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7c525ab3782fec8417e74f31d0febc1ec0991cc0c612a043671ab9a6ad18276e
Instruction ID: 9fc480fa4bd9389896a4b38b559c3bd23520f6b4b67116f3a0682e729a47761f
Opcode Fuzzy Hash: 7c525ab3782fec8417e74f31d0febc1ec0991cc0c612a043671ab9a6ad18276e
Instruction Fuzzy Hash: 3C1133B6C0061A9BCB20CF9AD544B9EFBF4FB48320F11812AD858A7240D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0625A0D8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0625B199,00000800,00000000,00000000), ref: 0625B38A

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cb9fd9e1281d3bc11de78fc95dc85928f576f505b755e2dbb1a210c6f38ea02a
Instruction ID: 1b1c3957f1c25c606da44f8018c822e60a96afe3fe93deec25d8b668a86b8e8e
Opcode Fuzzy Hash: cb9fd9e1281d3bc11de78fc95dc85928f576f505b755e2dbb1a210c6f38ea02a
Instruction Fuzzy Hash: 8911F6B6D003499FDB20CF9AD844ADEFBF4EB48310F11846AE919B7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0625B31B Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0625B199,00000800,00000000,00000000), ref: 0625B38A

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f469abd3d724ae6235b3b0f2752664b83e4a683639244c45d22b1d13b8b14092
Instruction ID: 5f117501efe043025bd6848d03c63acf3f5dc7e4921fd695d5475360f8cf3db7
Opcode Fuzzy Hash: f469abd3d724ae6235b3b0f2752664b83e4a683639244c45d22b1d13b8b14092
Instruction Fuzzy Hash: 2511F3B6D003499FDB20CFAAD844ADEFBF4EB48320F14842AE859B7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0626E710 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0626E777

Memory Dump Source

Source File: 00000006.00000002.3154111055.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6260000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a5fb6672c6e9704bdf96bc969c39649be60ece3724d0577da6ec8a2416718c0c
Instruction ID: 6630d857b4789459464965050bcd89c9bba298f1d5e9703558a2baafc2006a44
Opcode Fuzzy Hash: a5fb6672c6e9704bdf96bc969c39649be60ece3724d0577da6ec8a2416718c0c
Instruction Fuzzy Hash: 511123B5C00259DBCB10CF9AC444BDEFBF4AF48320F11812AE818B7251D378A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0625B0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0625B11E

Memory Dump Source

Source File: 00000006.00000002.3153605415.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6250000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 44a21ef3e7866445c92c83f3412488c6e5f469be2a9ea33b8a6b5cbe212c4068
Instruction ID: 15dbc3c43492f10f91eb4229bdae527ed502f1779beeea9dab8e5566c3fddffe
Opcode Fuzzy Hash: 44a21ef3e7866445c92c83f3412488c6e5f469be2a9ea33b8a6b5cbe212c4068
Instruction Fuzzy Hash: D811E0B5C002498FCB20CF9AD844ADEFBF4AB88324F11C52AD859A7210D375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3102770702.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c660eacfd2794f07f38b3ffc577a685d16ff9dd9746fa2fbcf930823df89c3df
Instruction ID: ca32de7b5cc74a33c216bfd5bc69f511c2d0cd0b190af41d0cc11b839e37ec0e
Opcode Fuzzy Hash: c660eacfd2794f07f38b3ffc577a685d16ff9dd9746fa2fbcf930823df89c3df
Instruction Fuzzy Hash: CC212271604200DFDF19DF58E984B26BFA5EB84314F20C66DEA0A4B256C33AD447CA62

Uniqueness

Uniqueness Score: -1.00%

Function 011FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3102770702.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5547d7d5285b0d8542d34195360bf877371a491cf5b45ba842c3889f37962ae
Instruction ID: 97c352b623e070e0b9346a939b467439feec3263ae7f4333c6c6c56ac5ef3024
Opcode Fuzzy Hash: d5547d7d5285b0d8542d34195360bf877371a491cf5b45ba842c3889f37962ae
Instruction Fuzzy Hash: 3121AE755093808FDB07CF24D994B15BF71EB46214F28C5EED9498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tiucdfZoOi.exePID: 7384, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	513
Total number of Limit Nodes:	14

Executed Functions

Function 0095D2B1 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0095D33E
GetCurrentThread.KERNEL32 ref: 0095D37B
GetCurrentProcess.KERNEL32 ref: 0095D3B8
GetCurrentThreadId.KERNEL32 ref: 0095D411

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 421ff2f5ddad25440651fb835b14db52453617e621fafe08532ff9ce3ab55767
Instruction ID: bd15af9e132882a94d2002e6b34a0eddcad56a44d3b78512114e1d95407c5022
Opcode Fuzzy Hash: 421ff2f5ddad25440651fb835b14db52453617e621fafe08532ff9ce3ab55767
Instruction Fuzzy Hash: 965168B0901349CFDB24DFAAD5487AEBBF1EF88304F208459E419A73A0D7749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0095D2C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0095D33E
GetCurrentThread.KERNEL32 ref: 0095D37B
GetCurrentProcess.KERNEL32 ref: 0095D3B8
GetCurrentThreadId.KERNEL32 ref: 0095D411

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e234b6059ef6b67752f4907e63a1ce2617aa17fe9cc908299b5dbf87b57a9350
Instruction ID: b196c3ec65ba4ca9e6bf47649a9d3b6d21d4bcf822b2791b592ddd2be52a1574
Opcode Fuzzy Hash: e234b6059ef6b67752f4907e63a1ce2617aa17fe9cc908299b5dbf87b57a9350
Instruction Fuzzy Hash: 185157B0901349CFDB24DFAAD548BAEBBF1EF48304F208459E459A73A0D774A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02481A7C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02481CBE

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f6372d528321faa0f1298c0ea69ac7b2eeeeb55017cd15fcca8789f2c25a49ae
Instruction ID: 1abe549eaadf530e414c8d278105324bcaffb63ab42666ca5a147e39a22363f7
Opcode Fuzzy Hash: f6372d528321faa0f1298c0ea69ac7b2eeeeb55017cd15fcca8789f2c25a49ae
Instruction Fuzzy Hash: 56A15B71D10219CFDB10DFA8C9417EEBBF2AF48314F1485AAE80DA7250EB749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02481A88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02481CBE

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dddd42d4160569dd02df9e1b7d8cab58f5e593b4bd107bbbf6668edc3dadc9f7
Instruction ID: 541cac0c859b21fb0219ed8876921d723b4d9e82f7c3d51d01e7eaa9617b2432
Opcode Fuzzy Hash: dddd42d4160569dd02df9e1b7d8cab58f5e593b4bd107bbbf6668edc3dadc9f7
Instruction Fuzzy Hash: 2A914B71D10219CFDB10DFA8C9417EEBBF2AF48314F1485AAE80DA7250EB749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0095B028 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0095B27E

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a0c5f640cc85ddee4bc59818d605e31680659219ef6ec6df71d6ce966b093030
Instruction ID: 5dc284bafcb776194aed73f54f6b2ed0936c02245504f8ace667fd0c7d10656d
Opcode Fuzzy Hash: a0c5f640cc85ddee4bc59818d605e31680659219ef6ec6df71d6ce966b093030
Instruction Fuzzy Hash: 2C712370A00B058FDB64DF2AD45576ABBF5FF88300F108A2AD49AD7A50DB35E849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0095590C Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 009559C9

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ac7a4f08746e5253bbcb43b1da57b0692fd7707a5df81e5475db7f5130cdde4b
Instruction ID: 9a444cbd576650a702ef2985e519a195ce742dd1f79a0d3daf39b6e9fb97f10d
Opcode Fuzzy Hash: ac7a4f08746e5253bbcb43b1da57b0692fd7707a5df81e5475db7f5130cdde4b
Instruction Fuzzy Hash: 214116B0C00719CFDB24CFA9C9947DDBBB5BF48304F24816AD409AB251D7756989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009544C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 009559C9

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6ab49da757915a06065536a9ba4d5be6a07ffc18b1ca796361ac5480e2077b6e
Instruction ID: 305928ed8d4d50ed44c01dd9567668a16d8f1f7d8cb93a4d8abd81ecb34827b0
Opcode Fuzzy Hash: 6ab49da757915a06065536a9ba4d5be6a07ffc18b1ca796361ac5480e2077b6e
Instruction Fuzzy Hash: 9F41F2B0C0071DCBDB24DFAAC94479EBBB5BF88304F24806AD408AB255DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 024817F8 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02481890

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 26b3664351abb4bce0ace28edb9e445bba9a9195fc5c1b17733858a3988b723c
Instruction ID: 7abab53a72da3179bb49d64df0a5a374ccb7de450364a50e8ffacdd601ab6096
Opcode Fuzzy Hash: 26b3664351abb4bce0ace28edb9e445bba9a9195fc5c1b17733858a3988b723c
Instruction Fuzzy Hash: 7E2146B1D003599FCB10DFA9C882BDEBBF5FF48310F10842AE959A7250C778A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02481800 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02481890

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 46f4a102134f3b8f147467709d395919b27b2c495568036fa4a3f4b5e832125f
Instruction ID: a6b0db8cd8b41dcaa832618716c8dc30ac2ca7811fb2c133f4295a5f655cf7de
Opcode Fuzzy Hash: 46f4a102134f3b8f147467709d395919b27b2c495568036fa4a3f4b5e832125f
Instruction Fuzzy Hash: 272126B19003599FCB10DFA9C985BDEBBF5FF48310F10842AE959A7250C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02481228 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 024812AE

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7aec708a70718369800afeaa164ddaef15351a050943b968fe8733f9ccc81f00
Instruction ID: cf76c09c065a66e86ecca1c7a5d65f6238fba00a0c4d78583d6e748451a6b340
Opcode Fuzzy Hash: 7aec708a70718369800afeaa164ddaef15351a050943b968fe8733f9ccc81f00
Instruction Fuzzy Hash: 9E2157B19003098FDB10DFAAC485BEEBBF4EB48324F14842AD559B7240CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 024818E8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02481970

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 92b7a2f505d3323f68025720ad2333a764aebaf29e8e9dcf39d2d3fb94d83992
Instruction ID: 21304a36bf0830c2151f5c1f075edc8334593728633859b70258a7b3936f4ec9
Opcode Fuzzy Hash: 92b7a2f505d3323f68025720ad2333a764aebaf29e8e9dcf39d2d3fb94d83992
Instruction Fuzzy Hash: 802116B19003599FDB10DFAAC985AEEFBF5FF48320F50842AE559A7250C738A544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0095D501 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0095D58F

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d430c8ecf580a464c4e61db820ea319c63476e07e1908b109c46ec9aef2ecd17
Instruction ID: b6d35029d842ca11b8ac1eaccb5d8675d52e1f70cf0fd0a0ca3d2040624ad1ea
Opcode Fuzzy Hash: d430c8ecf580a464c4e61db820ea319c63476e07e1908b109c46ec9aef2ecd17
Instruction Fuzzy Hash: BB2114B59012189FDB10CF9AD584ADEFFF8FB48324F14801AE914A3310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02481230 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 024812AE

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b259d4d8acfc0829cc0796e09f29e7243b83c51d6c3ec8f81d5a83d42282c33d
Instruction ID: ce4218000c78658187a90bc43b98151e352d4a61a6510fd66cbe224b5415eaf0
Opcode Fuzzy Hash: b259d4d8acfc0829cc0796e09f29e7243b83c51d6c3ec8f81d5a83d42282c33d
Instruction Fuzzy Hash: C22115B19103098FDB10DFAAC585BEEBBF4EF48324F14842AD559A7240CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 024818F0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02481970

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 55363bdd65580ce2f067bbf21e64ef2cf71c3a52e9122701ff664abd3265ca64
Instruction ID: 3c2be98c806424cb27110dbda19c4d50bb2bf0266777fedccd8687f4d4eebdf1
Opcode Fuzzy Hash: 55363bdd65580ce2f067bbf21e64ef2cf71c3a52e9122701ff664abd3265ca64
Instruction Fuzzy Hash: 262128B19003599FCB10DFAAC940ADEFBF5FF48320F10842AE559A7250C7389544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0095D508 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0095D58F

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b93b7670646ab761b90220898810716a3fa85cd29a7347f30130c522b5fbbc79
Instruction ID: d346ab021f81b5adafe658c1068588b75565a5d4558dc0d4b82e6114a1d5ad73
Opcode Fuzzy Hash: b93b7670646ab761b90220898810716a3fa85cd29a7347f30130c522b5fbbc79
Instruction Fuzzy Hash: 1321E4B59012189FDB10CF9AD584ADEFFF8EB48310F14841AE954A3310D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02481738 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024817AE

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 68b83fb163ec0a28d65d11896b8847158f88b5fbe9273a19d1f7b70cad44ee24
Instruction ID: fab4676a25bc421c605b5754488e63f0dee414ce1e4a6769733ac93c855a03a2
Opcode Fuzzy Hash: 68b83fb163ec0a28d65d11896b8847158f88b5fbe9273a19d1f7b70cad44ee24
Instruction Fuzzy Hash: DD1156B2900249DFDB10DFAAC845BDFBFF5EB88324F14881AE559A7250C735A540CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0095ACDC Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0095B2F9,00000800,00000000,00000000), ref: 0095B50A

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 65a12571c48d9f30c9e129a0c795b31c0535fde18e3146ba93e659897c40fc35
Instruction ID: 25a848fb658b3b66eaf07179f7e14948af1834db025078a166fa35c807ddc26d
Opcode Fuzzy Hash: 65a12571c48d9f30c9e129a0c795b31c0535fde18e3146ba93e659897c40fc35
Instruction Fuzzy Hash: 091126B69003088FCB20CF9AC444BEEFBF4EB48310F14842EE919A7210C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0095B498 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0095B2F9,00000800,00000000,00000000), ref: 0095B50A

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71030859e4949e621286fffc2a94c38c9748650fbacb15c474d23d851bb39ec3
Instruction ID: a8ab1982cddf3403e46c92e93e96473b81d825174e0e5c250dd032079bca2dd1
Opcode Fuzzy Hash: 71030859e4949e621286fffc2a94c38c9748650fbacb15c474d23d851bb39ec3
Instruction Fuzzy Hash: F01126B6D003099FCB24CFAAD544ADEFBF4EB89310F14842AD919A7210C375A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02481178 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 024811E2

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 55b1145ed123d14c2e6f3f48267c106524a604d7e391ca93e1e1b0c7ea39ef4b
Instruction ID: f2ea99463468a912494f77da853f2899f03db4228e416b7fbbd94ad076eec6ff
Opcode Fuzzy Hash: 55b1145ed123d14c2e6f3f48267c106524a604d7e391ca93e1e1b0c7ea39ef4b
Instruction Fuzzy Hash: E81146B1D002598BDB10DFAAC8457EFFBF4AB88324F24881AD559A7250CB39A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02481740 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024817AE

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3fb90bd00caf6521583a86010f9159a3c9a30efd19b892c909d91737d63dc741
Instruction ID: 03dc803d12b6410b5cb258e9a021ecdfae66b38ac3e2beecde52933d216d2282
Opcode Fuzzy Hash: 3fb90bd00caf6521583a86010f9159a3c9a30efd19b892c909d91737d63dc741
Instruction Fuzzy Hash: DB112675900249DFCB10DFAAC944ADFBFF5EB48324F14841AE559A7250C775A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02481180 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 024811E2

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0492485f72f80a30be4488ebe59f1a891f4679307d5df743d222159ab75bd7d3
Instruction ID: db3348ff74967205e60633b8d2e308d37951b28043f856c32cae48588ddd8d4b
Opcode Fuzzy Hash: 0492485f72f80a30be4488ebe59f1a891f4679307d5df743d222159ab75bd7d3
Instruction Fuzzy Hash: B51128B19002498BCB10DFAAC5457EEFBF4AB88324F24841AD559A7250CB75A544CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0095B218 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0095B27E

Memory Dump Source

Source File: 00000008.00000002.1935276089.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_950000_tiucdfZoOi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 35bd41e9f17d8847b3db72e8664db0da3a3c718806cb8b52e9bddee55786fc82
Instruction ID: 1997515f8ce8e1291a256f5634233b00b0ac5362dfbacf89733b238d3fdae2fd
Opcode Fuzzy Hash: 35bd41e9f17d8847b3db72e8664db0da3a3c718806cb8b52e9bddee55786fc82
Instruction Fuzzy Hash: F711E0B5C007498FCB20CF9AD444ADEFBF8EB88324F14846AD969A7210C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02483894 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 024856C5

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4b4f527f42618113c148cea9c4e4fe6a062cb4698d7d9dfe332bbf346675678f
Instruction ID: fcd52a798d47121385ec9cb80bd5179563618f8171f5e2e48c4cdac7d23e4de3
Opcode Fuzzy Hash: 4b4f527f42618113c148cea9c4e4fe6a062cb4698d7d9dfe332bbf346675678f
Instruction Fuzzy Hash: 4E11E0B58003489FCB10DF9AC544BDEBFF8EB48324F24845AE558A7210C375A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02485660 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 024856C5

Memory Dump Source

Source File: 00000008.00000002.1936420232.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2480000_tiucdfZoOi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c2c792f71e685637bdf5505b4befd399b882766c363ec4900623ff64b9331faf
Instruction ID: cf16b5bee52bf37131dbd59ad4f8b3d1258a2ed1835fa4741ac0d72e6a2051f3
Opcode Fuzzy Hash: c2c792f71e685637bdf5505b4befd399b882766c363ec4900623ff64b9331faf
Instruction Fuzzy Hash: 7311F2B5800349DFDB10DF9AC945BDEBFF8EB48324F24845AE558A7210C379A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 008ED1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1934953589.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8ed000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c464c1e0ff3073eef24e0deef728e93ef2eaeed2b7cd3c99f7cf84c0a1515d3
Instruction ID: a5823294fb52f4bf5224523bfe0cb81c30f4481ce867b101c971a7415987f119
Opcode Fuzzy Hash: 3c464c1e0ff3073eef24e0deef728e93ef2eaeed2b7cd3c99f7cf84c0a1515d3
Instruction Fuzzy Hash: 56213371500384DFCB05DF15D9C0B2ABF65FB89314F20C169EE098B256C336E81ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1935029352.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8fd000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c97e77f110a0c173486c8e44e58f122ff4be602f29d4b8cfe577216ef6c2e75
Instruction ID: 419fff927b7d1e2f2e67b815db0a6f8000a29acfd0dbfd396e1d7343e9dadf39
Opcode Fuzzy Hash: 4c97e77f110a0c173486c8e44e58f122ff4be602f29d4b8cfe577216ef6c2e75
Instruction Fuzzy Hash: 5221F571504708DFDB14DF24D584B26BB66FBC4314F20C569DB098B356CB3AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 008FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1935029352.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8fd000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6ab55c67468b1de90a98ba807916626707911eee36b25b40d5faa9ce51f18c
Instruction ID: 8870051f791399723db60cd4a628c567c502f68e1f8be95a597935cb3e1e66e7
Opcode Fuzzy Hash: 0d6ab55c67468b1de90a98ba807916626707911eee36b25b40d5faa9ce51f18c
Instruction Fuzzy Hash: 4E210771504308DFDB05DF24D5C4B36BBA6FB84318F20C56DDB098B255C336E846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 008ED1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1934953589.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8ed000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: 0fc2fa670c2f07ef02e01056e9964eade5a54d6bd92ea9b4926437a4ce58edb2
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: 7621CD76404280CFCB06CF10D9C4B16BF62FB84314F24C1A9DD084B256C33AE82ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1935029352.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8fd000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 2626c95c78107abf64b95225c5b6695220254304b8c310642941d797f0a3205d
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7211BE75504344DFCB02CF20C5C4B25BB62FB84314F24C6AADA498B256C33AE80ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 008FD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1935029352.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8fd000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: d2cfdcd8f217cc85eaa34925b9b3920171c4983938793c1bba417af50da9b747
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4A11BE75504784CFCB15CF24D5C4B25FB62FB84314F24C6AADA098B656C33AD80ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 008ED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1934953589.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8ed000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d8d9af7d5134f80d66f08242a3663faa116085eb1d35ce3eca21842c719c15
Instruction ID: 4699559b1232008ac548e11f7f5fee4a2a9431f1d9b65b4856b37a0ec790815a
Opcode Fuzzy Hash: 87d8d9af7d5134f80d66f08242a3663faa116085eb1d35ce3eca21842c719c15
Instruction Fuzzy Hash: B201DB710093849AE7105F2BCD84B67FF98FF42364F18C52AED198E286D679D848CA71

Uniqueness

Uniqueness Score: -1.00%

Function 008ED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1934953589.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8ed000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534cd4a186b6d326dba5012075ea48669b5d5dbedf6685ba309ffa07c9d1937f
Instruction ID: 0e7e13deec1354f65ebde7fec5e42d985bb34677c93b4557a38902fb0761fd19
Opcode Fuzzy Hash: 534cd4a186b6d326dba5012075ea48669b5d5dbedf6685ba309ffa07c9d1937f
Instruction Fuzzy Hash: 3CF062714083849AE7108F1ACC88B62FFA8EB92734F18C45AED484A286C2799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tiucdfZoOi.exePID: 7552, Parent PID: 7384COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	152
Total number of Limit Nodes:	15

Executed Functions

Function 064D29AE Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 064D2A2E
GetCurrentThread.KERNEL32 ref: 064D2A6B
GetCurrentProcess.KERNEL32 ref: 064D2AA8
GetCurrentThreadId.KERNEL32 ref: 064D2B01

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0f3c6abc90f324acd3364d456e1ec9e9aa078d35605d50b678bf8a78d4b3a624
Instruction ID: f471ade4a37862848a2930baa89cf2c0237945e4dab2eb754bb49fe86c2f458d
Opcode Fuzzy Hash: 0f3c6abc90f324acd3364d456e1ec9e9aa078d35605d50b678bf8a78d4b3a624
Instruction Fuzzy Hash: D75177B0D002098FDB54DFAAD948BDEBBF1EF88304F20801AE509AB3A0D7749944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 064D29B0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 064D2A2E
GetCurrentThread.KERNEL32 ref: 064D2A6B
GetCurrentProcess.KERNEL32 ref: 064D2AA8
GetCurrentThreadId.KERNEL32 ref: 064D2B01

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6cf047c106b1c6c30e7f7be86a9132deb2b39a51461a08d857c7c46775b950ce
Instruction ID: c2394461d2177535cc0b9d1c86a717d6042a0dcda7031696160923b8c6152e3b
Opcode Fuzzy Hash: 6cf047c106b1c6c30e7f7be86a9132deb2b39a51461a08d857c7c46775b950ce
Instruction Fuzzy Hash: 725177B0D002098FDB54DFAAD948BDEBBF1EF88304F20801AE509AB3A0D7749944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 064DAEB8 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 064DB11E

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ce6d5891280ef2e59b5c7cfe783673346efe58dd45cc8b1fe0da68a0144e5f1a
Instruction ID: c752a0cd6f078803e655e78414980852e1088fd4014bed172dfe41d0911aafda
Opcode Fuzzy Hash: ce6d5891280ef2e59b5c7cfe783673346efe58dd45cc8b1fe0da68a0144e5f1a
Instruction Fuzzy Hash: 1D8142B0A00B058FDBA5DF2AD45475ABBF1FF88344F008A6ED48697B50D735E886CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064DD065 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064DD1C2

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c6794a12745c2a2895413c58bbfb4b175a0e1e3f0fceea0184fcd978c51ef7ba
Instruction ID: 645bb843d2d9a9d5660b19ba4f4fe5a650e9f7ce43ebf9adb87f50c622319477
Opcode Fuzzy Hash: c6794a12745c2a2895413c58bbfb4b175a0e1e3f0fceea0184fcd978c51ef7ba
Instruction Fuzzy Hash: B351E171D00249AFDF15CF99C994ADEBFB6FF49314F24816AE818AB220D7719885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064EE638 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3155990442.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64e0000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c720dbccb11b70259de55ea897bffcd95c3ba7352984206f396d152d039fefdd
Instruction ID: ae64acf0872f3dc595e896fd089aed132a28e7db35f4757b4875e09458492770
Opcode Fuzzy Hash: c720dbccb11b70259de55ea897bffcd95c3ba7352984206f396d152d039fefdd
Instruction Fuzzy Hash: 1C410372D043998FCB04DFBAD8146AEBBF5AF89310F19856BD504A7351DB349841CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 064DD0A4 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064DD1C2

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5c311a40654bf44fdccd80f87cc30095d871d88029bdad8612cfeffb6b2508ed
Instruction ID: 808936afc3de5407c76cde82079b22a38835ade747ab76553349f61ea1c84b24
Opcode Fuzzy Hash: 5c311a40654bf44fdccd80f87cc30095d871d88029bdad8612cfeffb6b2508ed
Instruction Fuzzy Hash: 0251CEB1D003499FDB14CF99C994ADEBFB6FF48310F24812AE819AB210D771A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064DD0B0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064DD1C2

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ffe0b0f7bff4d55be5b717d1129b38e458630be35f0b66da443fe24ba7597a83
Instruction ID: 634da0ab242832926b96fb0e2446cc809338bb32a7514371feb92a571d748cb4
Opcode Fuzzy Hash: ffe0b0f7bff4d55be5b717d1129b38e458630be35f0b66da443fe24ba7597a83
Instruction Fuzzy Hash: 1941BEB1D003599FDB14CF99C994ADEBFB5FF48310F24852AE819AB210D771A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064DA33C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 064DF8B1

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6d0f31e7530638e4346fc165f835c91998f9902280e9d31d1bcb50a0630f1d68
Instruction ID: 89f35f2ef0200ade62f4d0a2c973a4011fdec8e4d4665bc946d8b75b468a1571
Opcode Fuzzy Hash: 6d0f31e7530638e4346fc165f835c91998f9902280e9d31d1bcb50a0630f1d68
Instruction Fuzzy Hash: 7A4129B4D00345DFCB54CF9AC848AAABBF5FB88314F24C459E419AB321C734A845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 064D2BF0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064D2C7F

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6e602956581d343100d9f6467d9e07c8bc9e2dfd41754455f1efa66dd316e620
Instruction ID: d6ef3fa1b97ed0ef8f4f7960f9d0d183948bd5eb40f01a3770809b67e0246f56
Opcode Fuzzy Hash: 6e602956581d343100d9f6467d9e07c8bc9e2dfd41754455f1efa66dd316e620
Instruction Fuzzy Hash: 9321E5B5D002589FDB10CFA9D984ADEBBF8EB48710F14811AE954A7310D375A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064D2BF8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064D2C7F

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c5f5bb9c3d3cb2f7866438e9924a5b32b7ee2ed5f3ccafbc57a99048c22f3b1c
Instruction ID: d0f9b31221ecc886b216302c7b492e166038ba6cea1faaf56a17399c4ed1ab75
Opcode Fuzzy Hash: c5f5bb9c3d3cb2f7866438e9924a5b32b7ee2ed5f3ccafbc57a99048c22f3b1c
Instruction Fuzzy Hash: 8A21E2B5D002589FDB10CFAAD984ADEFBF8FB48320F14801AE958A7310D374A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 014C7348 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 014C73C0

Memory Dump Source

Source File: 0000000B.00000002.3103636601.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14c0000_tiucdfZoOi.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1b5e857ba1b5e808d08293499f953915ee6c7eb62217e7edf196f0b57a7b662c
Instruction ID: 0c555e4239b803618609741aea7b48eef96ec86ce75e29f3585b5f701416d7d7
Opcode Fuzzy Hash: 1b5e857ba1b5e808d08293499f953915ee6c7eb62217e7edf196f0b57a7b662c
Instruction Fuzzy Hash: 9D2158B5C0061A9BCB14CF9AC445BDEFBF4FB48720F10812AD858A7350D734A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 064DB31A Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064DB199,00000800,00000000,00000000), ref: 064DB38A

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4f712fa2c3fcb038dd4289d182e2cfe4100766b4bde14034a8f24a2e0e82308c
Instruction ID: 13fc88b24c7b2423830399d9f17253eed519c56a9c0e17172cb490c8eb2d2719
Opcode Fuzzy Hash: 4f712fa2c3fcb038dd4289d182e2cfe4100766b4bde14034a8f24a2e0e82308c
Instruction Fuzzy Hash: AD1103B6C002499FCB10CF9AD444ADEFBF8EB48310F10842ED859A7610C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014C7350 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 014C73C0

Memory Dump Source

Source File: 0000000B.00000002.3103636601.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14c0000_tiucdfZoOi.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 66389b0416031bec2b9af3a8d9bfaf14fc369669b149ab578a168dc710e7dedc
Instruction ID: 0b3846e44df0f3727b64cd4cb18aafcd6b1340fcc4963677ffc94f35e6724564
Opcode Fuzzy Hash: 66389b0416031bec2b9af3a8d9bfaf14fc369669b149ab578a168dc710e7dedc
Instruction Fuzzy Hash: 201133B5C0065A9BCB14CF9AD545BAEFBF4BB48720F10812AD858A7250D738A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064EDE54 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,064EE68A), ref: 064EE777

Memory Dump Source

Source File: 0000000B.00000002.3155990442.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64e0000_tiucdfZoOi.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 48bb243b644ae2ce99316bbcd12503c1590a73449f758108d1a8190340ad8999
Instruction ID: c2b8a9009e565029ad089e26829bfe14e14f3a1103182785c6798f54a66da2b4
Opcode Fuzzy Hash: 48bb243b644ae2ce99316bbcd12503c1590a73449f758108d1a8190340ad8999
Instruction Fuzzy Hash: AF1100B1C006699BCB10DF9AC444BAEFBF4AB48320F10816AE818B7251D378A940CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 064DA0D8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064DB199,00000800,00000000,00000000), ref: 064DB38A

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7aa1f15e9caaf3d0c409a0423197b3f049970afb0a28c7e42e78fcc74d5b88e3
Instruction ID: bfa70c0a9b68e40b74ccc69c9be037ca37d17d5a50763f4f1b661a75a739cd52
Opcode Fuzzy Hash: 7aa1f15e9caaf3d0c409a0423197b3f049970afb0a28c7e42e78fcc74d5b88e3
Instruction Fuzzy Hash: 8F1100B6D003488FDB10CF9AD844AAEFBF4EB48310F10842EE959A7610C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064EE708 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,064EE68A), ref: 064EE777

Memory Dump Source

Source File: 0000000B.00000002.3155990442.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64e0000_tiucdfZoOi.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 34524a36369b8ed04c1717737b87cc3717e1a156f3a90347c782582a38f25d36
Instruction ID: 2166f9cfd40547f565a6f60497f7211f1dd0a3ed4f3e4c7550d7393974015ee4
Opcode Fuzzy Hash: 34524a36369b8ed04c1717737b87cc3717e1a156f3a90347c782582a38f25d36
Instruction Fuzzy Hash: 021130B1C002698BCB10DF9AD444BEEFBF4AB48320F20816AD818A7250D338A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064DB0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 064DB11E

Memory Dump Source

Source File: 0000000B.00000002.3155732367.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_64d0000_tiucdfZoOi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cd82d01da25c106e8bc8571c12716965453cb69c6b978c1d6c0379bb7472aa3e
Instruction ID: 256f4330627d68cad8cd76282220baa974472f1e91e28a53047cabb6f79c2329
Opcode Fuzzy Hash: cd82d01da25c106e8bc8571c12716965453cb69c6b978c1d6c0379bb7472aa3e
Instruction Fuzzy Hash: 291110B5C003498FCB10CF9AD844ADEFBF4EB88324F10842AD859A7310C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0146D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3103171165.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_146d000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a62f9226e6a896afdfcbc45e04f3fa517753e1c718f068973f72e08c08e23a
Instruction ID: fa7c049d367d9170cf146c740a420d4f47a9305e5d3889c93e60b4899df0b9d4
Opcode Fuzzy Hash: a8a62f9226e6a896afdfcbc45e04f3fa517753e1c718f068973f72e08c08e23a
Instruction Fuzzy Hash: ED2125B1A04200DFCB15DF58D984B26BFA9EB8431CF20C56ED98A4B366C337D447CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0146D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3103171165.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_146d000_tiucdfZoOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac1d73e238e883730164c7b00073e524807cd8979846bb87a629e1159ae1bf5
Instruction ID: 6df5bd68708351c886a16254de2abcefb0cef9006de41ae72f778f483f11cac1
Opcode Fuzzy Hash: 5ac1d73e238e883730164c7b00073e524807cd8979846bb87a629e1159ae1bf5
Instruction Fuzzy Hash: D82180755093808FDB03CF24D594716BF71EB46218F28C5DBD8898F2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: boqXv.exePID: 7688, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	215
Total number of Limit Nodes:	13

Executed Functions

Function 077510A0 Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

tIh, xrefs: 07751545

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: b04c09bd27a521596ff8f8b5d41cc7c509961ea167c482b1bdc611c73fd70132
Instruction ID: 1c9e51e82e0b8aa3796062bfd55d325638018255eb93ac7b30cc25a80b76765d
Opcode Fuzzy Hash: b04c09bd27a521596ff8f8b5d41cc7c509961ea167c482b1bdc611c73fd70132
Instruction Fuzzy Hash: B1F1B0B0E1020ADFCB04CFA5D4849EEFBB1FF4A392B50D556D815AB211D7749A82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07751190 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

tIh, xrefs: 07751545

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 664300ebfb39452a941239094340f9c4c0bf1403386aa009190f8920d6627e63
Instruction ID: 25ab4385e4790459b6cf689cc1a3db96978ccdfe4f7db0b2b97daf5d5208ad58
Opcode Fuzzy Hash: 664300ebfb39452a941239094340f9c4c0bf1403386aa009190f8920d6627e63
Instruction Fuzzy Hash: 99D139B0E1420ADFCB08DF99C4859AEFBB2FF8A342F50D555D812AB215D734A942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 077541E8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5b0ccd1ec9955e2d1795c441660f99ffbe71961455642ba73d40f669e00013
Instruction ID: 26763f4be454a3100a5b0e95b89ca41d3740b67523fb1550a3fa95f0e4329af7
Opcode Fuzzy Hash: 2b5b0ccd1ec9955e2d1795c441660f99ffbe71961455642ba73d40f669e00013
Instruction Fuzzy Hash: F29118B0D15259DFCB08CFE5D580A9DFBB2FB8A340F20A41AE816BB224D7749985CF14

Uniqueness

Uniqueness Score: -1.00%

Function 077541D8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c34b2ff7e61008ada2f5036b6e2cea4529604f5b9fb5b5b506d1172f1ead37f
Instruction ID: 03a26ad4763b4afb2e8b2989ac678ebbc92a4a4679fb4b44810424377fa6a112
Opcode Fuzzy Hash: 1c34b2ff7e61008ada2f5036b6e2cea4529604f5b9fb5b5b506d1172f1ead37f
Instruction Fuzzy Hash: A0914AB4D15259DFCB08CFE5D580A9DFBB2BF8A340F20A41AE415BB224D7749982CF14

Uniqueness

Uniqueness Score: -1.00%

Function 07753EC1 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d10f334f27dc6d7a8edbddb226907955a9a3da3bbb01c091f267234226940a
Instruction ID: 54490d7528fb7836b2bf9f79f9df8906a0ad6702d248aae1a966d8ba0acc8bc7
Opcode Fuzzy Hash: 31d10f334f27dc6d7a8edbddb226907955a9a3da3bbb01c091f267234226940a
Instruction Fuzzy Hash: A58124B4E14219CFCF04CFA9C840AEEFBB2FB89244F00955AE811A7264D7759902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07753ED0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374884259fdea09c07409784b83fa49cd726aed7a456c92018fd5ffbf8e34280
Instruction ID: fe316f3796733a74d0204e4b446110e38f3470ab2dd7dcf3a83df2e46c176a51
Opcode Fuzzy Hash: 374884259fdea09c07409784b83fa49cd726aed7a456c92018fd5ffbf8e34280
Instruction Fuzzy Hash: 4B8110B4E14219CFCF04CFA9D980AEEFBB2FB89244F10A55AE801B7264D7759942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 077502E0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d834a5061382343d9890cadfc2a7e20de22e3dc0574ea6e57a12f0de081050
Instruction ID: ae52bbd9ed1fc655dfa4f1de6b8269d2afb4e4fd3591e7554f03e838cf9fe366
Opcode Fuzzy Hash: 25d834a5061382343d9890cadfc2a7e20de22e3dc0574ea6e57a12f0de081050
Instruction Fuzzy Hash: 6E21E8B1E006188BEB18CFABD9442DEFBF7AFC8310F14C07AD408A6258DB701A46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 077502D3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aae08fb4c47046273fa54812c6256f3d9f0bbfbcb39c0e10834cca2a17aeac8
Instruction ID: 6a6a8d9be7b222003812d7b4fc2aa6e94207b20af7be5098d2471066a45d7e1f
Opcode Fuzzy Hash: 8aae08fb4c47046273fa54812c6256f3d9f0bbfbcb39c0e10834cca2a17aeac8
Instruction Fuzzy Hash: 2821ECB1E016588BDB18CFABCD452DEBFF3AFC9300F14C06A9408A6258DB741A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0138D2B1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0138D33E
GetCurrentThread.KERNEL32 ref: 0138D37B
GetCurrentProcess.KERNEL32 ref: 0138D3B8
GetCurrentThreadId.KERNEL32 ref: 0138D411

Strings

-Z.W, xrefs: 0138D2DC

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: Current$ProcessThread
String ID: -Z.W
API String ID: 2063062207-3963604706
Opcode ID: 928439dacafe503f9e8e790a738021dc48241dc453db1016e126a29b61e57fac
Instruction ID: 7432554b677e22a198041d4a8f962f8b71dc1989f1b7cfb9377488da887430f1
Opcode Fuzzy Hash: 928439dacafe503f9e8e790a738021dc48241dc453db1016e126a29b61e57fac
Instruction Fuzzy Hash: 655155B09013498FDB14DFAAD548B9EBBF1AF88304F24C459E419A73A0DB749988CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0138D2C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0138D33E
GetCurrentThread.KERNEL32 ref: 0138D37B
GetCurrentProcess.KERNEL32 ref: 0138D3B8
GetCurrentThreadId.KERNEL32 ref: 0138D411

Strings

-Z.W, xrefs: 0138D2DC

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: Current$ProcessThread
String ID: -Z.W
API String ID: 2063062207-3963604706
Opcode ID: 2bf16e254c66f4d71da8320b81d0723146d9e615417b7b0c0da0384941f648de
Instruction ID: 10e35131be648d24acbded7a1fb698fdbd3121d3faac6858544c9c1a8ff0ea3b
Opcode Fuzzy Hash: 2bf16e254c66f4d71da8320b81d0723146d9e615417b7b0c0da0384941f648de
Instruction Fuzzy Hash: B75145B09013098FDB14DFAAD548B9EBBF5EF48304F20C459E419A73A0DB749988CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0D331A7C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0D331CBE

Strings

-Z.W, xrefs: 0D331AF2
-Z.W, xrefs: 0D331AC3

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: CreateProcess
String ID: -Z.W$-Z.W
API String ID: 963392458-643988704
Opcode ID: 04343dc83e6497108d6b745db2410031487d0bea850810f15a1b0d2f3bfd59b7
Instruction ID: 47e634aff14d879c81720bf0807cfa0be2c96f5d7d22b403de13db70bb9b5319
Opcode Fuzzy Hash: 04343dc83e6497108d6b745db2410031487d0bea850810f15a1b0d2f3bfd59b7
Instruction Fuzzy Hash: 69A17C71D00319DFDB20CFA8C941BEDBBB2BF49310F1485A9E819A7294DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0D331A88 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0D331CBE

Strings

-Z.W, xrefs: 0D331AF2
-Z.W, xrefs: 0D331AC3

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: CreateProcess
String ID: -Z.W$-Z.W
API String ID: 963392458-643988704
Opcode ID: dba5c7aeb3abfc66e0fa9394e534dafbf442156836b48d78d6e14af250b9d84c
Instruction ID: de6c48c195be0f607fb5eceed335400b9249ff75db5634aceb6376d56b3f08ca
Opcode Fuzzy Hash: dba5c7aeb3abfc66e0fa9394e534dafbf442156836b48d78d6e14af250b9d84c
Instruction Fuzzy Hash: 17916B71D00319DFDB10CFA8C941BEEBBB2BF49314F1485A9E809A7294EB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07755688 Relevance: 3.9, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8oq, xrefs: 077557A0
Tekq, xrefs: 077558B3
8oq, xrefs: 0775570A

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: 8oq$8oq$Tekq
API String ID: 0-1538163075
Opcode ID: 55cf7df5ec2f2c28f151c45786b3a46de307db516a41145fb5ad0cbe8b22b2f8
Instruction ID: ddf21c88be9cf41332ec5e1df5d89d35c246e846f4478601e4a213e2dbb51436
Opcode Fuzzy Hash: 55cf7df5ec2f2c28f151c45786b3a46de307db516a41145fb5ad0cbe8b22b2f8
Instruction Fuzzy Hash: 6841CE74B00215CFC7008B69C844ABE7BF3EB85744F2488AAD9099B391DBB98D5687A1

Uniqueness

Uniqueness Score: -1.00%

Function 0138B028 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0138B27E

Strings

-Z.W, xrefs: 0138B237

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: HandleModule
String ID: -Z.W
API String ID: 4139908857-3963604706
Opcode ID: 9410e325c855f8823dda9b85150b13c815c65ee49e49a194bd1c862e67a8d4f0
Instruction ID: 4d190852faa3f79544b981912ba5670cfac8cb91df2d2588adde78cc6e1b3bad
Opcode Fuzzy Hash: 9410e325c855f8823dda9b85150b13c815c65ee49e49a194bd1c862e67a8d4f0
Instruction Fuzzy Hash: 5B713470A00B068FDB24EF6AD44075ABBF5FF88308F008929D49ADBB54DB75E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0138590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013859C9

Strings

-Z.W, xrefs: 0138594C

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: Create
String ID: -Z.W
API String ID: 2289755597-3963604706
Opcode ID: 61e3bed6258d8bae91adb482df914be344be3ffa211212aa5a0a4022b7566e28
Instruction ID: 669363e7280912d304e3ba8f61a89be20b79bcb32da6bca7a4f406f21d09850a
Opcode Fuzzy Hash: 61e3bed6258d8bae91adb482df914be344be3ffa211212aa5a0a4022b7566e28
Instruction Fuzzy Hash: 4741E0B0C0171DCFDB24DFA9C984B8EBBB5BF49304F24806AD408AB255DB75598ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 013844C4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013859C9

Strings

-Z.W, xrefs: 0138594C

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: Create
String ID: -Z.W
API String ID: 2289755597-3963604706
Opcode ID: 597e51de6e62c5debe1d7b6ec6f336116e74e07b16bce9696ed078921cdbb7c0
Instruction ID: dd9e50a0ddf32bb22360c4fa17d5fba35d4cd566d16185a9ecc5ac1db6da5fbc
Opcode Fuzzy Hash: 597e51de6e62c5debe1d7b6ec6f336116e74e07b16bce9696ed078921cdbb7c0
Instruction Fuzzy Hash: 4741CFB0C0171DDBDB24DFA9C884B9EBBF5BF49304F24806AD408AB255DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0D3317F8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0D331890

Strings

-Z.W, xrefs: 0D33181F

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: -Z.W
API String ID: 3559483778-3963604706
Opcode ID: d1599a1ee344dbb9f6fe0dc5252b4980bdd4a2230eff010dc006699cf55f7348
Instruction ID: 95f98b7fed1ae66e2fa88431e701b26579de4cbe19ec547ffe36020e3d67a628
Opcode Fuzzy Hash: d1599a1ee344dbb9f6fe0dc5252b4980bdd4a2230eff010dc006699cf55f7348
Instruction Fuzzy Hash: 192146B5D003099FCB10CFA9C985BEEBBF5FF48310F10882AE958A7251C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0D331800 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0D331890

Strings

-Z.W, xrefs: 0D33181F

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: -Z.W
API String ID: 3559483778-3963604706
Opcode ID: fa8aed1bc0ef43090bf2d4023123838b0c5c6d4f21ce24b3950276155064285e
Instruction ID: f37300f0a8b7ff12b64779a3272d171bd2e6d462a9a183cb2d6bdd35111cd733
Opcode Fuzzy Hash: fa8aed1bc0ef43090bf2d4023123838b0c5c6d4f21ce24b3950276155064285e
Instruction Fuzzy Hash: 9C2157B5D003099FCB10CFAAC981BEEBBF5FF48310F108429E958A7250C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0D3318E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0D331970

Strings

-Z.W, xrefs: 0D33190F

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: MemoryProcessRead
String ID: -Z.W
API String ID: 1726664587-3963604706
Opcode ID: eded9d24d295fa0242b463e82372288b247089ec08e2c46435b2e8999241a4c4
Instruction ID: c1e544f625c3d6f4e3a64d1e1c96ef5b2ab579234af0f85ae35d07d9be218964
Opcode Fuzzy Hash: eded9d24d295fa0242b463e82372288b247089ec08e2c46435b2e8999241a4c4
Instruction Fuzzy Hash: 872105B5D003599FCB10CFAAC985AEEBBF5FF48310F10842AE958A7250C7789545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0D331228 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0D3312AE

Strings

-Z.W, xrefs: 0D33124C

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: ContextThreadWow64
String ID: -Z.W
API String ID: 983334009-3963604706
Opcode ID: 8bbce138eabc7a1c3d6c409696c4a2b6e4270a23fdbda2ddb1860ae37e77e6a0
Instruction ID: 4db336b82931b2a9cef81ad7454ada5247ac147487789b0f64ff7a3b6b6b5837
Opcode Fuzzy Hash: 8bbce138eabc7a1c3d6c409696c4a2b6e4270a23fdbda2ddb1860ae37e77e6a0
Instruction Fuzzy Hash: 102154B5D003088FCB10CFAAC585BEEBBF4AB48364F14842AD569A7241CB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0D3318F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0D331970

Strings

-Z.W, xrefs: 0D33190F

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: MemoryProcessRead
String ID: -Z.W
API String ID: 1726664587-3963604706
Opcode ID: a3a41b8ef26bcc18979c9e7c54e6dd3a91138ecffce0dd33417a3c8a17098688
Instruction ID: 469c1bfe1089cf75e7b36400e8110ec2425084ff113f21ba2edad83a456ce75f
Opcode Fuzzy Hash: a3a41b8ef26bcc18979c9e7c54e6dd3a91138ecffce0dd33417a3c8a17098688
Instruction Fuzzy Hash: 132139B1C003599FCB10DFAAC981AEEFBF5FF48320F108429E558A7250C7749544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0D331230 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0D3312AE

Strings

-Z.W, xrefs: 0D33124C

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: ContextThreadWow64
String ID: -Z.W
API String ID: 983334009-3963604706
Opcode ID: d7032e6102156d859a425e9a27f45c1a8e50749843a3ae1bf9cbe997f151ec43
Instruction ID: 8ec637df2bc49a010d302b238f7c34e0d545c9a4a9579f8bcc8673d23e4c3cea
Opcode Fuzzy Hash: d7032e6102156d859a425e9a27f45c1a8e50749843a3ae1bf9cbe997f151ec43
Instruction Fuzzy Hash: 112147B19003098FDB10DFAAC5857EEBBF4EF48364F10842AD559A7241CB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0138D508 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0138D58F

Strings

-Z.W, xrefs: 0138D527

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: DuplicateHandle
String ID: -Z.W
API String ID: 3793708945-3963604706
Opcode ID: 77f0aaaf108ae781091ce086ad6ae2f42d7036464db944f885401676eb93ffc7
Instruction ID: b701d054ababafc7d80071166695179e9c1b4c4af3ec1f51a071e4f7041a38b6
Opcode Fuzzy Hash: 77f0aaaf108ae781091ce086ad6ae2f42d7036464db944f885401676eb93ffc7
Instruction Fuzzy Hash: D421E4B5900218EFDB10CF9AD984ADEFFF8EB48314F14841AE958A3350D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0138D501 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0138D58F

Strings

-Z.W, xrefs: 0138D527

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: DuplicateHandle
String ID: -Z.W
API String ID: 3793708945-3963604706
Opcode ID: 27831ddf4a921cc1831013fd1f558fb3bb1f2d78892349dc39dc71aa777f2b8a
Instruction ID: 1d86a098fb960ec38419dd03da6c178ea89e717434c5860283848e7d3e747d08
Opcode Fuzzy Hash: 27831ddf4a921cc1831013fd1f558fb3bb1f2d78892349dc39dc71aa777f2b8a
Instruction Fuzzy Hash: D621E2B5900218EFDB10CFAAD984ADEBBF5EB48324F14841AE958A7351D374AA44CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0D331738 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0D3317AE

Strings

-Z.W, xrefs: 0D331757

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: AllocVirtual
String ID: -Z.W
API String ID: 4275171209-3963604706
Opcode ID: ea959887aa45d82a6df57deb6d69c2cf5cfd75822c716c3c611ed38b127c2180
Instruction ID: 1c72dd27a0b4c492a049d4b0b55a63df1b39e610574f766ce1b4025a1087aa73
Opcode Fuzzy Hash: ea959887aa45d82a6df57deb6d69c2cf5cfd75822c716c3c611ed38b127c2180
Instruction Fuzzy Hash: 7D1159B5800248DFCB10CFA9C945BEEBBF5EF48324F248819E559A7250C7359544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0138B498 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0138B2F9,00000800,00000000,00000000), ref: 0138B50A

Strings

-Z.W, xrefs: 0138B4BF

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: LibraryLoad
String ID: -Z.W
API String ID: 1029625771-3963604706
Opcode ID: a2ee7970935c0cc7cbb2fff4a60fed2da3d53fa713a1da55966946b84d8ee53d
Instruction ID: 4fec7ecf34e13d38ab79af52b8078467f23aa5d56912ddb67953cf9858e7a8a3
Opcode Fuzzy Hash: a2ee7970935c0cc7cbb2fff4a60fed2da3d53fa713a1da55966946b84d8ee53d
Instruction Fuzzy Hash: 792103B68003099FDB24CFAAD444ADEFBF4EB89314F14842AD519A7210C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0138ACDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0138B2F9,00000800,00000000,00000000), ref: 0138B50A

Strings

-Z.W, xrefs: 0138B4BF

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: LibraryLoad
String ID: -Z.W
API String ID: 1029625771-3963604706
Opcode ID: eac8ff37b75bb3f306e15b29f38e168ce67aa101446d85839b6e974c3984e08d
Instruction ID: 68ac3ac74e91995468bc20190680252613816931ab6adf23b014e46e2a51d4ee
Opcode Fuzzy Hash: eac8ff37b75bb3f306e15b29f38e168ce67aa101446d85839b6e974c3984e08d
Instruction Fuzzy Hash: 3F1114B6900309DFDB10DF9AC444ADEFBF8EB48324F10842AD519A7211C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0D331740 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0D3317AE

Strings

-Z.W, xrefs: 0D331757

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: AllocVirtual
String ID: -Z.W
API String ID: 4275171209-3963604706
Opcode ID: db4fcf5edc842ef1b03002becde87091ee6fb8a190d829c6d5c94618546017d9
Instruction ID: 57af6f7af013a1b78a566824f1169fb7d5d4fbf298f89dea109dcba4eead3ba6
Opcode Fuzzy Hash: db4fcf5edc842ef1b03002becde87091ee6fb8a190d829c6d5c94618546017d9
Instruction Fuzzy Hash: D31156758002489FCB10DFAAC845AEEBBF5EB48320F248819E559A7250C735A540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0D331178 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0D3311E2

Strings

-Z.W, xrefs: 0D331197

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: ResumeThread
String ID: -Z.W
API String ID: 947044025-3963604706
Opcode ID: c1e1cfe956efc35e33a0569bc58c36288528406f30faf4f176f09300afbc0ce9
Instruction ID: 8c1108d809b2fa51386c94e5710127cc95646fdba0451f34632bc249cb5412b8
Opcode Fuzzy Hash: c1e1cfe956efc35e33a0569bc58c36288528406f30faf4f176f09300afbc0ce9
Instruction Fuzzy Hash: 121158B5D003488FCB20DFAAC9457EEFBF4AF88324F24881AD559A7250C7749945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0D331180 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0D3311E2

Strings

-Z.W, xrefs: 0D331197

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: ResumeThread
String ID: -Z.W
API String ID: 947044025-3963604706
Opcode ID: fc626f94ea40f2da28b506281028e9e1a993892d24d5fbdb91a2539271e7418a
Instruction ID: b7eaf816907cf9616ef6afb84c52affa462b7afa8cbea3cc295bcf4ac520d069
Opcode Fuzzy Hash: fc626f94ea40f2da28b506281028e9e1a993892d24d5fbdb91a2539271e7418a
Instruction Fuzzy Hash: 35113AB5D003498FCB20DFAAC5457EEFBF8EB88324F208419D559A7250CB75A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0D335530 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0D335595

Strings

-Z.W, xrefs: 0D335552

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: MessagePost
String ID: -Z.W
API String ID: 410705778-3963604706
Opcode ID: 9f3070464105652ef6656e7daebd287faa78b1d79a964d1f28b7229fa495c9d4
Instruction ID: 999569b071748d625b57942f0138128d823cc40ca0d28bf5c5b2f805467826dd
Opcode Fuzzy Hash: 9f3070464105652ef6656e7daebd287faa78b1d79a964d1f28b7229fa495c9d4
Instruction Fuzzy Hash: B011F5B58103499FDB10DF9AD585BDEBFF8EB48324F10881AE558A7210C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0D333760 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0D335595

Strings

-Z.W, xrefs: 0D335552

Memory Dump Source

Source File: 0000000C.00000002.2059994266.000000000D330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d330000_boqXv.jbxd

Similarity

API ID: MessagePost
String ID: -Z.W
API String ID: 410705778-3963604706
Opcode ID: 2d1252761db0aa5addf1faaf3c846f616cb833f9e01e9870edc340862327b0d4
Instruction ID: 58776c8a9303e2aa094962e926c25633f459f50f0f5dc81ec16a587e17769155
Opcode Fuzzy Hash: 2d1252761db0aa5addf1faaf3c846f616cb833f9e01e9870edc340862327b0d4
Instruction Fuzzy Hash: 2C11F2B58003489FDB10DF9AD985BEEBBF8EB48324F10845AE959A7600C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0138B218 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0138B27E

Strings

-Z.W, xrefs: 0138B237

Memory Dump Source

Source File: 0000000C.00000002.2048484245.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1380000_boqXv.jbxd

Similarity

API ID: HandleModule
String ID: -Z.W
API String ID: 4139908857-3963604706
Opcode ID: 06517e7d7d941cd0a58a2c3cdff96832dff9285c296f0da2d573b30b3db599a9
Instruction ID: c4bf1a3b708a8ff3dee27c39f61528a4fecb0748aedf59f7cb94ec16cc8e22e2
Opcode Fuzzy Hash: 06517e7d7d941cd0a58a2c3cdff96832dff9285c296f0da2d573b30b3db599a9
Instruction Fuzzy Hash: 5B11F2B5C003498FDB10DF9AD444ADEFBF4EF88324F10842AD969A7210D379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 077517D0 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

3H5, xrefs: 0775186E
3H5, xrefs: 07751860

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: 3H5$3H5
API String ID: 0-2752242361
Opcode ID: 5e0e9d70d956f03529177ea16cefe60b5c57776bb17be0c036e795cae3af1aab
Instruction ID: 8b7b092a0eb0261971cb8295efecafb3235710855c5236fe6360b643c5cb0fa7
Opcode Fuzzy Hash: 5e0e9d70d956f03529177ea16cefe60b5c57776bb17be0c036e795cae3af1aab
Instruction Fuzzy Hash: 612148B0D11209DFCB54CFA9C540AAEFBF1FF89311F50C5AAD508A7214E770AA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07755928 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

Tekq, xrefs: 07755A89

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: c98d8961f2e873380080bbd1ae027366eb4c20dcf652c5cefb11d140eb54862c
Instruction ID: 79d721b55ec399274e98840a547b72c59449e51aebbd91c085eb0059aa98e59f
Opcode Fuzzy Hash: c98d8961f2e873380080bbd1ae027366eb4c20dcf652c5cefb11d140eb54862c
Instruction Fuzzy Hash: 52519F71B002168FCB15DB79D88887EBBF7FFC42607248969E455DB391DB709C058790

Uniqueness

Uniqueness Score: -1.00%

Function 0775B2D8 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0775B40B

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: aacd8e513f7987569dce7275e8106caa6a0993ec661f688d332fc123aeb2fd1d
Instruction ID: 5a9ceec7d6ef56e995d5ee6d6eaffa203e2a7e879aef67ab33f7d7348c15a798
Opcode Fuzzy Hash: aacd8e513f7987569dce7275e8106caa6a0993ec661f688d332fc123aeb2fd1d
Instruction Fuzzy Hash: E251F5F4E15208CFDB14CFAAD8846FDBBF6AF8A340F14902AD809BB264DB745945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0775B2C9 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0775B40B

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: ee2c7cc992735d78103ca6cd1da21bd55929e4a6f694eb28e553aa3e4972560b
Instruction ID: 9b75f5d2118ec95a7240d36dc5529e550b3642b92b5db181dfd1046fa465423a
Opcode Fuzzy Hash: ee2c7cc992735d78103ca6cd1da21bd55929e4a6f694eb28e553aa3e4972560b
Instruction Fuzzy Hash: F84106F0E15208CBDB14DFA5D9846AEBBF6BF8A340F14902AD809BB264DBB45905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0775390F Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

O};5, xrefs: 07753958

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: 916f96a1febaaf86a8a67a3002a913afe7ec5d5894613b4a2abb1390c4672ca9
Instruction ID: c553a3e159e51812a8edc3ac1621f4e4b2706c808c14345f1d280560c6f2e165
Opcode Fuzzy Hash: 916f96a1febaaf86a8a67a3002a913afe7ec5d5894613b4a2abb1390c4672ca9
Instruction Fuzzy Hash: 1A41EFB0A1524ADFCB80CFA8D9844ADFFB1FF8A254F608496D455AB364D7309A11CB10

Uniqueness

Uniqueness Score: -1.00%

Function 07753920 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

O};5, xrefs: 07753958

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: ccb06c8f1968e968b0fcdd91bbed2fb74178597db26077fd9fdb406e3f18875f
Instruction ID: 3b714f84403e82dc9374377d5f89e74d870f90b4fac44fc8dd1448258b110dd2
Opcode Fuzzy Hash: ccb06c8f1968e968b0fcdd91bbed2fb74178597db26077fd9fdb406e3f18875f
Instruction Fuzzy Hash: 3A419FB0A25209EFCB84CF99D9849AEFFB1FF89340F60D495D459A7328D7309A51CB14

Uniqueness

Uniqueness Score: -1.00%

Function 077572F0 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

-Z.W, xrefs: 07757377

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: -Z.W
API String ID: 0-3963604706
Opcode ID: b57acc62a5f93544802adec7cb505f4398e81a5b3532c4a0b0d76080edd0d9d8
Instruction ID: f649b0ede325bbb3df4fc59bc3d8798820ec0d97e8330fd4584bb7f6aaf4c711
Opcode Fuzzy Hash: b57acc62a5f93544802adec7cb505f4398e81a5b3532c4a0b0d76080edd0d9d8
Instruction Fuzzy Hash: DA3138B5900249AFCB14CFA9D844ADEBFF9EF49360F10846AE919E7311D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07755ACC Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

-Z.W, xrefs: 07755AFD

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: -Z.W
API String ID: 0-3963604706
Opcode ID: b5db9bb55e5818f67b9244e70457aa36c4d50e09b5da98a9e676c96e168bfac6
Instruction ID: cac2a96fee0c4e898d88e6be7f45fc8ec9b1b5d7ecc8de91590ede2815d8cd0e
Opcode Fuzzy Hash: b5db9bb55e5818f67b9244e70457aa36c4d50e09b5da98a9e676c96e168bfac6
Instruction Fuzzy Hash: D13100B0C01218DFDB20CF99C988B9DBFF5AB09314F24885AE808BB251C7B55885CF95

Uniqueness

Uniqueness Score: -1.00%

Function 077517C0 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

3H5, xrefs: 0775186E

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: 3H5
API String ID: 0-3899204960
Opcode ID: 323f1f04d81fd79d4f33aa34a5af895ea31195006c7e7e3aad67e9610dc10ea3
Instruction ID: 7b9cff607b1f6145c6e3c6b0f303c45865cf7ba50eeb99ab691b074723fda120
Opcode Fuzzy Hash: 323f1f04d81fd79d4f33aa34a5af895ea31195006c7e7e3aad67e9610dc10ea3
Instruction Fuzzy Hash: 6521ACB0D1120ACFCB15CFA9C5806AEFFF1EF8A211F24C5AAD504AB350D7309A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07755AD8 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

-Z.W, xrefs: 07755AFD

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: -Z.W
API String ID: 0-3963604706
Opcode ID: 66b01827e4a1bc7434ace98fbb1b6fabd3f2ae72ae758c7b80c7489710e71121
Instruction ID: 2e9b27156e971b0c4d89e84c7233304e28c61fba9d3b9852da26734cbeb9946e
Opcode Fuzzy Hash: 66b01827e4a1bc7434ace98fbb1b6fabd3f2ae72ae758c7b80c7489710e71121
Instruction Fuzzy Hash: 0721D0B0C11218DFDB20DF99C988B8EBFF5AB09714F24845AE808BB250C7B55885CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 077561E4 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

-Z.W, xrefs: 07757377

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: -Z.W
API String ID: 0-3963604706
Opcode ID: b222604a91f4917c52e1fe44cfde8e67d21e80e0c417c845c1ae302bf789abaf
Instruction ID: 81c4f348b3af5b8e9decee8bf708bd1bf40efb57797d375327378e3b2a1007bc
Opcode Fuzzy Hash: b222604a91f4917c52e1fe44cfde8e67d21e80e0c417c845c1ae302bf789abaf
Instruction Fuzzy Hash: 672100B59003499FCB10CF9AD884ADEBFF8FB48360F54842AE919A7211C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0775B353 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0775B363

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: c03243ad2c233a0989b8dfafb5d3262019a8b6d8a13a2c7a53c2708da8293216
Instruction ID: aa9bb8ea793a63c0dc80b848557e08d8b18d66c8246ce4559f4d2ba19fdfce5e
Opcode Fuzzy Hash: c03243ad2c233a0989b8dfafb5d3262019a8b6d8a13a2c7a53c2708da8293216
Instruction Fuzzy Hash: 6F117F75E002098FCB04DFE8C9849ADBBB2FB88314F208129E919AB354C635A916CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07757C0D Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b0ea35e5e9192b2e879d52cd51dea176841884a4127d94092098547a749651
Instruction ID: b7b478a4c6fd0275b68abff30afcee3c22d644b0b45ff4756f433892a380ab2c
Opcode Fuzzy Hash: e2b0ea35e5e9192b2e879d52cd51dea176841884a4127d94092098547a749651
Instruction Fuzzy Hash: 0E519DB0E1020A9FDB089FA9C840BBEBBB2BF55344F108526E915973C5CBB49942CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0775E53A Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef104721ea044c0581796ce7533ddfa432d09fc6f3c47d0335cad7423911045
Instruction ID: 27a997b9b657e733cd15763f0c546ac429014625f50bfca5aaac417671cf5916
Opcode Fuzzy Hash: 8ef104721ea044c0581796ce7533ddfa432d09fc6f3c47d0335cad7423911045
Instruction Fuzzy Hash: B0515FB0D25205CFCB14DFA9D544AADBBF5FF4A341B00A565F81A9B252DBF0AD81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0775CBE0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2869a7a446f9a54278dbbafdfa61b600d33911ac7cf773b37b91753e278535e7
Instruction ID: dcf8574fad7601ca3f91dad868763b8e0313c5fc392a7bac78b5fe929ea8a03f
Opcode Fuzzy Hash: 2869a7a446f9a54278dbbafdfa61b600d33911ac7cf773b37b91753e278535e7
Instruction Fuzzy Hash: F4511CB4D1430ACFCB05DF99D4846AEFBB5BF4E340F15A554D809AB206D774A981CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0775CBD3 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004c507e50b5f59acc8bfaa7c2f12bae470fad0be5b02724c9b094aab76416bc
Instruction ID: 11416ea358fcde14d9a24a78850d9fa6c22960e874c102053582f8ef676c136d
Opcode Fuzzy Hash: 004c507e50b5f59acc8bfaa7c2f12bae470fad0be5b02724c9b094aab76416bc
Instruction Fuzzy Hash: 2E513DB491430ACFCB05CFA9D4846ADBFB5BF4E340F14A555D805AB216D770A982CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 077537B8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaf6b350223e93abfee48b83c2de75b3b1e79a17d40a1d19e4eb721d993a934
Instruction ID: 931f4bddf5ffd200e17403216f9f88aa67cd1d8a4d6bd68e37658aa5adea0cb9
Opcode Fuzzy Hash: bfaf6b350223e93abfee48b83c2de75b3b1e79a17d40a1d19e4eb721d993a934
Instruction Fuzzy Hash: 9141C0B89197848FC716CBA9D840988BFB0EF8A211F1A80D6D480DF3B3C7359956CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0775BA78 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8db77b16115d29ea7daa4cd3bf31f8833f1f3fb1affcad229781705d2d5ee8d
Instruction ID: 61bf5d0c31bbfb98801280e678463825029d173ba397a22c243f698edec61af2
Opcode Fuzzy Hash: c8db77b16115d29ea7daa4cd3bf31f8833f1f3fb1affcad229781705d2d5ee8d
Instruction Fuzzy Hash: B5411AF0D18209CFDB04CFAAC4406BEBBF6AF8E340F14D069E819A3265DBB45941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 07753AA8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc32fa9508c3445a18865cbb93bf9828a3300d20c449ee8d2c496cf69255c3fe
Instruction ID: 0c575e37c641f94e8adb191cf84f6b30c081ab5d85889a45e5d0bd1da3f1c6de
Opcode Fuzzy Hash: cc32fa9508c3445a18865cbb93bf9828a3300d20c449ee8d2c496cf69255c3fe
Instruction Fuzzy Hash: 65415BB4E1020A9FCB04CF95D8419EEBBB2FF89350F109529E905BB364D7709A51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07753A98 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6577198cf0d7b38810967b1f523f6dc0fb7ab82fc71e57ca3d327a92c8b63b88
Instruction ID: 4963bdcd1dd49e848ccdd3808f991ff010aa376d6e9fdcff3e4bd56899fdd086
Opcode Fuzzy Hash: 6577198cf0d7b38810967b1f523f6dc0fb7ab82fc71e57ca3d327a92c8b63b88
Instruction Fuzzy Hash: DC416CB5E1020A9FCB05CFA5D8419AEBBB2FF89350F14952AE505BB364D7709A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0775BA6B Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2da5ee77ac8c6b663ffaade9f9faeac5a2aaf8fc66ccd1c45fdc68773e0028
Instruction ID: ae62897aeae81e5a2c7ebab2013a136273890174c6bd8b3b3924b56da2b4b88b
Opcode Fuzzy Hash: 0a2da5ee77ac8c6b663ffaade9f9faeac5a2aaf8fc66ccd1c45fdc68773e0028
Instruction Fuzzy Hash: 10312AF4D192488FDB04CFAAD4446BEBBF6AB8E341F14D06AE819A7265DBB40901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07758908 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bccc7352cf5d45409a35ce4cddfb5845d43e4d966807c9e534aa60a63585cd
Instruction ID: ffa24d04cc19db82292cc7bf98a851d38b06fc5ce5a2dedec7c7383bda61dee2
Opcode Fuzzy Hash: 54bccc7352cf5d45409a35ce4cddfb5845d43e4d966807c9e534aa60a63585cd
Instruction Fuzzy Hash: D3319EB1E14126CFCB148F69D8446BEB7F1FF45390F058126E866D72A1D378E841CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 0775CC4B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60a66f4c3c69addfd08d28159aba9799ece50f6fe13249fefe8ee7dd18dce48
Instruction ID: e094974f0e1f62b41b49ec15124c30737db4158f1f9913e6bee0b07384538967
Opcode Fuzzy Hash: d60a66f4c3c69addfd08d28159aba9799ece50f6fe13249fefe8ee7dd18dce48
Instruction Fuzzy Hash: E131E5B5D1930ACFCB49CFAAC9446EDBBF6BF8E240F14A069D809A6211D7745542CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0775619C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d193ef4a71a9b7e63ce87d6dffe5b1f8bc246deb1fbd538277855f2160005f78
Instruction ID: f0475ea0e7f6ece99a60bc4c6a545b8a7f7c0774d9281070e47c4f3fdc6b6f52
Opcode Fuzzy Hash: d193ef4a71a9b7e63ce87d6dffe5b1f8bc246deb1fbd538277855f2160005f78
Instruction Fuzzy Hash: 7021C0B0A09385AFCB1ACBB48C585AD7FB9DF53150B1448EAFC40CB253E9B18D0593A2

Uniqueness

Uniqueness Score: -1.00%

Function 077587E8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834403ddc65f2b0aa11e63be43b571bb1fbc734239121789e31b6b4856569df4
Instruction ID: 06033a5f5c346856cb868df9db407d682214eb0a8668147d5ab33f2fad9fd47d
Opcode Fuzzy Hash: 834403ddc65f2b0aa11e63be43b571bb1fbc734239121789e31b6b4856569df4
Instruction Fuzzy Hash: A2210870F65245DFC7248B55880572A3B62FB86740F24C47AE8164F3D2DAB6EC41C793

Uniqueness

Uniqueness Score: -1.00%

Function 0132D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2048204661.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_132d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79be8f9227ea0dc2dedc056ee1ddb49f114a779e0e928c59dc6ca599270a826d
Instruction ID: aa8875d231cd00b64f4fb2690f6840fba98e54836876d3a9210e7c6df70266c8
Opcode Fuzzy Hash: 79be8f9227ea0dc2dedc056ee1ddb49f114a779e0e928c59dc6ca599270a826d
Instruction Fuzzy Hash: B7210371504344DFDB06EF98D9C4B2ABF65FB89328F20C569ED094B256C336D416CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0133D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2048268644.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_133d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c54c9955a625653cabf24cf83d220199208f0455ff328071b19937fe3b0ce7
Instruction ID: 96a3e36c00acaf914168ae2d4f670b302668814325bfbf2629d4c1e141b3baae
Opcode Fuzzy Hash: 46c54c9955a625653cabf24cf83d220199208f0455ff328071b19937fe3b0ce7
Instruction Fuzzy Hash: 62214671504204EFDB01DF98D9C0B26BBA5FBC4328F60C66DE8098B352C33AD446CA65

Uniqueness

Uniqueness Score: -1.00%

Function 0133D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2048268644.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_133d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0138f3b46d11c4a3377743f1c87bf6b4599671b1109656db98025e0da4b4cb1
Instruction ID: 8e79623eba891b7e394f7cf88e156b51aa5882292475c47046b0a43dba2b7369
Opcode Fuzzy Hash: f0138f3b46d11c4a3377743f1c87bf6b4599671b1109656db98025e0da4b4cb1
Instruction Fuzzy Hash: A3213070604204DFCB11DF68D980B26FBA5FB84B18F60C569E80A4B256C33AC446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0775E5FD Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5a802cb737b2fe9a9fe6587c1d608d22a41e9ff254ec0d6441e3e092b248b5
Instruction ID: 3e8edfb35b384a457acc8bc9626bae7991ab85cc509785f6ac5399b69fc2843b
Opcode Fuzzy Hash: ec5a802cb737b2fe9a9fe6587c1d608d22a41e9ff254ec0d6441e3e092b248b5
Instruction Fuzzy Hash: D1313734A11218CFDB519FA4DA84FAC7BB6FB99300F0086D9E50AA7394DB705E86CF11

Uniqueness

Uniqueness Score: -1.00%

Function 077587D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4176bd7256cdfa55e094f17b38898939d1cffe88873c19bb404e0544d232a51
Instruction ID: d974e5863bdb59e367820ba5f603d0dd488846da6faef2bfbf41aee6dcf5c823
Opcode Fuzzy Hash: e4176bd7256cdfa55e094f17b38898939d1cffe88873c19bb404e0544d232a51
Instruction Fuzzy Hash: E9210470F25241EFD7248B45C80172A7762FB86745F25C4BBE8154F292CAB6EC82C783

Uniqueness

Uniqueness Score: -1.00%

Function 0775BC18 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb40ef345b38643330e5e03e7ac0ed17d8ee27081786575244e9096b4c4b563
Instruction ID: d3ecafa3eccaa156d8611a1b7e5d1a97bf03be9aca4670143e56ba332067a92e
Opcode Fuzzy Hash: beb40ef345b38643330e5e03e7ac0ed17d8ee27081786575244e9096b4c4b563
Instruction Fuzzy Hash: FF21E9F4E08209CFCB40CF94C1815FDBBF5AB49341F605495E809A7721DB709E41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0133D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2048268644.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_133d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beab6543dc73b4be326283cd59cb534281c5d8f532dceed4d6695b83762cc6a3
Instruction ID: 4919f45769813ed1bcba44b682825ea4165a7a91937a41b9f43e935a09243363
Opcode Fuzzy Hash: beab6543dc73b4be326283cd59cb534281c5d8f532dceed4d6695b83762cc6a3
Instruction Fuzzy Hash: FD2153755083809FDB02CF64D994711BF71EB86618F24C5DAD8498F2A7C33A9856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 07755917 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7f49ffe547b39ac403c71888da068788236e6e7d8a208320476c8168f220e0
Instruction ID: c45ec9ab038751ad22a306af2d0112e8a37fc0c0be1fbbe528f9f96ccaee7881
Opcode Fuzzy Hash: cf7f49ffe547b39ac403c71888da068788236e6e7d8a208320476c8168f220e0
Instruction Fuzzy Hash: 1711C1B1B002165B8B21DB7988449BFBBF7EFC4260725896AE865D7341EF709D0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 07752DEC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46f08414b6121821311d6c4b68a456e24c751be8df4e5ae25b7606e28884f38
Instruction ID: 8b6a7c1790827e8733cc99282bf432f58fdc1c6762e66e123f7204fdcb62c84f
Opcode Fuzzy Hash: c46f08414b6121821311d6c4b68a456e24c751be8df4e5ae25b7606e28884f38
Instruction Fuzzy Hash: 902167F5E0029A8FCB05CFA8C4445EEBBF0FF48340F108456E950A7242DB74AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07753848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95814094430db3fac901df00492cfee0df614a296faf0e595c64c4b4cd3b9fc6
Instruction ID: 35ebbe5a15a852d0cf358149f38921bb1bf0158c5b222467a68268d74bf9dd5a
Opcode Fuzzy Hash: 95814094430db3fac901df00492cfee0df614a296faf0e595c64c4b4cd3b9fc6
Instruction Fuzzy Hash: 6A219FB4A10908DFC744DF9AE48499DBFF1FF88310F5280D5E8489B365DB31A9A5CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0775FE38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10b7d6f189f8def6514fe4f113d8cb002080ef19e6e137cc49f49d2f256a5a0
Instruction ID: 65add4056f9535e862bae59f024eeee7be65e5c44e19db5ea978211ce5805c43
Opcode Fuzzy Hash: e10b7d6f189f8def6514fe4f113d8cb002080ef19e6e137cc49f49d2f256a5a0
Instruction Fuzzy Hash: 7511C6B0B00219DBCB58AF79991067F7AA6FB85790F14892DEC15D7381EFB48D4087D0

Uniqueness

Uniqueness Score: -1.00%

Function 077587F3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368d48c42c3822cdd65a06f7d96a485b0dcf149cc11e197a00d07c6ff0a7d7d6
Instruction ID: efc199c7c0e361c8118ee5061b73377817d0356ad21c8f63f4ac20d6c7849b48
Opcode Fuzzy Hash: 368d48c42c3822cdd65a06f7d96a485b0dcf149cc11e197a00d07c6ff0a7d7d6
Instruction Fuzzy Hash: 0811D370B65241EFD7248B40C901B297762FB85745F25C47AE8154F292C6B6E882C743

Uniqueness

Uniqueness Score: -1.00%

Function 0775BC28 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1f384e1f2aa0b21eb02cb0a84a22765403deda50f84f1af3329c857d6545de
Instruction ID: 678fbd6efc835814f69446a0ea25fa239293893885376ac3430b90cab1fe56a3
Opcode Fuzzy Hash: bc1f384e1f2aa0b21eb02cb0a84a22765403deda50f84f1af3329c857d6545de
Instruction Fuzzy Hash: F621C8F4D14209CFCB44CF99C1819BEBBF5EB49340F609055E809A7721DB709A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0775C1A0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa5ba013a4255e6dec500334beb079aa4f50e26823834209cd7e47ac9c1f485
Instruction ID: c251f1b9165afa659f76a268a68815e3437d4832fc061a0a5384c10d73b5bbbe
Opcode Fuzzy Hash: caa5ba013a4255e6dec500334beb079aa4f50e26823834209cd7e47ac9c1f485
Instruction Fuzzy Hash: 982129B1D006198BEB19CF96D9043DEFFF2AFC9300F04C46AD808B6264DBB409468F90

Uniqueness

Uniqueness Score: -1.00%

Function 0132D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2048204661.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_132d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: 145794acbedfca65071a7f9fa85b12142c7ed40247d9be0cf04b622ec19def9e
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: 0B21CD76404240CFDB06DF44D9C4B16BF62FB85324F24C1A9DD080A256C33AD42ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0775B232 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1853352311da5d4bc6775d808499933ba2e7c635299a3122e9f41f16c99fb0db
Instruction ID: 211fffab2dce36640547e959f1d3ed3bbb9f758d8ea90a896b0c7c9845b16124
Opcode Fuzzy Hash: 1853352311da5d4bc6775d808499933ba2e7c635299a3122e9f41f16c99fb0db
Instruction Fuzzy Hash: 5111706180D3C64FCB139B78D9661ADBFB05A07220F1846D7D994CF1F3D6181A86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0133D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2048268644.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_133d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 759507945bc8f8997bd666a632b1bf77b5d2ad21792a0372d736e69618f1b5af
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A311BB75504280DFDB02CF54C5C4B15BFB1FB84228F24C6AAD8498B296C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0775BCD0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6fe2e3c55dc312373605d7fe29679cc32ba65980bb50206ee8239a695836e0
Instruction ID: 003494dde4c222c2ba5c86d80fed06368762e5ed585bad5645e8889179e1eee7
Opcode Fuzzy Hash: 9c6fe2e3c55dc312373605d7fe29679cc32ba65980bb50206ee8239a695836e0
Instruction Fuzzy Hash: 3E116DF0A09349DFCB04CF98C5805ADBFF5AF8A350F1485D5D858AB366C370AA41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0775BCE0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73da165769aa0c033d585583f1cdaa9cdf62910b0c410628bb717ab4006b03b
Instruction ID: 97e12dbd5761972f975d3f213aa7be9e37a26e477332c81e9ed12a027bc3fcc1
Opcode Fuzzy Hash: d73da165769aa0c033d585583f1cdaa9cdf62910b0c410628bb717ab4006b03b
Instruction Fuzzy Hash: 2511F7F4E19209DFCB04DFA9C5809BEBBF9FB89350F1095959818A7325D7B0AA51CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0775C1B0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd6bd1b9ea3bcf079229ce0f04bca4421368c3db3df5ad99c2da686b1781277
Instruction ID: 182621dc5fad7af2b6b6a2c7ca1ab47216678c1224a4ccd7e509f281aa456c1e
Opcode Fuzzy Hash: 6fd6bd1b9ea3bcf079229ce0f04bca4421368c3db3df5ad99c2da686b1781277
Instruction Fuzzy Hash: 9811B3B1D006198BEB18CF9BC9457DEFEF6AFC9300F04C46AD809B6264DBB509468F90

Uniqueness

Uniqueness Score: -1.00%

Function 0775CFB8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4d24a3b794bb479c6b31c27e66784f67ae52bf8ae824584c10d6f0c6d1208f
Instruction ID: 7d13e77a7a2592e0cab3728bb5788ef617ba6495dfcae30e750da0f493daea83
Opcode Fuzzy Hash: ae4d24a3b794bb479c6b31c27e66784f67ae52bf8ae824584c10d6f0c6d1208f
Instruction Fuzzy Hash: BB01F7B1A1D242DFC712CB64C550AEDBFB8EF4B284F049895D80C9B193C7704906CB90

Uniqueness

Uniqueness Score: -1.00%

Function 077518B9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452016a0364718e85890740978bc3196592cb8e432b9392eedf9658fa17bbd35
Instruction ID: ef2caea5f8d25b3d8c666e47706c08a18d9402263ba6d65c8120051fd46b5ef7
Opcode Fuzzy Hash: 452016a0364718e85890740978bc3196592cb8e432b9392eedf9658fa17bbd35
Instruction Fuzzy Hash: 96116DB4E00248AFCB11DFA9C944A9DFFF1AF09215F08C1E5E9149B362D775A941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0775D030 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16857e5a92eaa8e75bb31bc98c748910ec2127ee9a7d0d37bc4a96e67053589
Instruction ID: a9a8cd41efb92e5da221870f47f945979e3268d7130b32d79d2d06e7fe204f48
Opcode Fuzzy Hash: a16857e5a92eaa8e75bb31bc98c748910ec2127ee9a7d0d37bc4a96e67053589
Instruction Fuzzy Hash: BE01B574609244DFCB21DBA8C584AADBFF1AF4A350F15C1C5D8099B2A2C7709D02DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0132D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2048204661.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_132d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7782ae40a598289a5c6284e6b226fe2725297a8c5e7fda3b94d25c06c03e45
Instruction ID: d4db0a1e09469fd2ecdf99e4c5ddd88ca6fd99c8005583e4d915dbac9a3b6e29
Opcode Fuzzy Hash: bd7782ae40a598289a5c6284e6b226fe2725297a8c5e7fda3b94d25c06c03e45
Instruction Fuzzy Hash: 4D01DB710083949AE7116F6ECDC4B67BFDCDF41328F18C52AED194A286D67DD841C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 07752E58 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032d0b52d3030433a0738cc2501b278f8c0d2f6c1a92681d8e1846b5c98b6e5b
Instruction ID: 80b8d22757a6a89b212e360c8f5b0130c96776420ff1fa480994f1e56b463f60
Opcode Fuzzy Hash: 032d0b52d3030433a0738cc2501b278f8c0d2f6c1a92681d8e1846b5c98b6e5b
Instruction Fuzzy Hash: 5F1109B5E0025A9FCB00DFA8D4449EEBBF5BF48311F148166E954A7241DB74AE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 077503C0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd77c76e530c0c921ae69f36aa1a0841062b0f86362291cbfcc22942dc439b0
Instruction ID: 1c0032dae8c2bf391c41b2eef2ddd17f6c1887f9fe1a48f1132457360ebb95c6
Opcode Fuzzy Hash: 0dd77c76e530c0c921ae69f36aa1a0841062b0f86362291cbfcc22942dc439b0
Instruction Fuzzy Hash: D2119374E01258CFCB65CFA9C580A9DBBF2BB4C301F1484A9E909A7315DB359E81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0775583B Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f85d12f7c26832effa9206f74a6b5eafeab02ea6b3707f787780e6263c4826
Instruction ID: 2f30d642d04f4a162517b0a7342de7ef04de9c9728f9a9ed530d1d2e77070d8c
Opcode Fuzzy Hash: e6f85d12f7c26832effa9206f74a6b5eafeab02ea6b3707f787780e6263c4826
Instruction Fuzzy Hash: 220186B1F0530E8ACB14EFB994005EEBBB5EF89355F10407AC904E7200E775A626CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0775CFC8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ad68af519ca496ecbde24df09b658e70ca2b485c2e21a5cf4a153f9b99c832
Instruction ID: 5c904ec9242996b001138872c9cee4675a96052591baceaf923aff1c1d726c4c
Opcode Fuzzy Hash: 51ad68af519ca496ecbde24df09b658e70ca2b485c2e21a5cf4a153f9b99c832
Instruction Fuzzy Hash: 0EF0C2B0A1D209DFCB14CF99C540ABDFBBCEF4A340F0095A4A8089B252D7B08A46DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0775D040 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d927cb105b411ecbc28d0b8468cef396b1a29c02ad2dd0e0b59ca5890ac9321
Instruction ID: 81fe2922381fba5bb25345cafe6a0ebae78a2f4320eef49cbdeeb270207a0f4d
Opcode Fuzzy Hash: 9d927cb105b411ecbc28d0b8468cef396b1a29c02ad2dd0e0b59ca5890ac9321
Instruction Fuzzy Hash: F001F6B4A15208EFCB14DFA8C688AADBBF5AF4D300F15C094E8099B361DB709E41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 07755E8D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d12735cddffbbf39c70f2122e71c93e7c68a8cd7e167667607e16a6fcb7a8a
Instruction ID: b2a7fe92073a9ae05254a6570648371f300df3485dd608f656f25d12c0a02d99
Opcode Fuzzy Hash: 12d12735cddffbbf39c70f2122e71c93e7c68a8cd7e167667607e16a6fcb7a8a
Instruction Fuzzy Hash: 3301E1B0C0421ADFDB25CF59C5083AEBBF2FF45394F248655E824AE194D7B44955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0775E4F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc30f9952b36d5769baac039d3145be3935282caf4fb48172c8257542ff66b2d
Instruction ID: 95b9819ea61171efa050b3a60b96746ad52fcb1355dd0e4395a73029149da8f2
Opcode Fuzzy Hash: dc30f9952b36d5769baac039d3145be3935282caf4fb48172c8257542ff66b2d
Instruction Fuzzy Hash: 8FF0C2B0926209CFCB41EBE9E5047AD7BB9EF89340F009A31A8056B355DFF06E45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0775E4EB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5969db3acc84976003c8ad145ef05961923faf738a8f033b7eab11c06cbd3744
Instruction ID: e3b99e5971fab785aa459c74aece5bc512174d5f5e482145651a3a2da74b97cf
Opcode Fuzzy Hash: 5969db3acc84976003c8ad145ef05961923faf738a8f033b7eab11c06cbd3744
Instruction Fuzzy Hash: 89F0F4B0926145CFCB41EBF8E5447AD7FB5AF89340F009A26A4056B355DFF01A45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0775EA29 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b446b24bdfff2118dd80056ff0368399ece58d6e9a77399a1a3cde9226b285
Instruction ID: 6badd0a5375af857d169ce33c9c52fc0339864c4466c5559894dbc330a9f9a0f
Opcode Fuzzy Hash: 38b446b24bdfff2118dd80056ff0368399ece58d6e9a77399a1a3cde9226b285
Instruction Fuzzy Hash: C601A574E5424ACFCB00DFE4D94469DBBB6FF45340F108615E8159B398DBB49D45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 077572E0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13221c5adc5a19f19d3230ca38fa6edbfcf3436942f1f82f880b3b85bba284ca
Instruction ID: 3b1fb53d7c06874f34702b3d7957dfe21897981faf2fc02b22b3d48babd7a835
Opcode Fuzzy Hash: 13221c5adc5a19f19d3230ca38fa6edbfcf3436942f1f82f880b3b85bba284ca
Instruction Fuzzy Hash: 04F0B4B2A44245AFCB09CB58D8018FE7FB6EF4526070480ABF804C7212D6B09D4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0132D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2048204661.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_132d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0042d9fcd80f4243dfda850ae0c5f8609e4b79e90566690eef8da695e59a358f
Instruction ID: 5952d78a0ae5bee8748ac693ac8ef0b82917f5d58de79b15ee516fdb9e6bb255
Opcode Fuzzy Hash: 0042d9fcd80f4243dfda850ae0c5f8609e4b79e90566690eef8da695e59a358f
Instruction Fuzzy Hash: A1F062714083949AE7119E1ACCC8B62FFA8EF41738F18C45AED484A287C2799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 07755F28 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5713d3ef2291b242e161126075f352f0ce3f44bde72e5078dbdbb99be5a68a8
Instruction ID: 97b2749c909d4cf8927062adbebd84b842f831ee4599bd8d867cb0ee04a2e292
Opcode Fuzzy Hash: f5713d3ef2291b242e161126075f352f0ce3f44bde72e5078dbdbb99be5a68a8
Instruction Fuzzy Hash: 71F082B6B082246FD305DA7DDC88A6BBBE9FF8D264315816AE548D7355D9309C01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 07755E98 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5621a0d3cd728d182bb2fcf76b424c43bf8128f9f66c11ccfd7241e56606ab45
Instruction ID: 6036a680dc4345d9b19107c52b41b3b21aef005971dc5999c2eb9abbf03c66ed
Opcode Fuzzy Hash: 5621a0d3cd728d182bb2fcf76b424c43bf8128f9f66c11ccfd7241e56606ab45
Instruction Fuzzy Hash: 3F01BFB0804219DFDB14DF59C4047AEBBF6FF45364F248625E824AA290D7B44A55CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 077518C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d004c1e00290b2d4142079a262ced4a2bf60c9caa137c839344e4c72c24fb0f5
Instruction ID: 20848ac5a038c556b477261727bf4e99d2d946695ec4f49952587accf1297d8d
Opcode Fuzzy Hash: d004c1e00290b2d4142079a262ced4a2bf60c9caa137c839344e4c72c24fb0f5
Instruction Fuzzy Hash: 0C01B678A00208AFCB04DFA9C584A9DFFF1EF48311F05C0A5E9089B365DA34E941CF40

Uniqueness

Uniqueness Score: -1.00%

Function 077561D4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fbaba40cefd26cd8679e4336c8ed8ca12928a6c0d88118c885ff6f28cfcc09
Instruction ID: 3ae5c6d55d877be86b97c797aebab57ca677ae75c63e4deededce5e5b8028f34
Opcode Fuzzy Hash: 95fbaba40cefd26cd8679e4336c8ed8ca12928a6c0d88118c885ff6f28cfcc09
Instruction Fuzzy Hash: 0BF0A072600109BF8F08DF58D8859AEBFBAEF44360B00C47AF909D7321EA70ED408B94

Uniqueness

Uniqueness Score: -1.00%

Function 07755F38 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e571933aca768847c35e8d15730177a08ee69f2a1bb6960d7f4eefd1cdd06756
Instruction ID: 8b01cce37a429c9f33c4726b0bfabe982dc648473b662ba58cfa63dc021043c2
Opcode Fuzzy Hash: e571933aca768847c35e8d15730177a08ee69f2a1bb6960d7f4eefd1cdd06756
Instruction Fuzzy Hash: F2E0ED767042286F9314DA6EDC84D6BBBEDFBDD674355817AF508C7350D9319C01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0775CF6F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c72adae4008ede21a2607eea1752ab6bd297dd3cb309df28183aa01d3497515
Instruction ID: e86f0a5d7adc0b553f993c95a9734f3b276e6fa00e2b856b9b5c3280de837d5e
Opcode Fuzzy Hash: 6c72adae4008ede21a2607eea1752ab6bd297dd3cb309df28183aa01d3497515
Instruction Fuzzy Hash: 84F055B180A3889FC717CFB4E6062DD7FB09B07341F2080EAE80487291C6354A07DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0775FDC8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e23d689f0a99fb2d99f227a9ad2b87ec3a45998d23986554dc4ce10065bade5
Instruction ID: cb6c348e8b654b61d023388e270686490be4e10a17448ac5296e683aa67ff240
Opcode Fuzzy Hash: 2e23d689f0a99fb2d99f227a9ad2b87ec3a45998d23986554dc4ce10065bade5
Instruction Fuzzy Hash: BAF03474E0920CAFCF51EFA8D8456DCBFB0EF49310F10C0AAE848A7260EB345A58DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0775C73E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182e5cdc95e79d75ec1a0bf53383502a963f65eee499c2a288db1e0a0492f31b
Instruction ID: a05d87a0c90aa5bf328d7ae578f33676b8836a1ce98d97046da96f7381462acf
Opcode Fuzzy Hash: 182e5cdc95e79d75ec1a0bf53383502a963f65eee499c2a288db1e0a0492f31b
Instruction Fuzzy Hash: 1CF01CB0525301CFC715CB24C1487787776FB0F386F505A99E80B6A251CBB19D82CF20

Uniqueness

Uniqueness Score: -1.00%

Function 0775FDD8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9d4a2f15ee592d47b54d78952ad4ae76748f2b49952d1a46623f5c33994376
Instruction ID: 04b7d2131951d4e52f0c80c14d3ed9651523ab6eb0d2f4b1dd740f16bf1ed352
Opcode Fuzzy Hash: fc9d4a2f15ee592d47b54d78952ad4ae76748f2b49952d1a46623f5c33994376
Instruction Fuzzy Hash: 7CF01574E0020CEBCF40EFA8D90568DBBB5EB88300F00C0A9E804A3350DB345A50DF81

Uniqueness

Uniqueness Score: -1.00%

Function 07755F81 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90dba6892fdb9914ff21d403380dec0b19443ff52036f9d378743e2a5f1b0278
Instruction ID: 2c093d2a2f73030385cecf6946004f67ec30d2bbb425fc360ed29171e8834e0e
Opcode Fuzzy Hash: 90dba6892fdb9914ff21d403380dec0b19443ff52036f9d378743e2a5f1b0278
Instruction Fuzzy Hash: D2E08CBB704600AFC7028B59D909E49BBA5EF99721B1688A7F649C7771CA70DC028B60

Uniqueness

Uniqueness Score: -1.00%

Function 0775E8E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2e2c58663ab865ca10f69aac190928312444afde6a1d4d6d84890cc9718993
Instruction ID: 9f237d8795d72b6ac012631ca8acdef8ee8c0965d5ea84d70ad9e5ea01d33074
Opcode Fuzzy Hash: 6d2e2c58663ab865ca10f69aac190928312444afde6a1d4d6d84890cc9718993
Instruction Fuzzy Hash: 37E092B0966108CFCB41ABE8D5406EC7BB9EF45310B009B12E8165F395CBB06D028F10

Uniqueness

Uniqueness Score: -1.00%

Function 0775CD1A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301ec3a2a99f6cd1b2b4f4aeac3db4622b49969147448a6389c771c264bb4ded
Instruction ID: f8ebbbafc633dd484981ce88fe789fec1bb1b2f674785a9342abeee0f6ac0eec
Opcode Fuzzy Hash: 301ec3a2a99f6cd1b2b4f4aeac3db4622b49969147448a6389c771c264bb4ded
Instruction Fuzzy Hash: 5DE0E5B4D1024ACFDB05DFA5C4896BEBBF8EB4A350F10A414D496A2204CA745683CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0775C3DF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644338fd62005bd5ec1a510049edbd05c7a2d36a2095af0745e74a133f6ea9c4
Instruction ID: 8986a9169fbd40b1f9db6bf3148c9fc8e664e544f593e6d6d31def479e38d93a
Opcode Fuzzy Hash: 644338fd62005bd5ec1a510049edbd05c7a2d36a2095af0745e74a133f6ea9c4
Instruction Fuzzy Hash: EFE0C970515350CFC3158B20C558A687B76BF0E246F4155D9E40B9B251CB719D81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 07755F90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34aa04396ae7c0df83870732b52494fdd5300eb10700ceb1b1776707485933d7
Instruction ID: 4e512cfe805c0a195dbd5167ada63d6883cd4c6c82931f986b69cd44ed0fb6da
Opcode Fuzzy Hash: 34aa04396ae7c0df83870732b52494fdd5300eb10700ceb1b1776707485933d7
Instruction Fuzzy Hash: A0D01236300514AFC7149A4AD804D4ABBA9DFC9721B158066F609C7360CA71EC01C794

Uniqueness

Uniqueness Score: -1.00%

Function 0775CF80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd872f422641a8a35655aad6b1e8c3bcc17f2c24a9be3cc3d4c1705c186af080
Instruction ID: d00d57df77e706c27076be8e41b47f7e2f6d08d5fdf261ac32e8e54c14d44754
Opcode Fuzzy Hash: bd872f422641a8a35655aad6b1e8c3bcc17f2c24a9be3cc3d4c1705c186af080
Instruction Fuzzy Hash: 71E0C2B080130CEFCB14DFE4E5056AEBFB4AB49302F1080A9F80457240CB304A81DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 077508DC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab52aea0b7745d1ff13674502829e86cf26eccfdda1ab1adf6b23d37f89a0fd6
Instruction ID: 40ce53b868a10dbc78ef9fc664597b770fc5bd03673b285712d0888a360c9f50
Opcode Fuzzy Hash: ab52aea0b7745d1ff13674502829e86cf26eccfdda1ab1adf6b23d37f89a0fd6
Instruction Fuzzy Hash: D3E04FB4525344CFCB15DBB0C1498587B71FF46342B1014ADE4079B624C735E982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0775B298 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: accba4c9a8f7a88c38ba0b33990691d515c7beda05e0e30c8440c074352f6c5b
Instruction ID: 2160cbd5037bc8886866fb1e4b693f1f7bda1278f23fa3e2c1b750d6e581d121
Opcode Fuzzy Hash: accba4c9a8f7a88c38ba0b33990691d515c7beda05e0e30c8440c074352f6c5b
Instruction Fuzzy Hash: E9E0ECB0D112489FCB40DFE8E54569DBFF4AB08301F1040A9A80493250EB705A41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 07750864 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c33bc0b4812198eb0ea2d1e16b37e9ede1462887212fc9af2243bf5fffeead
Instruction ID: 9563b40c6a055f0d5e47baf6b628cb1086ab02e2c55d074314dbdefdde45c060
Opcode Fuzzy Hash: 34c33bc0b4812198eb0ea2d1e16b37e9ede1462887212fc9af2243bf5fffeead
Instruction Fuzzy Hash: 78E08C70922304CFCB55DFA0C44958DBB70FF45342B1004AAE8168F268C7368A82CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0775ABF0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8107b16e51d4e542cb9e2ae99ba13ac15b081c380d6b2cf8c097c654da07a6e1
Instruction ID: 02a2422382d187ec907918d181266d349c1a1ed38faa4ba5a5bfbfd3471d3841
Opcode Fuzzy Hash: 8107b16e51d4e542cb9e2ae99ba13ac15b081c380d6b2cf8c097c654da07a6e1
Instruction Fuzzy Hash: 1BD0C775A56218DFCB10CB64E9417ECBB75FB85215F0015E1D51D93115DB301F95CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0775C608 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13e70a12e29d6c0f0f67cc159aa61f4c799de154d365fb03b4221d6ce7c9a1c
Instruction ID: 5d87df5eab0166c5f22dfe5817cd57a0a7d04659af9c7e0dab1eeef69b5c5383
Opcode Fuzzy Hash: b13e70a12e29d6c0f0f67cc159aa61f4c799de154d365fb03b4221d6ce7c9a1c
Instruction Fuzzy Hash: 3AD05E70429240CFC7018F60C9596683BB4FF0B246F4414D5E80B9F252CBB15941CF30

Uniqueness

Uniqueness Score: -1.00%

Function 0775A8E8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c074d3bcf95aa70592269dad90384cbae58f679149cd2a6bbd39727a3b17a323
Instruction ID: a1e87aef317b874e4603107676496d7b14e3ad9a5a32187eea2681719c00d8f6
Opcode Fuzzy Hash: c074d3bcf95aa70592269dad90384cbae58f679149cd2a6bbd39727a3b17a323
Instruction Fuzzy Hash: 78C08C7002130687C6112BD8F40E32C7EA8A704312F000020B40C000208FA010C2EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07750BF8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ede67e44e3de09e65f5631be26f8f0bd57c93d7d97e54f494437fca544d19fa
Instruction ID: 5275990fe64cf9fa39928a0aec6b6c3bb58ea198d02c6bdbda26fcf0082c08bb
Opcode Fuzzy Hash: 5ede67e44e3de09e65f5631be26f8f0bd57c93d7d97e54f494437fca544d19fa
Instruction Fuzzy Hash: 9EC012308269458BCB08CBE0C59A05DBB72EB8A300B1088198012EA158D7306642CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0775618C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3d414b2eaec070eb667a9d6db637272a7f85e993fc9ba0794f213b972042f0
Instruction ID: bdd0319b7bfcb67406dd5213999b6d9799945316e69f5afe8eab4f3eff595bce
Opcode Fuzzy Hash: 3e3d414b2eaec070eb667a9d6db637272a7f85e993fc9ba0794f213b972042f0
Instruction Fuzzy Hash: C9B012E51E4100F284046764498883BDC30EBB2F60F80CD21BB098115484A18464E32B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07758218 Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

T+-q, xrefs: 077586B2
[V~*, xrefs: 077584E4
", xrefs: 07758361
[V~*, xrefs: 077584DD
]\`, xrefs: 077585FA

Memory Dump Source

Source File: 0000000C.00000002.2058241804.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7750000_boqXv.jbxd

Similarity

API ID:
String ID: "$T+-q$[V~*$[V~*$]\`
API String ID: 0-1722654605
Opcode ID: a0ca843ea6dd72a2a198876f43b1e5be441e5873ed490a613acafd034239d3d3
Instruction ID: a95adb8a93dc34b84184821ec23f05f1fdb9fb3b8f9b09b7c9bd7f6a8fc517b6
Opcode Fuzzy Hash: a0ca843ea6dd72a2a198876f43b1e5be441e5873ed490a613acafd034239d3d3
Instruction Fuzzy Hash: F03182B1915609CBCB108F79C8502BEBFB0EF46384F048527E866DB292D7B59981C767

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: boqXv.exePID: 7928, Parent PID: 7688COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	148
Total number of Limit Nodes:	16

Executed Functions

Function 04E69F68 Relevance: 2.7, Instructions: 2723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1076c7d95f7c81f2a140241f71e12dbd0d34652dd67d0ea6a1a8ae5efcb89690
Instruction ID: 7b1007d40daad6d9eb32ceb2474d572ce16aa34ee53e014c6528ca21ac31cb39
Opcode Fuzzy Hash: 1076c7d95f7c81f2a140241f71e12dbd0d34652dd67d0ea6a1a8ae5efcb89690
Instruction Fuzzy Hash: FE53E731C10B1A8ACB55EF68C880699F7B1FF99300F11D79AE4597B125FB70AAD4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04E64200 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a532da7f56e45e3c01ccac5d557639b828dcd8528dd908b70b1797b66c837f
Instruction ID: dd528358bf06f07f64a6ed6d482fe2170fab46f0da810cf5fb6d47a3d6cda2ab
Opcode Fuzzy Hash: 19a532da7f56e45e3c01ccac5d557639b828dcd8528dd908b70b1797b66c837f
Instruction Fuzzy Hash: 59B17370E40209CFDB10CFA9D9857EDBBF2BF88358F149529D816E7294EB74A841CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04E64AD0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c95d295911128e04b1a7a59fb1ed656bf0e499482ccc6158f6f064fbfcb3771
Instruction ID: 0a146549d615b921722a1fa33aa78b7f81d23d439376ab59a8ce086a7dfe6592
Opcode Fuzzy Hash: 9c95d295911128e04b1a7a59fb1ed656bf0e499482ccc6158f6f064fbfcb3771
Instruction Fuzzy Hash: 7BB19F70E40209DFDB10CFA9C9817DDBBF2AF88398F149529D416EB394EB74A841CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04E63EB8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e622d6bb154ddc3896810ac43be4201452ab35d36fb7d6f3fc3bd0016151272e
Instruction ID: 848a56a93da49d4824401771202d539b398dbf10b839f5ffb0ed97bd42c074b3
Opcode Fuzzy Hash: e622d6bb154ddc3896810ac43be4201452ab35d36fb7d6f3fc3bd0016151272e
Instruction Fuzzy Hash: 4E91A170E40219DFDF10CFA9C9807DDBBF2AF88358F149129E416AB294EB74A945CF85

Uniqueness

Uniqueness Score: -1.00%

Function 05DE27FB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05DE287E
GetCurrentThread.KERNEL32 ref: 05DE28BB
GetCurrentProcess.KERNEL32 ref: 05DE28F8
GetCurrentThreadId.KERNEL32 ref: 05DE2951

Strings

(, xrefs: 05DE297D

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: Current$ProcessThread
String ID: (
API String ID: 2063062207-2063206799
Opcode ID: f92093fe2c3e25e53224a5a005579604ffdb27643c7432d4215d93ccae4e2c91
Instruction ID: 922b365ebcf879ea6ed52a0787c5d164d24059d75373d165da05a955b64364bd
Opcode Fuzzy Hash: f92093fe2c3e25e53224a5a005579604ffdb27643c7432d4215d93ccae4e2c91
Instruction Fuzzy Hash: 2E5155B09002098FDB14DFAAC988BDEFBF5FB48314F20805AE019A73A0DB359944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05DE2800 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05DE287E
GetCurrentThread.KERNEL32 ref: 05DE28BB
GetCurrentProcess.KERNEL32 ref: 05DE28F8
GetCurrentThreadId.KERNEL32 ref: 05DE2951

Strings

(, xrefs: 05DE297D

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: Current$ProcessThread
String ID: (
API String ID: 2063062207-2063206799
Opcode ID: 90da1abc0ae9225680685600217b45c4a0eea4d3024423ef4b24d3e2096260b3
Instruction ID: cc0ec75ea2990da3ad8e1e3f77672b48d96be0530d42e74e4820f3c092bbc362
Opcode Fuzzy Hash: 90da1abc0ae9225680685600217b45c4a0eea4d3024423ef4b24d3e2096260b3
Instruction Fuzzy Hash: 2F5146B09002498FDB14DFAAD948BDEFBF5FB48314F20845AE019A73A0DB359944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05DEAD18 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05DEAF7E

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5e819a563a531ea5b505f4ac4f32bd3f48924af1047abd8bebbe481380695e6b
Instruction ID: de91405277e3a078fd860cc4aed1c834538e66235a8918e0588612be5990aea0
Opcode Fuzzy Hash: 5e819a563a531ea5b505f4ac4f32bd3f48924af1047abd8bebbe481380695e6b
Instruction Fuzzy Hash: E2813770A00B059FD724EF29D44576ABBF5FF88300F10892AD48ADBB50DB34E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DECEC5 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05DED022

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f081a58c596688bc9f89c089231908e1d441245b09a0026d6cdb6ceed160ca4d
Instruction ID: ac1199cabb8d6d9e14e58ff8b1b68506e4e986c86e8827583181d97cc976d4e3
Opcode Fuzzy Hash: f081a58c596688bc9f89c089231908e1d441245b09a0026d6cdb6ceed160ca4d
Instruction Fuzzy Hash: 0451E1B1C00249EFDF15DF99C984ADEBFB6BF48310F64816AE818AB221D7719885CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE638 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2124752501.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5df0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f980b438b44f152ffdabc054dd1747479d2a3207062e48e3f885e0c4906bb2
Instruction ID: e8223309dfa7ab5469e4defd2556c2b88dff9bf238242eaf49c56ac2db0b2c02
Opcode Fuzzy Hash: a0f980b438b44f152ffdabc054dd1747479d2a3207062e48e3f885e0c4906bb2
Instruction Fuzzy Hash: D641E272D103598BCB04DFA9D41469EBBF5EF89320F15866BD504A7250DB74A845CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 05DECF04 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05DED022

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d89a7c3da745feb8c4ddf79e47a65ac5f2b78bc2d92986d34ebeeec394795358
Instruction ID: 71db655624147603599772ec982ddf5de7ffcdb710198a234fa271de6aab5e7d
Opcode Fuzzy Hash: d89a7c3da745feb8c4ddf79e47a65ac5f2b78bc2d92986d34ebeeec394795358
Instruction Fuzzy Hash: DE51D0B1D003499FDB15DF9AC984ADEBFB6BF48310F64812AE419AB214D7709885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05DECF10 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05DED022

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9ea45fcb74fcab11425e0e973f0059830c460513cecfb29c3f3336f75e460f39
Instruction ID: a328f3ecd6571dbedf7992813b74e7ffca288e4cd6b2b95ea73b0f49a625468d
Opcode Fuzzy Hash: 9ea45fcb74fcab11425e0e973f0059830c460513cecfb29c3f3336f75e460f39
Instruction Fuzzy Hash: 3341C0B1D00309DFDB14DF9AC984ADEBBB6BF48310F64812AE419AB214D7719885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05DEA18C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05DEF711

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a045315234fcc9dd12a2f41dbc3ae8781e7676f13f349f017ce48f2ae118b0c5
Instruction ID: 44bedfdc3823109947202df9f6f7d17ae09a2f7511df3b048a6910e70c71e0a1
Opcode Fuzzy Hash: a045315234fcc9dd12a2f41dbc3ae8781e7676f13f349f017ce48f2ae118b0c5
Instruction Fuzzy Hash: 764128B4900306DFCB14EF59C888AAABBF5FB88314F24C45AD519AB361D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DE2A48 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05DE2ACF

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e4c3db099917977d946936ff95d9f907b530a362dce26b2090e5c12584180107
Instruction ID: e86cd98477287296e767f1aec58357b591336ced22c31a2245f25a0c314252c8
Opcode Fuzzy Hash: e4c3db099917977d946936ff95d9f907b530a362dce26b2090e5c12584180107
Instruction Fuzzy Hash: 9521E4B59002099FDB10DF9AD984ADEBFF8FB48320F14841AE918A7310D374A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05DE2A40 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05DE2ACF

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de38fa11d0fc4cf0dcdadc68ae9105b78eff3d0db4e1c6defaa89c8dbdec0c53
Instruction ID: 5f60a47df1db047f490fbf3c8b536f8b6ebfd3980f8c39bb8a7add64dac01c65
Opcode Fuzzy Hash: de38fa11d0fc4cf0dcdadc68ae9105b78eff3d0db4e1c6defaa89c8dbdec0c53
Instruction Fuzzy Hash: 8721E4B5D002099FDB10CFAAD585ADEBBF4FB48320F14841AE958A7310D378A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD2DC Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05DFE68A), ref: 05DFE777

Memory Dump Source

Source File: 00000010.00000002.2124752501.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5df0000_boqXv.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b454068b1b2c64f743a76b4b1b175e25a488e921cdf72ffd12e82749547efa10
Instruction ID: 1c24dadd9752f4bda25841c0fded7315b8e590658b4cc2339411c5c4f7686caf
Opcode Fuzzy Hash: b454068b1b2c64f743a76b4b1b175e25a488e921cdf72ffd12e82749547efa10
Instruction Fuzzy Hash: 721114B1C0065A9BCB10DF9AC544BEEFBF8FB48320F11856AD918B7251D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05DEB17A Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05DEAFF9,00000800,00000000,00000000), ref: 05DEB1EA

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 93ef92c999faf8bc3c95870e91f739598b696fb47deac1e1e7b009e574bf378f
Instruction ID: 6b029c499fc15bf1fca1930683049d4a79d55350197b828fac88a6cec51270bb
Opcode Fuzzy Hash: 93ef92c999faf8bc3c95870e91f739598b696fb47deac1e1e7b009e574bf378f
Instruction Fuzzy Hash: 711114B68003499FDB10DF9AC844ADEFBF4EF48320F14842AD499A7210C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05DE9F28 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05DEAFF9,00000800,00000000,00000000), ref: 05DEB1EA

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dbfb1f0bdb6a064c34f0d6323b2f9962d8fb56494c8387da92e0a5a672b0ebe6
Instruction ID: 91477a0963058d4aaa29d170ff8429173be279e6bb8e21c195dfa9e3ff879c0d
Opcode Fuzzy Hash: dbfb1f0bdb6a064c34f0d6323b2f9962d8fb56494c8387da92e0a5a672b0ebe6
Instruction Fuzzy Hash: 1A1114B69003099FDB10DF9AD844ADEFBF4EB48320F10842AE559A7210C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05DEAF18 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05DEAF7E

Memory Dump Source

Source File: 00000010.00000002.2124664053.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5de0000_boqXv.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8dbbcc8cdf41dfc27a58d7a03092a27ca0a5ffc084a56b4c9595249883b0bd44
Instruction ID: e19083e02dace8eeca57c08a578f8f8c4e92fe304264be42700d5593f85dbe81
Opcode Fuzzy Hash: 8dbbcc8cdf41dfc27a58d7a03092a27ca0a5ffc084a56b4c9595249883b0bd44
Instruction Fuzzy Hash: C011E3B6C003498FCB10DF9AC548ADEFBF4EB88314F10841AD459A7210C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E6F680 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 04E6F7BB

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: f2faef06ccc8114b2eb437aefd5ff91e4aa281add4ebfa32c3babd6f65422447
Instruction ID: 96df34ace097739372c62b118295f697ddafc043c4944c47f651839504ff684c
Opcode Fuzzy Hash: f2faef06ccc8114b2eb437aefd5ff91e4aa281add4ebfa32c3babd6f65422447
Instruction Fuzzy Hash: 5231C1347002058FCB15AF34D65566F7BA6AF88244F245828D407DB3A5DF35EC42C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04E672F0 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRkq, xrefs: 04E6735D

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 438c86f29e8aeda6b764d0fd8d1dfadcea5c5b8ae5e60f4e51576dc80c2f461a
Instruction ID: e032d86324162051fb5894d0cd79a159ff03ab12eedbed2682cfe29f3fdbda66
Opcode Fuzzy Hash: 438c86f29e8aeda6b764d0fd8d1dfadcea5c5b8ae5e60f4e51576dc80c2f461a
Instruction Fuzzy Hash: E1316130E50209CBEB14CF69D4457EEB7B5EF85358F209525E806EB254EB74ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E672ED Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

LRkq, xrefs: 04E6735D

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 18b32df73a5b5f4de08b2e34ede65f22c6eb3a7507ca53029de4a33ef9b6fec5
Instruction ID: 365314e90c5bf678fca2f1ac80d1c9c533776cb1890abc271a24a7844dd215c1
Opcode Fuzzy Hash: 18b32df73a5b5f4de08b2e34ede65f22c6eb3a7507ca53029de4a33ef9b6fec5
Instruction Fuzzy Hash: 10314D30E902099BEF18DF69D5457AEB7B2EF45348F209529E802FB294EB74ED418B50

Uniqueness

Uniqueness Score: -1.00%

Function 04E66BBF Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

LRkq, xrefs: 04E66C07

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: b1269f13fe9e21c5de34cfcaa5c362d8b87832fca1d8c60296eaeb1183c1d692
Instruction ID: 19b921f56af4f2110b6bae80ffff1beb995eaa35336c79c791a627d378cae0ec
Opcode Fuzzy Hash: b1269f13fe9e21c5de34cfcaa5c362d8b87832fca1d8c60296eaeb1183c1d692
Instruction Fuzzy Hash: 851106317042405FC705AB7894957AE7FB6FF86710F1081AAD009CB7A6DE399C4A87A1

Uniqueness

Uniqueness Score: -1.00%

Function 04E67C91 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92da82fd58eca113930afec9f74326a9e382ebe76618ba5db04fe40f9ee503a1
Instruction ID: 49ec041924e50f7b66e93e7b19fb8d505fe2c93140f35dda8f98dfc229a85e96
Opcode Fuzzy Hash: 92da82fd58eca113930afec9f74326a9e382ebe76618ba5db04fe40f9ee503a1
Instruction Fuzzy Hash: 561251317402028FDB15BB2CE89462C77A6FB86356F50593AE006CF399DF75EC868B91

Uniqueness

Uniqueness Score: -1.00%

Function 04E69A58 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a1a21aa0f9eeda23ee09d0f2577e35c7e2c5c7cb0fd619cd22fe7381b33dd4
Instruction ID: 0a802dee36ef8398624abfd46d13c00758e5b693ca02f56bf6587de35aac87a3
Opcode Fuzzy Hash: 63a1a21aa0f9eeda23ee09d0f2577e35c7e2c5c7cb0fd619cd22fe7381b33dd4
Instruction Fuzzy Hash: 71A1C3B4A002058FDF10DF68D9807AEFBB6FB84354F10856AE90ADB396D774E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04E641F4 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913f6dffd41207379c64171f68b8cc7df7d68c3dd4674b005778d26001fca987
Instruction ID: c843f9d5c22e392dcda4c0a4321737ac87ad9bd6a52ad436efd0f06f5da2bcd2
Opcode Fuzzy Hash: 913f6dffd41207379c64171f68b8cc7df7d68c3dd4674b005778d26001fca987
Instruction Fuzzy Hash: 55B17070E40209CFDB10CFA9D9857EDBBF2BF48348F149529D816EB294EB74A845CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04E696F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae7f1cf49559b63db12d8a935caf5fdd47667d40c727d769de857bcaa016bfc
Instruction ID: a61b9aff9a765303ab9c1f508afeee8a5fb66e6515b0cbc454b6c79c6eea5829
Opcode Fuzzy Hash: 9ae7f1cf49559b63db12d8a935caf5fdd47667d40c727d769de857bcaa016bfc
Instruction Fuzzy Hash: F3A15D78A002048FDF14DF64D594AAEBBF2EF88354F248529E806E7365DB31ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E6D1F0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2239a8a3bab1638f899f4f378938487a981af04e8c37301602f97f066c6f84f4
Instruction ID: 0643271163f5bf95cf4970bb9af1fbe4068c42c69939dc3c2b013282e76752be
Opcode Fuzzy Hash: 2239a8a3bab1638f899f4f378938487a981af04e8c37301602f97f066c6f84f4
Instruction Fuzzy Hash: 4691C070B402169FDB11CF68C980E2EB7B6FB85350F648569D416CB3AACB35EC82C790

Uniqueness

Uniqueness Score: -1.00%

Function 04E696ED Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec055b1875773d77e0d9aac888e2bd580f05d2f967e1a2665618274d8aa022a
Instruction ID: 9dcbae9e95ec74d7a21aa7ff4145076018882c61e7fa6458a4ab15b6fc2fde53
Opcode Fuzzy Hash: aec055b1875773d77e0d9aac888e2bd580f05d2f967e1a2665618274d8aa022a
Instruction Fuzzy Hash: D9915D78A002049FDF14DFA4D594AAEBBF2EF88354F248529E806E7365DB31ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E64848 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f5a02267e7266c8e4b8b0cbfe89d2a6d4168ca6da7c37a8a2d516981b7d812
Instruction ID: bbcfdc9d5134c3474aa73f05572f821743074b70830b6a44872ec13e0c46c917
Opcode Fuzzy Hash: 06f5a02267e7266c8e4b8b0cbfe89d2a6d4168ca6da7c37a8a2d516981b7d812
Instruction Fuzzy Hash: 9F718F70E40209DFDF14DFA9C8847DEBBF2AF88354F149129E455A7294EB74A841CF88

Uniqueness

Uniqueness Score: -1.00%

Function 04E66D18 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565a7066f9435f28cf4af97647485bacf18aefb51d31cc4154d98e4cbb9077e1
Instruction ID: 20edd567590d90762e41704e81ec47ce2733356f28bf797b96babf713cedc2cb
Opcode Fuzzy Hash: 565a7066f9435f28cf4af97647485bacf18aefb51d31cc4154d98e4cbb9077e1
Instruction Fuzzy Hash: 54512270D102188FDB18DFA9C984B9DBBF1BF48304F148519E81ABB364DB74A944CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04E61138 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a72c30f75db5ec287693d0b4c45de34ea5332275e7025d3fd0ffa6ff677a52f
Instruction ID: 3df47a0c3179ca57ac19bfcd4e98c572159a4696f5c052a008b3fe4d0d321c9d
Opcode Fuzzy Hash: 2a72c30f75db5ec287693d0b4c45de34ea5332275e7025d3fd0ffa6ff677a52f
Instruction Fuzzy Hash: 1551C9312592858FCB06FB28FED09597B6AF792704304A969D0949F33EDF706989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E650D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8f3c7e2f54a5ad8427a08425070d9545989f9b3bc2f0c90ff0134c4b45321d
Instruction ID: 1ee636c18a1523c2837692ab51c57d38bd747c911d38d95c07b14c93b3a841ce
Opcode Fuzzy Hash: ab8f3c7e2f54a5ad8427a08425070d9545989f9b3bc2f0c90ff0134c4b45321d
Instruction Fuzzy Hash: C0317A347442159FDF19EB64DA546AE73B6AF48288F101568D902AB3A5EF3AEC01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E6F540 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c854efed5690b46d6347a5834dbd7ea72647e5f970909b5630fc6c6a9737e129
Instruction ID: 69622e7d2bb2fc241334ad072620de4fcf9034e34a3807bd7fdc68479d04d185
Opcode Fuzzy Hash: c854efed5690b46d6347a5834dbd7ea72647e5f970909b5630fc6c6a9737e129
Instruction Fuzzy Hash: 4C317E35E102099BCB18CF64D594A9EB7B2AF89354F10892AE806EB350DF70EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E6F53E Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c4c0a839ff8efbdb6b450ca50d95c7bf16101dccceef3d32383e416233df12
Instruction ID: 18ec182aeeb788090d929761e3cda7cf68ad06b46e413be14c72f58a87bacadf
Opcode Fuzzy Hash: e3c4c0a839ff8efbdb6b450ca50d95c7bf16101dccceef3d32383e416233df12
Instruction Fuzzy Hash: 0C316235E102059BCB19CF64D55569EB7B2BF89354F10891AE806EB354DF70EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E62720 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7fc41af30e8a95b939126b01f2edbc2da4d6507bee9d686112673dc7de493cd
Instruction ID: 391bc1bcf15ff72d6e546400d772046e6cdf9145ce37f14304397f220427eab5
Opcode Fuzzy Hash: b7fc41af30e8a95b939126b01f2edbc2da4d6507bee9d686112673dc7de493cd
Instruction Fuzzy Hash: DB41C2B1D00349DFDB10DFA9C984ADEBFB5BF48314F108429E41AAB264DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E650E0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3635b39a5ac87f657f86224c8911a094a55be1a8fe3b37a5a2231e5f80807cd6
Instruction ID: 7300ac7f918e5b1a8f6500d921f381cef77c007f235c9820aaff9c67ea91179d
Opcode Fuzzy Hash: 3635b39a5ac87f657f86224c8911a094a55be1a8fe3b37a5a2231e5f80807cd6
Instruction Fuzzy Hash: 33318C347442159FDF18EB74DA546AE73B6AF48288F101568D902AB3A9EF36EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E695D8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049573dda2f947b38293022a1b9415df1bdad2c6ae794179ac3f6b1dafdfc6c8
Instruction ID: 5219540f64310a3f5491a861c7eb2353d50889c3d8cb313e1f141547844844b9
Opcode Fuzzy Hash: 049573dda2f947b38293022a1b9415df1bdad2c6ae794179ac3f6b1dafdfc6c8
Instruction Fuzzy Hash: 2E21A370E102099BDB05CF64D59069EF7B2FF85354F108A2AE816EB355DB71F886CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E695D6 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34df804962da109a03af91632d2f38e79c8c9c706b8279cd82b4403577bc6e8
Instruction ID: 951992fe35f2297b46a62b12d0b090fb6fc633319652d4812529f7604ae86108
Opcode Fuzzy Hash: e34df804962da109a03af91632d2f38e79c8c9c706b8279cd82b4403577bc6e8
Instruction Fuzzy Hash: B221B170E102058BCB05CFA4C99069EF7B2FF85340F108A2AE806EB355DB71E886CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E69DA0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a9ab78c49d488e7f4e6a2a849a861eb9814f17b9bd6b76770e629a31c6c246
Instruction ID: c50aad981a25eb78300f1b21531c8f45ffe564166764202a45b13a288e83b5cf
Opcode Fuzzy Hash: 25a9ab78c49d488e7f4e6a2a849a861eb9814f17b9bd6b76770e629a31c6c246
Instruction Fuzzy Hash: 8F21C2B1B401048FDB14DF69C954BAE7BFAEF88714F109125E502EB3A2DB71AC00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E69D99 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca641e8899f954b46d7ef740b0f2c4f3c17405b45f498e8c46c718e55f13ee7
Instruction ID: 674fdb579c1f8e3b413d8832ac24a69bb9d73e366d38515eca62ad0df08d7fee
Opcode Fuzzy Hash: 9ca641e8899f954b46d7ef740b0f2c4f3c17405b45f498e8c46c718e55f13ee7
Instruction Fuzzy Hash: 512195B1B501049FDB04DF69C954BAE7BF6EF88714F108065E506EB3A1DA71ED00C790

Uniqueness

Uniqueness Score: -1.00%

Function 04E613A1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b599898555bf3adc360f25b11d6eca88f356f35120fe0e06e0630e45ec4101
Instruction ID: f450edfd36052198142f8a4aea2f8d4046029c200ba8721d801fe8a1a09498d6
Opcode Fuzzy Hash: b6b599898555bf3adc360f25b11d6eca88f356f35120fe0e06e0630e45ec4101
Instruction Fuzzy Hash: EA219630A902009BEB322F6DD48833D7651E74639AF10147AE80BDB3D4DE28EC88C752

Uniqueness

Uniqueness Score: -1.00%

Function 00DED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2112813291.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ded000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f66ee3a086ee40ea91bf7a1205a22ece65f51911c7cf7087a8a5cafb8c5da8
Instruction ID: 268e2ed1f6914781503a202e08eca91a83b99ffd08661f429e311e454bfc37b9
Opcode Fuzzy Hash: 60f66ee3a086ee40ea91bf7a1205a22ece65f51911c7cf7087a8a5cafb8c5da8
Instruction Fuzzy Hash: 0621F271604280DFCB14EF15D984B26BBA6FB84314F28C569E84A4B296CB3AD847CA71

Uniqueness

Uniqueness Score: -1.00%

Function 04E694D5 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89dcd33f53f8e7f3ac1f9b463fef764378dd2ba9357e6436c2844ddd2f2109dd
Instruction ID: 21747bbc12036d871317e27639ad5a88f4524e93cdcac1a66a49f5ab3b62d8b4
Opcode Fuzzy Hash: 89dcd33f53f8e7f3ac1f9b463fef764378dd2ba9357e6436c2844ddd2f2109dd
Instruction Fuzzy Hash: C5219270E102159BDB18CF64D550ADEBBB2AF89354F10852AEC16FB351EB70E842CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04E64FC9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe089f19c3004504174b634222718f1f9cde0e59e282bba91e2e5a206cdcaf59
Instruction ID: 45bc1106b6adbacce287b4f4858ed1982b936f7b51aaa6f3b3d57b916ffb28e5
Opcode Fuzzy Hash: fe089f19c3004504174b634222718f1f9cde0e59e282bba91e2e5a206cdcaf59
Instruction Fuzzy Hash: 7A212734740204DFDB44EF78D958AAD7BF1AB48644F105468E406EB3A5EF36ED01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E694D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238034d313855e903b0e5212fd245fa4093c7b6ddcf5650c464c9d94f0f155d2
Instruction ID: d9602bbe48fdfc4ed04151b3299833dc0ada1ab0ce097d6704f87e2c2991027e
Opcode Fuzzy Hash: 238034d313855e903b0e5212fd245fa4093c7b6ddcf5650c464c9d94f0f155d2
Instruction Fuzzy Hash: 77219F70E102199BCB18CF64C550A9EBBB6AF89354F10852AEC16FB351EB70E842CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04E618C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbea88af92aaae1753b50360a5907d5d8502c5adcf87eacb8dc667b9e538f077
Instruction ID: 3d081da4c1f4cf541934bd2e6b476d688c80eb6c1898029c5d71bf224b26aa05
Opcode Fuzzy Hash: bbea88af92aaae1753b50360a5907d5d8502c5adcf87eacb8dc667b9e538f077
Instruction Fuzzy Hash: AC213E30B44219CFDB55EF68C6546ADB7F6AF49284F101468D106EB364EF35AC00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E616E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ff6b2e3228f3a8788b9419b9192ce9a002612b81e7ae4e7cd2c479733f61de
Instruction ID: e8a2d9dbaaf862318f5ba47806ff02529e2920fd6098a8729829f40936752040
Opcode Fuzzy Hash: 52ff6b2e3228f3a8788b9419b9192ce9a002612b81e7ae4e7cd2c479733f61de
Instruction Fuzzy Hash: 62218E386441014FDB12FB78E9C4729B75AEB42358F105A25D01ACF36DEF24FC848B90

Uniqueness

Uniqueness Score: -1.00%

Function 04E64FD0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d787f3e1026aee7fc88348104120629ce8bab39c81d274947455c553cc440e8
Instruction ID: 9a53ffaf8fecfc783aa24f3057cf81d4c9a592c7dcdf6dd20cecd2f5e5ea4362
Opcode Fuzzy Hash: 2d787f3e1026aee7fc88348104120629ce8bab39c81d274947455c553cc440e8
Instruction Fuzzy Hash: F3211634740204DFDB54EF78D958AAD7BF1AF48645F105468E406EB3A5EB36ED00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E66FA8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32feb55396fa0519246dacecc4d1df4da0b67058a6ac33bc4fe7d6fb635ceee2
Instruction ID: 5c9e9223b241051093dfed54957518c06996f8690589c5a0f4292ef2df591a09
Opcode Fuzzy Hash: 32feb55396fa0519246dacecc4d1df4da0b67058a6ac33bc4fe7d6fb635ceee2
Instruction Fuzzy Hash: 0D112330F002049BDF00AFB899543AFBBE5EB84354F20593AE416CB385EA35D89587A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DED005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2112813291.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ded000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2eaf60a358a1bccf55cadfe03702151b725111d50d13a579937db72dd96b73
Instruction ID: 543c8db8f59f5abded5555657df3c4dc7e25761069327819ba6ebe8dff1280f3
Opcode Fuzzy Hash: 7b2eaf60a358a1bccf55cadfe03702151b725111d50d13a579937db72dd96b73
Instruction Fuzzy Hash: 71215E755093C08FDB12DF24D994715BF72EB46314F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 04E60848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3cce80b4b5557b4f024089b75a40ff344daee2f1563822cd3774447a8c974d
Instruction ID: c3ca097dd03570da7125e8b62eeecd2f5be1e087c1a96d9256d1943c82c6f9e3
Opcode Fuzzy Hash: 0d3cce80b4b5557b4f024089b75a40ff344daee2f1563822cd3774447a8c974d
Instruction Fuzzy Hash: E911E330B802245BEF20EF79C44476E7291EB41398F205979E00BDF391DA65EC818BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04E614D0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adf02bb80c1c726d73da695186c6a98f3b19dc8d55dce6e8755f5fca2a28a23
Instruction ID: 1262d3438426a8c121c0f6b56e5f947f395989449481124498c4eb4919c623e0
Opcode Fuzzy Hash: 5adf02bb80c1c726d73da695186c6a98f3b19dc8d55dce6e8755f5fca2a28a23
Instruction Fuzzy Hash: FD014031E412649FDF22EFB984406ADFBF5EB48299F146479D807E7301E731E8418B91

Uniqueness

Uniqueness Score: -1.00%

Function 04E61809 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa7e58cba61dae3773cdaf419c4b3d93dc3dae4cf2e28ec26a7379e5f55ce04
Instruction ID: a87baaa5532c8bfe4f3d1b2f1b706ab44db80d643c27be44f229751c84b356bb
Opcode Fuzzy Hash: dfa7e58cba61dae3773cdaf419c4b3d93dc3dae4cf2e28ec26a7379e5f55ce04
Instruction Fuzzy Hash: 8401C075F102119FCF11BB79980865EBBEAFB88650F104D26E90ADB359EA388C018BC1

Uniqueness

Uniqueness Score: -1.00%

Function 04E644EB Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0589a14f9ac7c8018e42f762d2d62515ec806d7186f0b51cb03773a895da86
Instruction ID: 523c4845d893be2d23df05196f60fecb3b0ead0588303cafeeaacb0876b41855
Opcode Fuzzy Hash: 4b0589a14f9ac7c8018e42f762d2d62515ec806d7186f0b51cb03773a895da86
Instruction Fuzzy Hash: 5E11E670D8021DDAEF24EAA4D5887ECB7B3AF0039DF14242AC002B61A0DB7469C9CB19

Uniqueness

Uniqueness Score: -1.00%

Function 04E618B1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0947698518247bb3a4e4a92b30997b5cccb700aeb204e5a4205852d8d9e56e07
Instruction ID: 44f58c47b0c55cf42a32f83fba5c1e433d088544f74cd6a8e98a39b97f302897
Opcode Fuzzy Hash: 0947698518247bb3a4e4a92b30997b5cccb700aeb204e5a4205852d8d9e56e07
Instruction Fuzzy Hash: 5AF08BB67000009FDF123734980039EB797E788660F108E11EA6ADB3DEEA399C0607C4

Uniqueness

Uniqueness Score: -1.00%

Function 04E6155C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b9b544f0ecb14697a74790c8608233122f115c63b440db3b695a8bbf38fb61
Instruction ID: 9be971f5f476994f521e84abf46c705e87c404be90432fa83ce78b3720904089
Opcode Fuzzy Hash: 41b9b544f0ecb14697a74790c8608233122f115c63b440db3b695a8bbf38fb61
Instruction Fuzzy Hash: 0DF0F633E441508FEB23CBA884912ACFBB2EB55298B196096D807DB212E320F846C751

Uniqueness

Uniqueness Score: -1.00%

Function 04E67408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ef8b9270ee21a3f26d67e2e01704e62911a64e6f9cdf165ec2737e80001032
Instruction ID: 3b102b28c250c0b052c79987461e4ed0bb658b0ee414ec672cb5c7c7a2e30508
Opcode Fuzzy Hash: 95ef8b9270ee21a3f26d67e2e01704e62911a64e6f9cdf165ec2737e80001032
Instruction Fuzzy Hash: 7FF0F235B00204CFCB04EB64D598B6C77B2FF88616F1040A8E9068B3B8CF34AD42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04E68478 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2122734308.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e60000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0af3e2ae1aeaf78b2a2a3afc0367499631643c90898de04fcec420948da19e6
Instruction ID: 9d41762eca568b531544ca18b4ce7712f35f1b71624ada7eee07fd11b7c0dd07
Opcode Fuzzy Hash: a0af3e2ae1aeaf78b2a2a3afc0367499631643c90898de04fcec420948da19e6
Instruction Fuzzy Hash: 41F044709001099FCB01FFA8FA9169DBBB6EB40300F504679C4059F369EF31AE449B91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: boqXv.exePID: 7044, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	223
Total number of Limit Nodes:	17

Executed Functions

Function 0166D2B1 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0166D33E
GetCurrentThread.KERNEL32 ref: 0166D37B
GetCurrentProcess.KERNEL32 ref: 0166D3B8
GetCurrentThreadId.KERNEL32 ref: 0166D411

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c6751cd4e04fb0a399f56c9076d404973ddca029b7e241cf14fc0444c1f60cb9
Instruction ID: fc7d91acf18c46706153b2e4a6661a3615d771bcf0adbe6f763a8be166d67445
Opcode Fuzzy Hash: c6751cd4e04fb0a399f56c9076d404973ddca029b7e241cf14fc0444c1f60cb9
Instruction Fuzzy Hash: 175167B0E002098FDB15CFAAD988BDEBFF5AF89304F208459D049A7360D7749844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0166D2C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0166D33E
GetCurrentThread.KERNEL32 ref: 0166D37B
GetCurrentProcess.KERNEL32 ref: 0166D3B8
GetCurrentThreadId.KERNEL32 ref: 0166D411

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 08691fef60f0f616ba7c5ce9dd7eadf1a7d4ac71d50b13f4ff6278a8336248c4
Instruction ID: a779da517cb0ae88fde7144add72fb2ddb4aa2dda44a4e14bfa46d227fcb6d79
Opcode Fuzzy Hash: 08691fef60f0f616ba7c5ce9dd7eadf1a7d4ac71d50b13f4ff6278a8336248c4
Instruction Fuzzy Hash: 0A5147B0E002498FDB14DFAAD948BDEFBF5AF89304F208459D159A7360D7749884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 076A1A7C Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076A1CBE

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 780a26128f3039aab36fb754b7686ea8a95e9a08f5aefeb85794c183238617dc
Instruction ID: 6b217186f7e86dbe1d942a39ab4087328fcf17a89feb9abf46a1b0c63189b4dd
Opcode Fuzzy Hash: 780a26128f3039aab36fb754b7686ea8a95e9a08f5aefeb85794c183238617dc
Instruction Fuzzy Hash: 64A169B1D0032EDFDB14DFA8C8407EDBBB2AF49310F1485A9D81AA7290DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 076A1A88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076A1CBE

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9d67b586dd50d7496846a4d7e6984e8783ef89a1d0502d61d0d16c053c662ce4
Instruction ID: cda32efa479273d37cd837b051000c181d75d33307f6d36f2ddbdbaf18a5d661
Opcode Fuzzy Hash: 9d67b586dd50d7496846a4d7e6984e8783ef89a1d0502d61d0d16c053c662ce4
Instruction Fuzzy Hash: 8D9149B1D0031EEFDB14DFA8C840BEDBBB6AF49310F1485A9D80AA7250DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0166B028 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0166B27E

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0599cbf1fc40b4ed51df23e089dedefbd7675438f57db1f5b50c23c3387c5a65
Instruction ID: 7ecdbbd81fcb7624bd92081797734f7eab63614be30ff281caa135c60f20fbde
Opcode Fuzzy Hash: 0599cbf1fc40b4ed51df23e089dedefbd7675438f57db1f5b50c23c3387c5a65
Instruction Fuzzy Hash: 2A811070A00B05DFD725DF6AD8407AABBF9BB88300F008A2DD49AD7B50DB75E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0166590C Relevance: 1.6, APIs: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016659C9

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a45acc5ccab5e25b9e4bf7a3e31db7b9d335d740605d0cb36efb3f4ac3aca152
Instruction ID: 52f5d4ec5edef14ca87f9165b3a9891975197975eba04e38a2d0de35c3bc1628
Opcode Fuzzy Hash: a45acc5ccab5e25b9e4bf7a3e31db7b9d335d740605d0cb36efb3f4ac3aca152
Instruction Fuzzy Hash: B15102B1C00719CFEB24CFAAC8857DEBBF5AF48314F24806AD509AB251D7759986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016644C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 016659C9

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a43acbdde6b8edceb578c5dc07fa6ec21e250481a613779e4c0d15a9cfe21137
Instruction ID: 12335140e6035b8ff8d790152214ccb607cc7a2939b52c19910fc4a29714ab67
Opcode Fuzzy Hash: a43acbdde6b8edceb578c5dc07fa6ec21e250481a613779e4c0d15a9cfe21137
Instruction Fuzzy Hash: 1F41D2B0C00719CBDB24CFAAC8857CEBBB9BF49304F24816AD509AB255DB755945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 076A17F8 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076A1890

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0356b8367ef77df9c725395d227f2e34b326be3ddb5b4f092e814f44a65fd0ae
Instruction ID: d92d723cba71bc68fe73239092012294a33180247dc2e7b1a811d77effc419cc
Opcode Fuzzy Hash: 0356b8367ef77df9c725395d227f2e34b326be3ddb5b4f092e814f44a65fd0ae
Instruction Fuzzy Hash: B62137B59003199FCB10DFA9C981BDEBBF5FF48320F10882AE559A7251C7789944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 076A1800 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076A1890

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dfb9451cd92de32f3b678c832b9652292f5cbef5fa11d7b8339231e23b3b1584
Instruction ID: 701f528a92c5aa8b019ce5e7ca499c5802f6c1bbd1626c32c041df3b16b7a70c
Opcode Fuzzy Hash: dfb9451cd92de32f3b678c832b9652292f5cbef5fa11d7b8339231e23b3b1584
Instruction Fuzzy Hash: 272126B19003599FCB10CFA9C885BDEBBF5FF48320F108829E959A7250C7799944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 076A1228 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076A12AE

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6f6e4d1444d8f6db8e582f3689f80c5df81317e17443bfc162c9b6caaab9718c
Instruction ID: 3d2826c59e5c01661b62518b3fd73e55e5ce0613bb7fb0ac5d6489a6b73b4404
Opcode Fuzzy Hash: 6f6e4d1444d8f6db8e582f3689f80c5df81317e17443bfc162c9b6caaab9718c
Instruction Fuzzy Hash: BE2168B59003099FDB10DFAAC4847EEBBF4EF48324F10842AD459A7340CB78A985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 076A18E8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076A1970

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fe24eb9658fc8dc2510a6319ec9372ff7bedf75431170e6bacf332fb320a2ae0
Instruction ID: 462ecdf8ff56a44c372b1249a2740ca5cbb5e7106d84a6063bab77807a030bef
Opcode Fuzzy Hash: fe24eb9658fc8dc2510a6319ec9372ff7bedf75431170e6bacf332fb320a2ae0
Instruction Fuzzy Hash: 132119B59002599FDB10DFA9C941BDEFBF5FF48320F10882AE559A7250C7349945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0166D501 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0166D58F

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a83ace0a1061cbdf0896f17d96dab74b251e405bd34c9e96546d1275ee0c4cfd
Instruction ID: ad80c38209b1c81db280371f54cfac8f1c1ab22da9296adcca16701616051e84
Opcode Fuzzy Hash: a83ace0a1061cbdf0896f17d96dab74b251e405bd34c9e96546d1275ee0c4cfd
Instruction Fuzzy Hash: 0921E4B59002589FDB10CFA9D984AEEFFF4FB48310F14841AE954A7311C375A940CF61

Uniqueness

Uniqueness Score: -1.00%

Function 076A1230 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076A12AE

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 53e55e07a66a9ac001ebe857836953723a956ff7481278fdf56495de5bb08c27
Instruction ID: 349a2df109ef6964f05fa4f5950dd5c3699345c43bd0ede46d1127926c3bd737
Opcode Fuzzy Hash: 53e55e07a66a9ac001ebe857836953723a956ff7481278fdf56495de5bb08c27
Instruction Fuzzy Hash: 8F2135B19003099FDB14DFAAC4857EEBBF4EF48324F10842AD559A7240CB78A984CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 076A18F0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076A1970

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0587ff0bab5453dfbc88948fdd3dacf29779f7579c11859a260e7173abd9dd71
Instruction ID: 102a756edc94d95a9c406a6f723d5168c676c0d2ec0a095c1da76ddad1d409e2
Opcode Fuzzy Hash: 0587ff0bab5453dfbc88948fdd3dacf29779f7579c11859a260e7173abd9dd71
Instruction Fuzzy Hash: 092128B18003599FCB10DFAAC840ADEFBF5FF48320F10842AE559A7250C7759944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0166D508 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0166D58F

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e7b80f1b33f58c683802fa012ff9c4b1511173c3fd3ab810fadfaf126e5bf401
Instruction ID: 0c281681ca1c5fa47da1dfc8d39a711f257ed4763b5a5a2f4fc4ee7cf8f557af
Opcode Fuzzy Hash: e7b80f1b33f58c683802fa012ff9c4b1511173c3fd3ab810fadfaf126e5bf401
Instruction Fuzzy Hash: 9221F3B59002589FDB10CFAAD984ADEFFF8FB48320F14841AE958A7310D375A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0166B498 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0166B2F9,00000800,00000000,00000000), ref: 0166B50A

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4ba4f14adcfbfa5baf6c26b1ba1b8f88a98b4bfa58a5f9d9b00dd1df8693ce3a
Instruction ID: 69705025f45b0e971d7ada2612fd6f778544594492f14c9dd015c0621e438c41
Opcode Fuzzy Hash: 4ba4f14adcfbfa5baf6c26b1ba1b8f88a98b4bfa58a5f9d9b00dd1df8693ce3a
Instruction Fuzzy Hash: 3F2103B6901348DFDB20CFAAD844AEEFBF4AB89310F14842ED459A7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 076A1738 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076A17AE

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b2b963094a72b7ef7453fa9ea1a82ab363b119793bfccee6ee1a4918c7d20fd8
Instruction ID: b2307cd0999be5d77924b7ce8d34839ce55bc8e95c24e40e01de54ab654db6c2
Opcode Fuzzy Hash: b2b963094a72b7ef7453fa9ea1a82ab363b119793bfccee6ee1a4918c7d20fd8
Instruction Fuzzy Hash: 46117CB6800259DFDB10DFA9C9457DEBBF5EF48320F20881AD555A7250C7359944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0166ACDC Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0166B2F9,00000800,00000000,00000000), ref: 0166B50A

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b1bdbb67d08bd5739da6b20b88e2054a9eba837a6966aef26b0fc0bc389ef965
Instruction ID: 5edd9a49163835ea7941f027afe3ffc9d8f9e3d2e368caf62ddcfb71e841afd1
Opcode Fuzzy Hash: b1bdbb67d08bd5739da6b20b88e2054a9eba837a6966aef26b0fc0bc389ef965
Instruction Fuzzy Hash: A81114B6900308CFDB20CF9AC844ADEFBF8EB48310F10842AD519A7310C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 076A1740 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076A17AE

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4be084554c1eadb00684d50337c5122d457ec56ad321fc32b2a9ed35b095fdeb
Instruction ID: 21682f6dfe77ce6b51e9f3f5f1ec25a561fff20eb2f642a64de2e0a92bea922f
Opcode Fuzzy Hash: 4be084554c1eadb00684d50337c5122d457ec56ad321fc32b2a9ed35b095fdeb
Instruction Fuzzy Hash: 161137B5900259DFDB10DFAAC844BDEBFF5EF48320F108819E555A7250C775A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 076A1178 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 076A11E2

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4ff47f36b5605c78552b6352ec3e1dbb9a1803fdd883ab0f857b6acac5920702
Instruction ID: 48115347823f8b034f88f02a76f317791ed50a52b11f09f9117d743c852f46fd
Opcode Fuzzy Hash: 4ff47f36b5605c78552b6352ec3e1dbb9a1803fdd883ab0f857b6acac5920702
Instruction Fuzzy Hash: CF1155B69002598FDB20DFA9C5457EEFBF4EF48324F20882AD459A7250CB35A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 076A1180 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 076A11E2

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c2748b16c2470529ec31c28b1bad96868110ad51445b6c8e85b8d4946920e0ca
Instruction ID: 62de82e1aec288b841e269357168e7de1b43bab91beb4f6b9a5f24bb1eb70807
Opcode Fuzzy Hash: c2748b16c2470529ec31c28b1bad96868110ad51445b6c8e85b8d4946920e0ca
Instruction Fuzzy Hash: 07113AB19003598FDB24DFAAC4457DEFBF4EF89324F20881AD459A7250CB75A944CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0166B218 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0166B27E

Memory Dump Source

Source File: 00000013.00000002.2133038592.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1660000_boqXv.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f26875ca0a0e8d68af504ceeba7577bbb0fa3f6e79d440675b12d0122e03382f
Instruction ID: 9bca3c9a873822fb9a6615417f6a68f7596f832a0a8057f29fe1360c5ea96f1e
Opcode Fuzzy Hash: f26875ca0a0e8d68af504ceeba7577bbb0fa3f6e79d440675b12d0122e03382f
Instruction Fuzzy Hash: B911D2B5D01349CFDB10DF9AC844ADEFBF8AB48314F10841AD569A7210D375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 076A3760 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 076A5595

Memory Dump Source

Source File: 00000013.00000002.2149557514.00000000076A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_76a0000_boqXv.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3ff1031996dba8f35401a8d0cc7b48532dfc4895fafcef8057a881cbbacf5954
Instruction ID: 7f20dc38b62f265b463698695c0e2cc1f04b60fbed60cb8d7b07be449a41daed
Opcode Fuzzy Hash: 3ff1031996dba8f35401a8d0cc7b48532dfc4895fafcef8057a881cbbacf5954
Instruction Fuzzy Hash: 0411F5B5800349DFDB10DF9AC444BDEFBF8EB48320F108459E559A7201C375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DCB2D8 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05DCB40B

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 1543a3a11943f7000cabcf25ee221c99d3e073e75d54218fc99b104f55e70418
Instruction ID: 3fb638c812865d4597c614a9350bc2477eeb478bd79dddaa60cde8b1405eb3bc
Opcode Fuzzy Hash: 1543a3a11943f7000cabcf25ee221c99d3e073e75d54218fc99b104f55e70418
Instruction Fuzzy Hash: 3D51F774E09209CFEB04CFA6C8856AEBFF6BF89304F54906ED446AB254DB349945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DCB2C9 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05DCB40B

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 266e2e252df64d5a3144b60938d508f802816457028832f9010df12067904003
Instruction ID: 5855e7cde9db755ff0e124e88e87798e392ea3842337e967de13b237ea79948a
Opcode Fuzzy Hash: 266e2e252df64d5a3144b60938d508f802816457028832f9010df12067904003
Instruction Fuzzy Hash: BB4104B0E09209CFEB04CFA5C9856AEBFF6BF89304F5090AFD409AB254DB349805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DCB353 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05DCB363

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 0251d0be766f4d55e7d571c46a99d72adbf7b9a8bd20ee8616d557b3d5eafd7f
Instruction ID: 6b4792ed99062c49d370c3278b54f7a684332115b785ed47480220bc95d0efe1
Opcode Fuzzy Hash: 0251d0be766f4d55e7d571c46a99d72adbf7b9a8bd20ee8616d557b3d5eafd7f
Instruction Fuzzy Hash: E1117F75E00209DFCB08DFE8C9849ADFBB2FB88310F208129E919AB355C635A915DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DC7C0D Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb3eb399a32c883774d99d7d3e9fcba6b0a02f71c4beb2a533996e376c64c04
Instruction ID: f4abaeb075cecebb7c16a6ce163e6cb5bcb2ec9d2c3744c2b93f77f72a42ff04
Opcode Fuzzy Hash: ebb3eb399a32c883774d99d7d3e9fcba6b0a02f71c4beb2a533996e376c64c04
Instruction Fuzzy Hash: 9B517A70E0060A9FDB04DFA9CC41BBEBAB2FB84301F1081AEE555973D5DB74A942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCBE0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433726c905bed9b3ea3bb1b8f769ecfa53d89a613021676886d402e39cae088f
Instruction ID: 76d8740f0e6eb915068e7e495d3cfc75e169c2d3eecebc3d60cdeff11e1bfa8b
Opcode Fuzzy Hash: 433726c905bed9b3ea3bb1b8f769ecfa53d89a613021676886d402e39cae088f
Instruction Fuzzy Hash: 34513D7091820ACFCB04CF99D9858ADFFB6FF4D300B559599D519A7226D730E981CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCC4B Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71d9ba9b828503d406810462cae0f2018af4d06a5ab481400226c65476d1250
Instruction ID: 66e89c9c22b962ec8150da88d5eba8281738cded741538bfd48c203b15301b0b
Opcode Fuzzy Hash: a71d9ba9b828503d406810462cae0f2018af4d06a5ab481400226c65476d1250
Instruction Fuzzy Hash: 71515D7091820ACFCB04CF59D9849EDBFB6FF49301F15919AE519A7222CB34E981CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DCBA78 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4acfc954eeae4bcad6d3d684d0252fe10518afc8eec36c92fa3189ae4bf654e
Instruction ID: b7c87902b96a689a2dd2368efca5800b16f68e90425aaf7e85af5bf4548a0b6e
Opcode Fuzzy Hash: c4acfc954eeae4bcad6d3d684d0252fe10518afc8eec36c92fa3189ae4bf654e
Instruction Fuzzy Hash: B8410B70D082098FDB04CFAAC8416AEBFF6AB8C301F54D06BE459A3255DB749941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05DCA738 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f190c2a22aa9cefcea469df142c8970ac72e09bab1390a9b453fc03f64d7a7
Instruction ID: 7a04816ee713e6ac868f36f750f75c72f8f31653a16cab2e6377c8f7218b5059
Opcode Fuzzy Hash: 28f190c2a22aa9cefcea469df142c8970ac72e09bab1390a9b453fc03f64d7a7
Instruction Fuzzy Hash: 0A417F70E0461ECBCB14CFA9C9886AABFB2FF45700F0485ABE456DB291D334D882C756

Uniqueness

Uniqueness Score: -1.00%

Function 05DCBA6A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45856a6f12a58e4d1cc52fb0304ed2f59ad4b70a14eac4e8196a1d698bcbcde
Instruction ID: c22c2543722df7b511efc26397b37d4f7fc0446adbc1af355e851d99dfe9ede2
Opcode Fuzzy Hash: f45856a6f12a58e4d1cc52fb0304ed2f59ad4b70a14eac4e8196a1d698bcbcde
Instruction Fuzzy Hash: 28314B70E092098FEB04CFAAD8416AEBFF7AF89301F54D0ABE459A7255DB748901CA54

Uniqueness

Uniqueness Score: -1.00%

Function 05DC61D4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7351a9b6cad961763c9e74ba37915b4476c1a1d2dd5fdb5a76264643598e20a
Instruction ID: 7466ee8e7b237f3182ca88bf3f3b8d76a451ee98ba4b2330f5f58e681287e7fe
Opcode Fuzzy Hash: d7351a9b6cad961763c9e74ba37915b4476c1a1d2dd5fdb5a76264643598e20a
Instruction Fuzzy Hash: AE3128B5A002099FCF10DFA9D884ADEBFF5EB48310F10846AE919E7211D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05DC8908 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cbf3057e8d439cd300f1d633e00281936bc269d244f1ab5bc35bb4a2ce666f
Instruction ID: a89e381beffdb599776885114596817cef1bd73517c2ddd535ef83fe9cb8192f
Opcode Fuzzy Hash: d4cbf3057e8d439cd300f1d633e00281936bc269d244f1ab5bc35bb4a2ce666f
Instruction Fuzzy Hash: 9D316D72E04126DBC710CB69C844ABEFBF2FF44310F0481ABE456DB2A1D738D841EA62

Uniqueness

Uniqueness Score: -1.00%

Function 05DCE554 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93b4caccf2175b247a03eae1fd383f2a87e44423043753929b2203d0cb43935
Instruction ID: 9088c432546a7c7b5e919b6b74eaafa4795f8e4854faffc8c3dece484af5e3c2
Opcode Fuzzy Hash: b93b4caccf2175b247a03eae1fd383f2a87e44423043753929b2203d0cb43935
Instruction Fuzzy Hash: 842191B0A59206CFCB12DF98D9506ADBFFEFB49301B00A5AAE016D7251DB70E985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DC87E8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f08f3a525163cc0149d778fddf26ee94e37cfaf2b4c9714fd4b512694145b3
Instruction ID: 374125aa79517db6a55c08dc974fe1d54d1701ebaf9bf26e500c93d4a284cd9d
Opcode Fuzzy Hash: 16f08f3a525163cc0149d778fddf26ee94e37cfaf2b4c9714fd4b512694145b3
Instruction Fuzzy Hash: C621D130B482469FD728CA15A805F267E63BF81701F65C0AFE0168F6D6DA36CC81D792

Uniqueness

Uniqueness Score: -1.00%

Function 0160D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132413332.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_160d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae39a38f703bca5d900328be0e72efc4e7d84dd3b9caa6b6c287c880cbf0f7f
Instruction ID: b7e9f52874fee2161a83d2e47d19c5335464cc1b7b30eb914decbbcb7c44436c
Opcode Fuzzy Hash: aae39a38f703bca5d900328be0e72efc4e7d84dd3b9caa6b6c287c880cbf0f7f
Instruction Fuzzy Hash: E721C171504240DFDB0ADF98D9C4B2BBF65FB88324F24C669EA094A296C336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132413332.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_160d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cecc018f093a04045e2de4fa2dbf14561be2bbe60ca77bdc237f886c246faa
Instruction ID: 117b48ca4b257a97569a6f33d34b31aff423517d74f925e114e42c8a74110223
Opcode Fuzzy Hash: 06cecc018f093a04045e2de4fa2dbf14561be2bbe60ca77bdc237f886c246faa
Instruction Fuzzy Hash: 5021D371504240DFDB0BDF98D9C0B2BBF65FB88318F24C669ED094B296C336D456CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DC619C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6394fa6bbdd1ac4703e60bb27836be1bfd828a7c3f30bb8607f8bfcb53ebd79
Instruction ID: 797298d82b479a8483ad651e85ff894ba549ab370a053a46b8202db3fb222856
Opcode Fuzzy Hash: b6394fa6bbdd1ac4703e60bb27836be1bfd828a7c3f30bb8607f8bfcb53ebd79
Instruction Fuzzy Hash: 6911D035A0E3889FCB06CBB89D654A97FB5EF4211072448EFE845CB253D924DE09C371

Uniqueness

Uniqueness Score: -1.00%

Function 0161D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132513469.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_161d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8231a1d75efdc890a1cf8353f5f840436c7705a5fdee7a45c3f4f42c7c7180e9
Instruction ID: f6edda169e7d60a20da72fb59c3fb8a499d8b7f8d35d47257fb64b6cd3cba237
Opcode Fuzzy Hash: 8231a1d75efdc890a1cf8353f5f840436c7705a5fdee7a45c3f4f42c7c7180e9
Instruction Fuzzy Hash: 1B212671504240EFDB05DF98DDC8B66BBA5FB84324F28C66DEA094B35AC33AD446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0161D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132513469.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_161d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ea6f3ad07cdde1f89c746e937c493faab5a597a487e50358cb54afa05d21cc
Instruction ID: 64e8fcb375032683f1923c8fa6676b92ccf2350722fa2e4decec2675475ebdce
Opcode Fuzzy Hash: d9ea6f3ad07cdde1f89c746e937c493faab5a597a487e50358cb54afa05d21cc
Instruction Fuzzy Hash: 07212275604200DFCB15DF58D988B26BFA5EB84315F28C56DD80A4B39AC33AD447CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05DCE5FD Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b0de680e90d33e26cf3fb6d34f70455bdab9915bccd49d4631c3b7d23dde44
Instruction ID: 615386e4c080ff2210692750da2fe20f9e7b45064bd55c5b8676a712d24bc2e2
Opcode Fuzzy Hash: a5b0de680e90d33e26cf3fb6d34f70455bdab9915bccd49d4631c3b7d23dde44
Instruction Fuzzy Hash: AA313934B153198FDB10DF14DA84BA97BF6FB99200F0081DAE41A97394DB709E89DF11

Uniqueness

Uniqueness Score: -1.00%

Function 05DC87D8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2ed9c1c1829b4669bd6f671cb7eb47beeb92e872207271643ddc4adcf46901
Instruction ID: a141807b4bc1bf9cc7c6b22b9e340b505bd4bcaf1a47569b25e3aecdafb6c286
Opcode Fuzzy Hash: 0c2ed9c1c1829b4669bd6f671cb7eb47beeb92e872207271643ddc4adcf46901
Instruction Fuzzy Hash: 2221AC30B48242DFD724CA45E801F667B62BF81701F6580AFE5169FA96CA36CC81D782

Uniqueness

Uniqueness Score: -1.00%

Function 05DCBC18 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46686df5a3762309f80bddc6ce66266899926992715c6f471b8221ed8bdeba63
Instruction ID: 55361eca354c9e46ce393ad375c718b266462affff275483c0264d65e96951a0
Opcode Fuzzy Hash: 46686df5a3762309f80bddc6ce66266899926992715c6f471b8221ed8bdeba63
Instruction Fuzzy Hash: AF21E574A08209CFDB40CFA8C6919AEBBB5EB49300F60519AD809E7711D730DA41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0161D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132513469.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_161d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f676f77ebc685f171951ce491b873b7b13d19fe58993af1971ed4760bb0c0f7
Instruction ID: a1e83cdfdc015d1e49e0e85a6a652d96e0c42d7f9b30a2e16774341d10845c5b
Opcode Fuzzy Hash: 3f676f77ebc685f171951ce491b873b7b13d19fe58993af1971ed4760bb0c0f7
Instruction Fuzzy Hash: E921AE755093808FDB03CF64D994B15BF71EB46214F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05DCFE38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f11fe48a2f931facb300d15dc3f9d994a0cd713c72766a1e71e67b121789771
Instruction ID: 15208bedf3342400a4610a783d76e1c118b5b85f1572e96b7f8d677ca04624bc
Opcode Fuzzy Hash: 8f11fe48a2f931facb300d15dc3f9d994a0cd713c72766a1e71e67b121789771
Instruction Fuzzy Hash: CD119130B0021BCBCB189B7998106FB7EABBB89750F0495AEA516DB385EA30CD4087D0

Uniqueness

Uniqueness Score: -1.00%

Function 05DC87F3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d43d6e995636c4a4f185d081be6b5eb92bafadd1a36cf4e3db653326a09774
Instruction ID: 3316f8ca33223562a9bf565d17f47da2f9b3965b3a08b1c2b37ec2cf9a403a4e
Opcode Fuzzy Hash: 02d43d6e995636c4a4f185d081be6b5eb92bafadd1a36cf4e3db653326a09774
Instruction Fuzzy Hash: F1117C30B48246EFD624CA40E905F367B62BF81705F65C0AFE1165FA96CA36C881E743

Uniqueness

Uniqueness Score: -1.00%

Function 05DCBC28 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fd0f27340a3297ef603e64a44e3968981cf3f570b0036108a8314e519d27a1
Instruction ID: 2288f05b7ac496efe2013ada8e3f6dc378cfcf53b06d6085f5e1782884ae4035
Opcode Fuzzy Hash: 39fd0f27340a3297ef603e64a44e3968981cf3f570b0036108a8314e519d27a1
Instruction Fuzzy Hash: 062198B4D08209DFDB44CFA9C6919AEBBF5EB49300FA0919AD409E7711D730DA41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05DCC1A0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e90565a41ae4d661cc9ccc06ac7c5b3fdfdae98a0abf2bc0d375e1faa601a5
Instruction ID: 461002e1be67c75691f9d1ad69dc6d6643c986ecba4998c97467743fc6efd495
Opcode Fuzzy Hash: 12e90565a41ae4d661cc9ccc06ac7c5b3fdfdae98a0abf2bc0d375e1faa601a5
Instruction Fuzzy Hash: 9A21F9B1D046188BEB19CF9AD9543DEBFF6AFC8310F04C4AAD409BB264DB7409468F90

Uniqueness

Uniqueness Score: -1.00%

Function 0160D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132413332.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_160d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: 93f07c1f939b4e055b18358a5cc547d42174bf144b60b5cf8ade2fd4b4fa102d
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: 5B21AF76504240DFDB06CF94D9C4B56BF72FB84324F24C6A9DD090B696C33AD42ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132413332.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_160d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 5d54676e82ed0416b64b96cc62429afb3aec08aa95687bfde9442ef91a798345
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: A911CD72404280CFCB07CF54D9C4B16BF61FB88218F24C6A9DC090B296C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DC61E4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d355ac102ef23f8302b58946ed95c3abf793587490858ec6209bd455abcd2552
Instruction ID: b75b13d7a2c0e3c83bf058e59e53f35e207e904c80d11d95e8a53185651f656f
Opcode Fuzzy Hash: d355ac102ef23f8302b58946ed95c3abf793587490858ec6209bd455abcd2552
Instruction Fuzzy Hash: E121D0B59003499FCB20DF9AD884ADEBFF4FB48320F10846EE959A7211C375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0161D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132513469.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_161d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3a4def1b3f50210b76a3d4a44054bf0c86877124989581b28ea22e62affe36ff
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F911BE75504280DFDB02CF54C9C4B55BFA1FB84224F28C6A9D9494B766C33AD40ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DCBCD0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1ae2100190d59564c0f80c6a3a904e7590403945d5aa5f0f206865af75b7e9
Instruction ID: 92c81403702227bde9fcbc182c1dc4ef9b0b9f712e0cc1991d4df3e47a67b850
Opcode Fuzzy Hash: 7a1ae2100190d59564c0f80c6a3a904e7590403945d5aa5f0f206865af75b7e9
Instruction Fuzzy Hash: 5D116D70A09209DFCB04CF98C9819ADBFF6BF49310F5491DAD49AAB362C374DA05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05DCB232 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d058452d044d1bea404b00cf16b6edb978d40577faac0a48de81153b2dfcf6
Instruction ID: c75c6b2b8c222cebeddbedb6011bf080fb00af92ecac35dbb19d1c35fb78875d
Opcode Fuzzy Hash: 26d058452d044d1bea404b00cf16b6edb978d40577faac0a48de81153b2dfcf6
Instruction Fuzzy Hash: 2011C46290C3DA4FDB62867CDDA62DC7FB09B07120F2806DBD9A4DB2E3D6245945C782

Uniqueness

Uniqueness Score: -1.00%

Function 05DCBCE0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f142a4f2da552a9d9ea11fa96b5df0aeccedd170bc64f206491b50faf821875
Instruction ID: d31fd7850b2ace2d272d344f8d00bc422ed60cf7d7804db834fc45e3aa7febf4
Opcode Fuzzy Hash: 2f142a4f2da552a9d9ea11fa96b5df0aeccedd170bc64f206491b50faf821875
Instruction Fuzzy Hash: CF1115B0E08209DFDB04DF99C9819AEBFFAFB48310F5095DA945AA7315D374EA448F80

Uniqueness

Uniqueness Score: -1.00%

Function 05DCC1B0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b633dfcdd0275ba247aeb5a0382b6fd0a7c072e13206b99d202b4c80af9bf6
Instruction ID: f920149b12b5a7abd6d8539d7b20ed7bf241d200c16b22cbf19cf9e646b86acf
Opcode Fuzzy Hash: 20b633dfcdd0275ba247aeb5a0382b6fd0a7c072e13206b99d202b4c80af9bf6
Instruction Fuzzy Hash: AE11B0B1D046188BEB18CFABC9553DEBEF7AFC8300F04C06AD519B6264DB7519468F90

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCBDD Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efffd750ab9ffd0f8c92a19d248156e48944c35e21076f592ee1fbbce99474b
Instruction ID: f1a7a8205b3ef825bb8e4262cea4164dbeaeaa0e76513b9339258125d846175b
Opcode Fuzzy Hash: 0efffd750ab9ffd0f8c92a19d248156e48944c35e21076f592ee1fbbce99474b
Instruction Fuzzy Hash: F811F3B0D142198FCB04CFAAC9846EEBFF2BF8D310F1490AAD419A7261DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCFB8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59b3db4329183079f777da995f9bd31db245ba27a55983b782a33566eee4081
Instruction ID: d9c27bc0b420e8dce684dda7c27586dd73760a094703054b623c94ba01a774a7
Opcode Fuzzy Hash: c59b3db4329183079f777da995f9bd31db245ba27a55983b782a33566eee4081
Instruction Fuzzy Hash: AE01DF3055E186DFC301CB68C9509E9BFEAAF4A204B0495EEE04C8B163C6308E4AD740

Uniqueness

Uniqueness Score: -1.00%

Function 0160D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132413332.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_160d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5e6a28f768591127048fa309a58e09e93fbcc76bfae041024f534899e4564d
Instruction ID: 3bc625c4f57bdeaddcf483bbd5c0178fbde4f907d42c45242ea7d521b3d78fe4
Opcode Fuzzy Hash: 3c5e6a28f768591127048fa309a58e09e93fbcc76bfae041024f534899e4564d
Instruction Fuzzy Hash: 4001A7710093809AE7165EE9CD84B77BF98DF81364F18C62AED094A2C6D779D841C671

Uniqueness

Uniqueness Score: -1.00%

Function 05DCD030 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234ae839fcaec0b8899f8e7be3581d13e2087a9cfdeb5c79d76043b029389c9b
Instruction ID: 6d5d47b2c98e66843b9e42b828404169d1e204c2f11f0857687e5aa9ca214173
Opcode Fuzzy Hash: 234ae839fcaec0b8899f8e7be3581d13e2087a9cfdeb5c79d76043b029389c9b
Instruction Fuzzy Hash: F3019234608285DFC705DBA8C955AADBFF2AF4A310F19C1DAD4499B2A2C6309E41EB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCC88 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f83bffcbae7abb6f873a8c2e28fa9e05a6b4e3a5f491195db322d13721c9a7
Instruction ID: dd2ed8bc89a3d260e9b7340de0a63a7978cb7ab05cb0080c2fffe7009d87676a
Opcode Fuzzy Hash: b4f83bffcbae7abb6f873a8c2e28fa9e05a6b4e3a5f491195db322d13721c9a7
Instruction Fuzzy Hash: DA0113B491820ACFCB00CFA6C9849EDBFF6BF8D200B64909AD159A7221CA34C941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DCEA19 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564cb477ebe5f685ef7f69a359bbc3b13951d4b9f9af0509be19745d8722b5b3
Instruction ID: c80d4909c1b81350295e40667fd28cefb4e28e84b2daa6c9adaa060a1c803abe
Opcode Fuzzy Hash: 564cb477ebe5f685ef7f69a359bbc3b13951d4b9f9af0509be19745d8722b5b3
Instruction Fuzzy Hash: 7F116D74E0430A8FCB02CFA8D98499DBBF6FB04304F10865AE426DB389EB70D949CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DCD040 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c663abbf97bec28faa22eced5f58253a00bc1edb364811d6678963c630a47c8d
Instruction ID: 956aac5b98e94f82ac6b605cfc5ff47941737770308ef9b8646d5abee0eb30c3
Opcode Fuzzy Hash: c663abbf97bec28faa22eced5f58253a00bc1edb364811d6678963c630a47c8d
Instruction Fuzzy Hash: 1B01FF74A04108DFC704EFA8CA55A6DBFF6AF49300F55C0E9E8099B361D630DE45EB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCFC8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbda30fccfab09f89c3f811c8be6425e03e07f2bfa9ecf9848bab2f476d1c4d6
Instruction ID: 8c98939cc6c6b1cef053ba35d1185aee51780f39b5197567a4be4821860e5745
Opcode Fuzzy Hash: bbda30fccfab09f89c3f811c8be6425e03e07f2bfa9ecf9848bab2f476d1c4d6
Instruction Fuzzy Hash: 04F03C7091E14ADBC704DF99C9409B9BFFAAB49300F5091EEE5499B226DB309E45EB80

Uniqueness

Uniqueness Score: -1.00%

Function 05DCE7F1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10c209cfa75ec2a0e3c535569f807055074f03f83d3c58855d1b8ff464467b8
Instruction ID: 29c39de339ef3a33289a1614366e2dc4a203635d48650cdefa3cfb5eca0b445f
Opcode Fuzzy Hash: c10c209cfa75ec2a0e3c535569f807055074f03f83d3c58855d1b8ff464467b8
Instruction Fuzzy Hash: 63113934A15315CFEB11DF64CE94BA97BB6FB98200F0042DAE41AA7394DB309E89CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05DCE4EA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfe096373aed2ad9da142e8cca6b86866db2656cb3e4cc232fc22a286fa9be9
Instruction ID: d4fbf3b4fcabe6ce6c314b4e6c65b2426d689dbada92dc088c6e951bfcf3d580
Opcode Fuzzy Hash: 7cfe096373aed2ad9da142e8cca6b86866db2656cb3e4cc232fc22a286fa9be9
Instruction Fuzzy Hash: A301F9B0A09246CFD712EBA4E5553AC7FFAEF84300F00996BD015A7754CFB05949DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DC72E0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ac463e028cfdc2b6463f887092267f4f758c2fd8285a782b4dc9a27325455b
Instruction ID: 837424e342958e12893cfda25f64bc934435015e5c794348d7c20d815edb198d
Opcode Fuzzy Hash: 24ac463e028cfdc2b6463f887092267f4f758c2fd8285a782b4dc9a27325455b
Instruction Fuzzy Hash: 87F0B4323081056FDF05CB98E8558EA7FFAEF45220B1480BFF444C7221D631DA50C760

Uniqueness

Uniqueness Score: -1.00%

Function 0160D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2132413332.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_160d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a999dc25d1371d343ecef94103f2fb4c8f06faab9f00b49d1d9e4bcdbc99296
Instruction ID: e8fefe65cfa69f15867ec2dac105a5bf908b83d70f41c1b278004de9814ad814
Opcode Fuzzy Hash: 3a999dc25d1371d343ecef94103f2fb4c8f06faab9f00b49d1d9e4bcdbc99296
Instruction Fuzzy Hash: D4F062714053849EE7158E5ACC88B67FFA8EB81674F18C55AED084B2C6C3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05DCE4F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95f5411aa63fffbd11acb04f3447300c23a157d62b7f87cd33ba171a373ef0a
Instruction ID: 1153ddcbcbfa63c041da1c6fec157707620d621af341860ea467a1226d12a909
Opcode Fuzzy Hash: c95f5411aa63fffbd11acb04f3447300c23a157d62b7f87cd33ba171a373ef0a
Instruction Fuzzy Hash: 16F0F4B0A0920ACFCB01EBA8D9153AC7FFEEF88300F00996B9015A7354DFB09948CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DCFDC8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e1cd33d5769089d3c9df873c3df2a14af70df6a1e0d28ac7e1395c5d30e817
Instruction ID: 1872eb7aba6d5438e7ed3980e3463d8454cbd20030594daca5d9bf66fec481df
Opcode Fuzzy Hash: 53e1cd33d5769089d3c9df873c3df2a14af70df6a1e0d28ac7e1395c5d30e817
Instruction Fuzzy Hash: 3DF03A30E0524DAFCB55DFA8D9456DDBFB1EF49311F1080AAE8489B351DA344A58EB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCF6F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e7a28cd2663933c2574e86bf7dc461a9b32064c7eeff0c25fc0ef1e6fe09c4
Instruction ID: 138da93b01d15eccb5a6780f53469045bf32ffc790ff3958176abf125897c6a1
Opcode Fuzzy Hash: d1e7a28cd2663933c2574e86bf7dc461a9b32064c7eeff0c25fc0ef1e6fe09c4
Instruction Fuzzy Hash: 2FE0223500E3859FC303CBB4D5211DA3FB09B07201F2480DAE888CB2A2C6354D47D790

Uniqueness

Uniqueness Score: -1.00%

Function 05DCC73E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79167bd067fffb800ffed5436ccd5c34c527ee562cc3c51285dab56ac38050d1
Instruction ID: 906744a0889d225d561ae34f74e04a56d2c40c25e11723cad44a87251eab94fe
Opcode Fuzzy Hash: 79167bd067fffb800ffed5436ccd5c34c527ee562cc3c51285dab56ac38050d1
Instruction Fuzzy Hash: 4DF01C30529211CFC724CB24CA486687B76BB0A206F9155DEE16F5B2B1CB31DD81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05DCFDD8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eafac2cc429f7920feeb8c0113dac9766ec1cba023dfba3d5f03d9fbed83bb
Instruction ID: 6dea92164f187f14f9dc251f357c29c33f9f3a75d31371cf0f00d8215652a8b3
Opcode Fuzzy Hash: e8eafac2cc429f7920feeb8c0113dac9766ec1cba023dfba3d5f03d9fbed83bb
Instruction Fuzzy Hash: EFF01534E0520CEFCB54EFA8D94569DBBB5EB88301F00C0AAA808A7350DA305A54DB81

Uniqueness

Uniqueness Score: -1.00%

Function 05DCE8E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506d6bbec3f22f571af2c671700d5e52e9c08713e50593b230be01d023e3c5cc
Instruction ID: 4ead66d3c9c99a30ef210d96de67ce9d42a6d180ccc07a8132ed857d35af1077
Opcode Fuzzy Hash: 506d6bbec3f22f571af2c671700d5e52e9c08713e50593b230be01d023e3c5cc
Instruction Fuzzy Hash: 76E09BB0A55209CFC701EB98D5501EC7FFEEF443107045B17D42697795CB7098459F00

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCD1A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3af4733861578da7cf352e5123e90d18cb82b6629434a366cf03b97c36bdcfb
Instruction ID: 293540cf7b71bb2529f7756fbc4ad5e95c848752afdeb23388ba5adc8280291e
Opcode Fuzzy Hash: b3af4733861578da7cf352e5123e90d18cb82b6629434a366cf03b97c36bdcfb
Instruction Fuzzy Hash: B0E065B4E1010A8FDB00CFA1C58A6BEBFF9EB09301F109459E06AA2204CA344A82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DCC3DF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d720fbb12e36391795076462748ab9c55655749520169167643ac9eddd8328
Instruction ID: 02200c99a12fb26281241b7aa479c6952393683ebca4698db8985b5656bf6efd
Opcode Fuzzy Hash: 80d720fbb12e36391795076462748ab9c55655749520169167643ac9eddd8328
Instruction Fuzzy Hash: 29E0C230129250CFC315CB20CA58AA87B7ABF0A206F8258DEE04B5B262CB31DD85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05DCCF80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b515c7b4ee36e6e8358a08d161c7b345702924477e69e0ceeec4e69b3bda31aa
Instruction ID: 7bb8f4acd1b68e8065cd4c7bbb7ec4caa9cc6079536f5771bd6ea94f475bf6ff
Opcode Fuzzy Hash: b515c7b4ee36e6e8358a08d161c7b345702924477e69e0ceeec4e69b3bda31aa
Instruction Fuzzy Hash: B7E0C27080920CEFCB14DFE4E5155ADBFB4AB45302F1080ADF90957250CB305E84EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05DCB298 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b299d92ecbd02b351088559473df096deed04c94d35a1a957afd244c48fe80
Instruction ID: c79697f8e18a51cc7313a81094fa5c39fc79c647d3f6b409f028ce67c8c23c33
Opcode Fuzzy Hash: d1b299d92ecbd02b351088559473df096deed04c94d35a1a957afd244c48fe80
Instruction Fuzzy Hash: BEE01270D15208DFCB40DFF8D54669CBFF4AB04301F5041AEE80993350EE305A44DB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DCABF0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4495e86d89c425fbd1f7656a6b39edd2612cf1afcf104c7821c64584df6a8e3
Instruction ID: 91defc83fa0a6fa21d632309aa5cc2c66dc6394cef8d95046e5c771ac358c29a
Opcode Fuzzy Hash: a4495e86d89c425fbd1f7656a6b39edd2612cf1afcf104c7821c64584df6a8e3
Instruction Fuzzy Hash: D7D05E30A46208CFCB10CB24E9413E8BB76EB85210F4001E6D10C92111D7315ECA8F01

Uniqueness

Uniqueness Score: -1.00%

Function 05DCC608 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5cba97bb8e4c06c8951f45d5e1f0c31c5f6ffaf8cc267ffba168a3fbaba84d
Instruction ID: 78e4dc57ef69923ab4c60b3fd0ce145bd46a01f4a78b2ce1d56409c39f166917
Opcode Fuzzy Hash: 9b5cba97bb8e4c06c8951f45d5e1f0c31c5f6ffaf8cc267ffba168a3fbaba84d
Instruction Fuzzy Hash: 0DD05E3002C201CFC700CF20C9596643B75BF0B246B8114DAE44F5F162CB719C44CF20

Uniqueness

Uniqueness Score: -1.00%

Function 05DCA8E8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e43d58bb58d89998365cfd84fad58d183cbd1d5091bb1d6e375b60eba7c12df
Instruction ID: bdd385ee6a1a0f167c5e4f083556d2d0f61d9895051e0a4a34267eafe45afb34
Opcode Fuzzy Hash: 0e43d58bb58d89998365cfd84fad58d183cbd1d5091bb1d6e375b60eba7c12df
Instruction Fuzzy Hash: 29C08C3002930987C2106BD8F90E3283FA8AB00212F800018F00D014208E601488CA66

Uniqueness

Uniqueness Score: -1.00%

Function 05DC618C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bc6cac1a79c0975100fdf68920dacf5c88de82cc856c928d45ed64fc8b434f
Instruction ID: 09f9708cdd5c25357ea67e343f589b4d0cda78cf5eb4a22592c0f5091da80cc8
Opcode Fuzzy Hash: 41bc6cac1a79c0975100fdf68920dacf5c88de82cc856c928d45ed64fc8b434f
Instruction Fuzzy Hash: DEB012652D7102A2DC0167A94D8C83BDD11EFB3711B40CC5F734A430548431C4A8D63B

Uniqueness

Uniqueness Score: -1.00%

Function 05DC6197 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b08f753c70667db10712e186b83cf1f8c66e1b13755b557d5f62b67332cf0c
Instruction ID: 2a734dfdfcc79e50c4e45eff993e730466514bdbd5256a5ea2b9c48540cf4cc7
Opcode Fuzzy Hash: e6b08f753c70667db10712e186b83cf1f8c66e1b13755b557d5f62b67332cf0c
Instruction Fuzzy Hash: AAA0223A280202B0AC02A3A28C00C0AEC02EFB0B02B00C08FB38A020808032C030EB3B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05DC8218 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

[V~*, xrefs: 05DC84DD
[V~*, xrefs: 05DC84D6
]\`, xrefs: 05DC85FA
T+-q, xrefs: 05DC86B2

Memory Dump Source

Source File: 00000013.00000002.2148510060.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5dc0000_boqXv.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: c153e9ecbb4a1e273a57b87ab11a90a66538a47741fd7772676dc63517bbce01
Instruction ID: 238eb07a39772729e21c9fc435439cc48f26cbc6ab85b2fbebea42b597e5c480
Opcode Fuzzy Hash: c153e9ecbb4a1e273a57b87ab11a90a66538a47741fd7772676dc63517bbce01
Instruction Fuzzy Hash: 29318F70905606CBCB10CF78C854ABEFFB1EF45341F0485ABE4A6DB282D274D981D766

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: boqXv.exePID: 7100, Parent PID: 7044COMMON

Executed Functions

Function 01A09EA8 Relevance: 2.8, Instructions: 2824COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc6b014914eaa62739e7d0b87f9cbaeff890e7f9fd66eaa0d36db76b1e5ff9f
Instruction ID: b11df18f058e20f43996c869a9c6510ab6f8f9fccf74af50ff754ad3b502a83e
Opcode Fuzzy Hash: 9dc6b014914eaa62739e7d0b87f9cbaeff890e7f9fd66eaa0d36db76b1e5ff9f
Instruction Fuzzy Hash: D353F731D10B1A8ACB11EF68C890699F7B1FF99310F15D79AE4587B125FB70AAC4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A04200 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a70adf09277405d33cbbd99940902ad603badf2edc4a150a3b1f990c8263619
Instruction ID: 206d88031183e4bc19f22ed3099776b213714ef35e452c7344f11a24cb7e965c
Opcode Fuzzy Hash: 4a70adf09277405d33cbbd99940902ad603badf2edc4a150a3b1f990c8263619
Instruction Fuzzy Hash: 90B13C70E00209CFDB15CFA9E9857AEBBF2BF8C314F148129D915EB294EB759845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A04AD0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3cd3e20b0cdcc992a52f8229b8a91e83d4dfb9885c3db771adf13889c8d461
Instruction ID: a156a8784bf4ff40c972118c7ff0e219bfe5040e5d033bf49fa5888d4ba3e183
Opcode Fuzzy Hash: 1a3cd3e20b0cdcc992a52f8229b8a91e83d4dfb9885c3db771adf13889c8d461
Instruction Fuzzy Hash: 5BB16E70E00209CFDB15CFA9E9917EDBBF2BF88314F148529D915EB294EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A03EB8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a50edbe9b3f02e87a86ddcff58ec2c01565d5125d4e43e472a61d3414988e8
Instruction ID: d8f1e78f5c7b5219dbb93206c1a7fe1a80503f2b16b1a66eb4e9a9692c39a0ce
Opcode Fuzzy Hash: f8a50edbe9b3f02e87a86ddcff58ec2c01565d5125d4e43e472a61d3414988e8
Instruction Fuzzy Hash: 1D914A70E00309DFDF15CFA9D98179EBBF2BF88314F148129E515AB294EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A0F66D Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHkq, xrefs: 01A0F7BB

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: aabaedb9859491b49e33ca4f856dbddbc8189b4f012e0e4aebec2cd5112a5ad5
Instruction ID: 2180bc336e1ed3762a63f2bd75e73f92c8f69597eb69ead4320b5eb7d632cb57
Opcode Fuzzy Hash: aabaedb9859491b49e33ca4f856dbddbc8189b4f012e0e4aebec2cd5112a5ad5
Instruction Fuzzy Hash: 7831F330B002018FDB269B34EA5466E7BB7AF88310F144569D406EB399DF39DC45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A072E0 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRkq, xrefs: 01A0735D

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 42e0c18d94ca14e821c2def8d86a3d99d487a12c0fa653e09b122562ccea934f
Instruction ID: 830a26d39e27bf2e8382af5bb9c8262e3192174cede3c9407347a558b1cd0f49
Opcode Fuzzy Hash: 42e0c18d94ca14e821c2def8d86a3d99d487a12c0fa653e09b122562ccea934f
Instruction Fuzzy Hash: D4314130E10256DFEB26CFA8E55279EB7B1FF45300F208529E801EB295E775A942CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01A072F0 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRkq, xrefs: 01A0735D

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 3169ded3d6420ce0238f55029f7ba58dbd01de5c76ff5b5d2e27087536ddea87
Instruction ID: 304f6da01e703870f5d8aa8bfc4f1904c39da485684e49447745d6f162b1365c
Opcode Fuzzy Hash: 3169ded3d6420ce0238f55029f7ba58dbd01de5c76ff5b5d2e27087536ddea87
Instruction Fuzzy Hash: 8D317230E10209DFEB26CFA8E45179EB7B6FF85310F208529E805EB291DB75A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A06BBF Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

LRkq, xrefs: 01A06C07

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 163bdaf15973aff4e309efbf51152e4da1eb7a78fd4ea187adfd00bf442173b3
Instruction ID: abf157576b06c1228f7bfdb5d23f994da89017f87daeb458f33a7d292a6b2525
Opcode Fuzzy Hash: 163bdaf15973aff4e309efbf51152e4da1eb7a78fd4ea187adfd00bf442173b3
Instruction Fuzzy Hash: 1921F4317042418FC716EF38D8906AE7BF6FF9A310B1444AAD045CB3A9EB399C45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A08501 Relevance: .9, Instructions: 939COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4708a34558c458428743c4c6f16a3a656f89e8c7b7bf6db9a5ac3895e1675c25
Instruction ID: 1bb9e88217694a533e2b61631b46e88e012b9e0bec7d7c187b3184d5e077e24d
Opcode Fuzzy Hash: 4708a34558c458428743c4c6f16a3a656f89e8c7b7bf6db9a5ac3895e1675c25
Instruction Fuzzy Hash: 26822C34B001158FC755DB28EA90A7EB7BAFB8D710F1094AAD80697354DE39BC82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01A08510 Relevance: .9, Instructions: 934COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19821558d938067cbad3d624827b4b3e106664455972f35dd3fa114737c347c0
Instruction ID: 0cf467810f8c2adf089f23d66fc0e05a48be70e26f5600f25a7fbd62ae5e50e2
Opcode Fuzzy Hash: 19821558d938067cbad3d624827b4b3e106664455972f35dd3fa114737c347c0
Instruction Fuzzy Hash: D6822C34B001158FC755DB28EA90A7EB7BAFB8D710F1094AAD80697354DE39BC82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01A07C81 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b463a924f9294960f0ba455ab5780e7f501ae7f6491bf21812dcabf82ee5e324
Instruction ID: 90af063adc1a2ec12334466f20dc605e8020fd86687736174924d9908ad40cba
Opcode Fuzzy Hash: b463a924f9294960f0ba455ab5780e7f501ae7f6491bf21812dcabf82ee5e324
Instruction Fuzzy Hash: 0A1253317002068FCB16AB68F86422D76A6FB89361F245579D006CB359CF79EC87CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A09A58 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542227ae0ea370872df2d15236d72d4a7d9263676e3816f1d872cdf917c38f8c
Instruction ID: c6020e89d22c09cae8d3d8f432bfe15b9db6837a1fbc80fb6ce5a988dcd7fa62
Opcode Fuzzy Hash: 542227ae0ea370872df2d15236d72d4a7d9263676e3816f1d872cdf917c38f8c
Instruction Fuzzy Hash: 13D1BD70A002058FDB11DF68E9807AEBBB6FF89314F24856AE509DB396DB30DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A096DC Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5739c424a33bc3c5268ea5e3652b4af8de519e9375dfd941642373434412270f
Instruction ID: 2645a39cd7b33f76be54ed369a90fe9fda6ec2f168e580a2c39f4dea11b1518f
Opcode Fuzzy Hash: 5739c424a33bc3c5268ea5e3652b4af8de519e9375dfd941642373434412270f
Instruction Fuzzy Hash: 5EB18134A001058FDB15DF68E944AAEBBF2FF88314F248569E909D73A6DB35EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A041F6 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae061b90817b622966b00f7ec6b374a6b41233ef1478dedb9ad7615205b754dd
Instruction ID: d06e224c5330fa20a59376cb051be47fc1c38ca8db47c55d84fb77e4362649cf
Opcode Fuzzy Hash: ae061b90817b622966b00f7ec6b374a6b41233ef1478dedb9ad7615205b754dd
Instruction Fuzzy Hash: 09B14BB0E00219CFDB11CFA9E9857AEBBF2BF8C314F148129D915E7294EB759845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A04AC4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7518605c71e9a88b09832869a884b472c65ed6945913856b4262ef403faabc19
Instruction ID: c67b9e577fe915b6b52c6bb15409d89f5c3ced9e28077508c1c3941d3fc96550
Opcode Fuzzy Hash: 7518605c71e9a88b09832869a884b472c65ed6945913856b4262ef403faabc19
Instruction Fuzzy Hash: 85B16DB0E00209CFDB11CFA9E9857EDBBF1BF88314F148129D915EB294EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A03EAC Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772fcb445916c9c161f79f2d5c21eaef2e3a56f15a29a0c07c0046cc1136599f
Instruction ID: 2c44ab8573847b5e02c96d3fb6d69cd3a69452f6160a46692a664be612578b84
Opcode Fuzzy Hash: 772fcb445916c9c161f79f2d5c21eaef2e3a56f15a29a0c07c0046cc1136599f
Instruction Fuzzy Hash: 3CA15A70E00309DFDB11CFA9D9817DEBBF1BF88314F148129E515AB294EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A07067 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e8b7fb1d6c3aa8e97909f61f1e3326d915726e6e4c2aa46d0aa6e85c877817
Instruction ID: a2d5e219fec9435ed54929164eb94e098918caae922e15951b01bc8097af51c7
Opcode Fuzzy Hash: d9e8b7fb1d6c3aa8e97909f61f1e3326d915726e6e4c2aa46d0aa6e85c877817
Instruction Fuzzy Hash: 3161C134B003428BDB16EBB4EA5077E77A6EB88304F149129D8458B3D5DF39EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A0483E Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b061d3d62b9f4792efeb46b54d36de28f01cd9ad793f9c4756122f9a04b4af
Instruction ID: 421893a7194389f796d0cafe2977c9846996e621efbd5d807fc07f595a8e8472
Opcode Fuzzy Hash: f7b061d3d62b9f4792efeb46b54d36de28f01cd9ad793f9c4756122f9a04b4af
Instruction Fuzzy Hash: C87159B0E00219DFDB11DFA9D9807DEBBF1BF88354F148129E914E72A4EB749881CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A04848 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c55f7efa473ce134ea23b6d0aac6ddaaa69b4327eb311e9237caca843c4eba1
Instruction ID: 3dd3a8a6b57ed574a1357dfd4cbe538515e5743dfc5782441b7906fee0a3465c
Opcode Fuzzy Hash: 7c55f7efa473ce134ea23b6d0aac6ddaaa69b4327eb311e9237caca843c4eba1
Instruction Fuzzy Hash: 35717AB0E00209CFDF15CFA9D98079EBBF2BF88354F148129E514E7294EB749881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A06D12 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e6dea7aefe6ec90f4e9dc0f7564c278f92650ec9926263858b38895a558254
Instruction ID: d9c456c60084098390197a2663c28bab59c5af3470fcb240224e500139c9f572
Opcode Fuzzy Hash: f1e6dea7aefe6ec90f4e9dc0f7564c278f92650ec9926263858b38895a558254
Instruction Fuzzy Hash: FC5101B0D002288FDB19CFA9D884BDDBBB1BF48314F148129E819AB3A4D7749884CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01A06D18 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc2defdf0584c850d39be0798e022560ad24d9d0a2fd4c86a79ca2b41f5af89
Instruction ID: 199523589f4f355431ddadf44d4c50aee60fb1e13442809a3d8ce199ccc34384
Opcode Fuzzy Hash: 2dc2defdf0584c850d39be0798e022560ad24d9d0a2fd4c86a79ca2b41f5af89
Instruction Fuzzy Hash: 555103B0D006188FDB19CFA9D884B9DBBF1BF48314F148519E819BB3A4D7749884CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01A02714 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e55da8bad190d3d0f94628c6a7c0fafefd445bae4d8862ef88bca1397c742b1
Instruction ID: 40d9023b1d588652b06caf62f2a9e41bb893385b846e17d8ebd5a8e2457ce900
Opcode Fuzzy Hash: 8e55da8bad190d3d0f94628c6a7c0fafefd445bae4d8862ef88bca1397c742b1
Instruction Fuzzy Hash: 0F51F0B1D00349CFDB14DFA9D884BDEBFF5AF48314F24842AE419AB254DB74A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A01132 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c2340c55dbbf2fafd958ba86e3835dfad235c63d0c2968cdacfb3d23791594
Instruction ID: 2aa51c0f37931259849b53a0630155b1729d999daff6be5166a0897f9c0dd7e2
Opcode Fuzzy Hash: 30c2340c55dbbf2fafd958ba86e3835dfad235c63d0c2968cdacfb3d23791594
Instruction Fuzzy Hash: 8B519831A516458FC715DF28FE809AA7F69F79A304F04A1A9D4044B33ADE78BD49CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01A01138 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73038ddaef03e7ad7dbf7cf57081dd36027749c683b7e8278bd8d45f37de1b09
Instruction ID: 90cbc3a8160dc6dfa453316ca2e2e00e8ee0ad77a7749884cac7a617ae8f845f
Opcode Fuzzy Hash: 73038ddaef03e7ad7dbf7cf57081dd36027749c683b7e8278bd8d45f37de1b09
Instruction Fuzzy Hash: 38519531A516458FC715DF28FE8096A7F69F79A304F00A1A9D4044B33ADE78BD89CF82

Uniqueness

Uniqueness Score: -1.00%

Function 01A0F53E Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54d470d2de08816161aa93ea6dd7e18807c43362d583acef301554951a2513e
Instruction ID: ec9cb07e2ca5a4d0abf4f58d120e1600062b43cc9103bc3b36864d13c2af12bd
Opcode Fuzzy Hash: d54d470d2de08816161aa93ea6dd7e18807c43362d583acef301554951a2513e
Instruction Fuzzy Hash: D2314D34E102099FCB16CF78D955A9EBBB6EF89300F108529E816E7390EB71ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A050D0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5f95f5437131ee619b87efecce7f1661dd57b98571250ec22e4165283831ae
Instruction ID: 2284aa070f475f14605518a5771d9559d22efd9ece74d892dca154db8ad2bd25
Opcode Fuzzy Hash: db5f95f5437131ee619b87efecce7f1661dd57b98571250ec22e4165283831ae
Instruction Fuzzy Hash: 5B31FB34B00315CFDB1AEB68E6546AE77B5AF48344F1004A8D902AB3A5EB3ADD11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A0F540 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4837d958a3d485c1c9a3e9be124232f10424b42c36ebaf4b6aed9fe16a25c45c
Instruction ID: 27c9f16d08aabca862cb7af153d31ae1082d9b6c29d25482fc1712a73737dd42
Opcode Fuzzy Hash: 4837d958a3d485c1c9a3e9be124232f10424b42c36ebaf4b6aed9fe16a25c45c
Instruction Fuzzy Hash: 9F314D34E102099FCB16CF78D955A9EBBB6EF89300F108529E816E7390DB71ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A02720 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc755d24e5120839865f85be1087c244d33df1ed637ac6a16661ddb39502f3be
Instruction ID: 27d9a1254dc890efce928204c215640fbdffe0384ec806850cc030f6f3f279f5
Opcode Fuzzy Hash: bc755d24e5120839865f85be1087c244d33df1ed637ac6a16661ddb39502f3be
Instruction Fuzzy Hash: F641EFB0D00349DFDB14DFA9C584ADEBFB5FF48310F10842AE809AB264DB75A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A050E0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd9c261952e1ce87567936b24a1f0e05f84ba8bed36b53536233322f73e16ba
Instruction ID: e6e67c0e4b2a9eb72d09af3ac7487fc672ddeeace3b67a0bf30dc51efbaeafe9
Opcode Fuzzy Hash: ebd9c261952e1ce87567936b24a1f0e05f84ba8bed36b53536233322f73e16ba
Instruction Fuzzy Hash: 8131FA34B04315CFDB1AEB78E6546AE77B6AF48344F1004A8D501AB3A5EF3ADD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A095C7 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c2e0ab83034ce641afdef68063bb0d320c1d2e6dd3ef971942673b075f21f1
Instruction ID: 100ce16116a7ac39f679bb5f7f5e3a4a1ef670d826164d2f7f1cb37c9918dcd7
Opcode Fuzzy Hash: c3c2e0ab83034ce641afdef68063bb0d320c1d2e6dd3ef971942673b075f21f1
Instruction Fuzzy Hash: 2F319531E102099BDB16CF64E99069EF7B2FF85304F14C519E815AB392DB71ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A01390 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2ba7c20b0f7589830fadb042a9538d9dba563481f162a6d2d9bf4ebb733bbb
Instruction ID: 3aeb5062f0f2b1201dda91e05bd78b50856c48cd490fab14e1196d70aee5c57e
Opcode Fuzzy Hash: 5e2ba7c20b0f7589830fadb042a9538d9dba563481f162a6d2d9bf4ebb733bbb
Instruction Fuzzy Hash: 8021B375A102018BEB33576CF4887BD3B65E746319F150869E50AC73EADA29C886CB53

Uniqueness

Uniqueness Score: -1.00%

Function 01A095D8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63b0d112d95fe4eb3c80de3774706b3fe9ac0e923bc854d223ce011f22a08c4
Instruction ID: 68ced38dc13dd4c844d4addf8e1ca7b777d8721804f4fcb6b6b397fc649498c5
Opcode Fuzzy Hash: c63b0d112d95fe4eb3c80de3774706b3fe9ac0e923bc854d223ce011f22a08c4
Instruction Fuzzy Hash: 71218530E102099BDB16CF69D95069EF7B6FF85304F108619E819AB391DB71AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A016D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db64d6d6d63e023b6eeba7560e5dda07638aed29c1adf8c7bd688ac16ccf0afe
Instruction ID: e5ba38a610209092a3470545d840c2c339818d46fb4866828be74ce18973bec0
Opcode Fuzzy Hash: db64d6d6d63e023b6eeba7560e5dda07638aed29c1adf8c7bd688ac16ccf0afe
Instruction Fuzzy Hash: 5B2133346402015FDF22DB7CF984BA9776AEB49314F109565D406C72AADB38EC858F91

Uniqueness

Uniqueness Score: -1.00%

Function 01A094C9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6337b2b36332e9808a6b1e772b582af146730036c6aae2702daf7fbbb4d1c58b
Instruction ID: 5abb127bb87d59eca5c8159fd7c80cfeb5e6d3d04a969d02a62cb409065eb4d3
Opcode Fuzzy Hash: 6337b2b36332e9808a6b1e772b582af146730036c6aae2702daf7fbbb4d1c58b
Instruction Fuzzy Hash: D921B231E106169BCB1ACF79D5509EEB7B2AF88304F10852AE815BB381DB72A846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A04FC0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615b8bb6e66b3918c547b1b14d2b4582268437177da885faef458c86976ba169
Instruction ID: 8e91f12924b9fd9efb84a7f57577f1e3da8c6eb287bbf71e9b585b9fc36d7a60
Opcode Fuzzy Hash: 615b8bb6e66b3918c547b1b14d2b4582268437177da885faef458c86976ba169
Instruction Fuzzy Hash: 5A210834A00205CFDB55DF78DA59AAEBBF1BB48314B1040A8E406EB3A4EB369D00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0162D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3099872265.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_162d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c003282e1f2d0dd80ad5520ca7e4b637c547f16e3b63418ce0eda8ee988e61f6
Instruction ID: ab1138f42ce02dcc843d9233ffc2b8814c2e237a9a65abe95ab298f71549c17a
Opcode Fuzzy Hash: c003282e1f2d0dd80ad5520ca7e4b637c547f16e3b63418ce0eda8ee988e61f6
Instruction Fuzzy Hash: CC212271604640DFCB15DF58D984B26BFA5EB84314F20C56DD90A4B3A6C33AD447CA61

Uniqueness

Uniqueness Score: -1.00%

Function 01A018B2 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa340f50c310b31ed6753be74d4f6f2161d5ddfc6f6231de2a64ec6111fd2d7a
Instruction ID: 812300aa91a40d586e132838a843bfaf1bca07c03b37cfdcd7d69cef619813f9
Opcode Fuzzy Hash: aa340f50c310b31ed6753be74d4f6f2161d5ddfc6f6231de2a64ec6111fd2d7a
Instruction Fuzzy Hash: EC213934B00206CFDB26EB78D6556EE77F6AF88344F1004A8D506EB2A0EB36DD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A094D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c58d9b4035a71e9cd5cf42e5b61a1565c56603abbdb4a5de57f1a9e4550ff65
Instruction ID: 376bec3f17ff6a864dd629c011b73446e20a55b232ef9e1c4df4655edf2c1bf1
Opcode Fuzzy Hash: 9c58d9b4035a71e9cd5cf42e5b61a1565c56603abbdb4a5de57f1a9e4550ff65
Instruction Fuzzy Hash: BD21B331E102099BCB1ACF79D55099FB7B6AF89304F10852AE815BB381DB71E846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A018C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f160b3c58cf89cb750d61605761b68ef071f9d6b15823250d1e9da4b7fffb413
Instruction ID: 2888e91895677866634ba2a9d8a3dfd148d9328e5b5269a5534380d483717b29
Opcode Fuzzy Hash: f160b3c58cf89cb750d61605761b68ef071f9d6b15823250d1e9da4b7fffb413
Instruction Fuzzy Hash: 3C212834B00209CFDB16EB68D6546AE77F6AF89345F100468D506EB3A0EF3ADD00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A016E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fcbd8575608f361a4a471c4f3e03d1602da1855963258fbe4b4a2a61c96d0d
Instruction ID: 9d0caa0061821988b2cbc843d260dcc14f5537b829127268ba2786ac99089e47
Opcode Fuzzy Hash: 40fcbd8575608f361a4a471c4f3e03d1602da1855963258fbe4b4a2a61c96d0d
Instruction Fuzzy Hash: 5F2112346402015FDF22DB6CF984BA9775EEB49314F109A25D406C72AAEB38EC858F95

Uniqueness

Uniqueness Score: -1.00%

Function 01A04FD0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5282a22edd8e8c69be29a17caedbff2aaf69a1afbe60d23259a1b5ef6c7c0e8
Instruction ID: a8b062ea4a88ccdb773a00e6ad888464cde8e13744ccfa53a6eb8b0f5ede4f55
Opcode Fuzzy Hash: c5282a22edd8e8c69be29a17caedbff2aaf69a1afbe60d23259a1b5ef6c7c0e8
Instruction Fuzzy Hash: AB21EA34B00205CFDB15DF79DA58AAE77F5AB4D715F1000A8E506E73A5EB369D00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A06FA8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67a07e5170042356bd54454db6c4c2fafad028c3f0c4b6d89e8ecabea714905
Instruction ID: ed377d6cba8c645d9d7ab39091156dd568b57529f114b74ac8dcfb66acc47182
Opcode Fuzzy Hash: f67a07e5170042356bd54454db6c4c2fafad028c3f0c4b6d89e8ecabea714905
Instruction Fuzzy Hash: 9A11EB30F001055BDB11DFB8A9543AF7BE5EB84324F10467AD519C72C5EE35D8A58391

Uniqueness

Uniqueness Score: -1.00%

Function 01A00838 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a371f06484ed6361dfb49402b91f0e91af57817174bea10b9fd82698b55987
Instruction ID: 01f13ecfe7889f499901a45f27d16d3a57580aed3822f9cab3ded5f9f6928cc9
Opcode Fuzzy Hash: 55a371f06484ed6361dfb49402b91f0e91af57817174bea10b9fd82698b55987
Instruction Fuzzy Hash: 23110A30B002049BDF235B7DEA4077A7795FB46390F248879F406CB2C2DA65DD498BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0162D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3099872265.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_162d000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995076d28e6cbf9d56210751b886dd444712b1a07e56f810627d061fcfa87cc9
Instruction ID: 5e77b2dbb058a571666f14fe68b3f50dc1c88665967f026a6ae0d597f237629b
Opcode Fuzzy Hash: 995076d28e6cbf9d56210751b886dd444712b1a07e56f810627d061fcfa87cc9
Instruction Fuzzy Hash: 0E2180755087809FCB02CF64D994B11BF71EB46314F28C5DAD8498F2A7C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 01A014C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb4b899368bfc6c1f96b9c5d404f4026be1f0dbd6a8b2c6f44e61749cd8bd29
Instruction ID: 645127e071ca1b8b1541f74e3195486f857ee0b70e9613b648eef55c346a746d
Opcode Fuzzy Hash: eeb4b899368bfc6c1f96b9c5d404f4026be1f0dbd6a8b2c6f44e61749cd8bd29
Instruction Fuzzy Hash: B6119D71E013158FCB22EFB8E5516ED7BF1AF59310B194479D806EB281E732D8428B91

Uniqueness

Uniqueness Score: -1.00%

Function 01A00848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110a8b71dd993f603b6d5c950d2bd404a61e61af28586ab6f73a7d4956315e56
Instruction ID: 705ead5ecf67f9b944e4bce25856c88f09ae67d123868e9f4dedffffbbdef4ff
Opcode Fuzzy Hash: 110a8b71dd993f603b6d5c950d2bd404a61e61af28586ab6f73a7d4956315e56
Instruction Fuzzy Hash: 2A11C130B002049BEF276B7CEA4477E7695FB45390F218979F006DB392DA61DE898BC1

Uniqueness

Uniqueness Score: -1.00%

Function 01A017F8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ac51e212e499e3993749fc9ec5e6e6fc94eb1a7d9265284688ca4b3db36235
Instruction ID: 2715afb327b42f0df9a6198b3150b4f6c2207db8a0741f5897fb967fb5ebba4f
Opcode Fuzzy Hash: 29ac51e212e499e3993749fc9ec5e6e6fc94eb1a7d9265284688ca4b3db36235
Instruction Fuzzy Hash: EC11B27AE003019FCB239B78A9046AE7BEAEB88310B154565D905D3255F638DE068B91

Uniqueness

Uniqueness Score: -1.00%

Function 01A014D0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a68d554aeeb4b50a7554b7542171fb33f61b9bbf3c00f351e025fe759fbdbad
Instruction ID: 5beef829087a6777839d5e0238f7bf882621479b6ff36fa9e277a0fa15cf8428
Opcode Fuzzy Hash: 0a68d554aeeb4b50a7554b7542171fb33f61b9bbf3c00f351e025fe759fbdbad
Instruction Fuzzy Hash: A4018031E012158FCF22EFBCA5506ED7BF5EB58354B140479E806EB381E732D8418B91

Uniqueness

Uniqueness Score: -1.00%

Function 01A08469 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2faf29ceeea151c1c2b0b3937730e23d7e66ddd9c3d78daa566ff29132e18ffe
Instruction ID: cfbf8c1a4ffd8395278b3970c6949123291a91e81ea409ea5cc4cc70331dcd6a
Opcode Fuzzy Hash: 2faf29ceeea151c1c2b0b3937730e23d7e66ddd9c3d78daa566ff29132e18ffe
Instruction Fuzzy Hash: 8801443094124ADFCB04EFB8EA8199DBBB6EF45300F5095E9C4059B268EB35BE48CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01A0155C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ea8e63769109fa0ac27d978e421d0789afd47c045c9ca8755b8461400c5610
Instruction ID: e9d3be44f758cdc26051dde970cdbd96587a7470da8550a9c8942f94a8e1b7eb
Opcode Fuzzy Hash: 64ea8e63769109fa0ac27d978e421d0789afd47c045c9ca8755b8461400c5610
Instruction Fuzzy Hash: 21F0F633E042508BDB138BB8A5902ECBFB0EA5935171D4096D907DF291D336E846C751

Uniqueness

Uniqueness Score: -1.00%

Function 01A07408 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e619d6d9737ea6ca512e70e66b653c2053293d844a490d5c5db5c3996fe4eac6
Instruction ID: 46efa002323d6d8ca59f56f74dcc47d19908bf1291783497e4d91d82265fcf23
Opcode Fuzzy Hash: e619d6d9737ea6ca512e70e66b653c2053293d844a490d5c5db5c3996fe4eac6
Instruction Fuzzy Hash: A9F0B239B00214CFCB14DB74D698A6D77B2EF88711F1140A8E5069B3B8DB35AD42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01A08478 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3104131536.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1a00000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b25a61f442ff283f17c9e66f344ebac964533d86de7f7daea4e8236bfae0a8e
Instruction ID: a275b75ce335ba4053fee9fa6edc6c4cb053f3bb9a02f18ce5e498063c87bca4
Opcode Fuzzy Hash: 1b25a61f442ff283f17c9e66f344ebac964533d86de7f7daea4e8236bfae0a8e
Instruction Fuzzy Hash: 57F0F4709411099FCB04EFA8FA419ADBBBAEB44700F5096B8C40597368EF35BE44CB95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.PWSX-gen.32561.14552.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.PWSX-gen.32561.14552.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tiucdfZoOi.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ig3bnmw.fcy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1k2zn34i.jdo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_roccajcr.unl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_unusszsa.jub.ps1

C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp

C:\Users\user\AppData\Local\Temp\tmp6B88.tmp

C:\Users\user\AppData\Local\Temp\tmp97D8.tmp

C:\Users\user\AppData\Local\Temp\tmpB88F.tmp

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Windows Analysis Report
SecuriteInfo.com.PWSX-gen.32561.14552.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre