Edit tour

Windows Analysis Report
BKG#SGN2106728.PDF.exe

Overview

General Information

Sample name:	BKG#SGN2106728.PDF.exe
Analysis ID:	1427946
MD5:	ccdb29c0d8e287cad8644e0adfd56178
SHA1:	3b5534a7af776ec14a07dbe81cde5bdbb538dce8
SHA256:	cb06339a87bdd6284086a97545c32dc8a3eb3701c7642543e7c327d0539005f9
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

BKG#SGN2106728.PDF.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

powershell.exe (PID: 7036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7316 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 4996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7032 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BKG#SGN2106728.PDF.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

BKG#SGN2106728.PDF.exe (PID: 4348 cmdline: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

BKG#SGN2106728.PDF.exe (PID: 332 cmdline: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

eDnxmGWzJ.exe (PID: 7276 cmdline: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

schtasks.exe (PID: 7460 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6F75.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

eDnxmGWzJ.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

eDnxmGWzJ.exe (PID: 7524 cmdline: "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

BjTxJte.exe (PID: 7788 cmdline: "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

schtasks.exe (PID: 7928 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9D3C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BjTxJte.exe (PID: 7980 cmdline: "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

BjTxJte.exe (PID: 7988 cmdline: "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

BjTxJte.exe (PID: 7996 cmdline: "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

BjTxJte.exe (PID: 8172 cmdline: "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

schtasks.exe (PID: 5480 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBC2E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BjTxJte.exe (PID: 6180 cmdline: "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe" MD5: CCDB29C0D8E287CAD8644E0ADFD56178)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.flexwelltour.com", "Username": "info@flexwelltour.com", "Password": "w$5DC?c5"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001C.00000002.2933396914.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000002.2933396914.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001C.00000002.2933396914.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2932875412.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2932875412.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2932875412.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.2934216134.000000000347A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.2934216134.0000000003431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2934216134.0000000003431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.1983604428.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.1983604428.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1983604428.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BKG#SGN2106728.PDF.exe PID: 6768	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BKG#SGN2106728.PDF.exe PID: 6768	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BKG#SGN2106728.PDF.exe PID: 6768	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BKG#SGN2106728.PDF.exe PID: 332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BKG#SGN2106728.PDF.exe PID: 332	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: eDnxmGWzJ.exe PID: 7276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eDnxmGWzJ.exe PID: 7276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: eDnxmGWzJ.exe PID: 7276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: eDnxmGWzJ.exe PID: 7524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eDnxmGWzJ.exe PID: 7524	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BjTxJte.exe PID: 7788	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BjTxJte.exe PID: 7996	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BjTxJte.exe PID: 7996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BjTxJte.exe PID: 8172	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BjTxJte.exe PID: 6180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BjTxJte.exe PID: 6180	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33b7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33bee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33c78:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d0a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33d74:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33de6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33e7c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f0c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.eDnxmGWzJ.exe.399fde0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.eDnxmGWzJ.exe.399fde0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.eDnxmGWzJ.exe.399fde0.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31d7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31dee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31e78:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31f0a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31f74:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31fe6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3207c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3210c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.BKG#SGN2106728.PDF.exe.4acc780.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4acc780.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4acc780.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31d7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31dee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31e78:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31f0a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31f74:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31fe6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3207c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3210c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31d7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31dee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31e78:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31f0a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31f74:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31fe6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3207c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3210c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33b7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eb9c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33bee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ec0e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33c78:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ec98:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d0a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ed2a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33d74:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ed94:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33de6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ee06:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33e7c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ee9c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f0c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ef2c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xd9d9c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x114dbc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xd9e0e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x114e2e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xd9e98:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x114eb8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xd9f2a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x114f4a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xd9f94:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x114fb4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xda006:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x115026:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xda09c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1150bc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xda12c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x11514c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.eDnxmGWzJ.exe.399fde0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.eDnxmGWzJ.exe.399fde0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.eDnxmGWzJ.exe.399fde0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33b7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eb9c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33bee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ec0e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33c78:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ec98:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d0a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ed2a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33d74:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ed94:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33de6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ee06:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33e7c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ee9c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f0c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ef2c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x17ffbc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1bafdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x18002e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1bb04e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1800b8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1bb0d8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x18014a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1bb16a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1801b4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1bb1d4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x180226:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1bb246:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1802bc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1bb2dc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x18034c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x1bb36c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", CommandLine: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, NewProcessName: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, OriginalFileName: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", ProcessId: 6768, ProcessName: BKG#SGN2106728.PDF.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", ParentImage: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, ParentProcessId: 6768, ParentProcessName: BKG#SGN2106728.PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", ProcessId: 7036, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, ProcessId: 332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BjTxJte

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6F75.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6F75.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe, ParentImage: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe, ParentProcessId: 7276, ParentProcessName: eDnxmGWzJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6F75.tmp", ProcessId: 7460, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 94.199.200.238, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, Initiated: true, ProcessId: 332, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", ParentImage: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, ParentProcessId: 6768, ParentProcessName: BKG#SGN2106728.PDF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp", ProcessId: 7032, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", ParentImage: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, ParentProcessId: 6768, ParentProcessName: BKG#SGN2106728.PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", ProcessId: 7036, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe", ParentImage: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe, ParentProcessId: 6768, ParentProcessName: BKG#SGN2106728.PDF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp", ProcessId: 7032, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BKG#SGN2106728.PDF.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Avira: detection malicious, Label: HEUR/AGEN.1323731
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Avira: detection malicious, Label: HEUR/AGEN.1323731

Found malware configuration

Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.flexwelltour.com", "Username": "info@flexwelltour.com", "Password": "w$5DC?c5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Virustotal: Detection: 43%	Perma Link
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Virustotal: Detection: 43%	Perma Link

Multi AV Scanner detection for submitted file

Source: BKG#SGN2106728.PDF.exe	Virustotal: Detection: 43%			Perma Link
Source: BKG#SGN2106728.PDF.exe	ReversingLabs: Detection: 44%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: BKG#SGN2106728.PDF.exe

Joe Sandbox ML: detected

Source: BKG#SGN2106728.PDF.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: BKG#SGN2106728.PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 94.199.200.238:587

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 94.199.200.238:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.000000000347A000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://flexwelltour.com
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.000000000347A000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.flexwelltour.com
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2963874949.0000000006AE7000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.0000000001577000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1993408123.0000000006622000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2962504711.00000000069DE000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0L
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2963874949.0000000006AE7000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.0000000001577000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1993408123.0000000006622000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2962504711.00000000069DE000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1747954818.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.0000000003041000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000A.00000002.1809479007.00000000028D2000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.1921505605.00000000027A2000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.2003324584.000000000312B000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2985822507.0000000007F90000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2963874949.0000000006AE7000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.0000000001577000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1993408123.0000000006622000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001380000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BjTxJte.exe, 0000001C.00000002.2962504711.00000000069DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.len
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2985822507.0000000007F90000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2963874949.0000000006AE7000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.0000000001577000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1993408123.0000000006622000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001380000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.0000000003041000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.0000000003041000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.0000000003041000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49741 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, cPKWk.cs	.Net Code: O7h
Source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack, cPKWk.cs	.Net Code: O7h

Installs a global keyboard hook

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_071C80D8 GetKeyState,GetKeyState,GetKeyState,		15_2_071C80D8
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_071C80C8 GetKeyState,GetKeyState,GetKeyState,		15_2_071C80C8

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.eDnxmGWzJ.exe.399fde0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.eDnxmGWzJ.exe.399fde0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.BKG#SGN2106728.PDF.exe.5400000.4.raw.unpack, LoginForm.cs

Large array initialization: : array initializer size 33603

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: BKG#SGN2106728.PDF.exe

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_010E8430	0_2_010E8430
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_010E8811	0_2_010E8811
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_010E7000	0_2_010E7000
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_010E7340	0_2_010E7340
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_010E84D1	0_2_010E84D1
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_010E732E	0_2_010E732E
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_010E7878	0_2_010E7878
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_012A4758	0_2_012A4758
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_012A7178	0_2_012A7178
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_012A001E	0_2_012A001E
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_012A0040	0_2_012A0040
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_012A4749	0_2_012A4749
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_012A0918	0_2_012A0918
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_014A41F8	9_2_014A41F8
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_014AA998	9_2_014AA998
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_014AEB71	9_2_014AEB71
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_014A4AC8	9_2_014A4AC8
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_014A3EB0	9_2_014A3EB0
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_014AADF0	9_2_014AADF0
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D43468	9_2_06D43468
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D465C0	9_2_06D465C0
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D455A8	9_2_06D455A8
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D47D40	9_2_06D47D40
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D4B1F8	9_2_06D4B1F8
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D47660	9_2_06D47660
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D45CAB	9_2_06D45CAB
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D4E378	9_2_06D4E378
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D40040	9_2_06D40040
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06E32003	9_2_06E32003
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06E32008	9_2_06E32008
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06D40006	9_2_06D40006
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_01048422	10_2_01048422
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_01047000	10_2_01047000
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_01047340	10_2_01047340
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_010484D1	10_2_010484D1
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_0104732E	10_2_0104732E
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_01047878	10_2_01047878
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_010A395A	10_2_010A395A
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_010A0030	10_2_010A0030
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_010A0040	10_2_010A0040
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_010A63F0	10_2_010A63F0
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_010A0918	10_2_010A0918
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_010A39C5	10_2_010A39C5
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080A0468	10_2_080A0468
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080A0780	10_2_080A0780
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080A70B5	10_2_080A70B5
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080AE880	10_2_080AE880
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080AECB8	10_2_080AECB8
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080AE448	10_2_080AE448
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080A0458	10_2_080A0458
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080A0771	10_2_080A0771
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080A5CF0	10_2_080A5CF0
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080A5D00	10_2_080A5D00
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 10_2_080A16E8	10_2_080A16E8
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_018D41F8	15_2_018D41F8
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_018DA998	15_2_018DA998
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_018D4AC8	15_2_018D4AC8
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_018DADE2	15_2_018DADE2
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_018D3EB0	15_2_018D3EB0
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_018DEC59	15_2_018DEC59
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_06F13460	15_2_06F13460
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_06F17658	15_2_06F17658
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_06F10040	15_2_06F10040
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_06F10006	15_2_06F10006
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_07002002	15_2_07002002
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_07002008	15_2_07002008
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_071C5BD1	15_2_071C5BD1
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_071C07F4	15_2_071C07F4
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_071CDC38	15_2_071CDC38
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_071CDC28	15_2_071CDC28
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_00D98430	17_2_00D98430
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_00D98758	17_2_00D98758
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_00D97000	17_2_00D97000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_00D97340	17_2_00D97340
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_00D984D1	17_2_00D984D1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_00D9737A	17_2_00D9737A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_00D9732E	17_2_00D9732E
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_00D97878	17_2_00D97878
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_0489395A	17_2_0489395A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_04892091	17_2_04892091
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_04890007	17_2_04890007
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_04890040	17_2_04890040
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_048963F0	17_2_048963F0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_048939C5	17_2_048939C5
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_04890918	17_2_04890918
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_0549E448	17_2_0549E448
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_05490458	17_2_05490458
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_05490468	17_2_05490468
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_0549E42E	17_2_0549E42E
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_05490771	17_2_05490771
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_05490780	17_2_05490780
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_0549ECB8	17_2_0549ECB8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_0549E870	17_2_0549E870
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_0549E880	17_2_0549E880
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_0549B7A0	17_2_0549B7A0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_05495D00	17_2_05495D00
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_05495CF0	17_2_05495CF0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 17_2_05499BB2	17_2_05499BB2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_014641F8	22_2_014641F8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_0146EA60	22_2_0146EA60
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_01464AC8	22_2_01464AC8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_0146ACD0	22_2_0146ACD0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_01463EB0	22_2_01463EB0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AE3468	22_2_06AE3468
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AE55A8	22_2_06AE55A8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AE65C0	22_2_06AE65C0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AE7D40	22_2_06AE7D40
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AEB208	22_2_06AEB208
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AE7660	22_2_06AE7660
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AE5CC0	22_2_06AE5CC0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AEE378	22_2_06AEE378
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AE0040	22_2_06AE0040
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06BD1DC8	22_2_06BD1DC8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06BD1DC2	22_2_06BD1DC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06AE0006	22_2_06AE0006
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_02ED39D1	25_2_02ED39D1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_02ED6330	25_2_02ED6330
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_02ED0040	25_2_02ED0040
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_02ED0918	25_2_02ED0918
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_03098758	25_2_03098758
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_03098422	25_2_03098422
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_03097340	25_2_03097340
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_03097000	25_2_03097000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_030984D1	25_2_030984D1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_0309732E	25_2_0309732E
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_0309737A	25_2_0309737A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_03097878	25_2_03097878
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD0468	25_2_08AD0468
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD0780	25_2_08AD0780
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD70B5	25_2_08AD70B5
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08ADE880	25_2_08ADE880
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08ADECB8	25_2_08ADECB8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08ADE448	25_2_08ADE448
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD0458	25_2_08AD0458
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD0771	25_2_08AD0771
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD7942	25_2_08AD7942
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD7950	25_2_08AD7950
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD5CF0	25_2_08AD5CF0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD5D00	25_2_08AD5D00
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08ADF268	25_2_08ADF268
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD16E8	25_2_08AD16E8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_08AD16D9	25_2_08AD16D9
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_015EEA51	28_2_015EEA51
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_015E4AC8	28_2_015E4AC8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_015EACC2	28_2_015EACC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_015E3EB0	28_2_015E3EB0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_015E41F8	28_2_015E41F8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DA3468	28_2_06DA3468
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DA65C0	28_2_06DA65C0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DA55A8	28_2_06DA55A8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DA7D40	28_2_06DA7D40
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DAB1F8	28_2_06DAB1F8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DA7660	28_2_06DA7660
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DA5CAB	28_2_06DA5CAB
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DAE378	28_2_06DAE378
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DA0040	28_2_06DA0040
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06E91DC8	28_2_06E91DC8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06E91DC3	28_2_06E91DC3
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06DA0007	28_2_06DA0007

Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1747954818.0000000002CD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3a3d57e0-9612-4728-98de-585016f919fc.exe4 vs BKG#SGN2106728.PDF.exe
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1746563839.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BKG#SGN2106728.PDF.exe
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3a3d57e0-9612-4728-98de-585016f919fc.exe4 vs BKG#SGN2106728.PDF.exe
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1752259649.0000000005400000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs BKG#SGN2106728.PDF.exe
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs BKG#SGN2106728.PDF.exe
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3a3d57e0-9612-4728-98de-585016f919fc.exe4 vs BKG#SGN2106728.PDF.exe
Source: BKG#SGN2106728.PDF.exe, 00000000.00000002.1753765317.00000000088A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs BKG#SGN2106728.PDF.exe
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2927080035.0000000001138000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BKG#SGN2106728.PDF.exe
Source: BKG#SGN2106728.PDF.exe	Binary or memory string: OriginalFilenameHfcxg.exeT vs BKG#SGN2106728.PDF.exe

Source: BKG#SGN2106728.PDF.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.eDnxmGWzJ.exe.399fde0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.eDnxmGWzJ.exe.399fde0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: BKG#SGN2106728.PDF.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: eDnxmGWzJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: _0020.SetAccessControl
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: _0020.AddAccessRule
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: _0020.SetAccessControl
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: _0020.AddAccessRule
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, hbZNRJKn3pZuk9vCcl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, hbZNRJKn3pZuk9vCcl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: _0020.SetAccessControl
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, jltxWJLFOkrowWdHRa.cs	Security API names: _0020.AddAccessRule
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, hbZNRJKn3pZuk9vCcl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@41/20@2/2

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

File created: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Mutant created: \Sessions\1\BaseNamedObjects\dgxgXtThNJPtdK
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5779.tmp

Jump to behavior

Source: BKG#SGN2106728.PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BKG#SGN2106728.PDF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BKG#SGN2106728.PDF.exe	Virustotal: Detection: 43%
Source: BKG#SGN2106728.PDF.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

File read: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6F75.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process created: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process created: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9D3C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBC2E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6F75.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process created: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process created: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9D3C.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBC2E.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: BKG#SGN2106728.PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BKG#SGN2106728.PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, jltxWJLFOkrowWdHRa.cs	.Net Code: pcNqjD8lAw System.Reflection.Assembly.Load(byte[])
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, jltxWJLFOkrowWdHRa.cs	.Net Code: pcNqjD8lAw System.Reflection.Assembly.Load(byte[])
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, jltxWJLFOkrowWdHRa.cs	.Net Code: pcNqjD8lAw System.Reflection.Assembly.Load(byte[])
Source: 0.2.BKG#SGN2106728.PDF.exe.5400000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 0_2_012A1912 push ecx; ret	0_2_012A191C
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_014A0B4D push edi; ret	9_2_014A0CC2
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06E381BD push esp; iretd	9_2_06E381C5
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06E31698 pushfd ; ret	9_2_06E3169C
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Code function: 9_2_06E37580 push esp; iretd	9_2_06E37589
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_018D0B4D push edi; ret	15_2_018D0CC2
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_018D0C95 push edi; retf	15_2_018D0C3A
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_070081BD push esp; iretd	15_2_070081C5
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_07007590 push esp; iretd	15_2_07007599
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_070071C2 push es; ret	15_2_070071D0
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Code function: 15_2_071C4EF3 push dword ptr [ecx+ecx-75h]; iretd	15_2_071C4F03
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_0146A2A2 pushad ; ret	22_2_0146A2A9
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_01460C3D push edi; ret	22_2_01460CC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_01460C95 push edi; retf	22_2_01460C3A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06BD1653 push cs; retf	22_2_06BD165B
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06BD7350 push esp; iretd	22_2_06BD7359
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 22_2_06BD7F7D push esp; iretd	22_2_06BD7F85
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 25_2_02ED1912 push ecx; ret	25_2_02ED191C
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_015EA2A2 pushad ; ret	28_2_015EA2A9
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_015E0C3D push edi; ret	28_2_015E0CC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_015E0C95 push edi; retf	28_2_015E0C3A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06E91658 push cs; retf	28_2_06E9165B
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06E97350 push esp; iretd	28_2_06E97359
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Code function: 28_2_06E97F7D push esp; iretd	28_2_06E97F85

Source: BKG#SGN2106728.PDF.exe	Static PE information: section name: .text entropy: 7.962537044370944
Source: eDnxmGWzJ.exe.0.dr	Static PE information: section name: .text entropy: 7.962537044370944

Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, jwvBObYx4KVfbRPv8H.cs	High entropy of concatenated method names: 'dNitCBtyDX', 'LGxtKyc2Gf', 'DtStBGq7Dl', 'Kdrt0CgSW4', 'RxYtOuOUBA', 'aJNt4TKylH', 'ruLyIUVPrB4ueT7al4', 'TQppsVRICj7DY6vPLK', 'XNjtt2Uy2r', 'eU9tLcgiPM'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, O6JYRBbGpphBJ1wiTr.cs	High entropy of concatenated method names: 'aUYhEDxDLg', 'jkUhlEPtOR', 'KF3hnKYmbg', 'qlEhuWfPdf', 'gXEhOMMUeu', 'qGeh4gPbUF', 'RAAhsQnnWg', 'BbOhrhdd7v', 'TOJheUFipl', 'd4th5ed66k'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, uqb8829qSQEKSUUyX8.cs	High entropy of concatenated method names: 'rtWrkCm7DB', 'lP6rQhnIAF', 'LbBrNnnEVw', 'EuYrIBOX1r', 'iRDr7jdZVC', 'mnXrpxDqFf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, qFYK852BrT3Kkc2vmV.cs	High entropy of concatenated method names: 'ToString', 'zP04mHM7LT', 'Jtv4QDWxdF', 'yyK4NSxP4u', 'Lde4Ii4Bf0', 'TOr4pGF67I', 'RdY4xyfdl2', 'YiK4TMLoL9', 'Mbu4VmHe83', 'RHX4iL1328'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, jltxWJLFOkrowWdHRa.cs	High entropy of concatenated method names: 'seFLSBnOpc', 'QE9LZdSWex', 'bJoLvnWHk7', 'A0kLhD1IBT', 'P6PLaQOMmc', 'ENOL1Jh0eU', 'dtGLCl5PkZ', 'tDrLKnIP87', 'cCRLWJLpjg', 'ooxLBaYBH8'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, NrduLADURKlOmqWg36.cs	High entropy of concatenated method names: 'Dispose', 'dMltdwbRA3', 'SVqgQJoKWO', 'wTuJJWsrbE', 'j8qtMIh6J0', 'lT7tz3Jerk', 'ProcessDialogKey', 'Vn7gwqUXMi', 'jSZgtjOB2E', 'v1iggpDuKl'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, aglaL3SBeIfXbEHPr5.cs	High entropy of concatenated method names: 'yXyjD4ccT', 'rmIEgF0Lt', 'KvnlWhZ9v', 'MYg9jXo9Q', 'AoduPg6vq', 'aTJA2fql4', 'vfabRaTseTihmVIBbq', 'oqC9ECJ7jnFvOil5Y8', 'EcgowA4VcZUR6YVWVb', 'wJOr9GZBk'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, lsSq27I0hnIdfvPF4e.cs	High entropy of concatenated method names: 'GS4rZIyRch', 'krfrvMo2Vh', 'zcgrhuAU1d', 'E8gra6OC98', 'MHWr1Nt9K3', 'PFCrCv9ELL', 'TLTrKOkL8C', 'knJrWVXJvv', 'mQfrBBRdId', 'qYRr0dw2Jh'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, a6JHtZGdpnrIbdwyXv.cs	High entropy of concatenated method names: 'ViFet6IgGt', 'ExfeLAf10o', 'iqIeqd02sw', 'LwXeZDAcij', 'dBuevhFKOK', 'ufuea1s2Yn', 'bI0e1n1dkH', 'pCwrYGqcwX', 'eqTrffr0Jh', 'j6hrdy0lUf'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, IK1XrNJvr7PPm1j0MU.cs	High entropy of concatenated method names: 'LyUsfGYeW3', 'dXcsMSiTm6', 'Cb7rwVBCEb', 'G0drtoQdIw', 'woPsmJRtcK', 'J2WsXFjci4', 'kCasbnGPaV', 'Pbts7Fux4c', 'eM8scJxOuU', 'lgCsUgB5Gu'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, BdI41qFnRSKwjr8vRsn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Svq57XkBVw', 'Gf35cnPVvI', 'YUK5UeVrNG', 'CW85o2AK86', 'l2l5GLIyyM', 'tG452jZ1sY', 'vsJ5YkQVty'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, Knh1rZctAHXyTagCjl.cs	High entropy of concatenated method names: 'pwJCDuvOXY', 'V7VC6ZraL8', 'VQUCj1a4HL', 'XqoCETSHf1', 'TbwCP3iO7c', 'oDTClQYMK3', 'aXoC9ZW6fT', 'UwvCnafP8F', 'UtwCuxdeZb', 'seFCAQpgIv'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, BQ07W6faPBvr0ngALj.cs	High entropy of concatenated method names: 'GPx1Su0hbi', 'epd1vD3fbv', 'Ii21aL7h0G', 'vb41C8yrg5', 'cSX1KHZ5iX', 'YEaaGuNu4N', 'fkja2cuZKI', 'tVlaYSwTkW', 'i1fafgFgFS', 'ylrad0irmy'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, hbZNRJKn3pZuk9vCcl.cs	High entropy of concatenated method names: 'x4uv79T57D', 'MmjvcWuxcC', 'O66vU2FRJw', 'RwNvoKedMK', 'N7gvGhACcU', 'P6Mv2oxrXw', 'DnwvYjkEQy', 'YmhvfXTs1J', 'khavdUYoEm', 'wgYvMadjZ6'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, WHHN6qPHh8Gp7ChIm9.cs	High entropy of concatenated method names: 'PqbCZSZJeO', 'R5YChTqG27', 'Y4EC1H5Xgc', 'gOl1MntkaJ', 'bcS1z063qy', 'yR5CwajvHY', 'x5PCtPNV8N', 'Lb1Cgs6wGv', 'PCFCLGPFeU', 'UUGCqhuF7N'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, M2rrVhU3FjFAhrKFRP.cs	High entropy of concatenated method names: 'C3lsBYVfUZ', 'z8Vs0eDmTu', 'ToString', 'TlgsZ5c0eg', 'L4fsvXrPp0', 'wtesh7u6Rr', 'lonsak2A59', 'Db5s1fhOLX', 'jsIsCLlpL3', 'RPXsKp3rU2'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, i0WP6bFCToAWJjStbBE.cs	High entropy of concatenated method names: 'soPeDdAJ4U', 'kBOe6TZYNG', 'vT8ejZRa3Z', 's85eEItWvs', 'Uv0ePtWMGe', 'Hryelhb4BA', 'Gdle9Y7x2A', 'i4nen1cjPy', 'zKTeucFwIc', 'A5veAJxbb3'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, YKiqK78yXUtNKTP13r.cs	High entropy of concatenated method names: 'lvBO8IFhoK', 'BrUOXeDSph', 'jPxO71OQkR', 'jkfOcHEbeR', 'dZcOQK3dAq', 'tFCONLucdK', 'v5LOIuyiMu', 'cTbOpYu4y7', 'j9qOx53wkT', 'rmaOT9VkhZ'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, acsoXDaJfaCEw9XyjA.cs	High entropy of concatenated method names: 'dq9aPXxkoT', 'SRoa99nncq', 'qv5hN84FxZ', 'oeUhIBg5eC', 'CwGhpyTf4t', 'EdshxdVGK9', 'W3phTnVqKg', 'a6IhVRkTcY', 'Q2QhiD5Zjt', 'rQgh8ns60g'
Source: 0.2.BKG#SGN2106728.PDF.exe.88a0000.7.raw.unpack, p02NCl3dFf9aHThU9q.cs	High entropy of concatenated method names: 'Gbr3nuweOX', 'x2G3u5SUO5', 'cgd3kL46ly', 'lpZ3QJ00X1', 'Sxc3IZ8Vxe', 'gaH3pQi5bG', 'd6N3TSIogC', 'vgC3VyeswW', 'USG38SFwJW', 'pi23mpWesb'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, jwvBObYx4KVfbRPv8H.cs	High entropy of concatenated method names: 'dNitCBtyDX', 'LGxtKyc2Gf', 'DtStBGq7Dl', 'Kdrt0CgSW4', 'RxYtOuOUBA', 'aJNt4TKylH', 'ruLyIUVPrB4ueT7al4', 'TQppsVRICj7DY6vPLK', 'XNjtt2Uy2r', 'eU9tLcgiPM'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, O6JYRBbGpphBJ1wiTr.cs	High entropy of concatenated method names: 'aUYhEDxDLg', 'jkUhlEPtOR', 'KF3hnKYmbg', 'qlEhuWfPdf', 'gXEhOMMUeu', 'qGeh4gPbUF', 'RAAhsQnnWg', 'BbOhrhdd7v', 'TOJheUFipl', 'd4th5ed66k'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, uqb8829qSQEKSUUyX8.cs	High entropy of concatenated method names: 'rtWrkCm7DB', 'lP6rQhnIAF', 'LbBrNnnEVw', 'EuYrIBOX1r', 'iRDr7jdZVC', 'mnXrpxDqFf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, qFYK852BrT3Kkc2vmV.cs	High entropy of concatenated method names: 'ToString', 'zP04mHM7LT', 'Jtv4QDWxdF', 'yyK4NSxP4u', 'Lde4Ii4Bf0', 'TOr4pGF67I', 'RdY4xyfdl2', 'YiK4TMLoL9', 'Mbu4VmHe83', 'RHX4iL1328'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, jltxWJLFOkrowWdHRa.cs	High entropy of concatenated method names: 'seFLSBnOpc', 'QE9LZdSWex', 'bJoLvnWHk7', 'A0kLhD1IBT', 'P6PLaQOMmc', 'ENOL1Jh0eU', 'dtGLCl5PkZ', 'tDrLKnIP87', 'cCRLWJLpjg', 'ooxLBaYBH8'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, NrduLADURKlOmqWg36.cs	High entropy of concatenated method names: 'Dispose', 'dMltdwbRA3', 'SVqgQJoKWO', 'wTuJJWsrbE', 'j8qtMIh6J0', 'lT7tz3Jerk', 'ProcessDialogKey', 'Vn7gwqUXMi', 'jSZgtjOB2E', 'v1iggpDuKl'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, aglaL3SBeIfXbEHPr5.cs	High entropy of concatenated method names: 'yXyjD4ccT', 'rmIEgF0Lt', 'KvnlWhZ9v', 'MYg9jXo9Q', 'AoduPg6vq', 'aTJA2fql4', 'vfabRaTseTihmVIBbq', 'oqC9ECJ7jnFvOil5Y8', 'EcgowA4VcZUR6YVWVb', 'wJOr9GZBk'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, lsSq27I0hnIdfvPF4e.cs	High entropy of concatenated method names: 'GS4rZIyRch', 'krfrvMo2Vh', 'zcgrhuAU1d', 'E8gra6OC98', 'MHWr1Nt9K3', 'PFCrCv9ELL', 'TLTrKOkL8C', 'knJrWVXJvv', 'mQfrBBRdId', 'qYRr0dw2Jh'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, a6JHtZGdpnrIbdwyXv.cs	High entropy of concatenated method names: 'ViFet6IgGt', 'ExfeLAf10o', 'iqIeqd02sw', 'LwXeZDAcij', 'dBuevhFKOK', 'ufuea1s2Yn', 'bI0e1n1dkH', 'pCwrYGqcwX', 'eqTrffr0Jh', 'j6hrdy0lUf'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, IK1XrNJvr7PPm1j0MU.cs	High entropy of concatenated method names: 'LyUsfGYeW3', 'dXcsMSiTm6', 'Cb7rwVBCEb', 'G0drtoQdIw', 'woPsmJRtcK', 'J2WsXFjci4', 'kCasbnGPaV', 'Pbts7Fux4c', 'eM8scJxOuU', 'lgCsUgB5Gu'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, BdI41qFnRSKwjr8vRsn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Svq57XkBVw', 'Gf35cnPVvI', 'YUK5UeVrNG', 'CW85o2AK86', 'l2l5GLIyyM', 'tG452jZ1sY', 'vsJ5YkQVty'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, Knh1rZctAHXyTagCjl.cs	High entropy of concatenated method names: 'pwJCDuvOXY', 'V7VC6ZraL8', 'VQUCj1a4HL', 'XqoCETSHf1', 'TbwCP3iO7c', 'oDTClQYMK3', 'aXoC9ZW6fT', 'UwvCnafP8F', 'UtwCuxdeZb', 'seFCAQpgIv'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, BQ07W6faPBvr0ngALj.cs	High entropy of concatenated method names: 'GPx1Su0hbi', 'epd1vD3fbv', 'Ii21aL7h0G', 'vb41C8yrg5', 'cSX1KHZ5iX', 'YEaaGuNu4N', 'fkja2cuZKI', 'tVlaYSwTkW', 'i1fafgFgFS', 'ylrad0irmy'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, hbZNRJKn3pZuk9vCcl.cs	High entropy of concatenated method names: 'x4uv79T57D', 'MmjvcWuxcC', 'O66vU2FRJw', 'RwNvoKedMK', 'N7gvGhACcU', 'P6Mv2oxrXw', 'DnwvYjkEQy', 'YmhvfXTs1J', 'khavdUYoEm', 'wgYvMadjZ6'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, WHHN6qPHh8Gp7ChIm9.cs	High entropy of concatenated method names: 'PqbCZSZJeO', 'R5YChTqG27', 'Y4EC1H5Xgc', 'gOl1MntkaJ', 'bcS1z063qy', 'yR5CwajvHY', 'x5PCtPNV8N', 'Lb1Cgs6wGv', 'PCFCLGPFeU', 'UUGCqhuF7N'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, M2rrVhU3FjFAhrKFRP.cs	High entropy of concatenated method names: 'C3lsBYVfUZ', 'z8Vs0eDmTu', 'ToString', 'TlgsZ5c0eg', 'L4fsvXrPp0', 'wtesh7u6Rr', 'lonsak2A59', 'Db5s1fhOLX', 'jsIsCLlpL3', 'RPXsKp3rU2'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, i0WP6bFCToAWJjStbBE.cs	High entropy of concatenated method names: 'soPeDdAJ4U', 'kBOe6TZYNG', 'vT8ejZRa3Z', 's85eEItWvs', 'Uv0ePtWMGe', 'Hryelhb4BA', 'Gdle9Y7x2A', 'i4nen1cjPy', 'zKTeucFwIc', 'A5veAJxbb3'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, YKiqK78yXUtNKTP13r.cs	High entropy of concatenated method names: 'lvBO8IFhoK', 'BrUOXeDSph', 'jPxO71OQkR', 'jkfOcHEbeR', 'dZcOQK3dAq', 'tFCONLucdK', 'v5LOIuyiMu', 'cTbOpYu4y7', 'j9qOx53wkT', 'rmaOT9VkhZ'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, acsoXDaJfaCEw9XyjA.cs	High entropy of concatenated method names: 'dq9aPXxkoT', 'SRoa99nncq', 'qv5hN84FxZ', 'oeUhIBg5eC', 'CwGhpyTf4t', 'EdshxdVGK9', 'W3phTnVqKg', 'a6IhVRkTcY', 'Q2QhiD5Zjt', 'rQgh8ns60g'
Source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, p02NCl3dFf9aHThU9q.cs	High entropy of concatenated method names: 'Gbr3nuweOX', 'x2G3u5SUO5', 'cgd3kL46ly', 'lpZ3QJ00X1', 'Sxc3IZ8Vxe', 'gaH3pQi5bG', 'd6N3TSIogC', 'vgC3VyeswW', 'USG38SFwJW', 'pi23mpWesb'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, jwvBObYx4KVfbRPv8H.cs	High entropy of concatenated method names: 'dNitCBtyDX', 'LGxtKyc2Gf', 'DtStBGq7Dl', 'Kdrt0CgSW4', 'RxYtOuOUBA', 'aJNt4TKylH', 'ruLyIUVPrB4ueT7al4', 'TQppsVRICj7DY6vPLK', 'XNjtt2Uy2r', 'eU9tLcgiPM'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, O6JYRBbGpphBJ1wiTr.cs	High entropy of concatenated method names: 'aUYhEDxDLg', 'jkUhlEPtOR', 'KF3hnKYmbg', 'qlEhuWfPdf', 'gXEhOMMUeu', 'qGeh4gPbUF', 'RAAhsQnnWg', 'BbOhrhdd7v', 'TOJheUFipl', 'd4th5ed66k'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, uqb8829qSQEKSUUyX8.cs	High entropy of concatenated method names: 'rtWrkCm7DB', 'lP6rQhnIAF', 'LbBrNnnEVw', 'EuYrIBOX1r', 'iRDr7jdZVC', 'mnXrpxDqFf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, qFYK852BrT3Kkc2vmV.cs	High entropy of concatenated method names: 'ToString', 'zP04mHM7LT', 'Jtv4QDWxdF', 'yyK4NSxP4u', 'Lde4Ii4Bf0', 'TOr4pGF67I', 'RdY4xyfdl2', 'YiK4TMLoL9', 'Mbu4VmHe83', 'RHX4iL1328'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, jltxWJLFOkrowWdHRa.cs	High entropy of concatenated method names: 'seFLSBnOpc', 'QE9LZdSWex', 'bJoLvnWHk7', 'A0kLhD1IBT', 'P6PLaQOMmc', 'ENOL1Jh0eU', 'dtGLCl5PkZ', 'tDrLKnIP87', 'cCRLWJLpjg', 'ooxLBaYBH8'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, NrduLADURKlOmqWg36.cs	High entropy of concatenated method names: 'Dispose', 'dMltdwbRA3', 'SVqgQJoKWO', 'wTuJJWsrbE', 'j8qtMIh6J0', 'lT7tz3Jerk', 'ProcessDialogKey', 'Vn7gwqUXMi', 'jSZgtjOB2E', 'v1iggpDuKl'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, aglaL3SBeIfXbEHPr5.cs	High entropy of concatenated method names: 'yXyjD4ccT', 'rmIEgF0Lt', 'KvnlWhZ9v', 'MYg9jXo9Q', 'AoduPg6vq', 'aTJA2fql4', 'vfabRaTseTihmVIBbq', 'oqC9ECJ7jnFvOil5Y8', 'EcgowA4VcZUR6YVWVb', 'wJOr9GZBk'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, lsSq27I0hnIdfvPF4e.cs	High entropy of concatenated method names: 'GS4rZIyRch', 'krfrvMo2Vh', 'zcgrhuAU1d', 'E8gra6OC98', 'MHWr1Nt9K3', 'PFCrCv9ELL', 'TLTrKOkL8C', 'knJrWVXJvv', 'mQfrBBRdId', 'qYRr0dw2Jh'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, a6JHtZGdpnrIbdwyXv.cs	High entropy of concatenated method names: 'ViFet6IgGt', 'ExfeLAf10o', 'iqIeqd02sw', 'LwXeZDAcij', 'dBuevhFKOK', 'ufuea1s2Yn', 'bI0e1n1dkH', 'pCwrYGqcwX', 'eqTrffr0Jh', 'j6hrdy0lUf'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, IK1XrNJvr7PPm1j0MU.cs	High entropy of concatenated method names: 'LyUsfGYeW3', 'dXcsMSiTm6', 'Cb7rwVBCEb', 'G0drtoQdIw', 'woPsmJRtcK', 'J2WsXFjci4', 'kCasbnGPaV', 'Pbts7Fux4c', 'eM8scJxOuU', 'lgCsUgB5Gu'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, BdI41qFnRSKwjr8vRsn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Svq57XkBVw', 'Gf35cnPVvI', 'YUK5UeVrNG', 'CW85o2AK86', 'l2l5GLIyyM', 'tG452jZ1sY', 'vsJ5YkQVty'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, Knh1rZctAHXyTagCjl.cs	High entropy of concatenated method names: 'pwJCDuvOXY', 'V7VC6ZraL8', 'VQUCj1a4HL', 'XqoCETSHf1', 'TbwCP3iO7c', 'oDTClQYMK3', 'aXoC9ZW6fT', 'UwvCnafP8F', 'UtwCuxdeZb', 'seFCAQpgIv'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, BQ07W6faPBvr0ngALj.cs	High entropy of concatenated method names: 'GPx1Su0hbi', 'epd1vD3fbv', 'Ii21aL7h0G', 'vb41C8yrg5', 'cSX1KHZ5iX', 'YEaaGuNu4N', 'fkja2cuZKI', 'tVlaYSwTkW', 'i1fafgFgFS', 'ylrad0irmy'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, hbZNRJKn3pZuk9vCcl.cs	High entropy of concatenated method names: 'x4uv79T57D', 'MmjvcWuxcC', 'O66vU2FRJw', 'RwNvoKedMK', 'N7gvGhACcU', 'P6Mv2oxrXw', 'DnwvYjkEQy', 'YmhvfXTs1J', 'khavdUYoEm', 'wgYvMadjZ6'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, WHHN6qPHh8Gp7ChIm9.cs	High entropy of concatenated method names: 'PqbCZSZJeO', 'R5YChTqG27', 'Y4EC1H5Xgc', 'gOl1MntkaJ', 'bcS1z063qy', 'yR5CwajvHY', 'x5PCtPNV8N', 'Lb1Cgs6wGv', 'PCFCLGPFeU', 'UUGCqhuF7N'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, M2rrVhU3FjFAhrKFRP.cs	High entropy of concatenated method names: 'C3lsBYVfUZ', 'z8Vs0eDmTu', 'ToString', 'TlgsZ5c0eg', 'L4fsvXrPp0', 'wtesh7u6Rr', 'lonsak2A59', 'Db5s1fhOLX', 'jsIsCLlpL3', 'RPXsKp3rU2'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, i0WP6bFCToAWJjStbBE.cs	High entropy of concatenated method names: 'soPeDdAJ4U', 'kBOe6TZYNG', 'vT8ejZRa3Z', 's85eEItWvs', 'Uv0ePtWMGe', 'Hryelhb4BA', 'Gdle9Y7x2A', 'i4nen1cjPy', 'zKTeucFwIc', 'A5veAJxbb3'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, YKiqK78yXUtNKTP13r.cs	High entropy of concatenated method names: 'lvBO8IFhoK', 'BrUOXeDSph', 'jPxO71OQkR', 'jkfOcHEbeR', 'dZcOQK3dAq', 'tFCONLucdK', 'v5LOIuyiMu', 'cTbOpYu4y7', 'j9qOx53wkT', 'rmaOT9VkhZ'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, acsoXDaJfaCEw9XyjA.cs	High entropy of concatenated method names: 'dq9aPXxkoT', 'SRoa99nncq', 'qv5hN84FxZ', 'oeUhIBg5eC', 'CwGhpyTf4t', 'EdshxdVGK9', 'W3phTnVqKg', 'a6IhVRkTcY', 'Q2QhiD5Zjt', 'rQgh8ns60g'
Source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, p02NCl3dFf9aHThU9q.cs	High entropy of concatenated method names: 'Gbr3nuweOX', 'x2G3u5SUO5', 'cgd3kL46ly', 'lpZ3QJ00X1', 'Sxc3IZ8Vxe', 'gaH3pQi5bG', 'd6N3TSIogC', 'vgC3VyeswW', 'USG38SFwJW', 'pi23mpWesb'

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	File created: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe			Jump to dropped file
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	File created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp"

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BjTxJte			Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BjTxJte			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: BKG#SGN2106728.PDF.exe

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: BKG#SGN2106728.PDF.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eDnxmGWzJ.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BjTxJte.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BjTxJte.exe PID: 8172, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 6230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 7230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 7370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 8370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 8950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 9950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: A950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: B950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 14A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory allocated: 5040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 1040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 5CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 6CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 6E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 7E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 86A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 5CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 1780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 33E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory allocated: 3200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: D90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 2770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 4870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 5F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 6F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 7090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 8090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 8900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 5F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 1460000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 4F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 30E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 6710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 7710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 7850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 8850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 8E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 9E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: AE10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: BE10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 15E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 3170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory allocated: 1660000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199875	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199766	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199656	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199547	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199437	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199328	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199219	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199109	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199871
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199656
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199437
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199328
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199218
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199109
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198999
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198890
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198781
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198572
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198406
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198281
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198165
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197926
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197807
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197687
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197578
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197468
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197359
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197249
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199936
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199589
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199484
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199375
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199240
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199938
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199825
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196360

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7408	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6839	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Window / User API: threadDelayed 3068	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Window / User API: threadDelayed 6736	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Window / User API: threadDelayed 4686
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Window / User API: threadDelayed 5148
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Window / User API: threadDelayed 3754
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Window / User API: threadDelayed 6097
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Window / User API: threadDelayed 4139
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Window / User API: threadDelayed 5660

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 6804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6504	Thread sleep count: 7408 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -99873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -99764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -99646s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -99515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -97091s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -95995s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -95762s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -95656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe TID: 7376	Thread sleep time: -1199000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98225s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -97881s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -97487s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -97035s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -96654s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1199871s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1199765s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1199656s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1199546s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1199437s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1199328s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1199218s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1199109s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1198999s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1198890s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1198781s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1198572s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1198406s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1198281s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1198165s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1197926s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1197807s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1197687s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1197578s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1197468s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1197359s >= -30000s
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe TID: 7632	Thread sleep time: -1197249s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -99843s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8160	Thread sleep count: 3754 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8160	Thread sleep count: 6097 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -99291s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98422s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98312s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -98093s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97984s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97875s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97765s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97656s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97437s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97328s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97218s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97109s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -97000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -96890s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -96781s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -96672s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -96561s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -96442s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1199936s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1199828s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1199719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1199589s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1199484s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1199375s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1199240s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1199110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1198985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1198860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1198735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1198610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1198485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1198360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1198235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8156	Thread sleep time: -1198110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 1068	Thread sleep count: 4139 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 1068	Thread sleep count: 5660 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -99424s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -99050s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -98759s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -98345s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -98219s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -98103s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -97741s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -97637s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -96986s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -96840s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -96728s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -96411s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -96030s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -95922s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -95813s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1199938s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1199825s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1199719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1199594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1199485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1199360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1199235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1199110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1198985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1198860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1198735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1198610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1198485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1198360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1198235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1198110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1197985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1197860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1197735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1197610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1197485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1197360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1197235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1197110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1196985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1196860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1196735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1196610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1196485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 4996	Thread sleep time: -1196360s >= -30000s

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 99873	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 99646	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 99515	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98515	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98187	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 97091	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96655	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 95995	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 95762	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199875	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199766	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199656	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199547	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199437	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199328	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199219	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199109	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Thread delayed: delay time: 1199000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98225
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98109
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 98000
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 97881
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 97750
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 97487
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 97359
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 97035
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 96906
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 96654
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199871
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199656
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199437
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199328
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199218
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1199109
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198999
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198890
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198781
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198572
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198406
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198281
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1198165
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197926
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197807
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197687
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197578
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197468
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197359
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Thread delayed: delay time: 1197249
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99843
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99625
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99515
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99291
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99187
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99078
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98859
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98750
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98640
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98531
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98422
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98312
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98203
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98093
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97984
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97875
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97765
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97656
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97547
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97437
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97328
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97218
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97109
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96890
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96781
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96672
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96561
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96442
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199936
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199589
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199484
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199375
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199240
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99424
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99187
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 99050
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98891
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98759
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98345
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98219
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 98103
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97741
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 97637
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96986
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96840
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96728
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96411
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 96030
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 95922
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 95813
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199938
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199825
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1199110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1198110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1197110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Thread delayed: delay time: 1196360

Source: BjTxJte.exe, 00000019.00000002.2001406435.0000000001381000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~U
Source: eDnxmGWzJ.exe, 0000000A.00000002.1807266227.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
Source: eDnxmGWzJ.exe, 0000000F.00000002.2927536460.00000000015A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: BjTxJte.exe, 00000011.00000002.1919920191.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Memory written: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Memory written: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory written: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Memory written: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe base: 400000 value starts with: 4D5A

Source: eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003493000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq3<b>[ Program Manager]</b> (18/04/2024 15:48:28)<br>
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030CF000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003493000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003493000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRkqtuI
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq3<b>[ Program Manager]</b> (19/04/2024 06:06:28)<br>
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Time: 05/16/2024 18:56:06<br>User Name: user<br>Computer Name: 609290<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 81.181.57.52<br><hr><b>[ Program Manager]</b> (19/04/2024 06:06:28)<br>{Win}r
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq8<b>[ Program Manager]</b> (19/04/2024 06:06:28)<br>{Win}THpq
Source: eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003493000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq8<b>[ Program Manager]</b> (18/04/2024 15:48:28)<br>{Win}THpqLjI
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRkqD
Source: BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq9<b>[ Program Manager]</b> (19/04/2024 06:06:28)<br>{Win}rTHpq
Source: eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Time: 05/18/2024 13:58:21<br>User Name: user<br>Computer Name: 609290<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 81.181.57.52<br><hr><b>[ Program Manager]</b> (18/04/2024 15:48:28)<br>{Win}r
Source: eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003493000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq9<b>[ Program Manager]</b> (18/04/2024 15:48:28)<br>{Win}rTHpqLjI

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eDnxmGWzJ.exe.399fde0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eDnxmGWzJ.exe.399fde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2933396914.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2933396914.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932875412.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932875412.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2934216134.000000000347A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2934216134.0000000003431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1983604428.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1983604428.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BKG#SGN2106728.PDF.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKG#SGN2106728.PDF.exe PID: 332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eDnxmGWzJ.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eDnxmGWzJ.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BjTxJte.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BjTxJte.exe PID: 6180, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eDnxmGWzJ.exe.399fde0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eDnxmGWzJ.exe.399fde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2933396914.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932875412.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2934216134.0000000003431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1983604428.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BKG#SGN2106728.PDF.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKG#SGN2106728.PDF.exe PID: 332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eDnxmGWzJ.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eDnxmGWzJ.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BjTxJte.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BjTxJte.exe PID: 6180, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eDnxmGWzJ.exe.399fde0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.3cb4bc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4acc780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4a26560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eDnxmGWzJ.exe.399fde0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BKG#SGN2106728.PDF.exe.4980340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2933396914.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2933396914.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932875412.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932875412.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2934216134.000000000347A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2934216134.0000000003431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1983604428.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1983604428.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BKG#SGN2106728.PDF.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKG#SGN2106728.PDF.exe PID: 332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eDnxmGWzJ.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eDnxmGWzJ.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BjTxJte.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BjTxJte.exe PID: 6180, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	1 Deobfuscate/Decode Files or Information	211 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	12 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	211 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BKG#SGN2106728.PDF.exe	44%	Virustotal		Browse
BKG#SGN2106728.PDF.exe	45%	ReversingLabs	Win32.Trojan.Vigorf
BKG#SGN2106728.PDF.exe	100%	Avira	HEUR/AGEN.1323731
BKG#SGN2106728.PDF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	100%	Avira	HEUR/AGEN.1323731
C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	100%	Avira	HEUR/AGEN.1323731
C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	45%	ReversingLabs	Win32.Trojan.Vigorf
C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe	44%	Virustotal		Browse
C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	45%	ReversingLabs	Win32.Trojan.Vigorf
C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe	44%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
flexwelltour.com	0%	Virustotal		Browse
mail.flexwelltour.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://flexwelltour.com	0%	Virustotal		Browse
http://mail.flexwelltour.com	0%	Virustotal		Browse
http://r3.i.lencr.org/0L	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
flexwelltour.com	94.199.200.238	true	false	0%, Virustotal, Browse	unknown
api.ipify.org	172.67.74.152	true	false		high
mail.flexwelltour.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2963874949.0000000006AE7000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.0000000001577000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1993408123.0000000006622000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2962504711.00000000069DE000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.0000000003041000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.000000000317C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://flexwelltour.com	BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.000000000347A000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://r3.i.lencr.org/0L	BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2963874949.0000000006AE7000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.0000000001577000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1993408123.0000000006622000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2962504711.00000000069DE000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.dyn.com/	BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.0000000003041000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.000000000317C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.flexwelltour.com	BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.000000000347A000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BKG#SGN2106728.PDF.exe, 00000000.00000002.1747954818.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.0000000003041000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000A.00000002.1809479007.00000000028D2000.00000004.00000800.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.1921505605.00000000027A2000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.2003324584.000000000312B000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.000000000317C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2985822507.0000000007F90000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2963874949.0000000006AE7000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.0000000001577000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1993408123.0000000006622000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001380000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001367000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2932875412.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2985822507.0000000007F90000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.000000000153F000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2963874949.0000000006AE7000.00000004.00000020.00020000.00000000.sdmp, BKG#SGN2106728.PDF.exe, 00000009.00000002.2928753620.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.0000000001577000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2927536460.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, eDnxmGWzJ.exe, 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1980182823.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1993408123.0000000006622000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001380000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001392000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001C.00000002.2927542147.0000000001367000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.len	BjTxJte.exe, 0000001C.00000002.2962504711.00000000069DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.199.200.238	flexwelltour.com	Turkey		42807	AEROTEK-ASTR	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427946
Start date and time:	2024-04-18 11:23:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BKG#SGN2106728.PDF.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@41/20@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 488 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:24:05	Task Scheduler	Run new task: eDnxmGWzJ path: C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
10:24:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BjTxJte C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
10:24:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BjTxJte C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
11:24:01	API Interceptor	1899383x Sleep call for process: BKG#SGN2106728.PDF.exe modified
11:24:04	API Interceptor	33x Sleep call for process: powershell.exe modified
11:24:07	API Interceptor	698512x Sleep call for process: eDnxmGWzJ.exe modified
11:24:19	API Interceptor	492166x Sleep call for process: BjTxJte.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.199.200.238	Purchase Order PDF.exe	Get hash	malicious	AgentTesla	Browse
	P..O PDF.exe	Get hash	malicious	AgentTesla	Browse
	UPDATED SOA PDF.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	product11221.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	DHL-9384915702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Outstanding Payment Invoice PO 3400375980.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Arrival Notice PUS_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Purchase Order PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Leoch-Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	p silp AI240190.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Heur.15333.25205.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Leoch-Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AEROTEK-ASTR	Purchase Order PDF.exe	Get hash	malicious	AgentTesla	Browse	94.199.200.238
	P..O PDF.exe	Get hash	malicious	AgentTesla	Browse	94.199.200.238
	UPDATED SOA PDF.exe	Get hash	malicious	AgentTesla	Browse	94.199.200.238
	OSET BESAFETY Mekatronik _ Siparis 0058114343.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	94.199.206.42
	Fiyat BKBambalaj 03.04.2024 - TR-24-0286_ unit Siparis.exe	Get hash	malicious	AgentTesla	Browse	37.230.104.41
	fiyat 01.04.2024 - AT-24-0186_ unit order .exe	Get hash	malicious	AgentTesla	Browse	37.230.104.41
	Urunlar fiyat 25.03.2024 ara alim_ unit order.exe	Get hash	malicious	AgentTesla	Browse	37.230.104.41
	fiyat 25.03.2024 ara alim_ unit order.exe	Get hash	malicious	AgentTesla	Browse	37.230.104.41
	x8bQ5T4284.elf	Get hash	malicious	Unknown	Browse	152.89.38.40
	fiyat teklif_turanlargroupNM24A-SiparisT24A9030124.exe	Get hash	malicious	AgentTesla	Browse	109.232.216.182
CLOUDFLARENETUS	product11221.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	http://streaming.jsonmediapacks.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.hegemann-reiners.de/	Get hash	malicious	Unknown	Browse	172.67.157.200
	http://gamma.app/docs/Adobe-1098-uanmwmhgl6i90tc?mode=doc	Get hash	malicious	Unknown	Browse	104.18.11.200
	DHL-9384915702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Outstanding Payment Invoice PO 3400375980.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Arrival Notice PUS_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	104.21.84.67
	NEW ORDER.doc	Get hash	malicious	HTMLPhisher	Browse	104.21.25.202
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	product11221.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	product1122.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	DHL-9384915702.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	FACTURA24021151 - BP.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152
	Outstanding Payment Invoice PO 3400375980.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Arrival Notice PUS_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Transferencias SEPA.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152
	shipping doc.vbs	Get hash	malicious	GuLoader	Browse	172.67.74.152
	FACTURA 130424435.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152
	justificant de transfer#U00e8ncia.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BjTxJte.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eDnxmGWzJ.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4y4RY5mFoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:fLHyIYgKLgZ2KRHWLOug8s
MD5:	914CF3F4E3B8A3E129E2699C0C44BC7A
SHA1:	2BE8F29B8058D6C7BC16D0D13C49BDE1385EBD6D
SHA-256:	639686067F67F6DC6E58B9086A00B442632A8E2E06163E1644EC2FD36C71474A
SHA-512:	4F4B5CD075D1051A3F85895B9834FF970E040A927285AA5C85D85CAC29B3B97F80F2A4DBC7F64D0A575F5C08243198E7F615DE3787E4E12AD85C7CD30AD4B885
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...\|...........System.Configuration<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1p2awkjv.ak2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hvnzv503.kgs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kokkn5tx.1eq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_moeippkc.0oq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spio0q4i.pq1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tmrbabsa.hh2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdp1yt0x.gcn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yv1yxft0.g02.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5779.tmp

Download File

Process:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.11341022652264
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTqv
MD5:	D874639CB6C7E85DD03C44AAB8E85F11
SHA1:	34AAA5646A759918D128EDABDEFCD2324D3CAC5F
SHA-256:	D6D3A679D6900698354DCB1ED52613E27AAEF6023D182948E5874510AE566FE8
SHA-512:	3DA8235E3EFD5692F13256D8B3D877AD8925E5BE7B44D0A8E34070868D72678AC07CC841934B17225AE03C6CFDC56BC2F53F2844E715B30DAF96A64DCF0B1B3A
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp6F75.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.11341022652264
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTqv
MD5:	D874639CB6C7E85DD03C44AAB8E85F11
SHA1:	34AAA5646A759918D128EDABDEFCD2324D3CAC5F
SHA-256:	D6D3A679D6900698354DCB1ED52613E27AAEF6023D182948E5874510AE566FE8
SHA-512:	3DA8235E3EFD5692F13256D8B3D877AD8925E5BE7B44D0A8E34070868D72678AC07CC841934B17225AE03C6CFDC56BC2F53F2844E715B30DAF96A64DCF0B1B3A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp9D3C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.11341022652264
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTqv
MD5:	D874639CB6C7E85DD03C44AAB8E85F11
SHA1:	34AAA5646A759918D128EDABDEFCD2324D3CAC5F
SHA-256:	D6D3A679D6900698354DCB1ED52613E27AAEF6023D182948E5874510AE566FE8
SHA-512:	3DA8235E3EFD5692F13256D8B3D877AD8925E5BE7B44D0A8E34070868D72678AC07CC841934B17225AE03C6CFDC56BC2F53F2844E715B30DAF96A64DCF0B1B3A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpBC2E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.11341022652264
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTqv
MD5:	D874639CB6C7E85DD03C44AAB8E85F11
SHA1:	34AAA5646A759918D128EDABDEFCD2324D3CAC5F
SHA-256:	D6D3A679D6900698354DCB1ED52613E27AAEF6023D182948E5874510AE566FE8
SHA-512:	3DA8235E3EFD5692F13256D8B3D877AD8925E5BE7B44D0A8E34070868D72678AC07CC841934B17225AE03C6CFDC56BC2F53F2844E715B30DAF96A64DCF0B1B3A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe

Download File

Process:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	901632
Entropy (8bit):	7.95829712238213
Encrypted:	false
SSDEEP:	12288:6FCnt27FjOqHjvCcDRLM4o4K6GCj4jo5TIOTOJLUn6nwj7po+Cycrf5ehpph1yB:Zo7FjOy3D93ovokqOJLU6nwjRCspH1k
MD5:	CCDB29C0D8E287CAD8644E0ADFD56178
SHA1:	3B5534A7AF776EC14A07DBE81CDE5BDBB538DCE8
SHA-256:	CB06339A87BDD6284086A97545C32DC8A3EB3701C7642543E7C327D0539005F9
SHA-512:	6E0CC7CEBD79142FA190D148C6030F2935D77F35DAAEB10B3F75C27C90DA27AA2908C3F17ADA436B49D6EF16273217B3FD47E4AD83441A4215E05EC98F1E2757
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 44%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... f............................v.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...\|.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................X.......H.......<~...X......K...................................................z.(......}.....(....o ...}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....o`...:q....(....+..(........}.........(......................n..}.....{....,..{....oX.....{....*.s!.

C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe

Download File

Process:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	901632
Entropy (8bit):	7.95829712238213
Encrypted:	false
SSDEEP:	12288:6FCnt27FjOqHjvCcDRLM4o4K6GCj4jo5TIOTOJLUn6nwj7po+Cycrf5ehpph1yB:Zo7FjOy3D93ovokqOJLU6nwjRCspH1k
MD5:	CCDB29C0D8E287CAD8644E0ADFD56178
SHA1:	3B5534A7AF776EC14A07DBE81CDE5BDBB538DCE8
SHA-256:	CB06339A87BDD6284086A97545C32DC8A3EB3701C7642543E7C327D0539005F9
SHA-512:	6E0CC7CEBD79142FA190D148C6030F2935D77F35DAAEB10B3F75C27C90DA27AA2908C3F17ADA436B49D6EF16273217B3FD47E4AD83441A4215E05EC98F1E2757
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 44%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... f............................v.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...\|.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................X.......H.......<~...X......K...................................................z.(......}.....(....o ...}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....o`...:q....(....+..(........}.........(......................n..}.....{....,..{....oX.....{....*.s!.

C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.95829712238213
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	BKG#SGN2106728.PDF.exe
File size:	901'632 bytes
MD5:	ccdb29c0d8e287cad8644e0adfd56178
SHA1:	3b5534a7af776ec14a07dbe81cde5bdbb538dce8
SHA256:	cb06339a87bdd6284086a97545c32dc8a3eb3701c7642543e7c327d0539005f9
SHA512:	6e0cc7cebd79142fa190d148c6030f2935d77f35daaeb10b3f75c27c90da27aa2908c3f17ada436b49d6ef16273217b3fd47e4ad83441a4215e05ec98f1e2757
SSDEEP:	12288:6FCnt27FjOqHjvCcDRLM4o4K6GCj4jo5TIOTOJLUn6nwj7po+Cycrf5ehpph1yB:Zo7FjOy3D93ovokqOJLU6nwjRCspH1k
TLSH:	EB151357722D0B03CAFA1AF5450762292BF40259B5E7F3C98DD209E531EAFD49ACAC43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... f............................v.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4dd776
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6620C288 [Thu Apr 18 06:49:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdd71c	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xde000	0x5e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdb77c	0xdb800	4dfb64cc7cb8cf9bc24534b4c346ed00	False	0.9590433246725513	data	7.962537044370944	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xde000	0x5e8	0x600	aca1b73ca892d6cf9c1b10d31a84bc37	False	0.4427083333333333	data	4.236389012456819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe0000	0xc	0x200	cc955ecb5af03f4c6658d8379999c43f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xde0a0	0x394	OpenPGP Secret Key			0.42139737991266374
RT_MANIFEST	0xde434	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators			0.5642201834862385

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:24:06.350627899 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:06.350666046 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:06.350730896 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:06.364840984 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:06.364875078 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:06.591444016 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:06.591548920 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:06.594926119 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:06.594954014 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:06.595361948 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:06.635801077 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:06.710103989 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:06.752119064 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:06.885509014 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:06.885574102 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:06.885679960 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:06.891366005 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:08.158734083 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:08.405529976 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:08.405867100 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:08.780041933 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:08.780292988 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:09.027519941 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:09.027913094 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:09.276181936 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:09.276770115 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:09.531550884 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:09.531619072 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:09.531663895 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:09.531750917 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:09.558322906 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:09.805227995 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:09.809037924 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:10.055780888 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:10.057199955 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:10.304379940 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:10.304745913 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:10.590322971 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:10.596420050 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:10.596702099 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:10.843595982 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:10.843658924 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:10.843985081 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:11.131622076 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:11.136096001 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:11.136425972 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:11.383279085 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:11.383339882 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:11.386192083 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:11.386265993 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:11.386320114 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:11.386400938 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:11.632781029 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:11.632831097 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:11.632864952 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:12.040632963 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:12.088903904 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:12.224796057 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:12.224896908 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:12.224991083 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:12.229022980 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:12.229060888 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:12.444650888 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:12.444736958 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:12.446794987 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:12.446810007 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:12.447060108 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:12.495138884 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:12.503273010 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:12.544190884 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:12.746954918 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:12.747041941 CEST	443	49732	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:12.747095108 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:12.751605988 CEST	49732	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:13.555670977 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:13.799115896 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:13.799197912 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:14.047209978 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:14.047477961 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:14.290776014 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:14.290951967 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:14.535862923 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:14.536370039 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:14.787254095 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:14.787312984 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:14.787353992 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:14.787390947 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:14.788763046 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:15.032650948 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:15.041126966 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:15.284605980 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:15.286902905 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:15.530497074 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:15.530848980 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:15.779095888 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:15.781728983 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:16.025099993 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:16.026098967 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:16.308960915 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:16.320794106 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:16.370138884 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:16.505496025 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:16.749063969 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:16.749124050 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:16.751240969 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:16.760036945 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:16.760054111 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:16.760149956 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:16.994604111 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:17.003734112 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:17.003751993 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:17.003768921 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:17.450637102 CEST	587	49733	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:17.495151997 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:23.313112974 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:23.313152075 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:23.313226938 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:23.316452980 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:23.316466093 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:23.532391071 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:23.532464981 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:23.533895016 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:23.533904076 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:23.534224033 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:23.585700035 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:23.628110886 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:23.838673115 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:23.838825941 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:23.839109898 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:23.842123985 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:24.306951046 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:24.552021980 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:24.552114010 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:24.800533056 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:24.800734997 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:25.046039104 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:25.046221972 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:25.292879105 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:25.293607950 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:25.546672106 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:25.546717882 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:25.546757936 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:25.546786070 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:25.548736095 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:25.794019938 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:25.799376965 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:26.044503927 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:26.044891119 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:26.290486097 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:26.290802956 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:26.540549040 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:26.540873051 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:26.786166906 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:26.786472082 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:27.071331978 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:27.074132919 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:27.074358940 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:27.319271088 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:27.319334984 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:27.319996119 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:27.320056915 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:27.320080042 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:27.320113897 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:27.564977884 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:27.565032005 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:27.565071106 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:27.565104961 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:28.007097006 CEST	587	49740	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:28.057672977 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:31.382195950 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:31.382287025 CEST	443	49741	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:31.382359028 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:31.387006044 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:31.387043953 CEST	443	49741	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:31.610465050 CEST	443	49741	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:31.610548019 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:31.616195917 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:31.616205931 CEST	443	49741	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:31.616597891 CEST	443	49741	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:31.667020082 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:31.683917999 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:31.728123903 CEST	443	49741	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:31.917975903 CEST	443	49741	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:31.918047905 CEST	443	49741	172.67.74.152	192.168.2.4
Apr 18, 2024 11:24:31.918127060 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:31.921277046 CEST	49741	443	192.168.2.4	172.67.74.152
Apr 18, 2024 11:24:32.527776003 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:32.650538921 CEST	49740	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:32.774422884 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:32.774640083 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:33.025479078 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:33.025702000 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:33.272602081 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:33.272810936 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:33.520772934 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:33.522929907 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:33.777229071 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:33.777297020 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:33.777337074 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:33.777393103 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:33.780231953 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:34.027087927 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:34.073316097 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:34.163846016 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:34.410429001 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:34.410743952 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:34.657851934 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:34.663624048 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:34.914343119 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:34.914669991 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:35.161266088 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:35.276562929 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:35.514558077 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:35.800865889 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:35.802018881 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:35.802212954 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:36.049395084 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:36.049559116 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:36.056421995 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:36.056421995 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:36.056421995 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:36.056421995 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:24:36.303311110 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:36.303334951 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:36.303349972 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:36.303365946 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:36.716850042 CEST	587	49742	94.199.200.238	192.168.2.4
Apr 18, 2024 11:24:36.870325089 CEST	49742	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.044287920 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.113869905 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.291347980 CEST	587	49731	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:41.292001009 CEST	49731	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.293773890 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.360810041 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:41.360914946 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.540301085 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:41.540383101 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.611841917 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:41.611999035 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.791186094 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:41.791403055 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:41.858880997 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:41.859009981 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.038404942 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.038570881 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.107530117 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.108215094 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.287306070 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.287698030 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.366795063 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.366839886 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.366877079 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.366908073 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.369359970 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.541903973 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.542036057 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.542076111 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.542392969 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.546686888 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.617464066 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.622288942 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.793339014 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.795981884 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:42.869008064 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:42.870999098 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.042428970 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.043426037 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.118227005 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.118494987 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.123796940 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.125824928 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.142425060 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.250843048 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.290484905 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.294681072 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.387569904 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.387710094 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.403970957 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.410283089 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.410295963 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.410325050 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.410351038 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.411055088 CEST	587	49744	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.411097050 CEST	49744	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.411935091 CEST	587	49745	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.412092924 CEST	49745	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.495534897 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.495614052 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.637373924 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.682764053 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.744364977 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:43.792182922 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.832729101 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:43.832808018 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:44.077501059 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:44.077743053 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:44.077789068 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:44.077922106 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:44.324347973 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:44.324609995 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:44.370240927 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:44.370242119 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.161446095 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.161487103 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.416373968 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.416434050 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.416474104 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.416488886 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.418219090 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.418260098 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.418294907 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.418315887 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.422194004 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.424025059 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.666948080 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.668968916 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.678468943 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.678740025 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.923350096 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.923561096 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:45.923562050 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:45.923707962 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:46.208255053 CEST	587	49747	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:46.208273888 CEST	587	49746	94.199.200.238	192.168.2.4
Apr 18, 2024 11:25:52.340931892 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:52.395828962 CEST	49748	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:52.670821905 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:53.167154074 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:53.386683941 CEST	49749	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:53.464042902 CEST	49748	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:53.824827909 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:54.090353012 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:54.090389967 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:54.161540985 CEST	49750	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:54.464073896 CEST	49749	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:54.667226076 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:54.667274952 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:55.167119026 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:55.167227030 CEST	49750	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:55.463993073 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:55.464067936 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:55.464128971 CEST	49748	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:56.464004040 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:56.464129925 CEST	49749	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:57.167129993 CEST	49750	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:57.167138100 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:57.167151928 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:57.701217890 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:25:59.528543949 CEST	49748	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:00.130506039 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:00.260860920 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:00.354602098 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:00.464147091 CEST	49749	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:01.167284012 CEST	49750	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:04.965436935 CEST	49733	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:06.410512924 CEST	49746	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:06.464071989 CEST	49747	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:07.629355907 CEST	49748	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:08.465383053 CEST	49749	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:09.262712955 CEST	49750	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:12.240015984 CEST	49751	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:13.245260954 CEST	49751	587	192.168.2.4	94.199.200.238
Apr 18, 2024 11:26:14.573409081 CEST	49733	587	192.168.2.4	94.199.200.238

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:24:06.200213909 CEST	60270	53	192.168.2.4	1.1.1.1
Apr 18, 2024 11:24:06.306721926 CEST	53	60270	1.1.1.1	192.168.2.4
Apr 18, 2024 11:24:07.610055923 CEST	53924	53	192.168.2.4	1.1.1.1
Apr 18, 2024 11:24:08.157241106 CEST	53	53924	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 11:24:06.200213909 CEST	192.168.2.4	1.1.1.1	0x431d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:24:07.610055923 CEST	192.168.2.4	1.1.1.1	0xc914	Standard query (0)	mail.flexwelltour.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 11:24:06.306721926 CEST	1.1.1.1	192.168.2.4	0x431d	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:24:06.306721926 CEST	1.1.1.1	192.168.2.4	0x431d	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:24:06.306721926 CEST	1.1.1.1	192.168.2.4	0x431d	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:24:08.157241106 CEST	1.1.1.1	192.168.2.4	0xc914	No error (0)	mail.flexwelltour.com	flexwelltour.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 18, 2024 11:24:08.157241106 CEST	1.1.1.1	192.168.2.4	0xc914	No error (0)	flexwelltour.com		94.199.200.238	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.74.152	443	332	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:24:06 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 09:24:06 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 09:24:06 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 876399966b1906e2-ATL
2024-04-18 09:24:06 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	172.67.74.152	443	7524	C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:24:12 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 09:24:12 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 09:24:12 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 876399bb0c99b0b8-ATL
2024-04-18 09:24:12 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	172.67.74.152	443	7996	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:24:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 09:24:23 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 09:24:23 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 87639a0049a26736-ATL
2024-04-18 09:24:23 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	172.67.74.152	443	6180	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:24:31 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 09:24:31 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 09:24:31 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 87639a32c900452c-ATL
2024-04-18 09:24:31 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 18, 2024 11:24:08.780041933 CEST	587	49731	94.199.200.238	192.168.2.4	220-srvc235.trwww.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 12:24:08 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:24:08.780292988 CEST	49731	587	192.168.2.4	94.199.200.238	EHLO 609290
Apr 18, 2024 11:24:09.027519941 CEST	587	49731	94.199.200.238	192.168.2.4	250-srvc235.trwww.com Hello 609290 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:24:09.027913094 CEST	49731	587	192.168.2.4	94.199.200.238	STARTTLS
Apr 18, 2024 11:24:09.276181936 CEST	587	49731	94.199.200.238	192.168.2.4	220 TLS go ahead
Apr 18, 2024 11:24:14.047209978 CEST	587	49733	94.199.200.238	192.168.2.4	220-srvc235.trwww.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 12:24:13 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:24:14.047477961 CEST	49733	587	192.168.2.4	94.199.200.238	EHLO 609290
Apr 18, 2024 11:24:14.290776014 CEST	587	49733	94.199.200.238	192.168.2.4	250-srvc235.trwww.com Hello 609290 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:24:14.290951967 CEST	49733	587	192.168.2.4	94.199.200.238	STARTTLS
Apr 18, 2024 11:24:14.535862923 CEST	587	49733	94.199.200.238	192.168.2.4	220 TLS go ahead
Apr 18, 2024 11:24:24.800533056 CEST	587	49740	94.199.200.238	192.168.2.4	220-srvc235.trwww.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 12:24:24 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:24:24.800734997 CEST	49740	587	192.168.2.4	94.199.200.238	EHLO 609290
Apr 18, 2024 11:24:25.046039104 CEST	587	49740	94.199.200.238	192.168.2.4	250-srvc235.trwww.com Hello 609290 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:24:25.046221972 CEST	49740	587	192.168.2.4	94.199.200.238	STARTTLS
Apr 18, 2024 11:24:25.292879105 CEST	587	49740	94.199.200.238	192.168.2.4	220 TLS go ahead
Apr 18, 2024 11:24:33.025479078 CEST	587	49742	94.199.200.238	192.168.2.4	220-srvc235.trwww.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 12:24:32 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:24:33.025702000 CEST	49742	587	192.168.2.4	94.199.200.238	EHLO 609290
Apr 18, 2024 11:24:33.272602081 CEST	587	49742	94.199.200.238	192.168.2.4	250-srvc235.trwww.com Hello 609290 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:24:33.272810936 CEST	49742	587	192.168.2.4	94.199.200.238	STARTTLS
Apr 18, 2024 11:24:33.520772934 CEST	587	49742	94.199.200.238	192.168.2.4	220 TLS go ahead
Apr 18, 2024 11:25:41.611841917 CEST	587	49744	94.199.200.238	192.168.2.4	220-srvc235.trwww.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 12:25:41 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:25:41.611999035 CEST	49744	587	192.168.2.4	94.199.200.238	EHLO 609290
Apr 18, 2024 11:25:41.791186094 CEST	587	49745	94.199.200.238	192.168.2.4	220-srvc235.trwww.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 12:25:41 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:25:41.791403055 CEST	49745	587	192.168.2.4	94.199.200.238	EHLO 609290
Apr 18, 2024 11:25:41.858880997 CEST	587	49744	94.199.200.238	192.168.2.4	250-srvc235.trwww.com Hello 609290 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:25:41.859009981 CEST	49744	587	192.168.2.4	94.199.200.238	STARTTLS
Apr 18, 2024 11:25:42.038404942 CEST	587	49745	94.199.200.238	192.168.2.4	250-srvc235.trwww.com Hello 609290 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:25:42.038570881 CEST	49745	587	192.168.2.4	94.199.200.238	STARTTLS
Apr 18, 2024 11:25:42.107530117 CEST	587	49744	94.199.200.238	192.168.2.4	220 TLS go ahead
Apr 18, 2024 11:25:42.287306070 CEST	587	49745	94.199.200.238	192.168.2.4	220 TLS go ahead
Apr 18, 2024 11:25:43.410295963 CEST	587	49744	94.199.200.238	192.168.2.4	421 srvc235.trwww.com lost input connection
Apr 18, 2024 11:25:43.637373924 CEST	587	49746	94.199.200.238	192.168.2.4	220-srvc235.trwww.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 12:25:43 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:25:43.744364977 CEST	587	49747	94.199.200.238	192.168.2.4	220-srvc235.trwww.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 12:25:43 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 11:25:43.832729101 CEST	49746	587	192.168.2.4	94.199.200.238	EHLO 609290
Apr 18, 2024 11:25:43.832808018 CEST	49747	587	192.168.2.4	94.199.200.238	EHLO 609290
Apr 18, 2024 11:25:44.077501059 CEST	587	49747	94.199.200.238	192.168.2.4	250-srvc235.trwww.com Hello 609290 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:25:44.077743053 CEST	49747	587	192.168.2.4	94.199.200.238	STARTTLS
Apr 18, 2024 11:25:44.077789068 CEST	587	49746	94.199.200.238	192.168.2.4	250-srvc235.trwww.com Hello 609290 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 18, 2024 11:25:44.077922106 CEST	49746	587	192.168.2.4	94.199.200.238	STARTTLS
Apr 18, 2024 11:25:44.324347973 CEST	587	49747	94.199.200.238	192.168.2.4	220 TLS go ahead
Apr 18, 2024 11:25:44.324609995 CEST	587	49746	94.199.200.238	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	11:24:00
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Imagebase:	0x7a0000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1749314625.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1749314625.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:24:03
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Imagebase:	0xf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:24:03
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:24:03
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"
Imagebase:	0xf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:24:03
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:24:03
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp5779.tmp"
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:24:03
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:24:04
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Imagebase:	0x170000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:24:04
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Imagebase:	0x550000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:24:04
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BKG#SGN2106728.PDF.exe"
Imagebase:	0xc90000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2932875412.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2932875412.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2932875412.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2932875412.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	11:24:05
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
Imagebase:	0x280000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1811050369.000000000399F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:24:06
Start date:	18/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:24:10
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp6F75.tmp"
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:24:10
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:24:10
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"
Imagebase:	0xa0000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:24:10
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\eDnxmGWzJ.exe"
Imagebase:	0xe40000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2934216134.000000000347A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2934216134.0000000003431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2934216134.0000000003431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2934216134.0000000003482000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	11:24:18
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Imagebase:	0x4a0000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:24:21
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9D3C.tmp"
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:24:21
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:24:21
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Imagebase:	0x130000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:24:22
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Imagebase:	0x30000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:24:22
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Imagebase:	0xb50000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.1983604428.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.1983604428.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.1983604428.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.1983604428.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:24:26
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Imagebase:	0xc80000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:24:29
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDnxmGWzJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBC2E.tmp"
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:24:29
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:24:30
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Imagebase:	0xcd0000
File size:	901'632 bytes
MD5 hash:	CCDB29C0D8E287CAD8644E0ADFD56178
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.2933396914.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.2933396914.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.2933396914.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.2933396914.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.2%
Total number of Nodes:	215
Total number of Limit Nodes:	9

Executed Functions

Function 010E7340 Relevance: 4.7, Strings: 3, Instructions: 970
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRkq, xrefs: 010E73D0
\skq, xrefs: 010E75DF
LRkq, xrefs: 010E7EFC

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$\skq
API String ID: 0-3619136892
Opcode ID: 8aa278a268666a2218f180b71ccbcaed05025c78bbed16377a6b4271b1467f0f
Instruction ID: 2b09e4240405e44b52687047e0c896aa753d07e82654639ddcef8c89da2f0b2c
Opcode Fuzzy Hash: 8aa278a268666a2218f180b71ccbcaed05025c78bbed16377a6b4271b1467f0f
Instruction Fuzzy Hash: 86828C75E002298FCB15CF6AD984AADBBF2FF88300F14C5A9E449EB255DB349941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010E732E Relevance: 2.9, Strings: 2, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRkq, xrefs: 010E73D0
\skq, xrefs: 010E75DF

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: LRkq$\skq
API String ID: 0-3259353708
Opcode ID: b877433f77677279d6c66038cee44b08c5b2cfa41e99665642a6ead283fc688b
Instruction ID: ebb03ce29860e462592b63a017ab52bc78cd61a8e54009d81f006e5646d10876
Opcode Fuzzy Hash: b877433f77677279d6c66038cee44b08c5b2cfa41e99665642a6ead283fc688b
Instruction Fuzzy Hash: 0FE18E75E012298FDB14CF7AD984AAEB7F2BF88301F118569E446EB354DB34A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010E7000 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

\skq, xrefs: 010E7185

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: \skq
API String ID: 0-1461930697
Opcode ID: 64d4e7933055813b3072f8d7a0b64472003ee5d226c8125633c8df484e30fcee
Instruction ID: 09e1b406e1e3c71636f8658fba7966d7a43e2876d442c4593f31a7198fcf9e20
Opcode Fuzzy Hash: 64d4e7933055813b3072f8d7a0b64472003ee5d226c8125633c8df484e30fcee
Instruction Fuzzy Hash: 57811CB8E4020E9FDF54CFAAD884AADBBF1BF48300F10A655D406EB295DB319A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010E8811 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

, xrefs: 010E886E

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b5c847ba6d116384994f9ec6a3d9c9a85ed08de3d4c8d1d3a32a8c1ca1b3a200
Instruction ID: 97902a5a23a040c9c068ffccb659234c35532b80fe01bdb2b22dc92fc5cc8a07
Opcode Fuzzy Hash: b5c847ba6d116384994f9ec6a3d9c9a85ed08de3d4c8d1d3a32a8c1ca1b3a200
Instruction Fuzzy Hash: 3631AC31F501198FCB09CB7DD9846AEBBF2AFC821671985BAE505D7359EA34EC428780

Uniqueness

Uniqueness Score: -1.00%

Function 010E8430 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bda63379c923d3385159da277070d4e16f6a1a368c871693bbfc527f666c2f5
Instruction ID: 4a4975902deb28f5ba93d077ea8ca19dcbaa6414c02d712cea78456a69b2d7b3
Opcode Fuzzy Hash: 0bda63379c923d3385159da277070d4e16f6a1a368c871693bbfc527f666c2f5
Instruction Fuzzy Hash: C3817132F105158FD754DB69D894A9EB7E3AFC8710F1AC069E449EB369DE34EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 010E84D1 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d61187ce9bbda943d2d0817d92a21152e425f9f2478946308aa49ea3d450bea
Instruction ID: 872aa36f6f0a0c6771f51cc65c106cf543e0797c5f41aaf177762f1faf7a289d
Opcode Fuzzy Hash: 0d61187ce9bbda943d2d0817d92a21152e425f9f2478946308aa49ea3d450bea
Instruction Fuzzy Hash: 99613032F105258FD754DB69C884A9EB7E3AFC8710F1AC169D449AB369DE34EC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 012A4758 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f0109a3e6ca744c4f2f1f8eb8f609b30d88abadd221a32e86ffa834263a353
Instruction ID: 6c7796713905a29c3c1f144aa77ef72b9333ae408ed3c9b64eca0fa03ad2e54b
Opcode Fuzzy Hash: b0f0109a3e6ca744c4f2f1f8eb8f609b30d88abadd221a32e86ffa834263a353
Instruction Fuzzy Hash: CB713371D25259CFEB28DF66DC017E9BBB6BF89300F14D1AAD409A6250EBB05A81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 012A1565 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 012A17A6

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7526a7da2af40cdccdb417770be00515688ed8c871df94d266ad3ab26c0b0294
Instruction ID: e810dc86d695306e86cfbf398a0ed294235c7ed87560f29bac96701f67f532df
Opcode Fuzzy Hash: 7526a7da2af40cdccdb417770be00515688ed8c871df94d266ad3ab26c0b0294
Instruction Fuzzy Hash: 32A16C71D1021ACFEB14CFA9C841BEDBBB2BF48720F5881A9D908E7250DB749995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 012A1570 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 012A17A6

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a1f127e81dd49fd12821909679e6d9c301872e70499e5f85e9c32b0f22394885
Instruction ID: 7d8a012e4f083687ac76f0855cf6d29450800982e60dfc6d0b1db72c24f91481
Opcode Fuzzy Hash: a1f127e81dd49fd12821909679e6d9c301872e70499e5f85e9c32b0f22394885
Instruction Fuzzy Hash: 9C916C71D1021ACFEB14CFA9C841BEDBBF2BF48720F5881A9D908A7250DB749995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010ED397 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 010ED5FE

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a4f25ec321adc195a10141fec663b7a6bf10c202649558833f62ac539051b613
Instruction ID: ba0f53cd8f3b8c362e0a5e5ef307ac284e1557cd7d15ba2245e0f89f649a75a1
Opcode Fuzzy Hash: a4f25ec321adc195a10141fec663b7a6bf10c202649558833f62ac539051b613
Instruction Fuzzy Hash: 688156B0A00B058FD764DF6AD04979ABBF1FF88304F00896DD48ADBA50DB75E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010E58EC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010E59A9

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1365f983288d60dbdf7aca198f26ad229b8d3ee1031e7d759ce5b59aff62a84b
Instruction ID: a09af0159e3104a51f46ddd04eb8473929b60333ec0aca7b73b0e04fe8f09ce8
Opcode Fuzzy Hash: 1365f983288d60dbdf7aca198f26ad229b8d3ee1031e7d759ce5b59aff62a84b
Instruction Fuzzy Hash: AA4115B4C00719CEDB24CFAAC884BDDBBF1BF49304F24809AD449AB255DB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010E44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010E59A9

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fccea23be9a571e346f0d2bba49409fafbebe64a7ae744702cdf961ae5dab83e
Instruction ID: 4522f4a82b3f78c601124f616a4f46b364bd1eb560fb094f131ff3a7e2b5b959
Opcode Fuzzy Hash: fccea23be9a571e346f0d2bba49409fafbebe64a7ae744702cdf961ae5dab83e
Instruction Fuzzy Hash: 874102B0C0071DCFDB24CFAAC888A8DBBF5BF48304F2484AAD409AB251DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A0EE0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 012A0F78

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ae252501b505a9fddb48b9af13eb9b35fc5f9c5d73ca2c3b1931317a1a9b4cca
Instruction ID: 6e949911a8473b46251922cd77e6e6be6c0ba00be3c0732055443ac753644e9d
Opcode Fuzzy Hash: ae252501b505a9fddb48b9af13eb9b35fc5f9c5d73ca2c3b1931317a1a9b4cca
Instruction Fuzzy Hash: EA215AB1900359CFDB10CFA9C885BEEBBF5FF48310F14842AE959A7250C7789545CB65

Uniqueness

Uniqueness Score: -1.00%

Function 012A0EE8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 012A0F78

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1f62b8fab014fea913f6a7009a78e6979c5f0283ce85f5d472c24fbbbc550d9e
Instruction ID: e31868aa9f37d490febe4b9fb4f6e3a5775c7acb1878d90f4b075addd39bfb07
Opcode Fuzzy Hash: 1f62b8fab014fea913f6a7009a78e6979c5f0283ce85f5d472c24fbbbc550d9e
Instruction Fuzzy Hash: B22157B1900349DFCB10CFA9C884BDEBBF5FF48320F10842AE958A7250C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 012A0D48 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 012A0DCE

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 859d88bf4ff4a4e3202bd8a19600eb70da6d7aef699e9026a73381adc776d533
Instruction ID: d14fc7ff1120fb5e3c4005024abcdd99576d52f81c199a9301a1bb75e90867b2
Opcode Fuzzy Hash: 859d88bf4ff4a4e3202bd8a19600eb70da6d7aef699e9026a73381adc776d533
Instruction Fuzzy Hash: F52148B1D103098FDB10CFAAC4857EEBBF4EF88324F50842AD559A7250C7789985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 012A0FD1 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 012A1058

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 157e48105f9cdb134bdf8689e2c1958be898a81c8fc9733b887c234fa43ef1fd
Instruction ID: ae37c240e58c32db569a365b42656773e25b6fa9f86cbce32e26b54026fb5d5a
Opcode Fuzzy Hash: 157e48105f9cdb134bdf8689e2c1958be898a81c8fc9733b887c234fa43ef1fd
Instruction Fuzzy Hash: 6D2148B1900359DFCB10DFAAC884AEEFBF5FF48320F50842AE959A7250C7749554CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010EDD90 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010EFC46,?,?,?,?,?), ref: 010EFD07

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9bb052c8b5eff7d1fe760cbd80e6da8a203b91ec554ed564bea22beee0183eb3
Instruction ID: 988ad6254e7d6fdb47a1b580903ab09933e000b9bf4002f41c7e0bb12743cd76
Opcode Fuzzy Hash: 9bb052c8b5eff7d1fe760cbd80e6da8a203b91ec554ed564bea22beee0183eb3
Instruction Fuzzy Hash: 242105B59002499FDB10CF9AD984ADEFFF5EB48310F24801AE954A7310D374A950CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 012A0D50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 012A0DCE

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fc5f763ef3b06b2c6cb76d815e310a90462e2d67fb187bda44e24924c14673da
Instruction ID: b329a344e6178e0cfda9016ea54ccb54dc6f75187baa3dfdc1a533708c88324b
Opcode Fuzzy Hash: fc5f763ef3b06b2c6cb76d815e310a90462e2d67fb187bda44e24924c14673da
Instruction Fuzzy Hash: 262149B19003098FDB10DFAAC4857EEBFF4EF88324F54842AD559A7250C778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 012A0FD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 012A1058

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ffa52b358506b262e175666f7893ac93360ab58a8b56c65e66300bdb2b810063
Instruction ID: 55d56ca68e167023927d61233c3a4e265b75a8726a910862121d941321d1f6f3
Opcode Fuzzy Hash: ffa52b358506b262e175666f7893ac93360ab58a8b56c65e66300bdb2b810063
Instruction Fuzzy Hash: E62139B1900359DFCB10DFAAC844AEEFBF5FF48320F508429E959A7250C7749554CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010EFC78 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010EFC46,?,?,?,?,?), ref: 010EFD07

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc6aee020d459c93de36cfa044230c91f25acf32f104c75edf1f8671160979ba
Instruction ID: 75d9056bfac9bc8d4be89e3fbca1436186b03804f8434928e80dc51a46ef2bb9
Opcode Fuzzy Hash: fc6aee020d459c93de36cfa044230c91f25acf32f104c75edf1f8671160979ba
Instruction Fuzzy Hash: 6E21F2B59002499FDB10CFAAD984AEEBFF5EB08310F24845AE958A7321D374A940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 012A0E20 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 012A0E96

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c6db77373dbdde03cc385316c08ebaa4592c4a3bbf551324cf5bcdd6987a3cb2
Instruction ID: 12bc39bbf0d7de1004867572209b62bbe12c57efbdb0a3e8b007c02b1c4272d2
Opcode Fuzzy Hash: c6db77373dbdde03cc385316c08ebaa4592c4a3bbf551324cf5bcdd6987a3cb2
Instruction Fuzzy Hash: E6115972900249DFCB10DFAAC944BEEBFF5EF88320F248419E555A7260C7359940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010EC768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,010ED679,00000800,00000000,00000000), ref: 010ED88A

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4b48eaa003492288f8021bc49a02412cdeb61671e69f6e2bbf9bcf480674698b
Instruction ID: b9b1d76c575201b66794f59b779f873ce25c599549f802cb4bc0327ab126fad5
Opcode Fuzzy Hash: 4b48eaa003492288f8021bc49a02412cdeb61671e69f6e2bbf9bcf480674698b
Instruction Fuzzy Hash: B11126B6D003489FDB14CF9AC948ADEFBF4EB48320F10846AD559A7210C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 012A0E28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 012A0E96

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 87e5be6f14ed7c2355a2feae4857f1672adbbbadce6c77770d9f0622e3cbbabb
Instruction ID: 80e87c164b3cf68faebb49cb6b202c3fb377fffc69f613b02f427319a93e7389
Opcode Fuzzy Hash: 87e5be6f14ed7c2355a2feae4857f1672adbbbadce6c77770d9f0622e3cbbabb
Instruction Fuzzy Hash: A91126729002499FCB10DFAAC944ADEBFF5EB48320F248819E555A7260C775A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 012A0861 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 012A08CA

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ab661239187d145e91d491dcc5c6b0324c64677285959810ae8877c74969a386
Instruction ID: de13237fab50ac9f4c9f82ad49aae63103c9c3eca1c1e974bb81c0b00f172bc1
Opcode Fuzzy Hash: ab661239187d145e91d491dcc5c6b0324c64677285959810ae8877c74969a386
Instruction Fuzzy Hash: 8E1137B1D002498FCB14DFA9C8457EEFBF4AF88324F248829D555A7650C738A544CF94

Uniqueness

Uniqueness Score: -1.00%

Function 010ED819 Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,010ED679,00000800,00000000,00000000), ref: 010ED88A

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5b718549031e4eb69801c3117cbc93754a3213eff12df9a071b137ded9b96f89
Instruction ID: c326f0ce798e4d0df88a9e3e7c2c010030c75a5676d25c561011b82c176a0fa1
Opcode Fuzzy Hash: 5b718549031e4eb69801c3117cbc93754a3213eff12df9a071b137ded9b96f89
Instruction Fuzzy Hash: C01134B6C003488FDB14CF9AC548ADEFBF4EB48320F14846AD959A7210C379A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 012A0868 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 012A08CA

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0a4ee80afe79a6bf35264d4289fc106079fc564791592122e7cf73d3d7a33ae7
Instruction ID: ddb254c5ee80c68a16ef34e4fda9e93cf083c74c4b48215dcb3c5228b295d512
Opcode Fuzzy Hash: 0a4ee80afe79a6bf35264d4289fc106079fc564791592122e7cf73d3d7a33ae7
Instruction Fuzzy Hash: 45113AB1D003498FDB14DFAAC4457DEFBF4EB88324F248829D559A7250C775A544CF98

Uniqueness

Uniqueness Score: -1.00%

Function 010ED598 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 010ED5FE

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6e38ab4b279390facac3f8f7d2918c51545ac0956a474ace129fcd804360d04b
Instruction ID: 22e34cdad4bdeb3081aad22bedc81190e4019ca1be1a78ee10aa90eb08a9b66e
Opcode Fuzzy Hash: 6e38ab4b279390facac3f8f7d2918c51545ac0956a474ace129fcd804360d04b
Instruction Fuzzy Hash: 191122B6C003498FDB10CF9AC848ADEFBF4EF88324F10846AD859A7610C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012A5919 Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 012A5945

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c53f08df200a0cf54a205fbc87544a70cfe0b7d01c098637f01c07b814911845
Instruction ID: a7ec771e64391682838c6e72202cb8122ab080be8ee19b1da548b58357e8d664
Opcode Fuzzy Hash: c53f08df200a0cf54a205fbc87544a70cfe0b7d01c098637f01c07b814911845
Instruction Fuzzy Hash: 9FF0E7B5800309DFDB10CF89D444BDEBBF4EB48324F10841AE559A7210C375A594CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746219174.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fcb6fb83ff8fd004dddd6029baf4d923fa7a3c78eeef9e9903283c5793892b
Instruction ID: a053d95d6b0b92a61337410774579f7804fb389b040902e4695184aea9b56098
Opcode Fuzzy Hash: f3fcb6fb83ff8fd004dddd6029baf4d923fa7a3c78eeef9e9903283c5793892b
Instruction Fuzzy Hash: 01213771508240EFCB05DF14EDC8B27BF65FB98318F20C569E8095B256C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746219174.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5fe7f6c16ff749fb6012b6e043bf18f9ba53723f70895e82c4af26e9c26e3c
Instruction ID: 754cb8568b403c4cd182a901b411dc7676a6b61f4fdea7e12c27543662cb4a10
Opcode Fuzzy Hash: 3d5fe7f6c16ff749fb6012b6e043bf18f9ba53723f70895e82c4af26e9c26e3c
Instruction Fuzzy Hash: 5A213771508204DFDB05DF14EDC8B2ABF65FB98328F20C169E9095B256C336E856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746263066.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3899513ee9e24906a5d62b58ffaa354579abd6dbd7d1ba264c1105e3d2387d3b
Instruction ID: bb0b83bbb304a4f99ba8bd12b26ecb24997b8a1cdeffec7bf95bb5a9887ead05
Opcode Fuzzy Hash: 3899513ee9e24906a5d62b58ffaa354579abd6dbd7d1ba264c1105e3d2387d3b
Instruction Fuzzy Hash: FC212971548304DFCB04DF54E9C4B16BB65FB94318F20C56DE8095B366C3B6D846CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746263066.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9282064178758bc62402a70ecb47ee6d9f10896dd51401f164a95f04a30f73
Instruction ID: 2bd4ec3892e04f8fcea28390ad8970b9e78b11edf460b9306d494c8e297fb27b
Opcode Fuzzy Hash: ce9282064178758bc62402a70ecb47ee6d9f10896dd51401f164a95f04a30f73
Instruction Fuzzy Hash: 2B210471608200DFCB14DF14E9C4B26BFA6FB84318F20C56DD80A5B396C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746263066.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b94599b01788595bb2177a67f003f7a866502216f715daa2e07db1e370a68ef
Instruction ID: adb6b0bf64ec70dded88b1d22e990cdd1801fd421b2966916b7e00c5b5dbe626
Opcode Fuzzy Hash: 6b94599b01788595bb2177a67f003f7a866502216f715daa2e07db1e370a68ef
Instruction Fuzzy Hash: 7821837550D3808FCB02CF24D994715BF71EB46314F28C5EAD8498F2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E3D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746219174.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 5ef47d6b489b8f543017d49d86300702a16d40700cfbe5d93199277d323aa85b
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 9811E676504280DFCB16CF14E9C4B16BF71FB94328F24C6A9DC494B656C336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746219174.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e3d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: fccfd203ef65d855980b47aeefe8fe0bb93abf8b86b91b30d17630bd30eb301f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 34110372404240CFCB12CF10E9C4B16BF71FB94328F24C2A9D8090B256C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746263066.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e4d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 558123e1d08481526792ed3ba4debd76c3546bb78a4bd48dadc4666095572f27
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B111D075508240DFCB01CF50D9C4B15BF61FB44318F24C6A9D8094B666C37AD80ACB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 012A7178 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851eeb4574c489b95bd7ff39bf8ef80818f9613c8ff255fdb0a9123616fc3b02
Instruction ID: 522141e7ce17f968df0df95fee95a54cb283b915c6801b001d83764ae5c62061
Opcode Fuzzy Hash: 851eeb4574c489b95bd7ff39bf8ef80818f9613c8ff255fdb0a9123616fc3b02
Instruction Fuzzy Hash: 01D1BE317107428FEB29EB7AC550BAEBBF6AF89700F54446DD6468B290DB36E801CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012A0918 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d8e1dd8eca9f418dfdbe17ac70d740d8bfa8cc669672c9b3dd4e3551872f00
Instruction ID: 17b0288a1f508ac710261e9231a280f29248917c1fcce44ffc91457cd6654292
Opcode Fuzzy Hash: 60d8e1dd8eca9f418dfdbe17ac70d740d8bfa8cc669672c9b3dd4e3551872f00
Instruction Fuzzy Hash: 53E10A74E101198FDB14DFA9C6909AEFBF2FF88304F249169E518AB356DB30A941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 012A0040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033965a016abfd5660e094aa855ef197d15592869566c1f1061a1c8dae8cd515
Instruction ID: 95bcc6218f10813f54841bf36c52668d7db26a4e9ef417c9ba52ebfcc03f37c9
Opcode Fuzzy Hash: 033965a016abfd5660e094aa855ef197d15592869566c1f1061a1c8dae8cd515
Instruction Fuzzy Hash: 23E1E674E102198FDB14DFA9C5809AEFBF2FF89304F249169E518AB356DB30A941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 012A001E Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446c63b6254bb0562a5ab11d6b47e530569446df31a6f44a20365dd54ba492f7
Instruction ID: a24c53213213635d7d259fcfef4955e461bead581b2c7b6fe77c86d65fc528d4
Opcode Fuzzy Hash: 446c63b6254bb0562a5ab11d6b47e530569446df31a6f44a20365dd54ba492f7
Instruction Fuzzy Hash: 24515D70E142598FCB14CF69C9815AEFBF2FF89304F2481AAD418AB216D731A941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 010E7878 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747067339.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef1c4c8ce7de3a95db06e2c8abf9bba47e8955ec7c83ac9ab2c9457974c600b
Instruction ID: 8a6e9a96201f1686ed2babe3843e2bf8b1d73e4334f86110cfe35656e9d7a539
Opcode Fuzzy Hash: 7ef1c4c8ce7de3a95db06e2c8abf9bba47e8955ec7c83ac9ab2c9457974c600b
Instruction Fuzzy Hash: F2414879E5400E8FDF14CFAAE585AADF7F1BF48300B54E219E016EB284CA35A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 012A4749 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747446431.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1969a38fd63d76da11792c6af1b362212a3f64d4758d5524057d6c2fc3c617e
Instruction ID: 5c4aa697f1f64f82bcc6d87806273585e52e8d044fad81f0ed0fb4dcc4b6bbe1
Opcode Fuzzy Hash: b1969a38fd63d76da11792c6af1b362212a3f64d4758d5524057d6c2fc3c617e
Instruction Fuzzy Hash: C321E571D156A88BEB18DFAB9C053DDBAF6AFC9300F08C1AAC40CA6254DBB446468E40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BKG#SGN2106728.PDF.exePID: 332, Parent PID: 6768COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	5

Executed Functions

Function 06D43468 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D43B9C
$kq, xrefs: 06D43B90
$kq, xrefs: 06D43B73
$kq, xrefs: 06D43BC0
$kq, xrefs: 06D43BB4
$kq, xrefs: 06D43B67

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: ad6b61f035230d1b212f72f47769a7044beb245f27d86997a01f81e42b0ca98f
Instruction ID: 1b9b0f00acf92ef9d53effca8cee6dbea91d6f75191e53ef69a5e2c10a989f98
Opcode Fuzzy Hash: ad6b61f035230d1b212f72f47769a7044beb245f27d86997a01f81e42b0ca98f
Instruction Fuzzy Hash: DC322131E1061A8FCB14EF79C99459DB7B2FFD9300F21866AD409A7264EB34ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D47D40 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D482E7
$kq, xrefs: 06D482DB

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 8cfa16eeaf11f43e8173df76c41df0b6200f9763bc4886e1f65274704671bca8
Instruction ID: bca62d3949e6087222894a4eccef5288359f96cdac0086db6416ca15e92b8cc5
Opcode Fuzzy Hash: 8cfa16eeaf11f43e8173df76c41df0b6200f9763bc4886e1f65274704671bca8
Instruction Fuzzy Hash: 8D029E30B006059FCB64EF69D690AAEB7F2FF84340F148569E406AB395DB75EC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D465C0 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc77ffd0e8928c908591c5bfdad11ad452b8ea8fdf1f513533c2db47a8ce1da
Instruction ID: 5bc32195e8a519061f0e8ecd622adc3b1bb3c03feb4f528fff46b574b4bbfeec
Opcode Fuzzy Hash: 9fc77ffd0e8928c908591c5bfdad11ad452b8ea8fdf1f513533c2db47a8ce1da
Instruction Fuzzy Hash: 34626B34F002458FDB64EF69D594AADB7F2EF89314F148469E406AB394DB35EC85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D455A8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feddd847f570cfe5ba4a5785c5643cb768c6a281100ae4aea531723469ead03a
Instruction ID: 89b03db2a581558d5400ec4315891d2de5f6c5c424ff5f807bf880187d3ba1a3
Opcode Fuzzy Hash: feddd847f570cfe5ba4a5785c5643cb768c6a281100ae4aea531723469ead03a
Instruction Fuzzy Hash: 2412F075F102159BDF64EB64E9806AEB7B2FF85310F248439E956AB394CB34EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D4B1F8 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbd090ac16c125b2bb7cf22b362480d8a6f045a3fc246e8b922a0fc9978300d
Instruction ID: cddcc73d4c84167da8a01651b8f41742a3b4a61c48c7a8184226a1c9d89c0701
Opcode Fuzzy Hash: 3cbd090ac16c125b2bb7cf22b362480d8a6f045a3fc246e8b922a0fc9978300d
Instruction Fuzzy Hash: 96228070E002098FDF64EB68D5807AEB7B5FB59310F24882AE449EB395DB35DC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06D4ACA0 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D4ADC1
$kq, xrefs: 06D4AE43
$kq, xrefs: 06D4AE4F
$kq, xrefs: 06D4AE6C
$kq, xrefs: 06D4AE78
$kq, xrefs: 06D4AE20
$kq, xrefs: 06D4ADCD
$kq, xrefs: 06D4AE14

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 720e0dd7a1e1620484ccb8fa4fe53d50ba9a92feef20938114801aa9d04af58f
Instruction ID: 786d90331c17194d963dc1c0536274f3d111170abf92a22ac756ccdc3cf8851f
Opcode Fuzzy Hash: 720e0dd7a1e1620484ccb8fa4fe53d50ba9a92feef20938114801aa9d04af58f
Instruction Fuzzy Hash: E5E15F70F1020A8FDB65EF69D5906AEB7B2EF85300F14852AE415EB358DB35DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D4B620 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D4BB8B
$kq, xrefs: 06D4BB4B
$kq, xrefs: 06D4BB7F
$kq, xrefs: 06D4BB57
$kq, xrefs: 06D4BBB3
$kq, xrefs: 06D4BBBF

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: dd134489cf08c71549ff03c8d5ffa77b24f82e6314be5392bc4aa0bcc8a4e1a5
Instruction ID: b66ae270fbf5c9d5e23dce78fd36f3070087733125f24f77bed3c6f436faecaa
Opcode Fuzzy Hash: dd134489cf08c71549ff03c8d5ffa77b24f82e6314be5392bc4aa0bcc8a4e1a5
Instruction Fuzzy Hash: C9027C70E102098FDBA4EF68D580AADB7B2FF64310F24896AE455EB355DB35DC81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06D49110 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D4919E
$kq, xrefs: 06D49192
$kq, xrefs: 06D49157
$kq, xrefs: 06D49163

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: f01ce15864c151115aa7f83f51cbbdcd7193cfae1d369829d591666210a24eaf
Instruction ID: 08123defcc209184d1a90a905fd2688e215512060a581ae21e01cf7985512082
Opcode Fuzzy Hash: f01ce15864c151115aa7f83f51cbbdcd7193cfae1d369829d591666210a24eaf
Instruction Fuzzy Hash: 4E915170F1060A8FDB64DF65D960BAFB3F6EF84240F108969C409AB394EB79DC518B90

Uniqueness

Uniqueness Score: -1.00%

Function 06D4CF18 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D4D323
$kq, xrefs: 06D4D317
$kq, xrefs: 06D4D30F

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: cdf81ad2372ed3451fd6fafb7b371676a399506970a41c1bcdaac036e76dc57a
Instruction ID: 5ad1132a6101f530bd61b1e1df5d548daff1e645f1928b9aa86ea45e97806079
Opcode Fuzzy Hash: cdf81ad2372ed3451fd6fafb7b371676a399506970a41c1bcdaac036e76dc57a
Instruction Fuzzy Hash: AD620074A002068FCB55EF68D690A5EB7F2FF84304B248679D4059F369DB79ED86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D44B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fpq, xrefs: 06D4527D
\Opq, xrefs: 06D44D27
XPpq, xrefs: 06D44C9D

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 0f88b34a5cd4fb17178882a8ee21e41803253beebe53e276b136b9ac79c8e192
Instruction ID: 3ec235913415be4ddf676ae089ecdc7da6f1f0ba85cc56ec503389650d1c8f05
Opcode Fuzzy Hash: 0f88b34a5cd4fb17178882a8ee21e41803253beebe53e276b136b9ac79c8e192
Instruction Fuzzy Hash: 2C613170F002099FEB549FA5C9547AEBAF6FF88300F20852AD506AB395DF758C45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06D4A373 Relevance: 2.7, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x!@, xrefs: 06D4A537
X!@, xrefs: 06D4A516

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: df4384d1d75e757ca3858f917a6debc7e8bf8648137786e6aef8b2d19dfd5384
Instruction ID: 0fbcde79bd41287ac01e33db733b3e9b3b41ad7596d23942249758802bfc6406
Opcode Fuzzy Hash: df4384d1d75e757ca3858f917a6debc7e8bf8648137786e6aef8b2d19dfd5384
Instruction Fuzzy Hash: 8F718D71F102099FDB54EFA9D9806ADB7B2EB88310F148479E50AEB358EB35DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D490FF Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D49192
$kq, xrefs: 06D49157

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 228b61c4fb1ab3158654573ea4d900246a93a2025e3998d7b49f5dcf476e40ff
Instruction ID: 5e30af3d26b2745c6aa109d09eea4da1866f0a8500358812bf8cb4848998850a
Opcode Fuzzy Hash: 228b61c4fb1ab3158654573ea4d900246a93a2025e3998d7b49f5dcf476e40ff
Instruction Fuzzy Hash: 10515E70F105068FDB64DF75D960BAF73F6EB88640F508869C40AEB399EA78DC118B90

Uniqueness

Uniqueness Score: -1.00%

Function 014A8168 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 014A81E0

Memory Dump Source

Source File: 00000009.00000002.2928547371.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14a0000_BKG#SGN2106728.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0a82ce147e19dca890aa35385d36fde7d4941a5444b5d270eb7a072c6b3ebefe
Instruction ID: 05302a55ca551df8f00fc8be9e330272e737986c351cfdd33026cfd44ea70ac3
Opcode Fuzzy Hash: 0a82ce147e19dca890aa35385d36fde7d4941a5444b5d270eb7a072c6b3ebefe
Instruction Fuzzy Hash: 532134B1C0065A9BCB24CF9AC444BDEFBB4FB48320F11812AE858B7751D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014A8170 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 014A81E0

Memory Dump Source

Source File: 00000009.00000002.2928547371.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14a0000_BKG#SGN2106728.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 78450e4e4f4ff1f495d74379f94851bd0395439fe6cf6ba6fd4b914ec0e8d16f
Instruction ID: ec5eff738879f2c89528f2892d35e876a2c7a9f1ce6fe539c4512b77757b27c3
Opcode Fuzzy Hash: 78450e4e4f4ff1f495d74379f94851bd0395439fe6cf6ba6fd4b914ec0e8d16f
Instruction Fuzzy Hash: 361133B1C0061A9BCB14CF9AC444BAEFBB4FB48320F11812AD858B7351D738A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014AF0F0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 014AF157

Memory Dump Source

Source File: 00000009.00000002.2928547371.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14a0000_BKG#SGN2106728.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 85cb19143cb294bbbdd593b2964173b444c22e4b2af0377e8ca4814c394c1747
Instruction ID: 2dd15ebf201c6fe92a7e8e49ab8b6467dd0793cc18e2262ede721e6d55da439f
Opcode Fuzzy Hash: 85cb19143cb294bbbdd593b2964173b444c22e4b2af0377e8ca4814c394c1747
Instruction Fuzzy Hash: 50111FB1C002699BCB10CFAAC444BDEFBF4AB48320F11816AD818B7251D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D44B60 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

XPpq, xrefs: 06D44C9D

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 323584450fc470cd6631639ba7820d63899230ecd589b51a69f105ee5b8a57cd
Instruction ID: ebaa040b14f591dec79a6bdcb18747000f1b873a589ddbf400755259d8b9efff
Opcode Fuzzy Hash: 323584450fc470cd6631639ba7820d63899230ecd589b51a69f105ee5b8a57cd
Instruction Fuzzy Hash: F4416270F002099FDB54DFA9C954B9EBAF6FF88300F20852AE505AB3A5DB758C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D4DA8D Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06D4DBE9

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: c60deb469f081d7a072b0bc40af23f4923dbd408b35b6eb6cdce23cc0dec88a6
Instruction ID: 4edf4b4fcd6cd20db91dece33e903a8443fe1cb6682be714be09e52f1e05578f
Opcode Fuzzy Hash: c60deb469f081d7a072b0bc40af23f4923dbd408b35b6eb6cdce23cc0dec88a6
Instruction Fuzzy Hash: B9419D70E0020A9FDB65AF65C58469EBBB6FF85300F20852AE406EB354DB75DC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06D421D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06D4230B

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 3c4d8769b0d5320228c28f66ee6a0880f68545533f219e1c59ca164b0d8e0a65
Instruction ID: 5c7eff8e022d95a5904bbb3e78bb2f987b80796dd7d77ffffec11fe1438e18b7
Opcode Fuzzy Hash: 3c4d8769b0d5320228c28f66ee6a0880f68545533f219e1c59ca164b0d8e0a65
Instruction Fuzzy Hash: 1131DE70B102058FCB69AB78D65466F7AE6AB89340F20443CE406EB399DF39DE41C790

Uniqueness

Uniqueness Score: -1.00%

Function 06D482B6 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D482DB

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: 482dd299f433c6c225e07e5cadfa794a6921a4b481d5c53652776c69dd782918
Instruction ID: 64bd6b3d216497bce2b1a2c6d1c0286df7b902e3c046f431219b3a2e79bca1f5
Opcode Fuzzy Hash: 482dd299f433c6c225e07e5cadfa794a6921a4b481d5c53652776c69dd782918
Instruction Fuzzy Hash: 21F0A936F00641CFEF74AF48EA843B973B0EB516D6F1800B2DA01E7151DA38DE05E650

Uniqueness

Uniqueness Score: -1.00%

Function 06D44A59 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Opq, xrefs: 06D44A65

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: \Opq
API String ID: 0-3546586535
Opcode ID: 45a259e0ba93c08425c345fec18b2db5b2c533e6fe59b3bd388b19b2bf2402d2
Instruction ID: 1e811f38669c07cfab52d46f12b24fc229c551f81b3a7983940d6eb385f6ac6e
Opcode Fuzzy Hash: 45a259e0ba93c08425c345fec18b2db5b2c533e6fe59b3bd388b19b2bf2402d2
Instruction Fuzzy Hash: 29F0FE70A14229DFDB14EF94E859BADBBB2FF44704F244129E502A7294CB745C45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06D4C158 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5159d9825326a259571422d868906d2b949234ba805357814c998181be704c
Instruction ID: fde55707562572604154801c94a0fbb34186877a630244e43e1e6acefea3ea0b
Opcode Fuzzy Hash: 5d5159d9825326a259571422d868906d2b949234ba805357814c998181be704c
Instruction Fuzzy Hash: 1D325E74F112059FDB64EF68D680BAEB7B2EB88310F108529E505EB395DB39EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D461B8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56416292cd35e3427f987821b15d1fe15a7f74d26f759ecdacdb7fd7a9ed378
Instruction ID: a4cfe50f0d50a009907aac91365e2013bea7e924ff2d7a4cc4d0f82336ec53ce
Opcode Fuzzy Hash: b56416292cd35e3427f987821b15d1fe15a7f74d26f759ecdacdb7fd7a9ed378
Instruction Fuzzy Hash: C561B2B1F001214BCF65AB7EC88066EBAEBAFD5610B154439E80BDB375DE69DC0287C1

Uniqueness

Uniqueness Score: -1.00%

Function 06D442A1 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a9b92d8b204b9cf660da2e6c0105cbcb008efb646696f5cbf51098019255c8
Instruction ID: bc0eac18b2eaf9ab799f6eb008de029c5dc9c755a33e298dc0128ab2f56efa60
Opcode Fuzzy Hash: d9a9b92d8b204b9cf660da2e6c0105cbcb008efb646696f5cbf51098019255c8
Instruction Fuzzy Hash: 87812E70B006058BDF54DFA9D5947AEB7F6EF88700F108829E50AEB395EB74DC828B51

Uniqueness

Uniqueness Score: -1.00%

Function 06D445C4 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3e53285f0c17ee3daa3c204f268e18d0214e911c0b2c4b7bef805b074b18ea
Instruction ID: 48d19876097fce12ab273a2e091fcdea5dd0107e6e7b036b48870c395acd0796
Opcode Fuzzy Hash: 1b3e53285f0c17ee3daa3c204f268e18d0214e911c0b2c4b7bef805b074b18ea
Instruction Fuzzy Hash: FD913C74E106198BDF60DF68C880B9DB7B1FF89310F208699D549BB295DB70AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06D445D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24acf91d2f8fa2673543a1f5195a28379b2834fbcacd1a1239a3b6360e1299e5
Instruction ID: 525e482b44f8d5e34112a3548091fbe03bb4b65eb6428b139cadfe8eee23b7e6
Opcode Fuzzy Hash: 24acf91d2f8fa2673543a1f5195a28379b2834fbcacd1a1239a3b6360e1299e5
Instruction Fuzzy Hash: AD913A74E1061A8BDF60DF68C880B9DB7B1FF89310F208599D549BB294DB70AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06D4EEE8 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ca6f890f04b9be245deaf0b45c5e5808d796f2730488bacaafa682fd0e11c1
Instruction ID: 5cefe6ab48d913561db62f62b2058c9d3de78320285c8d38984a649cac588aff
Opcode Fuzzy Hash: c6ca6f890f04b9be245deaf0b45c5e5808d796f2730488bacaafa682fd0e11c1
Instruction Fuzzy Hash: E0713B70A002099FCB54EFA9D980AADBBF6FF84300F148529D409EB364DB34EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06D4EEF8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f29dae09e64fa7c5208e4f0473cb854978139876454547b15fdfe06f516a800
Instruction ID: efab96b0ba93381aae1470a71e13bf76b37048e3c64750d37b978b26c374cff2
Opcode Fuzzy Hash: 9f29dae09e64fa7c5208e4f0473cb854978139876454547b15fdfe06f516a800
Instruction Fuzzy Hash: 28711C70A002099FDB54EFA9D980A9EBBF6FF88304F148469D409EB365DB34EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FC48 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488bf6973e6213416acc318efb5350c95a8ae374985837b9136250adc59b88d8
Instruction ID: 5be58a0db46edd0b1080a115af03b5a2da99023d61c3b498227ec6f2f9904b0e
Opcode Fuzzy Hash: 488bf6973e6213416acc318efb5350c95a8ae374985837b9136250adc59b88d8
Instruction Fuzzy Hash: D751AD71E00105DFCB64AFB8E5846AEBBB2EBC4315F208879E106E7264DB358D55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D4F9F7 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94540a59b0e976e65790db0827cec63c3ba244412caaf686a7df0120d3e6d6fd
Instruction ID: 637eb2e32c89adc06c6649f3d6523069815d80e77439f270bdd79f9021686f68
Opcode Fuzzy Hash: 94540a59b0e976e65790db0827cec63c3ba244412caaf686a7df0120d3e6d6fd
Instruction Fuzzy Hash: 6951C774B102148FEFA06B7CD994B6F265AE7C9750F10483AE50AE73F4C92DCC4547A2

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FA08 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96c5422f0ba36bc4d57549cefe82a4d8cf56b0dc7f79ab6300d4c5eef564c8d
Instruction ID: 8dfd56eeab1f9e8260c9209e8d312804aa7a19654154fc31a305786bd3c7b9b1
Opcode Fuzzy Hash: f96c5422f0ba36bc4d57549cefe82a4d8cf56b0dc7f79ab6300d4c5eef564c8d
Instruction Fuzzy Hash: F651B9B4B102048FEFA46BBCD994B2F265AD7C9350F10483AE50AE73B4C96DCC4547A2

Uniqueness

Uniqueness Score: -1.00%

Function 06D45598 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a571e80182b142032dae55621a063eaa8f0b23164b37621ec7a775870fad01c1
Instruction ID: 203eb04e88cf8d225eb8be74bea9703651a1c77ce76b5113816ec0101be6021e
Opcode Fuzzy Hash: a571e80182b142032dae55621a063eaa8f0b23164b37621ec7a775870fad01c1
Instruction Fuzzy Hash: 84517F74E1011A9BDF64EB68D480A7EFBB2FB45310F248A26E456DB681C634EC91CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06D45419 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20477d09a29fb9073531cd875c29e22b8c7b64bcea7064715675c8b6b2e509f
Instruction ID: d667b56ab80e6d91f4127fc762c462d20f1381990b6c95a29abb64a7e79a22e8
Opcode Fuzzy Hash: b20477d09a29fb9073531cd875c29e22b8c7b64bcea7064715675c8b6b2e509f
Instruction Fuzzy Hash: B0416D71E006099FDB60DFA9E881ABFFBB2EB45210F10492AE15ADB654D330EC55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06D42080 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e971e9f4521aa1a63ae06f381d841c609905c75d641bc60ed5ea9c737a6362d
Instruction ID: 3b713a89d4129b90c669cf1a8dbafb3ccea9e83976490726dc6aa34a43c47e22
Opcode Fuzzy Hash: 4e971e9f4521aa1a63ae06f381d841c609905c75d641bc60ed5ea9c737a6362d
Instruction Fuzzy Hash: E031C170E0020A9BCB55DF65D894A9EB7F2EF89300F108429F906E7350DB35ED41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06D4D940 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf3a841f3eb84ee32f0347a0eb84c372b6b11ad59e3052df37c5f094948b993
Instruction ID: 90978da35a1797034929df417f0b2a7192288a1adcc955b9098223e1d2ca2a48
Opcode Fuzzy Hash: 3bf3a841f3eb84ee32f0347a0eb84c372b6b11ad59e3052df37c5f094948b993
Instruction Fuzzy Hash: E531D270E1020A9FCF24EF69C990A9EBBB6EF85300F104529E401E7354EB75ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06D46441 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75658a29fd41ca89c2f2f0a09ab2e37a26a210030fad8f808b57de5165d08dd
Instruction ID: bdb8d52179a34d86ae6edc7fd948c89791ce14d8c23a6c8f7286d18293208c68
Opcode Fuzzy Hash: c75658a29fd41ca89c2f2f0a09ab2e37a26a210030fad8f808b57de5165d08dd
Instruction Fuzzy Hash: B9317CB1D05259AFCB10DFA9D881BDEFBB8FB09350F10816AE449E7241D3759940CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D42090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eba0049eb499ecaa139e99e5bb3faeaaab0a341ca1c8bb8b9ec02647ab391d1
Instruction ID: 7fbb00495fa6f899daa89af2ecba7d23b43f0a7876217520a45d3fd74e0da6cf
Opcode Fuzzy Hash: 5eba0049eb499ecaa139e99e5bb3faeaaab0a341ca1c8bb8b9ec02647ab391d1
Instruction Fuzzy Hash: D2317A70E1060A9BCB14DF65D994AAEB7F2EF89300F108929F906E7390DB75ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D43EA9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86826746e76822a61d01f7e924c6889bb7357a213d7d4d286a2fabb31c8eb02
Instruction ID: 55d8adb6ef7d05ee316baaed4f8ed228ce444975b7074ae8708cadb07a0a1568
Opcode Fuzzy Hash: b86826746e76822a61d01f7e924c6889bb7357a213d7d4d286a2fabb31c8eb02
Instruction Fuzzy Hash: 51218B75F112059FDB50DF7AD980AEEBBF5EB48610F11842AE905EB3A1E738DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0140D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2927935860.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf66a573f671c67b0559a9ffd435826e5b58db0c303183dd6194b00c642cc63
Instruction ID: 46f3c8b11623330446dfbfa79761bc215a2ae73d7c5acdbd95994d556d8d3c47
Opcode Fuzzy Hash: edf66a573f671c67b0559a9ffd435826e5b58db0c303183dd6194b00c642cc63
Instruction Fuzzy Hash: 4F312B7150D3C09FC703CB64D994611BF71AB47214F29C5EBD8898F2A3C27A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06D43EB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c533db03ec5cb85b38c30aa4633c4da71f80870dbdbae8d6ce4601483fe637d
Instruction ID: 548ba8d24c8d20b652f4baa949b0c4194b4472d7b4dce85a983b2c0cb5f07c18
Opcode Fuzzy Hash: 4c533db03ec5cb85b38c30aa4633c4da71f80870dbdbae8d6ce4601483fe637d
Instruction Fuzzy Hash: 23217A75F116159FDB50DF6AD980AAEBBF1EB88610F11843AE905E73A0E738DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0140D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2927935860.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c85c5a46034dc6a446e03c2e4080f842dd304985c2fc289eff2c2df931dfc7
Instruction ID: f8e971da43b59074b0e652e9b3f58e505e3ca42c7d67299882108cdbec1612a9
Opcode Fuzzy Hash: 71c85c5a46034dc6a446e03c2e4080f842dd304985c2fc289eff2c2df931dfc7
Instruction Fuzzy Hash: C82103B1904204DFCB16DF99C984B26BB65EB84318F20C57AE94D4B3A6C736D44BCA61

Uniqueness

Uniqueness Score: -1.00%

Function 0140D20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2927935860.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b996cd56fcff0baf4bf041a08db92e0605426bd9cf3bac6d9f1f356fd2227cfe
Instruction ID: ea60217e3700980142e821f430cb5dd3e6b0a8876640a30c741c0ea3298de467
Opcode Fuzzy Hash: b996cd56fcff0baf4bf041a08db92e0605426bd9cf3bac6d9f1f356fd2227cfe
Instruction Fuzzy Hash: F2210471904244DFDB02DF99D584B2BBB65FB84334F20C67ED8494B3A6C37AD44ACA61

Uniqueness

Uniqueness Score: -1.00%

Function 0140D3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2927935860.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa474603f03533c411ac9ada861dbab7cf8bade5e24be9702b73ecf1ca1e12f4
Instruction ID: 2ef0a03351cea6526adbe9f6bc8bc8d968af16dd2f91c5cfc1c183e80e76f42c
Opcode Fuzzy Hash: fa474603f03533c411ac9ada861dbab7cf8bade5e24be9702b73ecf1ca1e12f4
Instruction Fuzzy Hash: 2521F271904204DFDB06DF99D9C4B26BBA5FB84314F20C57ED90A4B3A6C376E44ACA61

Uniqueness

Uniqueness Score: -1.00%

Function 06D43458 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240a849394413faccad41ef7282855dbcfca2df6dd5079b14197fdc7db3bb747
Instruction ID: 5a37d68e43abb56ae2ff8e07bb3273e21643450b3531bc990147f0b43e2d6d34
Opcode Fuzzy Hash: 240a849394413faccad41ef7282855dbcfca2df6dd5079b14197fdc7db3bb747
Instruction Fuzzy Hash: CD21A171E002289BCB54AB6AD8405DEB7F5EB89310F154469E10AE7204DA329D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D4F921 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb723ba5568c82714db725767a047bb1fcf8bed010395116852d1783118dafb
Instruction ID: d1f1406b4fe01c8ba5538db495d9fbb8c2bde4125798a6a96efa625ac7bf48ac
Opcode Fuzzy Hash: 3eb723ba5568c82714db725767a047bb1fcf8bed010395116852d1783118dafb
Instruction Fuzzy Hash: 7111C460B202256BEF643B7D8D5472F268EC7DA750F25483BE10AE73B5C85ACC4243E2

Uniqueness

Uniqueness Score: -1.00%

Function 0140D12C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2927935860.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6457caa013caf7bb609b4b694e145766db5bf2bdf8df65ac36a6cc283197f350
Instruction ID: 196931e4686153f08a5adc025b74b14600bff1bea50303d6cb0044466691f9a7
Opcode Fuzzy Hash: 6457caa013caf7bb609b4b694e145766db5bf2bdf8df65ac36a6cc283197f350
Instruction Fuzzy Hash: 3921D371944240DFDB06DF99C984B26BB65EB84314F20C67ED9094E3A6C736D44AC661

Uniqueness

Uniqueness Score: -1.00%

Function 06D4A2D0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb8a20c1c3ab849cb3f25da06183697acf83b4a6f6f68e3bf1a0b37af4c005d
Instruction ID: 6aabbc8cb56a6afcae95db24bfff4389954b16be0ed1174a1f4cfae99e3b53c4
Opcode Fuzzy Hash: eeb8a20c1c3ab849cb3f25da06183697acf83b4a6f6f68e3bf1a0b37af4c005d
Instruction Fuzzy Hash: EF11C271B401241FCB61ABBDE890BAAB7A6EB85650F188479E10AD7244EA1ADC018791

Uniqueness

Uniqueness Score: -1.00%

Function 06D4F930 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd25bacf1bfde94fcdf7998365a4659e68218f2469380a3f0c241074ec8a110
Instruction ID: bcd563490f6a3b47fc16c306b1f05fb5b6c598669665e1a612c3a43f466819cf
Opcode Fuzzy Hash: 7fd25bacf1bfde94fcdf7998365a4659e68218f2469380a3f0c241074ec8a110
Instruction Fuzzy Hash: A7018460B20225ABEF643B6D895472F658EC7D9750F21483AE50EE73B4C96BCC8103E2

Uniqueness

Uniqueness Score: -1.00%

Function 06D44200 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7fe6161514ea1694ee3cebf0486e3ad17e05e6e8738a1aa699e5f7b8bf0c99
Instruction ID: 947395573235b887090d49001d1cf1432e75ff2ddfb6e7b55abf3f1408772aad
Opcode Fuzzy Hash: 9b7fe6161514ea1694ee3cebf0486e3ad17e05e6e8738a1aa699e5f7b8bf0c99
Instruction Fuzzy Hash: D911D630B001210FC764AA7D989075BB7DBDBC6A10F20882AE14AD7791DE25CC464391

Uniqueness

Uniqueness Score: -1.00%

Function 06D43FC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b777245e2c733ef744a6cc80d11982168925ef1fde74e4343a0f78235ebc06a
Instruction ID: bb7e508ffffb9df835cb5407d2109a91967af7c9168f37e7e303f79f88a1b3ce
Opcode Fuzzy Hash: 4b777245e2c733ef744a6cc80d11982168925ef1fde74e4343a0f78235ebc06a
Instruction Fuzzy Hash: A211A131B101244FDF64AA6DC8146AE73FAEBC8650B008539D506E7354EF79DC118BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06D43C80 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606eeff3585cb9c80494cc1a7ae34225c6c5bd1c4f03bce9c90da5636b3504e9
Instruction ID: 10f565eebcd8a73a64633b9d47dfa508a648e4ff58458b439e5ee4bac8c1f123
Opcode Fuzzy Hash: 606eeff3585cb9c80494cc1a7ae34225c6c5bd1c4f03bce9c90da5636b3504e9
Instruction Fuzzy Hash: 8021C3B5D01219AFCB00DF9AD884ACEFBB8FB48314F10812AE918A7201C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D4F168 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b297b85c4874bb1ea9f2e295afb5e11a1815341f32ac5c887cd97a52fd0ac90
Instruction ID: ab5f3c0ffb6a98e92ac237579f33c98c4323e6c86734b4dc42209e1fe19ca5f7
Opcode Fuzzy Hash: 7b297b85c4874bb1ea9f2e295afb5e11a1815341f32ac5c887cd97a52fd0ac90
Instruction Fuzzy Hash: 8F01F7B5B001510FDB65AB3DD96073A67D7DBC9650F10883AE10BC7390EA25DC024791

Uniqueness

Uniqueness Score: -1.00%

Function 06D43FB7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7aad46ccfec6cd243779f6864d8b48f2714f420d327d4d037a7383850864333
Instruction ID: c5d8dbd7fca530ce6724ef9929d505683c5eeadefa563d7d6005dae165d52cc1
Opcode Fuzzy Hash: d7aad46ccfec6cd243779f6864d8b48f2714f420d327d4d037a7383850864333
Instruction Fuzzy Hash: AD01B136B101141BDF689A6ECC246EF76FEEBC8650F044039E506E7344EE658C1287D1

Uniqueness

Uniqueness Score: -1.00%

Function 06D43054 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde69fb094673f96fb17e158aaca7af1020bc6971be9f53f9575951aa883aadb
Instruction ID: ab1e4e0af2f5d3fbc6974a413400cc7297ad0b4fa1f6f9f850c3e5c4265c4eda
Opcode Fuzzy Hash: cde69fb094673f96fb17e158aaca7af1020bc6971be9f53f9575951aa883aadb
Instruction Fuzzy Hash: DA21CEB1D01259AFCB10DF9AD884ADEFBB4FB48324F10812AE918B7241C374A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0140D207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2927935860.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 7d6cd426508758fbdf2157c36bc821a99bcf46fbb7b549e794a33906e5fe486a
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: C4119075904284CFDB12CF94D5C4B56BF61FB84324F24C6AED8494B796C33AD41ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0140D3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2927935860.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 6dd5d4074a1b7dd695d361c10b9ee719a5d0dfc87e573b9ab3f0ef2043b1e3e4
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 70118E75904240DFDB06CF54D5C4B56BF61FB44214F24C6BAD8494B7A6C33AE44ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 0140D127 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2927935860.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_140d000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: 3b57461814e244c67f381d39db9722c8d5c0301fee782e02e0df506c992af800
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: 10118E75904280CFDB16CF58D5C4B16BF62FB44214F24C6AAD8494B7A6C33AD44ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 06D44210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d192190b3c2b27640830ae34829291236e46b4fc08fc49472a02417d8a5eb0a2
Instruction ID: 84ff6ff1b3bb3211e5cd52863b888ef7b50fa50e0ae5deeaaa88d4093eb5e6e2
Opcode Fuzzy Hash: d192190b3c2b27640830ae34829291236e46b4fc08fc49472a02417d8a5eb0a2
Instruction Fuzzy Hash: 5801A431B000210BDB74ABBE9594B2FB7DBDBC9B20F108839E60AC7784EE65DC424395

Uniqueness

Uniqueness Score: -1.00%

Function 06D4F178 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a66d157d7371bfc414787d3c31fd186a4adcfc19a8ee471c427fe2a3a187010
Instruction ID: 57a8331a46b54ca15de6a5bf475ae73240f426d712ba8f53471996f7d2b350a2
Opcode Fuzzy Hash: 0a66d157d7371bfc414787d3c31fd186a4adcfc19a8ee471c427fe2a3a187010
Instruction Fuzzy Hash: 9901A4B5B100110BDB64AB3DD960B3F62D7DBC9660F10883AE20AC7390EE65DC0247C1

Uniqueness

Uniqueness Score: -1.00%

Function 06D4A2E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e63d72df92648ff9757bc98b3daa7d8203226bb413288548feee9531eed1a16
Instruction ID: 6e5cac1ba2fffbfafa1062c236e810aa025b0ed630e12ca0d081df8a151834b2
Opcode Fuzzy Hash: 2e63d72df92648ff9757bc98b3daa7d8203226bb413288548feee9531eed1a16
Instruction Fuzzy Hash: 1F01A470B105254FDB60EBBDE594B2FB3D6E789710F148838E20AC7358EA2AEC018785

Uniqueness

Uniqueness Score: -1.00%

Function 06D4C798 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d9eb7956b56305ecc7b6579c057d40b8f4b4b6263a92a2fdc061daca3ab119
Instruction ID: 15a01f312737066fbacc94360499a29cc438e1d9bd62759f988dd5abe39ae7ac
Opcode Fuzzy Hash: b4d9eb7956b56305ecc7b6579c057d40b8f4b4b6263a92a2fdc061daca3ab119
Instruction Fuzzy Hash: 0EF02479E22224ABCB64BE79DC005DAB776FBC0360F114039E951B7340DA36AC04C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FF48 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73cae4e1e6f5e3ea30c84193e0472f5935c7893593207d2a1c369b0b4f4869b
Instruction ID: 0bc0a29cc61ed5d4fd63273335be2225d5e6b9e277cb864227f40c1ae2b03bcd
Opcode Fuzzy Hash: c73cae4e1e6f5e3ea30c84193e0472f5935c7893593207d2a1c369b0b4f4869b
Instruction Fuzzy Hash: 07D02220325AE002F702B29CA810BE92F8C834B315F0040AAE80883692CEEA080503CA

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FF58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee3f8bedd354f0dc90160dc08d97c409235907b3807a23b5c203eb65b510ecc
Instruction ID: efb287b004d31c99e5a3c91f2fea26cca4b30461938fea5d4efe677bfea42612
Opcode Fuzzy Hash: 4ee3f8bedd354f0dc90160dc08d97c409235907b3807a23b5c203eb65b510ecc
Instruction Fuzzy Hash: 44B09B2172457513D90471DD641059D728D4789564F004077A50D877854DD55C4102DA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06D47660 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D477C5
$kq, xrefs: 06D47BFC
$kq, xrefs: 06D47794
$kq, xrefs: 06D477D1
$kq, xrefs: 06D47B51
$kq, xrefs: 06D47BF0
$kq, xrefs: 06D47C06
$kq, xrefs: 06D47C12
$kq, xrefs: 06D477A0
$kq, xrefs: 06D47B5D

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: 54f9d8260906be8ee84bcb68e49b9fa5f56b367b56190505df944468cb02e58b
Instruction ID: 5e18faf2724fd7584ee60ed5569529ab2cee64febafd17a10f1b95e2cf9ba041
Opcode Fuzzy Hash: 54f9d8260906be8ee84bcb68e49b9fa5f56b367b56190505df944468cb02e58b
Instruction Fuzzy Hash: B8121A70E006198FDB64EF69C954A9EB7B2FF88300F208569D40AAB365DB35DD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06D4A908 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D4AA84
$kq, xrefs: 06D4AA59
$kq, xrefs: 06D4AA65
$kq, xrefs: 06D4AA90
$kq, xrefs: 06D4AAC6
$kq, xrefs: 06D4AA0A
$kq, xrefs: 06D4AABA
$kq, xrefs: 06D4A9FE

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 50b3d7741fae99d7c4ecaa0e3f5e2bbc3c993226f1e83f2d61217f22fa037fd0
Instruction ID: 978df9bec14cfd8ee9466f6648cc0aef3940c9eded8e73fc2a84c98d71f8a208
Opcode Fuzzy Hash: 50b3d7741fae99d7c4ecaa0e3f5e2bbc3c993226f1e83f2d61217f22fa037fd0
Instruction Fuzzy Hash: F8917070A40209DFEB64EF65D655B6E77B6EF84300F188529E442AB398DB399C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D47060 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D474FC
$kq, xrefs: 06D47568
$kq, xrefs: 06D47574
$kq, xrefs: 06D473A8
$kq, xrefs: 06D4739C
$kq, xrefs: 06D47342

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 30b20a7da32de314cfe1cc55f9f839b4076ff5d74bbcc363eee2a8aff4481ea0
Instruction ID: 0ade5ee9181aa2dbcd9264b7aa9d9e806a069f29c05a9ace2cc1fbe2e459b460
Opcode Fuzzy Hash: 30b20a7da32de314cfe1cc55f9f839b4076ff5d74bbcc363eee2a8aff4481ea0
Instruction Fuzzy Hash: 07F13D74B00209CFDB54EF69C554A6EB7B2FF94300F248569D405AB3A9DB79EC82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D48398 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D48657
$kq, xrefs: 06D48663
$kq, xrefs: 06D485FE
$kq, xrefs: 06D485F2

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 5fe4e5ce0d36fa5882778abcda6dcbe155374b3e729f6a6eaaeb5601a5346dd9
Instruction ID: 7b96654f7368cab59365440455abae03c345f41108bf7482d2522d8682e07970
Opcode Fuzzy Hash: 5fe4e5ce0d36fa5882778abcda6dcbe155374b3e729f6a6eaaeb5601a5346dd9
Instruction Fuzzy Hash: BFB12D70F102098FDB64EF69D5506AEB7B2FF94340F248929D406AB3A5DB75DC82DB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D4AC93 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D4ADC1
$kq, xrefs: 06D4AE43
$kq, xrefs: 06D4AE6C
$kq, xrefs: 06D4AE14

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 8998a89be88c734dcf117f429e65fb8d621d85feb261a41517b74e8fec027a2a
Instruction ID: bf302fb672d6a82666980c2d5deed4c6487508cdd71b69926dee9d26268f7513
Opcode Fuzzy Hash: 8998a89be88c734dcf117f429e65fb8d621d85feb261a41517b74e8fec027a2a
Instruction Fuzzy Hash: B0519174F502059FDF64EB68D5806AEB3B2EB84311F18893AE815E7358DB39DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06D487B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 06D488A3
$kq, xrefs: 06D4883B
$kq, xrefs: 06D4882F
LRkq, xrefs: 06D488F2

Memory Dump Source

Source File: 00000009.00000002.2968629468.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d40000_BKG#SGN2106728.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 4bb33f7dc6c3b21f18c76c49dc92b6737fcd0c8146ea60fc5a01ed8249d36fa9
Instruction ID: c01335ff22163dfb6a8c5e321b0fdb14e490d536c72b3bceb6a74bda0a9c637f
Opcode Fuzzy Hash: 4bb33f7dc6c3b21f18c76c49dc92b6737fcd0c8146ea60fc5a01ed8249d36fa9
Instruction Fuzzy Hash: D351E530B002018FDB54EF68D990A6AB7F2FF88340F14856DE412AB3A5DB39EC40CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: eDnxmGWzJ.exePID: 7276, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	171
Total number of Limit Nodes:	11

Executed Functions

Function 080A70B5 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46221bc442e214b46bcd8706e2e19772c528f1eefb3ab1de8b760a0de89f3a8d
Instruction ID: b693f869a3a35c17d611e1a8b9c1bef61f9c37c153109f6aa4e8d382011ad0da
Opcode Fuzzy Hash: 46221bc442e214b46bcd8706e2e19772c528f1eefb3ab1de8b760a0de89f3a8d
Instruction Fuzzy Hash: D1B1DF75E04248DFDB04DFE8C8416BEBBF2BF44302F14C1AAE591AB292D7349942C792

Uniqueness

Uniqueness Score: -1.00%

Function 080A0780 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d7085dc0d3b496485a33be8610d611f1ea00d98cec851562381fe86c1a76d3
Instruction ID: 7191d0f93d5186a3e614ced3a6dc38cb61c8352b46a3c19480e397cf0562ae9c
Opcode Fuzzy Hash: d2d7085dc0d3b496485a33be8610d611f1ea00d98cec851562381fe86c1a76d3
Instruction Fuzzy Hash: F391F374E06609DFCB48CFE9D580A9DBBB2FF89301F20A41AE416BB268D7349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 080A0771 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70bccd060ef777e111fc90d6617bd1b9dc1b05f8e98b69e995cc3cf109fea18
Instruction ID: cb4f5b2fd4bc50332b224edb6b082d0ddc03805e1299d255c983cbe1d03c2672
Opcode Fuzzy Hash: b70bccd060ef777e111fc90d6617bd1b9dc1b05f8e98b69e995cc3cf109fea18
Instruction Fuzzy Hash: 87910474E06609DFCB48CFE9D580A9DBBF2FF89301F20A42AE416B7268D73499058F54

Uniqueness

Uniqueness Score: -1.00%

Function 080A0468 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0940de1131c0c8160b2d803db39f67f5ccce5ec3c53e63e82164a0c093e3264
Instruction ID: 376a45008a6a1e81e15994984a7ab29f28d87c702cb6f1411e2f1f9b5e83a44f
Opcode Fuzzy Hash: b0940de1131c0c8160b2d803db39f67f5ccce5ec3c53e63e82164a0c093e3264
Instruction Fuzzy Hash: EF810FB5E06629DFDB04CFE9D9809EEFBB2FB88301F10996AD405A7254D7389902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 080A0458 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cfee9c59408369199708cff11acbb5d40716f2ffc5dc893e4745c0f8f6205b
Instruction ID: 45132d5fcda0035f9c654c3bc2ecf9d301879581b560626a73347eee4d05b4b9
Opcode Fuzzy Hash: 21cfee9c59408369199708cff11acbb5d40716f2ffc5dc893e4745c0f8f6205b
Instruction Fuzzy Hash: FB8111B5E06619DFDB04CFE9C980AEEFBB2FB88301F00996AD405A7254D7389912CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0104FA28 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0104FAB6
GetCurrentThread.KERNEL32 ref: 0104FAF3
GetCurrentProcess.KERNEL32 ref: 0104FB30
GetCurrentThreadId.KERNEL32 ref: 0104FB89

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 53aee69d8a105d592300b0e21eed8f312ef60bce5560a1403b23491746c4bb67
Instruction ID: 48a906134bec038ca7e93a1d53024ff66127794c344a28a1a55e449dd2d61e6e
Opcode Fuzzy Hash: 53aee69d8a105d592300b0e21eed8f312ef60bce5560a1403b23491746c4bb67
Instruction Fuzzy Hash: 505166B09002498FDB14DFA9D588B9EBBF1AF88304F20C06DE159A72A0DB755984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0104FA38 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0104FAB6
GetCurrentThread.KERNEL32 ref: 0104FAF3
GetCurrentProcess.KERNEL32 ref: 0104FB30
GetCurrentThreadId.KERNEL32 ref: 0104FB89

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2489f7182e08f293353d511396a11549828620d65cd3a1060ab2698c16df5466
Instruction ID: b03474a615032dd9d706408c5a2ba8b4693272b67638e60f23c7818038adacfb
Opcode Fuzzy Hash: 2489f7182e08f293353d511396a11549828620d65cd3a1060ab2698c16df5466
Instruction Fuzzy Hash: 9C5157B09002498FDB14DFAAD588B9EBBF1EF88304F20C069E159A7360DB749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 080ADD0E Relevance: 2.6, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 080ADD0F
o, xrefs: 080ADCA3

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: 0$o
API String ID: 0-4157579757
Opcode ID: a3e3bbf311da31a7488af40b6c798a8d142b8315bed1691a49f497b02c23b577
Instruction ID: 1b76c27c682b751b9a17bf9cace7dfa9d977935fe8f87e102dd52d4512684d2a
Opcode Fuzzy Hash: a3e3bbf311da31a7488af40b6c798a8d142b8315bed1691a49f497b02c23b577
Instruction Fuzzy Hash: EA311A34A0511A8FD720DF68DD54BA9BBB6FF86202F0081A9E40E97756DF785D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010A1165 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 010A13A6

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a822939d3d008d31bcbb771f61ef2b461748a9418c62148f8447a1221df40b55
Instruction ID: 9d3f7adfdc3974bb6f03190f119ca0876c8867e372cd297505bad11d7bfeb592
Opcode Fuzzy Hash: a822939d3d008d31bcbb771f61ef2b461748a9418c62148f8447a1221df40b55
Instruction Fuzzy Hash: 33A15AB1D00219CFEB10DFA8C940BEDBBF2BF48310F5481A9E858A7290DB749995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010A1170 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 010A13A6

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2ebe2212ea3950b39ead4629d94520967b43a3bda363376bc24153423d44ec14
Instruction ID: b96acc809bba97bf6495d63a72824ceffa661dc104bac3c58fbc13c8c36a5a1c
Opcode Fuzzy Hash: 2ebe2212ea3950b39ead4629d94520967b43a3bda363376bc24153423d44ec14
Instruction Fuzzy Hash: B7915CB1D00219CFEB10DFA8C940BEDBBF2BF48310F5481A9E858A7294DB749995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0104D397 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0104D5FE

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 92ff644707a835fccebd86507765dfe1f7a098fb809b56f102ac6f2cfff75dae
Instruction ID: 4846a23b4ae14e4c13a044d6a26b802b58256367130d1c2ee74be1f032a21041
Opcode Fuzzy Hash: 92ff644707a835fccebd86507765dfe1f7a098fb809b56f102ac6f2cfff75dae
Instruction Fuzzy Hash: BB8123B0A00B058FDB64DF69D48179ABBF1BF88304F008A6ED48AD7A50DB75E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 080AF268 Relevance: 1.6, Strings: 1, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 080AF778

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 9110c6a2d0a1ef37612a3a4f99097022f1e55da0a72d498082c1429fd748da61
Instruction ID: c0291dbcfd44623f7800eace19bd2d251619b8b1f3c4f7e47757c794f251fd4f
Opcode Fuzzy Hash: 9110c6a2d0a1ef37612a3a4f99097022f1e55da0a72d498082c1429fd748da61
Instruction Fuzzy Hash: 4BE14F35A00609DFDB05EFA8D544AAEBBB7FF88310F108499E805B7368DB359D85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010458EC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010459A9

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6cdb9a0a86390255b30a1e7c1ee3c7512f4b6a5b203aa6436e717f8e706c61d4
Instruction ID: ae1fb4eb2234fd605e85de1661a445b9c39d19eebc60457105c785ad0ac63b62
Opcode Fuzzy Hash: 6cdb9a0a86390255b30a1e7c1ee3c7512f4b6a5b203aa6436e717f8e706c61d4
Instruction Fuzzy Hash: 0C41E2B0C00719CFDB24CFA9C984A8DBBF5BF49704F2081AAD448AB255DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010444B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010459A9

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9783bdc7b6213141538f99d42aece94245724b8cdf6d54e3d741acfdb40cc9ad
Instruction ID: 29787b65d2f454dbd1662c0b2d0bc9235afc17e5fdc3b5e9b562904fe52a26f5
Opcode Fuzzy Hash: 9783bdc7b6213141538f99d42aece94245724b8cdf6d54e3d741acfdb40cc9ad
Instruction Fuzzy Hash: F441E3B0C0071DCBDB24DFA9C884B8DBBF5BF49704F2081AAD548AB255DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010A0EE0 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 010A0F78

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a6d20fc51512c9cc5486539feadbc8d11b250bb92f173c54c6505508c0051efc
Instruction ID: 7cd3133729ef3d441787c40c7bc13a1739b810c2017e42122a3e476f5236e689
Opcode Fuzzy Hash: a6d20fc51512c9cc5486539feadbc8d11b250bb92f173c54c6505508c0051efc
Instruction Fuzzy Hash: E62135B59003598FDB10DFA9C884BDEBBF5FB48320F10842AE959A7250C7789544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010A0EE8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 010A0F78

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 03f85746e581e6ba899a47a23c52a8919dbee442df7c3fcfccfab2c7cd2799b8
Instruction ID: 88336b48a4346e1873845fd6bdba265fa3c9598dfbf774aa236fdefedf0f8543
Opcode Fuzzy Hash: 03f85746e581e6ba899a47a23c52a8919dbee442df7c3fcfccfab2c7cd2799b8
Instruction Fuzzy Hash: C92155B59003599FCB10CFAAC884BDEBBF5FF48320F10842AE958A7250C7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0104FC78 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104FD07

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f9da191ac0a832cf589d6623040cf53b78ba8cc33bb279ce4656ce431cf98560
Instruction ID: 097f5cd07171c3cd542b1ca14b784a91627b9b25a916d4226cac4fdaf3a0a8ac
Opcode Fuzzy Hash: f9da191ac0a832cf589d6623040cf53b78ba8cc33bb279ce4656ce431cf98560
Instruction Fuzzy Hash: 0F21F4B5900259DFDB10CFAAD984ADEBFF4FB48310F24805AE954A7310C375A940CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010A0D49 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 010A0DCE

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c836def1e55a9cda81753dc8213dc253fd2d208d5eca725a412afd94f54b7e72
Instruction ID: 67a163dc70593b397fe35a04e79594ff58be88726f2fb9574c8fc11237a8f739
Opcode Fuzzy Hash: c836def1e55a9cda81753dc8213dc253fd2d208d5eca725a412afd94f54b7e72
Instruction Fuzzy Hash: 0A2148719003088FDB10DFAAC4847EEBFF4AF88324F54842AD499A7245C778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010A0FD0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 010A1058

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5bcac3eaabc22f91ea366c3ccacda685b4dfaa4899cafcc42cb4d8be4af63c8f
Instruction ID: a4cc2a17e7afc3316ef68222b0480c77a4ee3bd9d5d2f535cbe62684661dc426
Opcode Fuzzy Hash: 5bcac3eaabc22f91ea366c3ccacda685b4dfaa4899cafcc42cb4d8be4af63c8f
Instruction Fuzzy Hash: 562126B19003599FDB10DFA9C844AEEBBF5FF88320F50842EE559A7250C7759944CF60

Uniqueness

Uniqueness Score: -1.00%

Function 010A0D50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 010A0DCE

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a3d666ba67605a0ff521a239b5e2cf7e9d1f0b250e52d3825417beb8f3a684fd
Instruction ID: c61b681de966c6d6bf6eca55389d744c659e62281256fc9068262e097ef4e4a6
Opcode Fuzzy Hash: a3d666ba67605a0ff521a239b5e2cf7e9d1f0b250e52d3825417beb8f3a684fd
Instruction Fuzzy Hash: BC2149719003098FDB10DFAAC4857EEBFF4EF88324F50842AD559A7244C778A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010A0FD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 010A1058

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a67628e0ceb19692f119fded30791964e1f7b1a9cdfeed6f7d3213961ecbd156
Instruction ID: 28d82a981a6b134a915dd81efd378f0f9317c0f42aab53f32669d112111e42e0
Opcode Fuzzy Hash: a67628e0ceb19692f119fded30791964e1f7b1a9cdfeed6f7d3213961ecbd156
Instruction Fuzzy Hash: F72125B19003599FCB10DFAAC884AEEBBF5FF48320F50842AE558A7250C7799944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0104FC80 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104FD07

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a57528147a6d5fac6d259e2cb8250bf40166d96127088d5bb54d388dc2b66466
Instruction ID: ff8d11a3216ddbc2593c2e7bd24ad326f59e0dbd0bca6c3fed76e528f62e6ab4
Opcode Fuzzy Hash: a57528147a6d5fac6d259e2cb8250bf40166d96127088d5bb54d388dc2b66466
Instruction Fuzzy Hash: 2D21E4B59002599FDB10CFAAD984ADEBFF9EB48310F14801AE954A3350D374A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0104C768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0104D679,00000800,00000000,00000000), ref: 0104D88A

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1240522abedb66eedd8b6a84c58ae07a4b19f5483e5dd22a7d0c34ab37032304
Instruction ID: 64e9fdd2d726dcabefc07c994ab39a4c60890d96637dcb121bc3c3e3b7fe8991
Opcode Fuzzy Hash: 1240522abedb66eedd8b6a84c58ae07a4b19f5483e5dd22a7d0c34ab37032304
Instruction Fuzzy Hash: CB1112B6D003489FDB10DF9AC888AEEFBF4EB58320F10846EE559A7210C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0104D819 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0104D679,00000800,00000000,00000000), ref: 0104D88A

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6aa43fc36f3b0fd3eb19a524f47e75308a48d8f3048b90fa103ffbcbe9b37348
Instruction ID: be84560e30bcd6c54b43cba5260749b5427dd954373b696fc6ec8c91faae5355
Opcode Fuzzy Hash: 6aa43fc36f3b0fd3eb19a524f47e75308a48d8f3048b90fa103ffbcbe9b37348
Instruction Fuzzy Hash: 5B1156B6D003088FDB10DF9AC484AEEFBF4EB98320F10842ED559A7210C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010A0E20 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 010A0E96

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: def8fcd1a82d40b89b044c5540a6c9420da202121517f32396f501c82d07b76a
Instruction ID: a55de345faeb767bf5b03ec70b8142984d07237ab93c0666d2fc7d616c20c553
Opcode Fuzzy Hash: def8fcd1a82d40b89b044c5540a6c9420da202121517f32396f501c82d07b76a
Instruction Fuzzy Hash: 981129769002498FDB10DFA9C844BEFBFF5AF48324F14841AE595A7260C7359554DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A0E28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 010A0E96

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b000d05b8799e3ad2bda25a6d04285118bc84789be2928b9a9035de328db0753
Instruction ID: ee2d0ee744090ef40c9cbe66a7e54a32d150c9fa925fb844d751e6e35e6568f1
Opcode Fuzzy Hash: b000d05b8799e3ad2bda25a6d04285118bc84789be2928b9a9035de328db0753
Instruction Fuzzy Hash: 521137769002499FCB10DFAAC844BDFBFF5EF48320F108819E555A7250C775A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A0860 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 010A08CA

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5689d9ccd6b72fcaa27a8549c776b1af1a9123e3e4b156dfff7ba512f5d53a00
Instruction ID: 3dd7606c31d9146838f8d0b1ece768632342c3108fd4a4b9ec824733f4e59b88
Opcode Fuzzy Hash: 5689d9ccd6b72fcaa27a8549c776b1af1a9123e3e4b156dfff7ba512f5d53a00
Instruction Fuzzy Hash: 001149B1D003488FDB14DFA9C4457EEBBF4AF88324F20882AD455A7250C7796944CF94

Uniqueness

Uniqueness Score: -1.00%

Function 010A4B58 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 010A4BBD

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d5eb79c9f7045bc9c949401b511d4584e5f46a1237c633ed03df518df3395376
Instruction ID: 92debbf9983110ca47ac89272b8691a7bbf6a30778606d8c18141472c0534738
Opcode Fuzzy Hash: d5eb79c9f7045bc9c949401b511d4584e5f46a1237c633ed03df518df3395376
Instruction Fuzzy Hash: CF1155B58003889FDB10CF9AD889BDEFFF8EB48324F24885AD554A7240C3B5A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010A0868 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 010A08CA

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 54cf9b4252443bc79a13e511c6a77bd124b071ff00acc3bee4eb256af3fd9abf
Instruction ID: 8af49d45167ede9125858fe9d0a14b0eccb983d7c79485a00ca1713936a0ce93
Opcode Fuzzy Hash: 54cf9b4252443bc79a13e511c6a77bd124b071ff00acc3bee4eb256af3fd9abf
Instruction Fuzzy Hash: ED113AB5D003498FDB10DFAAC4457DEFBF8EB88324F208829D559A7254C775A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0104D598 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0104D5FE

Memory Dump Source

Source File: 0000000A.00000002.1808132090.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1040000_eDnxmGWzJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3444dffff160f6b84a9ce862c8fd35a228a9ea84a60711b7cc61e8cddf5a7420
Instruction ID: 556095b700f0c3de2cd6e615b2382ea9a8c0ed6cb7099a4f9868b46ce7f70d79
Opcode Fuzzy Hash: 3444dffff160f6b84a9ce862c8fd35a228a9ea84a60711b7cc61e8cddf5a7420
Instruction Fuzzy Hash: 751110B5D003498FDB10DF9AC844ADEFBF4AB88324F10846AD968A7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010A1CC4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 010A4BBD

Memory Dump Source

Source File: 0000000A.00000002.1808372074.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10a0000_eDnxmGWzJ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6e9802d7b154f0664ab01ece8c2fff4486c2f510cd930fa61bbf687e54be1204
Instruction ID: 96374ca7e8a3b9077c2febd55f7e5eac65f7e757dd572df5fcf6212781d55f1e
Opcode Fuzzy Hash: 6e9802d7b154f0664ab01ece8c2fff4486c2f510cd930fa61bbf687e54be1204
Instruction Fuzzy Hash: 9E11F5B98003499FDB10DF9AD845BDEFBF8EB48310F148459E554A7340C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 080A4DF0 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

Tekq, xrefs: 080A4F51

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 9bb034306d8949bdcfe2132d86e2d7bdb9323357fb7c720bd34bc9071635eb11
Instruction ID: 0905ff92b464d6672c46ac092d5c5ab855d3e5df2c4920b0173bcbd31beae35f
Opcode Fuzzy Hash: 9bb034306d8949bdcfe2132d86e2d7bdb9323357fb7c720bd34bc9071635eb11
Instruction Fuzzy Hash: C541BE75B006058FCB10EFB998449AEBBF7EFC52217248569E429DB391EB70DD068790

Uniqueness

Uniqueness Score: -1.00%

Function 080A41B8 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

mfU, xrefs: 080A52AA

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: mfU
API String ID: 0-2548623419
Opcode ID: 69ef9012c9c3d8fe5745cd90843a684b186bb9a07e1eb294af9ea76fd0faf819
Instruction ID: 02da69b77dd217e47d6405261da1d77f096af58781c23554fd0a9fc9a7b8fbbb
Opcode Fuzzy Hash: 69ef9012c9c3d8fe5745cd90843a684b186bb9a07e1eb294af9ea76fd0faf819
Instruction Fuzzy Hash: 6741F2B1D003499FDB10DFE9C984ACDBBB5BF49305F24806AD408BB255D7B56A49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 080A41C4 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

mfU, xrefs: 080A52AA

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: mfU
API String ID: 0-2548623419
Opcode ID: f691731482f07bde0b77f72086a9d63ccbbbadd253d7bdaccfdd33ad429bba54
Instruction ID: b10f7dce2217ffc56f6e10d274585fd3063a68eccd3c2fb153afb3ca5f8634a3
Opcode Fuzzy Hash: f691731482f07bde0b77f72086a9d63ccbbbadd253d7bdaccfdd33ad429bba54
Instruction Fuzzy Hash: 9A41D0B1D00209DFDB20DFE9C984ACEBBB6BF48305F248429D408BB255D7B56A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 080A5204 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

mfU, xrefs: 080A52AA

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: mfU
API String ID: 0-2548623419
Opcode ID: 9427391276852eaed1664719e970659eb61fa47afe637c2a195aa8061434f235
Instruction ID: 67e3b5c60ada47a621333643703a94d68136df94b84df9006cdf82dcc2b48c2a
Opcode Fuzzy Hash: 9427391276852eaed1664719e970659eb61fa47afe637c2a195aa8061434f235
Instruction Fuzzy Hash: AC41C1B1D01209DFDB10DFE9C984ACDBBB6BF48305F648429D408BB255D7B5AA49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 080AA8A9 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

Tekq, xrefs: 080AA959

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 800b4e0d4aeb8a9a945da13fa2b6ed42b30f34b39bd9500395e9f398e2614746
Instruction ID: 6965d3b24eb78010c3eddb9b627ed6f4b82a4b43c940fe503845bc1855b2b200
Opcode Fuzzy Hash: 800b4e0d4aeb8a9a945da13fa2b6ed42b30f34b39bd9500395e9f398e2614746
Instruction Fuzzy Hash: B231E4B4E042588FDB08CFEAC9546EEBBF6EF89301F109029D41AAB395DB745906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 080A5108 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

mfU, xrefs: 080A513B

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: mfU
API String ID: 0-2548623419
Opcode ID: bd60225bc2614c324bf481bb145d731007e2240bbf354a1474663867df0fa0e9
Instruction ID: fba471a57a80515f14d38525a1486d114fee14fefc9863bf42b5865f796c52e8
Opcode Fuzzy Hash: bd60225bc2614c324bf481bb145d731007e2240bbf354a1474663867df0fa0e9
Instruction Fuzzy Hash: AB21B2756006048FCB10EFB8C84449BBBE6EF84204B1588ADD546EB395EF75ED0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 080AA8B8 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Tekq, xrefs: 080AA959

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: ae4e41ac354ff523245ee8f0dc1a0dc36cf5a651495fd6a5d972618e6fb14c2f
Instruction ID: a6457bac64a1ac12ae60e41429b66c76c4323b3390b63713350255c7c5560a45
Opcode Fuzzy Hash: ae4e41ac354ff523245ee8f0dc1a0dc36cf5a651495fd6a5d972618e6fb14c2f
Instruction Fuzzy Hash: B131B474E042188BDB44DFEAC9546EEBBF6FF89301F109029D41AAB399DB745906CF50

Uniqueness

Uniqueness Score: -1.00%

Function 080A50F8 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

mfU, xrefs: 080A513B

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: mfU
API String ID: 0-2548623419
Opcode ID: 92dbe20fc69d86cd77ab6ab37fe60653ed2a56be8531163865247f48e0fda207
Instruction ID: 4fb93c54622cad2923a3315050c1a34c5738c885318d2faf4de21d215c647cbf
Opcode Fuzzy Hash: 92dbe20fc69d86cd77ab6ab37fe60653ed2a56be8531163865247f48e0fda207
Instruction Fuzzy Hash: 38210375A002048FC710DFA8C8448EBBBF6FF80204B1584A9E546AB3A5EB34ED058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 080A20E0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tekq, xrefs: 080A214B

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 1cc451de1213d780a81466135dc0513ac1ea55293e3425d5bd9d10056fe0e7e2
Instruction ID: 5c3acfd94337f9408cb68f5ab71ea422ff8c3f281b23dfd650d92a38e95d12fb
Opcode Fuzzy Hash: 1cc451de1213d780a81466135dc0513ac1ea55293e3425d5bd9d10056fe0e7e2
Instruction Fuzzy Hash: 6A115771B0020A8FCB58EBB999115EFB7F6AF98211B204479CA04E7254EB319E51CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 080AA97D Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Tekq, xrefs: 080AA98D

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: cbed8abfe1e0aee40c383e555360571259809cad7f255a5b803db1a241f2b193
Instruction ID: 0a9479b1b42751ab4fd00b06bbdeb068ed582bb03afdab2b157cd8bc6d552d15
Opcode Fuzzy Hash: cbed8abfe1e0aee40c383e555360571259809cad7f255a5b803db1a241f2b193
Instruction Fuzzy Hash: E0115375E002098FCB04DFE8C8849ADFBB2FB88310F208169D919AB355D6316955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 080AC2FB Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

@, xrefs: 080AC310

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 743271bfe7b34a70c5e25f7df477eb431a9287d09a6b8166147c9e30145bc462
Instruction ID: 37dfdb8c38a6b12a1a5691d8e550ffffdf92184f454df67e2d6990b69f5ce682
Opcode Fuzzy Hash: 743271bfe7b34a70c5e25f7df477eb431a9287d09a6b8166147c9e30145bc462
Instruction Fuzzy Hash: 35E01AB590C384DBE705CAA5C4686E87F7AEB9A246F1990D9D8490E147D63841068B05

Uniqueness

Uniqueness Score: -1.00%

Function 080AC858 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

mfU, xrefs: 080AC86B

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: mfU
API String ID: 0-2548623419
Opcode ID: 0eef8eab2c855b056c4372090f9df1fce303e161317e9b9baeb9dd9f2b81ddf0
Instruction ID: dab68bf28c0c59adfd90a4b7a030995b5b86453b7c45dbea6023b2dc6dbbea1d
Opcode Fuzzy Hash: 0eef8eab2c855b056c4372090f9df1fce303e161317e9b9baeb9dd9f2b81ddf0
Instruction Fuzzy Hash: 4BE0C2351082486FD742DFA4D950D923FE8BF0620030480B6E090CF033E621E425D792

Uniqueness

Uniqueness Score: -1.00%

Function 080AAADA Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f339498a56417d9dc8f9ea6e25c33d22e5b0ea5d13107a9130fd1b23de66adc
Instruction ID: 0bc10877ae1146dfa0a38a5586098dab46468be274c739768f2a52299d9d0463
Opcode Fuzzy Hash: 9f339498a56417d9dc8f9ea6e25c33d22e5b0ea5d13107a9130fd1b23de66adc
Instruction Fuzzy Hash: C2A1E670E452198FCB04DBE8D5806EDFBB6FF89301F109629D419AB396DB30A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 080A6680 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa61f045859f7890b7f4ef09539191a7ab1d5e5d2dcd0ce36990601c1261f77
Instruction ID: 98156024ac2d34ee274d8ffff3cadc03da3251c8d486d79d11a2630c6c71dbee
Opcode Fuzzy Hash: 2fa61f045859f7890b7f4ef09539191a7ab1d5e5d2dcd0ce36990601c1261f77
Instruction Fuzzy Hash: 67415BB6F04248AFDB01DBB4DC046ED7BFBDFA2201F1944AAD415EB262EA31D906C754

Uniqueness

Uniqueness Score: -1.00%

Function 080AB078 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cbbfdf7a57e4760910ce69c678477064e6b1887a3e5ff6fadbaa7224cdfe75
Instruction ID: 98d4f14607a3a6e84478f19e71c40d644a4b34b0a41a05c22c4ea6ecc706a796
Opcode Fuzzy Hash: f7cbbfdf7a57e4760910ce69c678477064e6b1887a3e5ff6fadbaa7224cdfe75
Instruction Fuzzy Hash: 34514874E092088FCB04CFEAD8506FEBBF6EB8A322F14D16AD419A7252D7744942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 080AB981 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b08c8c95d217b4f3d53b930be72bda5e5f161f5de431bdd8f77ef97b55d294f
Instruction ID: e7af55a6d82534ee1ce815bb5ae85b49fb9fe4e02fb92fe1040aa593c479479a
Opcode Fuzzy Hash: 2b08c8c95d217b4f3d53b930be72bda5e5f161f5de431bdd8f77ef97b55d294f
Instruction Fuzzy Hash: 01519374D05218CFCB64CFA8C994AECBBB6FF49311F249199D809A7356C735A984CF10

Uniqueness

Uniqueness Score: -1.00%

Function 080A0031 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0de3a526959c6df997fd893e68739b4678885d31e73936fc30f1dac1939981
Instruction ID: 13c1fcb36774044e4d76a0a8831a8d77139cf8874ac1af345ff4fa46b3020a6e
Opcode Fuzzy Hash: be0de3a526959c6df997fd893e68739b4678885d31e73936fc30f1dac1939981
Instruction Fuzzy Hash: 38416CB4E0060ADFCB44CFD9D8819EEBBB2FB89311F14952AD505B7364D774AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 080A0040 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9bcb1b5b58ee8a57a696d5899e13d5b0c0b6053079a8bf75174228eb76562e
Instruction ID: 1dc86ee49d4adbb48de0948aab3a58f112039973eba2f5f1f530bfdcafd91a36
Opcode Fuzzy Hash: 8c9bcb1b5b58ee8a57a696d5899e13d5b0c0b6053079a8bf75174228eb76562e
Instruction Fuzzy Hash: D0416A74E0020ADFCB44CFD9D8819EEBBB2FB89311F10952AD505BB364D7749A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 080A7DA0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbd302eaed40bf97034eba78f82eb68402f25e28a7aa09b90f9c97637639328
Instruction ID: d2ee8dfbe978de689855f70f7122657efac65cbdb28581a1733a725b64717f0a
Opcode Fuzzy Hash: efbd302eaed40bf97034eba78f82eb68402f25e28a7aa09b90f9c97637639328
Instruction Fuzzy Hash: 43318D71E0052ACBC7608FADD8406FEB7F2BF84312F05C1AAE595DB292D738D940CA90

Uniqueness

Uniqueness Score: -1.00%

Function 080ADD24 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8a1d9c896a326d6f55bbbd2f3caf776ed7ae6b52ad72d3033660099d2ff680
Instruction ID: 5eee90e7d2c0df6d6300462a05b87d3c04a83804085bc70ae7806c1c1dbf1673
Opcode Fuzzy Hash: 7f8a1d9c896a326d6f55bbbd2f3caf776ed7ae6b52ad72d3033660099d2ff680
Instruction Fuzzy Hash: CC414474906206CFD740DFACE9849ADBBF6FB49312B049459F41A9B352DB39A881CF14

Uniqueness

Uniqueness Score: -1.00%

Function 080A7C90 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91bd0bac34ea5529f65143142466ddde0e181b1400332cf3048d7f52cecdfef
Instruction ID: 9588cdb2b4aaa1284541bdacbd185b18d1fb966703ab2f843f7100a12391e0a7
Opcode Fuzzy Hash: b91bd0bac34ea5529f65143142466ddde0e181b1400332cf3048d7f52cecdfef
Instruction Fuzzy Hash: 1221B030744615DFD7284E99C81577A3BB3AB85702F25C0AEE05A8F2E6CA3ACC42C756

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1807821469.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7ebf2db242a1af68d09b6d45b56c406367ce82a8ad80c443635432cdbf1319
Instruction ID: ec4822a67da35c6fa5690d51f3a52dd9a923d90664bcd0b42621036c06f6ed53
Opcode Fuzzy Hash: cd7ebf2db242a1af68d09b6d45b56c406367ce82a8ad80c443635432cdbf1319
Instruction Fuzzy Hash: BD212871508204DFDF05DF14DDC0B2ABF65FB94324F20C169D9095B256C336E856C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 080AAA1A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13905f60d0ff05f344566bad5d720b6709a20847b6d35b7a2491d33bef2f5040
Instruction ID: 65854bcf5a5eb137eba88548d6563068d310fb4e5bc1471a0b0807a79cf98252
Opcode Fuzzy Hash: 13905f60d0ff05f344566bad5d720b6709a20847b6d35b7a2491d33bef2f5040
Instruction Fuzzy Hash: DD21D574E05228CFDB44CFA9D584AEDBBF6BF59302F20A169E406BB2A1D7349901CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1807871172.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ead000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ecaa6c89f660ac3e61eb6764f96afaf069fb984404b6491672d5be94ee6506
Instruction ID: ceb5eda76565cfc2ec2539c174e5f0920a1480732f5fa09065944ce6a665a537
Opcode Fuzzy Hash: 80ecaa6c89f660ac3e61eb6764f96afaf069fb984404b6491672d5be94ee6506
Instruction Fuzzy Hash: EC210471548304DFCB04DF54D9C0B26BBA5FB99318F20C56DE80A5F6A6C376E846CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1807871172.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ead000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fa889b29638d1078b03d6b42bbf8f0eb17ec0be8726901b4753ec290e2961f
Instruction ID: d7fee10976a68046a7b83d2e805af0cd2f57f965cceba961e5fbb40cf31af373
Opcode Fuzzy Hash: 09fa889b29638d1078b03d6b42bbf8f0eb17ec0be8726901b4753ec290e2961f
Instruction Fuzzy Hash: D021F271608200DFCB14DF24D9C4B26BFA6EB89318F20C569D84A5F696C33AE847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 080AB240 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab94af788ec45852a1a0e2b5e0dd3235c28a506447981819d82e9f3d0ff0dc8
Instruction ID: 21755c169f211bce73123b5912b1e403e1f0bafa00a5570d659b72acd1651c00
Opcode Fuzzy Hash: aab94af788ec45852a1a0e2b5e0dd3235c28a506447981819d82e9f3d0ff0dc8
Instruction Fuzzy Hash: 192116B4D08209CFCB40CFE9C5919EEBBF6EB49321F6051AAD819A7312C7309A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 080AAE3A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2585b7d3d78ada0d0cc8dbb1eb6472731781000358b69fbde20f4872e825093
Instruction ID: 8758f60139b184dfff8013cd25f7c734b82f318901318a13eb5e6856c22ef11e
Opcode Fuzzy Hash: e2585b7d3d78ada0d0cc8dbb1eb6472731781000358b69fbde20f4872e825093
Instruction Fuzzy Hash: 82215B75E0011A8BCB40DBE8C9406FEB7BAFF89302F108569D415B7395DB346E85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 080A4F94 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2461017aa83369e564b1e0a1dcb2aca2cf559d44b2e217e9791df350765a62
Instruction ID: 8f7b5272487f47e235b0a2f317203869f252b8ebe17ae26559b5cfe5d1baeb84
Opcode Fuzzy Hash: 3a2461017aa83369e564b1e0a1dcb2aca2cf559d44b2e217e9791df350765a62
Instruction Fuzzy Hash: D731BFB0D01218DFDB20DFDAC988B8EBBF5BB48315F24845AE404BB250C7B55885CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 080A4194 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ab5feb7f4f036500713829b5816d1c5de700be07a4252b5210cc3da3402607
Instruction ID: bc03bb838dfc293a7515bf6577b0776b2efbc7a4e4dd17bbb8efd6902ef46545
Opcode Fuzzy Hash: 22ab5feb7f4f036500713829b5816d1c5de700be07a4252b5210cc3da3402607
Instruction Fuzzy Hash: 2B31C2B4D01258DFDB20DFD9C988B9DBBF5BB48314F148459E404BB250C7B55845CB94

Uniqueness

Uniqueness Score: -1.00%

Function 080AAE48 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b5a1703d8d18452c11dafc444b7f300219ceb1ee457145862df6b0bc67f913
Instruction ID: 96d2454936d2ceeaf8637e16a500971bce46bfc985c74411ff6fa3b2f2943e09
Opcode Fuzzy Hash: f1b5a1703d8d18452c11dafc444b7f300219ceb1ee457145862df6b0bc67f913
Instruction Fuzzy Hash: 43214775A0021A8BCB40DBE8C9406FEB7BAEF89301F108669D415B7395DB306E85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 080A7C80 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe22c6e6af108ed5732b62bddcd5c25d3b190968ebd92c71ea797e25cc3f992
Instruction ID: e8c22911f9b957cd805af71a6f306a412bd52c536213c2062883eca1167def85
Opcode Fuzzy Hash: cfe22c6e6af108ed5732b62bddcd5c25d3b190968ebd92c71ea797e25cc3f992
Instruction Fuzzy Hash: A7217C31B44611CFD7298F98C905B7937B3AB85707F25C0AEE19A4F2A6CB3AC842C705

Uniqueness

Uniqueness Score: -1.00%

Function 080AB7A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a8290e58b4216a9410d08b260f3b1d4f2be0588fc3137be7eda4647dec29c9
Instruction ID: 9506ad254a1950f8087613b84afce2c79f0de935c1bb8650076e787a11b7e0aa
Opcode Fuzzy Hash: 04a8290e58b4216a9410d08b260f3b1d4f2be0588fc3137be7eda4647dec29c9
Instruction Fuzzy Hash: A221E7B1D046188BEB18CF9BC8547EEBBB6BFC9311F14C06AD419A6255DB740949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1807871172.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ead000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fecab3f56438aef26605e51028ee205210c68ff79a9c9d74eb8f7527940260
Instruction ID: ec7583b9c6509263f0f0458e2a40f9cf728cb048542daed85adc9d1a422896f7
Opcode Fuzzy Hash: c0fecab3f56438aef26605e51028ee205210c68ff79a9c9d74eb8f7527940260
Instruction Fuzzy Hash: A82141755093808FDB12CF24D9D4715BF72EB46214F28C5DAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 080AF1B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1020da461fde35864e0a434dfa010301f8964d2c4c4df4ff80e96c8dc8dea5a6
Instruction ID: 2c78ace405360c63100944dbf4cd24cf5e507bda05e6b25aa5de0479b3af526a
Opcode Fuzzy Hash: 1020da461fde35864e0a434dfa010301f8964d2c4c4df4ff80e96c8dc8dea5a6
Instruction Fuzzy Hash: 9B11C134B0021A8BDB589ABAA80067F76E7EB84712F108529E816D7390EE708D0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 080A4DE0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e0e56685b630ff40de9256855315982f6ea9024a4273f9ec98c464d169957f
Instruction ID: 7deedb774b8ab2c6dfc22e5845f1f040d32fef643375f2de5db23e8c61d9a7a1
Opcode Fuzzy Hash: 74e0e56685b630ff40de9256855315982f6ea9024a4273f9ec98c464d169957f
Instruction Fuzzy Hash: E311A0B9A006059F9B11EAB98C405BFBBF7EBC5261724452DD415E7340EB709D0687A0

Uniqueness

Uniqueness Score: -1.00%

Function 080A7C9B Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec55072f3d26ed41390db4ca4c78e5af01e41746c962104a7eb6d0c1b4f0ee11
Instruction ID: 82bee00cf5e700f81eb6768a5757401147ad2ca1b35441c0dd3e38ee92bef817
Opcode Fuzzy Hash: ec55072f3d26ed41390db4ca4c78e5af01e41746c962104a7eb6d0c1b4f0ee11
Instruction Fuzzy Hash: 2A11AC31740601DFD7284E88C901B7937B3AB85703F25C0AEE0AA4F2A2CB3AC882C705

Uniqueness

Uniqueness Score: -1.00%

Function 080AB250 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d654e386788c7208873fb4667de2dfb31e76ec068e04e424f5343862c7f3a8
Instruction ID: f0105f60a7a9b40c51e03b3d566e43d458971d4965510077088480e63eca4905
Opcode Fuzzy Hash: f4d654e386788c7208873fb4667de2dfb31e76ec068e04e424f5343862c7f3a8
Instruction Fuzzy Hash: F721EAB4E08209DFCB40CFD9C191AAEBBF6EB48311F60906AD819A7715D7309A40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 080AB2F9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07460285e61ec34a95f34eef9114053d0a20e05ce724ceff6a059d6386ea81c5
Instruction ID: 5b8d9e0b4703a06736282016f23e1125bda3dd573ecd06f93d82c9f0b6f38f5f
Opcode Fuzzy Hash: 07460285e61ec34a95f34eef9114053d0a20e05ce724ceff6a059d6386ea81c5
Instruction Fuzzy Hash: 961146B8D08208DFCB00DFA9C4528ADBFF6EF4A321F0592D9D458AB222D7309A45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 080AB7B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1747c0481631a8dbcaf88cd78560b5507bb060c25309401dc9fe48cdd9f18f7b
Instruction ID: 498ac1fc457a74c818a78604ec119a125345c6ce484dd069ac0995a5d7431ab7
Opcode Fuzzy Hash: 1747c0481631a8dbcaf88cd78560b5507bb060c25309401dc9fe48cdd9f18f7b
Instruction Fuzzy Hash: CC21D3B0D046188BEB18CFABC8547EEFAF7AFC8311F14C06AD419A6254DB7409498F90

Uniqueness

Uniqueness Score: -1.00%

Function 080A4CA4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37d056724aede8b2354edf584247b1ae84e6481982a982fe65103b6f3ca7681
Instruction ID: 057d2f40f01d6451bc42e5717721797e0dfb5989e8f52ae9714968881c2a5864
Opcode Fuzzy Hash: d37d056724aede8b2354edf584247b1ae84e6481982a982fe65103b6f3ca7681
Instruction Fuzzy Hash: DD2114B59003499FCB10CF9AC844ADEBBF9FF48350F14842AE929A7210D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1807821469.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: dc4809fb5d0942b7945b0249c5f9bf69af0d5c160a399ef89d253f91a1cd0b5f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: F5110372404240DFCF12CF00D9C4B16BF71FB94328F24C2A9D8090B256C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 080A67FA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2cddb202962a02beae63b257288bc356d09188e9d3ea35d06274d4e14ca08c
Instruction ID: d697ac289851a09d04304a2acc5c130e9bbe7352fa6ecb5a206a7a6931192ad0
Opcode Fuzzy Hash: df2cddb202962a02beae63b257288bc356d09188e9d3ea35d06274d4e14ca08c
Instruction Fuzzy Hash: 5B2114B5D002499FCB10CFAAD884ADEBFF5FB48350F14851AE919A7210C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 080ADE1D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1c0ee72a0f37ed5cfc4d8d765e801b62af6b9299243599483aa4a06ccce14b
Instruction ID: e73672c549fd3c7c2520f756f2f9a6e4dbfa02af8be0327dbe5cfd6815a48518
Opcode Fuzzy Hash: fe1c0ee72a0f37ed5cfc4d8d765e801b62af6b9299243599483aa4a06ccce14b
Instruction Fuzzy Hash: F921F834A0431ACFD750DF68DD547A9B7B2EF86202F1081D9A849A731ACF744E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1807871172.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ead000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 66bb58ff638e6b690e00feda8d452ed617824cbfed08503b02d3fb941343ee5b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4D11D075508240CFCB01CF50D9C4B15BFB1FB49318F24C6A9D80A4F666C33AE80ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 080AA940 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23de89283777fd5054941c69430a2c70075bd2c2c02b8129c87428edf9eca5eb
Instruction ID: 6ab5d172cf25cd6c99293981e7fc0d924294def7f6aeda580a6812e826f1c939
Opcode Fuzzy Hash: 23de89283777fd5054941c69430a2c70075bd2c2c02b8129c87428edf9eca5eb
Instruction Fuzzy Hash: FA11D474A082488FCB40DFE8C554A9DBBB6FF4A301B109169D41AAF396D7386D06CF00

Uniqueness

Uniqueness Score: -1.00%

Function 080AC628 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfbb586ec410018c3214c4ef84109c2c05020dea86fd963c04809d01ed5f92d
Instruction ID: a3e46ef09f82a5770036c304f736de3de1b044eedae68810af92390f9f1b56e7
Opcode Fuzzy Hash: 5dfbb586ec410018c3214c4ef84109c2c05020dea86fd963c04809d01ed5f92d
Instruction Fuzzy Hash: 1B110075A04208EFDB04DFA8C984AADBBF9EF4D301F269499E4099B262D7309E00DB51

Uniqueness

Uniqueness Score: -1.00%

Function 080AC5B1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a282e4b8c198133d27d527f0142f6fe16072538b4affa921d348c99b636f034
Instruction ID: 3691ff0ed22525adf02c865a73202a8acec2aa82abf95da392d4691d71b8363b
Opcode Fuzzy Hash: 3a282e4b8c198133d27d527f0142f6fe16072538b4affa921d348c99b636f034
Instruction Fuzzy Hash: 7801887094D244DFEB05CBA9C5409EDBFBAAF6A302B0691A9E406AB112D7318F45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 080A41A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432b105be3edb7294a5c41d40750f5594686c04c33aa9ead98bd3a087355dfaf
Instruction ID: c9fac5e156c3f532c5c0d851b85af49ddce1e1f5f50c7d850a2b23546d948943
Opcode Fuzzy Hash: 432b105be3edb7294a5c41d40750f5594686c04c33aa9ead98bd3a087355dfaf
Instruction Fuzzy Hash: A611F5B59003488FCB20DF9AD844BDEBBF4EB48320F10841AD569A7250D775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 080A57F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684609b69934fc515297b386ea4c4ddbf5be16250ca504c2faf0ae802bf47a60
Instruction ID: 306ae52db86f98cf141e75e0d40d8ab29229e48fa4d922ce9364a2bfac778678
Opcode Fuzzy Hash: 684609b69934fc515297b386ea4c4ddbf5be16250ca504c2faf0ae802bf47a60
Instruction Fuzzy Hash: 841122B59002488FCB20DF9AC884B9EBBF4EB48320F10852AD569A73A0C774A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1807821469.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bf4dd0f221a4b671ceeab201ba4eee721ad9f2f596fe153605c2cc23757311
Instruction ID: 949078a2066e1f093a62332fcca8a4ad85fa8bbc5d007000ef0b62862c7f8e9c
Opcode Fuzzy Hash: b2bf4dd0f221a4b671ceeab201ba4eee721ad9f2f596fe153605c2cc23757311
Instruction Fuzzy Hash: EE01DB7500D3549AEB104AA5CDC47A7FFD8EF41364F18C52BED095B196C279DC40C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 080ADC81 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc47d398b9c596ec355d1037d61539ab4c088d9d8f2b03b042f5123fd0577f12
Instruction ID: f1db400c2be90683ea299447daf9fd3276f020e31633e374c120450cca21abdd
Opcode Fuzzy Hash: cc47d398b9c596ec355d1037d61539ab4c088d9d8f2b03b042f5123fd0577f12
Instruction Fuzzy Hash: BA11EC34905515CFD724DFA8DD88A9DBBB6FB49301F0491AAE40AA7352DF346D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 080A4C94 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5fefe499344ac45bf2afeb4c52a6d2b5d98c52f78568d2787b67f5e8440aee
Instruction ID: ecb39f61a54b5c5f3af6bc16b93ad72f3f6c6467427445f467d588af42eba68a
Opcode Fuzzy Hash: 6f5fefe499344ac45bf2afeb4c52a6d2b5d98c52f78568d2787b67f5e8440aee
Instruction Fuzzy Hash: D4F096767001086FDB04DF9AD8408AEBBFBEFC4315704C066E518DB318DA31D9058B94

Uniqueness

Uniqueness Score: -1.00%

Function 080AC5C0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fb33e7e1a472955b78076be3b4e24305cc62143409c97d336470332c2c8f59
Instruction ID: 7ebac23656e02d39328fb2e7d41ae7d5aad15f91e45cdc7c44796453793f62aa
Opcode Fuzzy Hash: c5fb33e7e1a472955b78076be3b4e24305cc62143409c97d336470332c2c8f59
Instruction Fuzzy Hash: 27F03170948208DBE704CBA9C5409ADBBFAAF99302F15E1A9E40A6B212D7319A85DB50

Uniqueness

Uniqueness Score: -1.00%

Function 080A672A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4488e1ebf1845cafd345f81d9464a71a93063e448daf5cbb22f3c7db8bcfc4
Instruction ID: 4bec3e3647ef795c8bb049de804f1ad1f93190cdc53dd336b5f6c17c5eefe292
Opcode Fuzzy Hash: 8b4488e1ebf1845cafd345f81d9464a71a93063e448daf5cbb22f3c7db8bcfc4
Instruction Fuzzy Hash: E3F0C276A001087FDB04DF9ADC4099E7BFBEBC4310B04C07AE918D7355EA30D9018B90

Uniqueness

Uniqueness Score: -1.00%

Function 080ADCBF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9747483479fff0f820109c327b0cee7b9e74b05ced1163f7e8be7d8f38688e2
Instruction ID: 8d24bc374c5826461865c107ea3ba504d4d778b696c276eb75d69653d3f2d8b0
Opcode Fuzzy Hash: f9747483479fff0f820109c327b0cee7b9e74b05ced1163f7e8be7d8f38688e2
Instruction Fuzzy Hash: 03012D34905115CFD710DFA8DD446ECB7B2FB88201F00519AD80EA7346DB345D81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 080A563C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1807dca5ae126e1de16825a5d1430dcd8aa61eedb411bb42eca46916a5aa6605
Instruction ID: 606a57ba09512510c0f53a248ffbc3d06d7b9dd00707798b21dbb17d02ab6921
Opcode Fuzzy Hash: 1807dca5ae126e1de16825a5d1430dcd8aa61eedb411bb42eca46916a5aa6605
Instruction Fuzzy Hash: 5901DA71900219DFEB14DFDAC8047AEBAF6BF48365F158269E424AB2A0D7744A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 080A56D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc4cd736e9d30be24aecc27b8bddc0b88384cce0350e4eeda5412e9c9ae84e6
Instruction ID: bacfe20f24f164575fa2ce0b35e72640fd5b6130013d687d287232466a9c5ea5
Opcode Fuzzy Hash: 1fc4cd736e9d30be24aecc27b8bddc0b88384cce0350e4eeda5412e9c9ae84e6
Instruction Fuzzy Hash: A6F082B27041142FE3149A6EDC89E2BBBEDEBC96707158179F518D7351DD709C00C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1807821469.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174b7544bc641a5746da5531112224aeca0c1dbf2d3c22c43fcc3d443101468b
Instruction ID: 8658ac2f8a751b4a3d564a82a1fa272caa918c4cb060e72df4d875744f548da8
Opcode Fuzzy Hash: 174b7544bc641a5746da5531112224aeca0c1dbf2d3c22c43fcc3d443101468b
Instruction Fuzzy Hash: 48F0F675008354AEEB108A16CCC4BA2FFE8EF90378F18C45BED085F282C2799C40CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 080A68A8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c0a561aa43857e40c300b8fcd68d586f919758bd07caf43fc76af056428761
Instruction ID: 994ad9b1e5846a1bc8f4430ba9a2eb2981dc06134bc9eea731581362adf80528
Opcode Fuzzy Hash: d1c0a561aa43857e40c300b8fcd68d586f919758bd07caf43fc76af056428761
Instruction Fuzzy Hash: D6F0E972D003048BDB209BEE9404396BBF69F91325F1881AEC4599B261E63AD409CB91

Uniqueness

Uniqueness Score: -1.00%

Function 080A5648 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40034d4407bdee099fc609ffebc145bc1bbc0cc3f478b6ad8d151a5138170ea2
Instruction ID: a3739674806ba88aed51b600355c0cc8e5f73364dde689529a40e7bb7bb14105
Opcode Fuzzy Hash: 40034d4407bdee099fc609ffebc145bc1bbc0cc3f478b6ad8d151a5138170ea2
Instruction Fuzzy Hash: 9201BB70800219DFEB14DFEAC8447AEBBF6FF48355F148669E824AB2A0D7744A44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 080A56E8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8babe0f20f15eadd1c088f5da09ec5c4d59f99e5230080c7addb9fd585b5acc
Instruction ID: 6c6bdd0372f4938d4144f4f4863ee86acb212d7f9bba0ce31bdb3256a5190c42
Opcode Fuzzy Hash: f8babe0f20f15eadd1c088f5da09ec5c4d59f99e5230080c7addb9fd585b5acc
Instruction Fuzzy Hash: A4E039B27041286F93049A6ED884C6BBBEDEBCC660311807AF508C7310D9319C0086A0

Uniqueness

Uniqueness Score: -1.00%

Function 080AC7BA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea9bbf008f6782b30a4a6772e00fadec27dfe11f61e6c1ed9dbff14b265487f
Instruction ID: 28e7d455959fabb7a1ec68a0ed39d4a0e6bce3ba456f2252a6879ef24da91db2
Opcode Fuzzy Hash: aea9bbf008f6782b30a4a6772e00fadec27dfe11f61e6c1ed9dbff14b265487f
Instruction Fuzzy Hash: 11F044B0D0424A9FDB44DFA8C841AAEBFF1BF09200F0284A9D800EB241E7B48601CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 080ADD74 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7819993f393b62b0e617b83e42107559c1b27cd7e0e90f4ef01ce8daef5bb62
Instruction ID: 99fa7b3d88b00f8a80694c15569e19495c01de11885c7b797ec9629f81fe182c
Opcode Fuzzy Hash: b7819993f393b62b0e617b83e42107559c1b27cd7e0e90f4ef01ce8daef5bb62
Instruction Fuzzy Hash: 2701E834905205CFD724DBA8DE487A9BBB2FB89201F0491AAD80EA7356DB385D82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 080AC7C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000a6b6baef9af7960dd81eb252d792c573d91d1798f7106abf978af82441603
Instruction ID: 88b9b8a5649694c358c6236b3aa01e0fb4006d53e95e826ccf87fbcb7367e143
Opcode Fuzzy Hash: 000a6b6baef9af7960dd81eb252d792c573d91d1798f7106abf978af82441603
Instruction Fuzzy Hash: 30F0B7B0D0420A9FDB44DFA9C841AAEBBF5BF48700F5185AAD918E7341E77496018B90

Uniqueness

Uniqueness Score: -1.00%

Function 080A509F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b0fa0d926447f73b805bfad7260ab79f98e687a1b2d2dd7fbc5ff802e1de14
Instruction ID: 51f4b89f094c83ba887d1b56ab65c7ec103dc830b3b5e3574da49ef8e9d45daf
Opcode Fuzzy Hash: 50b0fa0d926447f73b805bfad7260ab79f98e687a1b2d2dd7fbc5ff802e1de14
Instruction Fuzzy Hash: 2DF09236A05508DFDB00EFB4E98669CB7B5EF85304B3281E8D804A7205EB326F12DF90

Uniqueness

Uniqueness Score: -1.00%

Function 080AF0F0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f1e085695b105df2f0e6be582de8d03bc6faa3a89333d8cf5bf7bbd355c1e2
Instruction ID: 37c632edb643fbcd70c9e3cfa26e98976c6f10805a6f00affd082d514471284d
Opcode Fuzzy Hash: f4f1e085695b105df2f0e6be582de8d03bc6faa3a89333d8cf5bf7bbd355c1e2
Instruction Fuzzy Hash: D8F0A574E00208ABCF44EFA8D845A9DBBB6EB88311F10C1A9E924A3350DA356A50DF91

Uniqueness

Uniqueness Score: -1.00%

Function 080AC760 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacc15624b0ccccde340e01df565d5c66dcff4506093e3cbb6d21bcae7566336
Instruction ID: 57f8f8dd448dd684d70256d856f1e82643149faca2b43fe59af7fe4c19f01e95
Opcode Fuzzy Hash: bacc15624b0ccccde340e01df565d5c66dcff4506093e3cbb6d21bcae7566336
Instruction Fuzzy Hash: 8DE09B70A44246DED310CF6DC54464DBFF16F04364F29C1A4C054DF162DB7491069B81

Uniqueness

Uniqueness Score: -1.00%

Function 080A50B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefd9f74d2b19ba46fd6d3fb94446d5e1d95c49ca1704a62d958a4ba2b94195e
Instruction ID: 7ebcf5935cec842a110d1701b5785cd8254042ed115492ac2e7f2cf13b8520f9
Opcode Fuzzy Hash: cefd9f74d2b19ba46fd6d3fb94446d5e1d95c49ca1704a62d958a4ba2b94195e
Instruction Fuzzy Hash: F5E08635A0050CEFDB04EFA4E90245CB7B9EB84300721C194D80593314EB326F009B50

Uniqueness

Uniqueness Score: -1.00%

Function 080AC770 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ef0328a04308b05b15ac566969f590df9d595bacf9cb8146134858bb34b83c
Instruction ID: ceee8f3fa5a4973e979ea2f32b476169cdd33dac81e52b82f73a40d9c29d9dc9
Opcode Fuzzy Hash: d2ef0328a04308b05b15ac566969f590df9d595bacf9cb8146134858bb34b83c
Instruction Fuzzy Hash: 2EE0B6B0E4020ADFD740EFBDC945A5EBBF1BF08200F1185A9D019E7211EBB496048F91

Uniqueness

Uniqueness Score: -1.00%

Function 080ADDCF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1522e2be80e19f5ddca52f4fb3446a07ac2b6fea5597935588b8ecace2411fed
Instruction ID: ae45b17c41c897eebd06a6fa3faa01fe35b04a54b2761d4ef618517341e217a0
Opcode Fuzzy Hash: 1522e2be80e19f5ddca52f4fb3446a07ac2b6fea5597935588b8ecace2411fed
Instruction Fuzzy Hash: E2E04F3490520ACFDB00EBD8C9549FDBBBBFB84301B008519D405D731ACB744C46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 080ABD1D Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bff4e85811ea29ece8665eebd50109b78f92741c27a08106321d89808df69f
Instruction ID: 6d7b43020432bd391dc0e2fb665fd6ee8f75a73824bb4deb9a62c0dc1d9d84ea
Opcode Fuzzy Hash: f3bff4e85811ea29ece8665eebd50109b78f92741c27a08106321d89808df69f
Instruction Fuzzy Hash: 93E01730109210CFC764DBE8C968AB8377AFB4E333F000299D41E662A2CB369A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 080AC025 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debbd2c8d6c095765be2531751cab1f9d32f70d740e0c7f4830a70729f117bf4
Instruction ID: b2287375cdd5161f6db5b11ad9d58f2e1e8d400d0707a81266c215b99bac3748
Opcode Fuzzy Hash: debbd2c8d6c095765be2531751cab1f9d32f70d740e0c7f4830a70729f117bf4
Instruction Fuzzy Hash: 31D01730808215CFC724DBE9DC649FDB33ABB8A223F449256C02E62196DB300804CF20

Uniqueness

Uniqueness Score: -1.00%

Function 080A20A9 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e4daeeb02b1098b4194529d8c1839c0f1ceb4d9eff6e5a0bf8e0e630564164
Instruction ID: 88b03e255a41e078fd3ab967efc953a06ab6384ccc3aad06bb720491baae8294
Opcode Fuzzy Hash: c8e4daeeb02b1098b4194529d8c1839c0f1ceb4d9eff6e5a0bf8e0e630564164
Instruction Fuzzy Hash: FCC08CF31400004FF3041A808845AB4B7C2FB68229B629012D14A261A12822E8126602

Uniqueness

Uniqueness Score: -1.00%

Function 080ABB03 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c48e058d6676cd6c0ab9f206464c9f0f040edf936c830090e5cd3572e37f7d
Instruction ID: 46ea524a32d0718f5aa4180385e3ea39f3c26c0581ab125df69a2230df2408be
Opcode Fuzzy Hash: 97c48e058d6676cd6c0ab9f206464c9f0f040edf936c830090e5cd3572e37f7d
Instruction Fuzzy Hash: B3D0C971104210CFD354DBA4D994AA83776FB8E323F014499D00E67212CB36ED84CF10

Uniqueness

Uniqueness Score: -1.00%

Function 080A6700 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c7c665ef0205cad7739e076ab0db7f226e4496818f813786351fd384d606ed
Instruction ID: db74479cad2e61466208b071b90850aa22b495f6f483a2c3663b3fe02ad7cfe2
Opcode Fuzzy Hash: 53c7c665ef0205cad7739e076ab0db7f226e4496818f813786351fd384d606ed
Instruction Fuzzy Hash: 46C09BFB854905E5E50066D0CD05F55502BD774757F584574525AD01A0E162C016D51E

Uniqueness

Uniqueness Score: -1.00%

Function 080A9F10 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cef10481103a2dfd3c2fc7115c790519635eb1d7cb51837efd87ca0d0aba3d
Instruction ID: 2df46df43a43342eb5f2e8e4b760ad395fc6d86e3a9d75c51b7cdcbd87345698
Opcode Fuzzy Hash: b9cef10481103a2dfd3c2fc7115c790519635eb1d7cb51837efd87ca0d0aba3d
Instruction Fuzzy Hash: 8AC08C301412068BC65427E8BC0C3E57AA8D700326F004028A52882422CFA84440CA66

Uniqueness

Uniqueness Score: -1.00%

Function 080AA412 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1813690720.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_80a0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec9e08827f9683a7b233bdc530241f7e321f5c808555b2487f298e5a9a9aa49
Instruction ID: 2d8bcd2ba5028b66476f12c70a5fd60a8030f068e47af3d423531ca4fe08b6f1
Opcode Fuzzy Hash: dec9e08827f9683a7b233bdc530241f7e321f5c808555b2487f298e5a9a9aa49
Instruction Fuzzy Hash: F8C00230A46629CFDB20DB6CDA84BE8B7B6EB45301F0055E4D50DA626AD7305E84DF01

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: eDnxmGWzJ.exePID: 7524, Parent PID: 7276COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	6

Executed Functions

Function 06F13460 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06F13B94
$kq, xrefs: 06F13B6B
$kq, xrefs: 06F13BB8
$kq, xrefs: 06F13B5F
$kq, xrefs: 06F13B88
$kq, xrefs: 06F13BAC

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: b65a7c2ab294bf76451055663900ecbd3dd26d9c537113920e45ff945e93c8aa
Instruction ID: f41ef583fa62cdf29c97fb3391ba45e66367fb78d6d1a664e225c72f893f0a5c
Opcode Fuzzy Hash: b65a7c2ab294bf76451055663900ecbd3dd26d9c537113920e45ff945e93c8aa
Instruction Fuzzy Hash: 9F324F35E1061ACFDB14EF75D99459DB7B2FFC9300F208669D409AB264EB70AD85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 071C5BD1 Relevance: 1.8, APIs: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2974155040.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_71c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854506dc5dc392040d63468b0c050ebb78cba2f4311a8f0b9871e0d4c4336813
Instruction ID: b21ab900b7f37350c8c1481b4dff21a2447e91ec793d45b0438b0c50f02e6e50
Opcode Fuzzy Hash: 854506dc5dc392040d63468b0c050ebb78cba2f4311a8f0b9871e0d4c4336813
Instruction Fuzzy Hash: 6FD16CB0A0020ACFEB15DFE5C948BADBBF2BF58314F258158E405AF2A4DB74E955CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06F19108 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06F1915B
$kq, xrefs: 06F1918A
$kq, xrefs: 06F19196
$kq, xrefs: 06F1914F

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 2556eec92e297e30de532c74ad14071cc020aa8915235cf8b09a43cca637dbdc
Instruction ID: d3d9ad884431f99c4bf683cc1ecba08d7cc3448dfd8f83bcdf52b869f62db10f
Opcode Fuzzy Hash: 2556eec92e297e30de532c74ad14071cc020aa8915235cf8b09a43cca637dbdc
Instruction Fuzzy Hash: 9E915074F1020A8FDB64DF65D9607AEB7FAEBC4240F108569D409EB394EB74DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 016C07F8 Relevance: 4.1, Strings: 3, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 016C099D
(oq, xrefs: 016C0972
(oq, xrefs: 016C0B2F

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: d73547939bf2585f4b5c8d96040293b24ffd22e685169e0c5d0d3d777522c435
Instruction ID: f08a35e3444f982bc54f905d37bc62c8eb54d89acf3236b8b76334240e88987b
Opcode Fuzzy Hash: d73547939bf2585f4b5c8d96040293b24ffd22e685169e0c5d0d3d777522c435
Instruction Fuzzy Hash: 27D18D74E00209DFDB14DFA9C8546AEBBF6EF88710F24866DE505AB391DB30AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F14B68 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fpq, xrefs: 06F15275
\Opq, xrefs: 06F14D1F
XPpq, xrefs: 06F14C95

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: bd68fac892a09f42e828984073f9aa8ff44e166ade6ecb1ffaf873d92df1768a
Instruction ID: ed4468929104a1d2bfc7e98bbe32b25561d3138ddb0fa731e81ba3d5aa4ec1c5
Opcode Fuzzy Hash: bd68fac892a09f42e828984073f9aa8ff44e166ade6ecb1ffaf873d92df1768a
Instruction Fuzzy Hash: 9B616B71E002199FEF54DBA5D814BAEBBF7FF88340F20852AD506AB394DA758C41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06F18030 Relevance: 2.7, Strings: 2, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06F182D3
$kq, xrefs: 06F182DF

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 693fe8382f5e09884ffdf12cba734cd25c864c182882e8041d9f85ca0b280644
Instruction ID: 432a8e10dd1cf3943eba130494f0c98ad8fe85833795c4f43dfb50c1da4baca4
Opcode Fuzzy Hash: 693fe8382f5e09884ffdf12cba734cd25c864c182882e8041d9f85ca0b280644
Instruction Fuzzy Hash: FD91CE34F006458FDB69DB75D65066EB3E6EF84380F248928D816DB398DB35EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F19103 Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06F1918A
$kq, xrefs: 06F1914F

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 125920490b7f79d9c5624b050d9e0558b56c2f93a1cd450d7892caba95d04e9c
Instruction ID: f7bc2711e65200dd2e158255874cfe9fe8b05dc3c6ee7137105f524c8491543c
Opcode Fuzzy Hash: 125920490b7f79d9c5624b050d9e0558b56c2f93a1cd450d7892caba95d04e9c
Instruction Fuzzy Hash: 00513E74F001068FEB54EB75D960B6E73FAEBC8680F508469D509DB398EA74DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018D8168 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 018D81E0

Memory Dump Source

Source File: 0000000F.00000002.2932435945.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_18d0000_eDnxmGWzJ.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f839e1d147b037f0ef68eae66146de7b4bafe1f6de8054dd60492d724b970433
Instruction ID: 66e1900de1a35ea5f53b01bdbed2c0f43ea6988be06fca9b1f9995a3194de4c2
Opcode Fuzzy Hash: f839e1d147b037f0ef68eae66146de7b4bafe1f6de8054dd60492d724b970433
Instruction Fuzzy Hash: A72158B1C0065A9FCB14CFAAC844BDEFBB4FF49320F14816AD958A7254D734AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018D8170 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 018D81E0

Memory Dump Source

Source File: 0000000F.00000002.2932435945.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_18d0000_eDnxmGWzJ.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 682c118e18b21402b90026e689d68b8ba84fde0706915804b19e5d1ac392402d
Instruction ID: 349db09e5d568bf5488e907b94c3eff1b6350352ecf2093f31475383d46b59ed
Opcode Fuzzy Hash: 682c118e18b21402b90026e689d68b8ba84fde0706915804b19e5d1ac392402d
Instruction Fuzzy Hash: B11136B1C0065A9BCB14CFAAC544BDEFBB4BB48320F14816AD958A7250D738AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 071C60DA Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 071C6148

Memory Dump Source

Source File: 0000000F.00000002.2974155040.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_71c0000_eDnxmGWzJ.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 632cf5fb37c20e772d137eead4ccacf10d11f497c722c8e0268d3baf9f1646b4
Instruction ID: 4dffb39c0fe47356cd8f29328038e332da8da14eff42bbf845a389742d184ce3
Opcode Fuzzy Hash: 632cf5fb37c20e772d137eead4ccacf10d11f497c722c8e0268d3baf9f1646b4
Instruction Fuzzy Hash: 0A1137B6C00249DFCB10CF9AD944BDEFBF8EB48320F10842AE558A7651C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 071C0928 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,071C1A91,00000800), ref: 071C1B22

Memory Dump Source

Source File: 0000000F.00000002.2974155040.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_71c0000_eDnxmGWzJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 07369f90ab14ce32306852b9d8ae1e6cfc53e65963b41fdddff35be908cc80a3
Instruction ID: c9128a46762db1abd87447d7b15b61848de209a5d9c625d043cc4c0cdfd27c98
Opcode Fuzzy Hash: 07369f90ab14ce32306852b9d8ae1e6cfc53e65963b41fdddff35be908cc80a3
Instruction Fuzzy Hash: A81112B69002499FCB24CF9AC544BDEFBF4EB98310F10842EE919A7651C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 071C1AB2 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,071C1A91,00000800), ref: 071C1B22

Memory Dump Source

Source File: 0000000F.00000002.2974155040.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_71c0000_eDnxmGWzJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d8be43198730b33841fb1cde4412fbfadc1c4e43fac1f8a6b8662943fdab16f9
Instruction ID: 813200c9141ada854d9d009795f5340e36fd50df580d32238f36cba6d805d4b8
Opcode Fuzzy Hash: d8be43198730b33841fb1cde4412fbfadc1c4e43fac1f8a6b8662943fdab16f9
Instruction Fuzzy Hash: E41123B6D002499FCB20CF9AD444BDEFBF4EB98320F10842ED919A7650C375A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018DF0F0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 018DF157

Memory Dump Source

Source File: 0000000F.00000002.2932435945.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_18d0000_eDnxmGWzJ.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 84b1597bc9390e07f8a9b5506ce476886f61508b3973bb79e9def2d97acd6b27
Instruction ID: b05a03b1138d1bcab0b9e0289378fd550d1a4d31174928e8d614667ce053f614
Opcode Fuzzy Hash: 84b1597bc9390e07f8a9b5506ce476886f61508b3973bb79e9def2d97acd6b27
Instruction Fuzzy Hash: 451123B1C006699BCB10CFAAC544BDEFBF4AF48324F10816AD918B7250D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 071C60E0 Relevance: 1.6, APIs: 1, Instructions: 52
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 071C6148

Memory Dump Source

Source File: 0000000F.00000002.2974155040.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_71c0000_eDnxmGWzJ.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 259f98bbcbe44d8f95b2c256300bd8ebeab42863b822589ba2097d1fb5bde444
Instruction ID: 99fe99a3852838bed95f9e02137a6bb57a442877a258d88ad65684558851908d
Opcode Fuzzy Hash: 259f98bbcbe44d8f95b2c256300bd8ebeab42863b822589ba2097d1fb5bde444
Instruction Fuzzy Hash: C21104B5C00249DFDB10CF9AD944BDEFBF8EB48324F10842AE958A7251C379A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F14B63 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

XPpq, xrefs: 06F14C95

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 284fd20bd958d2d67fe2b7c0cd0cf64b88445a6a2416fbf17f779eda0e83b2c8
Instruction ID: a82c5677dbf248ab2a8c93ff9f3d227343935a09bddecfab3412aaeb7960167a
Opcode Fuzzy Hash: 284fd20bd958d2d67fe2b7c0cd0cf64b88445a6a2416fbf17f779eda0e83b2c8
Instruction Fuzzy Hash: C5416D71F002099FEB54DFA5C814BAEBAF7FF88300F208529D106AB394DA758C41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06F1DA91 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06F1DBE1

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 03173999dfc0148261781b28dcc992695e3688390b077894353f1ba56dfe9947
Instruction ID: aa7dee9a9b9d77b47c9cc22299f3183f4cf7f38719a4e72dcaea735e3a1021ef
Opcode Fuzzy Hash: 03173999dfc0148261781b28dcc992695e3688390b077894353f1ba56dfe9947
Instruction Fuzzy Hash: 87419F71E0020ADFDB65DF65C5546AEBBB6FF85390F208929E402EB344DB74E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F121D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06F1230B

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 6e72a60f8eb1679c45c38315a6a9058f20bea2011eb67998ce60bb8e11e9aafd
Instruction ID: a95a69abfe7406bee075ed996f6cffaa8d3899ec0f086a5953b796c2b389207e
Opcode Fuzzy Hash: 6e72a60f8eb1679c45c38315a6a9058f20bea2011eb67998ce60bb8e11e9aafd
Instruction Fuzzy Hash: 8831D030B002018FEB65ABB4C55466F7AE7AB89290F20842CD402DF398DF35DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 06F182AE Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F182D3

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: 9e5746769dab0f75849387e18dd38833b807a9ffaaf330e94e769749fcd5fd35
Instruction ID: c5a2e106e842cfb26fbbc1707c53f7dc5002e02437f7ff15dd3be1163e52893d
Opcode Fuzzy Hash: 9e5746769dab0f75849387e18dd38833b807a9ffaaf330e94e769749fcd5fd35
Instruction Fuzzy Hash: 2CF0A03AF00640CFEF659B81EB511A9B365E7402D0F180067DD208F140C339DD02CA94

Uniqueness

Uniqueness Score: -1.00%

Function 06F14A51 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Opq, xrefs: 06F14A5D

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: \Opq
API String ID: 0-3546586535
Opcode ID: 3f25ac7bf83c4da1a2231f7855c5ff586d4ad2df294ca1ad99d1b715787622d3
Instruction ID: 54ae4a575ebac11a9e3e86564deb6609867d41247eb62a7d6689507ad65dc7f6
Opcode Fuzzy Hash: 3f25ac7bf83c4da1a2231f7855c5ff586d4ad2df294ca1ad99d1b715787622d3
Instruction Fuzzy Hash: C6F0FE30A10229DFDB14DF94E869BADBBF2FF84750F214129E402AB394CB745C05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 016C0550 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e24d4fcca90b43c284cfa8be0ca97e2756cc95ebf7f175b9f1ce09a71a3df6
Instruction ID: 17cf255939c311e91790beee10882c27e07fa3624a260ab80807475fca7ce142
Opcode Fuzzy Hash: 16e24d4fcca90b43c284cfa8be0ca97e2756cc95ebf7f175b9f1ce09a71a3df6
Instruction Fuzzy Hash: 55418D30E00709DFDB04DFA9C8546AEBBB5EF88700F15C65DE509BB260EB70A981CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06F1C4F8 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd143dd6ddb3fd874dc11e2d29c1d0e8009eebd0f75061279a9daf6f378ac5b3
Instruction ID: 428fc569aa06a20300c270e3b43501a9c16c3ec26deb2a6dbc727b2d5bab6f14
Opcode Fuzzy Hash: bd143dd6ddb3fd874dc11e2d29c1d0e8009eebd0f75061279a9daf6f378ac5b3
Instruction Fuzzy Hash: 21D19D34B012098FDF54DB69D980AADBBB6FF88350F108529D905DB395DB39EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F158B0 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c55ea4c6d5303712a53a7321ebd4f0cb7dd7b7d3a11ef7be8b878300778116
Instruction ID: 1651a70a214499e6d1781b2d6a5b08a33cd529d97c0458dc84fe195e16797351
Opcode Fuzzy Hash: 16c55ea4c6d5303712a53a7321ebd4f0cb7dd7b7d3a11ef7be8b878300778116
Instruction Fuzzy Hash: EAB15DB5F002159FDB14DFA5D994A6E77B6EFC4350F208429D902AF398DA78EC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06F1B1F0 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908cb1c2e790706e291fc4f2aabe4d9ec0d939c1db4cd3182c880419cad8af0b
Instruction ID: 6e32fcea8f7fd0739547e06fd97fcfc1e3d96d63daebb651b61d2a7c6e49340e
Opcode Fuzzy Hash: 908cb1c2e790706e291fc4f2aabe4d9ec0d939c1db4cd3182c880419cad8af0b
Instruction Fuzzy Hash: 33B18434E10209CFEF64DBACD5907AEB6B6FB89350F204929E405EB395CA35DC858B51

Uniqueness

Uniqueness Score: -1.00%

Function 06F1B1F9 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ac7b9bff6af1a3b9215cfa5609569931d066d9191477bf3dc128e46c6d520e
Instruction ID: 9be8c1918ce5a866dbcb0b0e562c8673a0e1050113906b5ec392df38b4551274
Opcode Fuzzy Hash: 18ac7b9bff6af1a3b9215cfa5609569931d066d9191477bf3dc128e46c6d520e
Instruction Fuzzy Hash: 99A19334F00209CBEF64DBACD5907AEB6B6FB89350F208929E405EB395CA35DC858B51

Uniqueness

Uniqueness Score: -1.00%

Function 06F1B618 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450fd51e485047e1350aed066dd1d394d8b49c1b4c2300b436a3dfe8434ff6da
Instruction ID: 44e3d3c1ffc3af1e5016c4aace8b20b79b0b51d37156128a40f0be80834de8bd
Opcode Fuzzy Hash: 450fd51e485047e1350aed066dd1d394d8b49c1b4c2300b436a3dfe8434ff6da
Instruction Fuzzy Hash: 21A19B30E10209CFDBA0CB69D594BADB7B1EB45390F64856AE458DF3A5DB34DC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F1B617 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e3013292c9be90dbb14107a1761e39ab1ba29c3eef4a82cd77d83194b172be
Instruction ID: f8911d00846d3f1c60555ea69ca822e4b92408eb2721ac9dbb7d90697617cf53
Opcode Fuzzy Hash: 38e3013292c9be90dbb14107a1761e39ab1ba29c3eef4a82cd77d83194b172be
Instruction Fuzzy Hash: 05A17A34E10209CFDBA0CB69D594BADB7B1EB45390F64856AE448DF3A5DB34DC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F155A0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e901b5b8c89b5cbcd6f2d988ebf37db62f066ce4dbf5ddeec87533a2d0a830
Instruction ID: ea1abd9a2a886ba6c910b9e14b561a92260a32b39648a349e4b8de78c8ca64d7
Opcode Fuzzy Hash: 62e901b5b8c89b5cbcd6f2d988ebf37db62f066ce4dbf5ddeec87533a2d0a830
Instruction Fuzzy Hash: 3B91C0B5E142198FDF608B68C49076EFBA2EB863A0F14C967D469DF281C635DC81CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06F16CD8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2000ab3a79aa48a631a17f6fbed7bc40bccadce419a1feb3bcf10d43f8e77c
Instruction ID: 32fabd42cd21fa9e53c37a8188e7855e8a0761b5c003c37ee18845e4a97b8af2
Opcode Fuzzy Hash: 5b2000ab3a79aa48a631a17f6fbed7bc40bccadce419a1feb3bcf10d43f8e77c
Instruction Fuzzy Hash: D5A18830E00215CFCB64EB69D644A6DB7F2EF84394F158569E41AAF394EB76EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06F158AF Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d641aa8967a42e6f4df26130ca9d76badb2ce21cacb30b83c5d091b2c5227ed
Instruction ID: 68ba4a7be14ce6894263cf129b6aab5bd421bddf2612c98c63d01fcb8dd69e55
Opcode Fuzzy Hash: 1d641aa8967a42e6f4df26130ca9d76badb2ce21cacb30b83c5d091b2c5227ed
Instruction Fuzzy Hash: ED914DB4F002059BDB14DFB4D990A6E77B6EFC4350F648428D902AF398DA78ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06F158A7 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063b2f834dbae7751d89b0fe3538d6c8fb5a4a63c29d41d24bf5ed281e4a3244
Instruction ID: a27342ee01f89b24477c29cf7bb406cba84eb16da529158c7b01c1816766d3ab
Opcode Fuzzy Hash: 063b2f834dbae7751d89b0fe3538d6c8fb5a4a63c29d41d24bf5ed281e4a3244
Instruction Fuzzy Hash: A9814AB4F002059BDB14DFA4D990A6E77B6EFC4360F648528D902AF398DB78ED46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06F161B0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2225f139f3b687e5df69ddfd0f5daca1c7a9c9d5c7d5ddd8481a73850d0a25a9
Instruction ID: 24e41c6fa5415137ceadec3c53b4fee83b0d2099a8658ba1c1dd222db6e82c68
Opcode Fuzzy Hash: 2225f139f3b687e5df69ddfd0f5daca1c7a9c9d5c7d5ddd8481a73850d0a25a9
Instruction Fuzzy Hash: 6B61D4B2F001214FDF519B7DC89066FAAEBAFD4650B154039E80ADB379DE65DC0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 06F142A3 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7df47a6c2a966254c458837468168fb1e38660e3f57abcf87e995b45df297ed
Instruction ID: 42bb0883d4dff032804ec92e6103eed9e40e600e89f1b7cd81cfde8443447d96
Opcode Fuzzy Hash: e7df47a6c2a966254c458837468168fb1e38660e3f57abcf87e995b45df297ed
Instruction Fuzzy Hash: 39810934F0020A8BDF54DFA9D5546AEB7F6AFC9340F108529D50AEB398EA74DC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 06F1AEE8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc20da85800ef7105af688439eeb0d04801cbcb401f3b534f4f40b3795f4ef4c
Instruction ID: 4612fbdac2ae532c428a504e08d472db031f6440489b7e8fb498dbde25986540
Opcode Fuzzy Hash: bc20da85800ef7105af688439eeb0d04801cbcb401f3b534f4f40b3795f4ef4c
Instruction Fuzzy Hash: 5B715C31E0031A8FDB65DFA9D9906AEB7B2FF85340F118629D409AF354DB74D886CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F145CF Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d05ca658502d12796d7770dc4bed008f1fd4b732b7841570b625a7c90b64dc
Instruction ID: 700bbdfa18c5dd1798dbcc686fd9b35090f0838ddd12fefad661566941d46546
Opcode Fuzzy Hash: a0d05ca658502d12796d7770dc4bed008f1fd4b732b7841570b625a7c90b64dc
Instruction Fuzzy Hash: B9913F34E106198FDF60DF68C850B9DB7B1FF89310F208699D549AB355DB70AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F145D0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd7011ccde2a6eb6c5e0dbe471008d5a6c230cb74ef4d7ef1feac2852d2ae2c
Instruction ID: b97b4421080968a00136d01de31d5a9c79b61396ac78f06d7bad841dfbf3b55b
Opcode Fuzzy Hash: 8dd7011ccde2a6eb6c5e0dbe471008d5a6c230cb74ef4d7ef1feac2852d2ae2c
Instruction Fuzzy Hash: F1913F34E106198FDF60DF68C850B9DB7B1FF89310F208699D549AB355DB70AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F1EEF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305c002fc03f36fcc9b2a6905dd129abd2aec8c6aad9eca90a21831fe3b0379b
Instruction ID: 99ebb55c150371a00531efa9521a03e4e8deb615b42e890760e8b5478c4d22d2
Opcode Fuzzy Hash: 305c002fc03f36fcc9b2a6905dd129abd2aec8c6aad9eca90a21831fe3b0379b
Instruction Fuzzy Hash: 31713870E012098FDB54DBA9D980AAEBBF6FF88340F148529E415EB365DB30EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06F1EEE9 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a064cfd9346cd152a515525d55f4cdfaf50dfecbfaa88833842e225165355bd9
Instruction ID: 962dd568ac4ca71984a48c95bda95fabe116ad5a106ca129c800ed9f46391b96
Opcode Fuzzy Hash: a064cfd9346cd152a515525d55f4cdfaf50dfecbfaa88833842e225165355bd9
Instruction Fuzzy Hash: DA713970E012098FCB54DBA9D980AAEBBF6FF88340F148529E415EB364DB30ED46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06F1F9EF Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a94cb1a9e0ba9c58fcf7bf2db628fdc6669d91fdb5fac2243f434fdb2f8c7b
Instruction ID: 039a1e4b218ab27e004a714df33932aadb9487f8b1d6154b78c6c9e2667f32b8
Opcode Fuzzy Hash: 43a94cb1a9e0ba9c58fcf7bf2db628fdc6669d91fdb5fac2243f434fdb2f8c7b
Instruction Fuzzy Hash: 8951D570F11215CFEF609668DD64B7F269EEB89390F20482AE40ADB3E5C92DCC4583A1

Uniqueness

Uniqueness Score: -1.00%

Function 06F1FC49 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ab24ef27d874410a6ca71cfbfed005e0853acb225fe925834af3097269b15e
Instruction ID: 353712438d98eda8971f9dd4efc64701581a5148603ea32ecd90d8b579f2f0cb
Opcode Fuzzy Hash: 59ab24ef27d874410a6ca71cfbfed005e0853acb225fe925834af3097269b15e
Instruction Fuzzy Hash: 3B51D331E02109CFDB64EB78E4546ADBBF6EF883A5F108869D506DB250DB358955CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06F1FA00 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5345c457f5bab20b675f7d791db0f2aa28e11a22caf446a4734f2343bb829d7e
Instruction ID: 50f0e6b58281a2a4cf9a7f29c8779cb2930fdb2bd8bbcb7d7b68c7f0ddaca78b
Opcode Fuzzy Hash: 5345c457f5bab20b675f7d791db0f2aa28e11a22caf446a4734f2343bb829d7e
Instruction Fuzzy Hash: BF51C370F11215CFEF64966CD95477F269EE789390F20482AE50ADB3E4C92DCC8143A2

Uniqueness

Uniqueness Score: -1.00%

Function 06F15590 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb426d2081fbd90cc249bf221937ba4599754d08cb3fa4815813f37bfffddd5f
Instruction ID: 8aa9e7e13642007fb2464db796e39c6cab972f52ee8de4a5da37bc5bbe0cad66
Opcode Fuzzy Hash: eb426d2081fbd90cc249bf221937ba4599754d08cb3fa4815813f37bfffddd5f
Instruction Fuzzy Hash: 275191B4E1021A8FDF648B68C484A7EFBB2FB85350F248A26E456DF241C634EC51CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06F15411 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c7d80b6dcba8f39d7a621ac1608b2b01606e5e59f2c777b17e4adbf5de89d6
Instruction ID: 0acab05529c2cfd49363c4fb9438d18960bae076aee66bda6528629db7f87cae
Opcode Fuzzy Hash: c6c7d80b6dcba8f39d7a621ac1608b2b01606e5e59f2c777b17e4adbf5de89d6
Instruction Fuzzy Hash: F94160B1E002099FDF70CEA9D880AAFFBF2FB85354F10492AD156DB654D330E9598B91

Uniqueness

Uniqueness Score: -1.00%

Function 06F1D938 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7d7282b31a22146ce471594507dd85e920322559292fd5709f7761d07a981a
Instruction ID: d98206e88081b0e0a54198d15dd28287c71eb9af66c923d9fb3bc82d072d1750
Opcode Fuzzy Hash: 6d7d7282b31a22146ce471594507dd85e920322559292fd5709f7761d07a981a
Instruction Fuzzy Hash: 63317E30E1021A9FCB24DF65D9A069EBBB6FF85344F104929E405AB358EB70E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F12080 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e9896fe67cfa31d60614ef8ca296224fbec03d1d66288d36775187f529c725
Instruction ID: 539682aedfb457cd1f114ea9962689586789c1e9b4fbbd3162635ff71726b207
Opcode Fuzzy Hash: 34e9896fe67cfa31d60614ef8ca296224fbec03d1d66288d36775187f529c725
Instruction Fuzzy Hash: C131A134E0025A9FCB15CFA5D9546AEBBB2FF89340F108929E906EB354DB71ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016C1040 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e2d67123c346af2a232bd02e3e5859fa44bcf46681f4f09fb0b43c08f25f61
Instruction ID: 518e5e186067a5815a7d47fb2c86129fd0d44d5db0deca0528aeb524be873202
Opcode Fuzzy Hash: b0e2d67123c346af2a232bd02e3e5859fa44bcf46681f4f09fb0b43c08f25f61
Instruction Fuzzy Hash: AF319070A002068FDB11EB79DD40AAEB7F5EF8A710F104529D005EB7A5DB39AD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F16439 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913980a2410901b9b1c7b854194ea35ecb84d39f7821ef9bc7e1cc50226e0c8e
Instruction ID: 9d81d0dbd41f290303cbd8b8780601823ecce26381601be3090a0e698e2daae6
Opcode Fuzzy Hash: 913980a2410901b9b1c7b854194ea35ecb84d39f7821ef9bc7e1cc50226e0c8e
Instruction Fuzzy Hash: 623180B1D01219AFDB10CFA9D885BDEFBB8FB49310F10816AE408E7241E3759A44CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 016C1050 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb726627a661f4cb713ac56080895ff04ba56f2ce98a7d78d4c06f3ce56d4dfd
Instruction ID: 6ba286e745b00d9e1b2fb47d02ad015e0f4a23f0e3218e81aa477a79fb7b729d
Opcode Fuzzy Hash: cb726627a661f4cb713ac56080895ff04ba56f2ce98a7d78d4c06f3ce56d4dfd
Instruction Fuzzy Hash: BB317E70A0021A8FDF51EB69DD40ABEB7F5EF89710F104529D006EB765DB39AD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F1D948 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff30f20695c1d602d3f796972dd43bbb2a7712eb3fc593245c6a8644d9824f4
Instruction ID: e184ff62d39f589c51ca76ce297bc3816b92ae62214a9789ade0805b2844b3c4
Opcode Fuzzy Hash: 1ff30f20695c1d602d3f796972dd43bbb2a7712eb3fc593245c6a8644d9824f4
Instruction Fuzzy Hash: D3316130E1061A8FCB24DF69C9A069EBBB6FF85340F104929E405EB354EB71E946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06F12090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33cc25361d909eca63332b08eb5d18bfc1d2b77e609a70e0539b2ad2f992380
Instruction ID: ab8e519508796e104e92d2491af34ba6e2a273b0d874bd938c7398750c858a5a
Opcode Fuzzy Hash: a33cc25361d909eca63332b08eb5d18bfc1d2b77e609a70e0539b2ad2f992380
Instruction Fuzzy Hash: F9319034E1021A9BCB14CFA5D954AAEB7F2FF89340F108529E906EB350DB71ED81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F13EB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9034bd71c267de8e9c1eefa848d0eed83540961e46cc53730511e36941d09417
Instruction ID: 187c5f0ae2323b592ea957acbcac5559be62d0e283fa54650d18109a9e500358
Opcode Fuzzy Hash: 9034bd71c267de8e9c1eefa848d0eed83540961e46cc53730511e36941d09417
Instruction Fuzzy Hash: 2121AE7AF002158FEB50DF79D980AAEB7F5EB88750F108029E905EB394E774DD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 06F13EAB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a9627426d5fde7c99f9369967ec3c191edeee4b089b40c772f0b164168ca73
Instruction ID: 702b8de9c84168edbf7c94901c85b1528a87039b640334b7d9f19ffc6a520378
Opcode Fuzzy Hash: 05a9627426d5fde7c99f9369967ec3c191edeee4b089b40c772f0b164168ca73
Instruction Fuzzy Hash: F821AC7AF012159FEB50DF79D880AAEBBF5EB88750F108029E905EB390E774DD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 016C0B6C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbd65259cf8fb7b1e2a2db9faf7c10e365d57dcae21a77d57b9ca40bcd16468
Instruction ID: 299ab91c30abc984b29c1f31b9aeddc085894bf0902bc44b8988092498f5c47a
Opcode Fuzzy Hash: 2dbd65259cf8fb7b1e2a2db9faf7c10e365d57dcae21a77d57b9ca40bcd16468
Instruction Fuzzy Hash: 7731E0B4D01318EFDB24CF99C988BDEBFF9EB48714F20805AE404AB250C3B59845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016FD20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931574454.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16fd000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b65062e6de3ac893a2b2048d61cbfddd00180f6f4fc93ac67e504f93df3ceda
Instruction ID: 71867b837d11f5fecc6d3d121665d5ad7770507e3d979b97317595483647e12a
Opcode Fuzzy Hash: 9b65062e6de3ac893a2b2048d61cbfddd00180f6f4fc93ac67e504f93df3ceda
Instruction Fuzzy Hash: 45212679504244DFDB01DF58D9C4B2ABB65FB84334F20C66DDB494B346C376E446CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 016FD3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931574454.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16fd000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0475be3f0e12d839a2919a3939acec2539fcc34083f8ffd43566044be136bda0
Instruction ID: 819543263ed2c01abc5cd5d474c68cc3fdf468646291cb7979a76e1cc9eba04c
Opcode Fuzzy Hash: 0475be3f0e12d839a2919a3939acec2539fcc34083f8ffd43566044be136bda0
Instruction Fuzzy Hash: 9A212671504204DFDB05DF58D9C4B26BFA5FB84314F20C56DDA0A4B396C376F846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 016FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931574454.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16fd000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f45b6119227d665c6fc3a31f82c0c910166da0c0fa998688aa016564b31f8d
Instruction ID: d052867b699eb7cbfed8570ea9541d7480a51cb783cdc0e25fd2032e916befea
Opcode Fuzzy Hash: 25f45b6119227d665c6fc3a31f82c0c910166da0c0fa998688aa016564b31f8d
Instruction Fuzzy Hash: 27210471504204EFDB15DF68CDC4B26BBA5FB84314F20C56DEA494B356C73AE447CA62

Uniqueness

Uniqueness Score: -1.00%

Function 016FD12C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931574454.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16fd000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c828ccc6a0d5409e6a45a00a5d17b4689548edbf3a6a9f23f69b74692c7fa6b
Instruction ID: e79a8ed60aa2415fe24ec3b106db3bfcdfe5362ad6a8f816e2204bef95bf0ff1
Opcode Fuzzy Hash: 8c828ccc6a0d5409e6a45a00a5d17b4689548edbf3a6a9f23f69b74692c7fa6b
Instruction Fuzzy Hash: 8C2105B1644240DFDB05DF58DDC4B26BFA6FB84319F20C66DDA0A4B366C33AE846C661

Uniqueness

Uniqueness Score: -1.00%

Function 016C0504 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd8599a872bc5d9b5d45853de10a7f821e849e8163d2b60d4324244a24734be
Instruction ID: e1cc170598bbc56a9ed551f93d58c0494422d23a76cda16ce03cc5bf9c5689fc
Opcode Fuzzy Hash: 8dd8599a872bc5d9b5d45853de10a7f821e849e8163d2b60d4324244a24734be
Instruction Fuzzy Hash: BD31D1B4D00318DFDB24CF99C988BAEBBF4EB48714F24845AE404AB350C7B59845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F1F919 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389f11226130d4b1cf90d86e53f788a80a6342f71c9993f21d59799fbf44e4cd
Instruction ID: 8b4145328eb6b51bfce9020ad6e489d6c1b508b2c0d873ffc6ee2a77f5d5c203
Opcode Fuzzy Hash: 389f11226130d4b1cf90d86e53f788a80a6342f71c9993f21d59799fbf44e4cd
Instruction Fuzzy Hash: 02110830F122196BEF64297D8D6077F159EC7C5790F64082AE00ADB3A9C819CC4103E2

Uniqueness

Uniqueness Score: -1.00%

Function 06F16CD7 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a0362d66f80a9c818ecdf7986d7ca8f87d5b0621d093a959fac93d0574c9ee
Instruction ID: 0dedee0a20fe9386b4a331bbd07734d292db857b83a5a7b1ffa7776f77304515
Opcode Fuzzy Hash: 05a0362d66f80a9c818ecdf7986d7ca8f87d5b0621d093a959fac93d0574c9ee
Instruction Fuzzy Hash: 3D21B430F101199FDF64DB69E9506AEB7BBEB84390F248425E805EF394DB75DC418B80

Uniqueness

Uniqueness Score: -1.00%

Function 06F13457 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59ccb44a86983f20fcecb53389d5063d68621d87a3af264f2179b1f1f3d3508
Instruction ID: 53e20fd5ef399605490a7cb39dbd239e2e1dc027634122f5bb00ff375c35e7b6
Opcode Fuzzy Hash: f59ccb44a86983f20fcecb53389d5063d68621d87a3af264f2179b1f1f3d3508
Instruction Fuzzy Hash: E111AF32E002299FCB649B69D8405DEF7F6FB89350F108569D006EB344DA32D940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06F1A2C8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d74c7900efead62d7e14000aeb488b8d1221d7bc05ca93c0e80a1ba50e91a3
Instruction ID: 9f0e1ecd71f4334b150c732ab4563e5227bce3ed4212833982b12d0293dd2821
Opcode Fuzzy Hash: 11d74c7900efead62d7e14000aeb488b8d1221d7bc05ca93c0e80a1ba50e91a3
Instruction Fuzzy Hash: 3B112635F022241FCB619B7DE85177BB7D6E789790F108429E10ACB340EA27DC028790

Uniqueness

Uniqueness Score: -1.00%

Function 06F1F928 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9b5bc10e938872e2c2136f79b379fadc491c3fe68ea21cf871f078305385be
Instruction ID: 517b14682a866524e719b73ae82dccae3f9c96ce3c421e9898101aaff05df194
Opcode Fuzzy Hash: 9b9b5bc10e938872e2c2136f79b379fadc491c3fe68ea21cf871f078305385be
Instruction Fuzzy Hash: BE018430F21229A7EF64396E8D6472F51CED7C97A0F60482AD40ADB3D8D859CC8103E6

Uniqueness

Uniqueness Score: -1.00%

Function 06F13FC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6986315a8b67e954a0bcb2312043f6f503b7a49ac0e523a50a3a38bf2793f5c2
Instruction ID: 618a756130922101861794737391a1d3b0ed4edaeda749ad7d69e44374283c4e
Opcode Fuzzy Hash: 6986315a8b67e954a0bcb2312043f6f503b7a49ac0e523a50a3a38bf2793f5c2
Instruction Fuzzy Hash: D4118E36F001298FDF549A69DD146AE73EAEBC8790B008439D40AEB354EE65DC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 06F13FAF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5c4cd7754d101e8cd5d0e3cd266b29853a3f89b67010fbc1bd3d0176c8968c
Instruction ID: 81c7f9db7951ee0af8e8475f6df347d565f25c26e0987540f210c1dadff287a0
Opcode Fuzzy Hash: fe5c4cd7754d101e8cd5d0e3cd266b29853a3f89b67010fbc1bd3d0176c8968c
Instruction Fuzzy Hash: 44019E36B102195BDF58AA69DC186EB72FAEBC8691F044439D40AD7344FEA49C0247E1

Uniqueness

Uniqueness Score: -1.00%

Function 06F141F8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61ee26a3d8a154eda41c68f8b3b5512f1271c6ae371f6dc9702f1c8d783f7dc
Instruction ID: 7e0b870f5634cd1720c08184ef3ae4d96054d2950302b2cb169e1fd406018a7a
Opcode Fuzzy Hash: d61ee26a3d8a154eda41c68f8b3b5512f1271c6ae371f6dc9702f1c8d783f7dc
Instruction Fuzzy Hash: 4D01A231F000210BDB649ABE9814B7BB6DBDBC9790F108439E10ACB744E961DC8247D5

Uniqueness

Uniqueness Score: -1.00%

Function 016FD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931574454.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16fd000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: af563f16462d5b5ed9a0da3b285e052f3722d148d64d0a3f21acf5c06f8f65e1
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B711BB75504284CFDB12CF54C9C4B16BFA2FB84314F24C6AED9494B352C33AE44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 016FD207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931574454.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16fd000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 4484f8258e615d40c76b3c53821242fe131be6a4d9e57619c6b7088950880b3f
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: E111907A504284CFDB12CF54D9C4B56BF61FB84224F24C6AEDA494B756C33AE40ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 016FD3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931574454.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16fd000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: bb25b94216037e551cd497dc713013b49f10b8c9100af27416465aa293680844
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 9C11BB75504280DFDB02CF58D9C4B55BFA2FB84214F24C6AED9494B356C33AE40ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06F13C7F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbaf69fa020a81a8ed60af58d04d051393856de18240d0def33f8d72dc2f04cb
Instruction ID: 13ac7feb2f615899162aab6790ee36fbc74ad3e86f765201d7b4ea0572943d40
Opcode Fuzzy Hash: fbaf69fa020a81a8ed60af58d04d051393856de18240d0def33f8d72dc2f04cb
Instruction Fuzzy Hash: 0B11D3B5D01259AFCB00DF9AD884ACEFFB8FB49310F10812AE918A7240C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 016FD127 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931574454.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16fd000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: 44d275868c7d312c1868c243e5cddae5400da9c831896ce5ce89ddcfb064bb98
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: 87119D75504280CFDB16CF58D9C4B16BFA2FB84318F24C6ADD9494B766C33AE44ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 06F13C80 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce9263b1ea5d78f0443ac355992167a5cb2b33ee1296a79a2d6a67bb5e649cf
Instruction ID: d4b1327b58e92f6c2dde658ca0928804438fbea3cbc9276028131f0581e4d6ea
Opcode Fuzzy Hash: 2ce9263b1ea5d78f0443ac355992167a5cb2b33ee1296a79a2d6a67bb5e649cf
Instruction Fuzzy Hash: D911D3B5D01259AFCB00DF9AD884ACEFFB8FB49310F10812AE918A7240C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F14208 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a90d980ae1529ce3c060d521b5c570efbc2b5ed224705d113d1989b7f09cc3e
Instruction ID: 139afb97dbe1afc8bab1751051a39fdb118a7c392f7d9b0d9bdf78d0123c581b
Opcode Fuzzy Hash: 6a90d980ae1529ce3c060d521b5c570efbc2b5ed224705d113d1989b7f09cc3e
Instruction Fuzzy Hash: D5018131F000220BDB649ABE9814B6FB2DBDBC9B60F108839E50ACB744EA65DC424795

Uniqueness

Uniqueness Score: -1.00%

Function 06F1F170 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6f8838c67b3c5232bbdb4f31fb83dab8eab2a85284b6f6f4ff37f32adf1ad9
Instruction ID: 486f13566fceb8602007a05316f5781684a6eb413dda4adcfe93ebb79ae5680d
Opcode Fuzzy Hash: 2c6f8838c67b3c5232bbdb4f31fb83dab8eab2a85284b6f6f4ff37f32adf1ad9
Instruction Fuzzy Hash: 3C018175F005220BCB65957DDC6073E72D7E7C9BA0F108839E10BDB344EA66DC024395

Uniqueness

Uniqueness Score: -1.00%

Function 06F1A2D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896814e11b2006b2a5a89a564dda3eacc6654c2764e2c6ec0fd37ae5eb19b86a
Instruction ID: 2c522efe24915ae47d8d7dbd8d84aa93183cd8c368d5cc7c13d536aabfeafc80
Opcode Fuzzy Hash: 896814e11b2006b2a5a89a564dda3eacc6654c2764e2c6ec0fd37ae5eb19b86a
Instruction Fuzzy Hash: E2013134F012294FDB64DA7DE55572EB3D6E789B90F108828E10ACB354EE26DC428784

Uniqueness

Uniqueness Score: -1.00%

Function 016ED8C5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931389769.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16ed000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c24a9b59a3847f761c6c2a97f3e53689a2270b87e882d50d8714676f361e85
Instruction ID: a823ac456bf1e1fa32b2a4ba6ea9daa7b36526b2edc0ea0061c4b203d9764962
Opcode Fuzzy Hash: 98c24a9b59a3847f761c6c2a97f3e53689a2270b87e882d50d8714676f361e85
Instruction Fuzzy Hash: 9B01DB3100A3449AE7114A5ADD88767BFECEF45324F18C62AED4D4B286C779D841C671

Uniqueness

Uniqueness Score: -1.00%

Function 016C0E9C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bb13592626ae47639ffefeeb5c382de008a384d3fcc97102786af1c37e30ab
Instruction ID: 2ca10493030f6f274d1e705cd4cf998736486736b39b5b3513ec04f86ff9deb8
Opcode Fuzzy Hash: 70bb13592626ae47639ffefeeb5c382de008a384d3fcc97102786af1c37e30ab
Instruction Fuzzy Hash: 6B010C74844219DBEB10CF6AC8043AABEB5EB48754F148569F824AA290D7754A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016C0F38 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b761adf48cf8f169337058c60b263482dd7e1f0b8fe130b21fcfea143128637
Instruction ID: cebc9d3a7023117000aca9f0674062209a4646cb4a80520b140d7a5860822daa
Opcode Fuzzy Hash: 8b761adf48cf8f169337058c60b263482dd7e1f0b8fe130b21fcfea143128637
Instruction Fuzzy Hash: C6F054717042046FD3049A6A9C84F57FBEEEFD5720F2581AEF144D7351DAB1AC018664

Uniqueness

Uniqueness Score: -1.00%

Function 06F1C790 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fc4ec8cb91ac277b41f5d8317b1617b84cf7a3a34a78f925306ebfe21f4fcd
Instruction ID: a9e3691ef5cdb49fc4ff9802ae604032f421a185cc3212a0d5e92b3056c1c5e6
Opcode Fuzzy Hash: e6fc4ec8cb91ac277b41f5d8317b1617b84cf7a3a34a78f925306ebfe21f4fcd
Instruction Fuzzy Hash: 99F0F635E113649BCF645A6AD80099EBB39EB85394F104429E911EB284D7355D04CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 016ED8C4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931389769.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16ed000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550cb4623a73f55d3c8d846a653a699e44cd69f31c52f8354a1997cf422b378b
Instruction ID: 80bcc99de0ebb1b21b2efa2627f7652e383fbc9d728359ddcb018fe575fd82e9
Opcode Fuzzy Hash: 550cb4623a73f55d3c8d846a653a699e44cd69f31c52f8354a1997cf422b378b
Instruction Fuzzy Hash: BDF06272405344AAE7118E1ADD88B66FFE8EB45624F18C55AED484F286C3799844CA71

Uniqueness

Uniqueness Score: -1.00%

Function 016C0EA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecbf80e874afda2017aeebcd68567134ddd4fe4ecf2adb9062ca7c49b99f0dc
Instruction ID: c089f62c2b42ac071eba8f3753df90c62f0c184f088ab3b6ff3023a6ffa4b338
Opcode Fuzzy Hash: fecbf80e874afda2017aeebcd68567134ddd4fe4ecf2adb9062ca7c49b99f0dc
Instruction Fuzzy Hash: C301FB74804219DFEB14DF6AC8043AEBFF5FF48764F148629E824AA290D7744A84CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 06F1FF70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bea4512af6c7cdc0c13af6666a921265204cda95de085fc2a1b3aab4a2bfd7
Instruction ID: fbdda26afdeb0ad12b5f6d6cbcd4fa025545c26ef804fe1406bfe4b7bf97765d
Opcode Fuzzy Hash: 54bea4512af6c7cdc0c13af6666a921265204cda95de085fc2a1b3aab4a2bfd7
Instruction Fuzzy Hash: 29F06D71E00304ABCB34CFA9D84059ABBF8EF49300B50465AE4559B250CB71EA14CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016C0F48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88a580cc8cfb58c3107a7768c7392376fa1c33cf94af20e2e8c5e2dabbaf84e
Instruction ID: 4ff23ff09d464ebab7d061cfae557e4e00c133f0cf08292dd64edece5165beab
Opcode Fuzzy Hash: a88a580cc8cfb58c3107a7768c7392376fa1c33cf94af20e2e8c5e2dabbaf84e
Instruction Fuzzy Hash: 67E06D717002186FD3049A5E9C44E6BFBEEFFD9620B21807AE544D7360CAB0AC0086A8

Uniqueness

Uniqueness Score: -1.00%

Function 016C0F88 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bdb387a06815e495a2aa9c77886510364533f5f38e54df5105d486d911e069
Instruction ID: 00911364a6e46cafb141145366436779f37024fb9760827a064682781c945c5a
Opcode Fuzzy Hash: 06bdb387a06815e495a2aa9c77886510364533f5f38e54df5105d486d911e069
Instruction Fuzzy Hash: CDE065353001005FD314CA1EDC84E46FBD9EB99324F60506AF509CB360CA31AC028A54

Uniqueness

Uniqueness Score: -1.00%

Function 06F1FF80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a761804e5aca482e04b9022504f099600293514f5eeb7a53952b851286015e30
Instruction ID: 5b346622f58318994d7d39b9a2c5e8cda475945123b3cf16fbd53048320b49cb
Opcode Fuzzy Hash: a761804e5aca482e04b9022504f099600293514f5eeb7a53952b851286015e30
Instruction Fuzzy Hash: 90F03075E00714EF8B34CFA9D84049AFBF9EF49610B408A6EE45697600D771EA14CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016C0F98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2931172192.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16c0000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc02f45c2fe130b520a69752fa2506276bd3d0f9c25e0d02b8dc5aba074d8e5
Instruction ID: 2184a8146a936b16163e577e17b118fd891a4fee55e0feb71df48c2793c5ab72
Opcode Fuzzy Hash: 2dc02f45c2fe130b520a69752fa2506276bd3d0f9c25e0d02b8dc5aba074d8e5
Instruction Fuzzy Hash: 37E046363001106FC3108A0EEC88D06FBE9EB88630B50802AFA09C7360CA30AC018AA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06F17658 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F17C0A
$kq, xrefs: 06F17BFE
$kq, xrefs: 06F17B55
$kq, xrefs: 06F17BF4
$kq, xrefs: 06F177C9
$kq, xrefs: 06F17B49
$kq, xrefs: 06F1778C
$kq, xrefs: 06F17BE8
$kq, xrefs: 06F17798
$kq, xrefs: 06F177BD

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: 9852478f34c58964c48f9576c1a9786c50e3fb97ce9340fcc6c3b948ae0a7544
Instruction ID: 0614a4c67adeb8ccc3bae91906de56c0b5c527c4bb16bd38419af575f14a0100
Opcode Fuzzy Hash: 9852478f34c58964c48f9576c1a9786c50e3fb97ce9340fcc6c3b948ae0a7544
Instruction Fuzzy Hash: E0121C34E012198FDB64EF69C954A9EB7F2FF88340F208569D409AB364DB359D85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 071C80C8 Relevance: 4.6, APIs: 3, Instructions: 84keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 071C8125
GetKeyState.USER32(00000011), ref: 071C816A
GetKeyState.USER32(00000012), ref: 071C81AF

Memory Dump Source

Source File: 0000000F.00000002.2974155040.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_71c0000_eDnxmGWzJ.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 82ea4368c1f2c345e64f47fd06e2c299601de127331038ca4a5695c93c4af046
Instruction ID: 97798d9ca166e5c74356d558063ee320012352d2808a944c83da43922d6ea677
Opcode Fuzzy Hash: 82ea4368c1f2c345e64f47fd06e2c299601de127331038ca4a5695c93c4af046
Instruction Fuzzy Hash: 9731AEB08007998FDB11DF99D9487EFBFF4AB19308F14845ED489BB290C3799585CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 071C80D8 Relevance: 4.6, APIs: 3, Instructions: 76keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 071C8125
GetKeyState.USER32(00000011), ref: 071C816A
GetKeyState.USER32(00000012), ref: 071C81AF

Memory Dump Source

Source File: 0000000F.00000002.2974155040.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_71c0000_eDnxmGWzJ.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 88aac0b2531c5402391d7e0a32c841eaa42c988549d34574c1b6fa51f7cbbd57
Instruction ID: 72acd85c3338800653ae3fe5088b4db0c78c7da56fb80fcaba96203b8cadb0be
Opcode Fuzzy Hash: 88aac0b2531c5402391d7e0a32c841eaa42c988549d34574c1b6fa51f7cbbd57
Instruction Fuzzy Hash: 08318DB080075A8EDB11DF9AD9487EFBFF4AB58308F20841DD448BB280C3B99585CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F1A900 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F1AA02
$kq, xrefs: 06F1AA88
$kq, xrefs: 06F1AA7C
$kq, xrefs: 06F1AA51
$kq, xrefs: 06F1AABE
$kq, xrefs: 06F1A9F6
$kq, xrefs: 06F1AA5D
$kq, xrefs: 06F1AAB2

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 8d12ca3d14ae88e8150ab4022cb3da76f84fa062e958c4b0791a0f562dd7611c
Instruction ID: 9cd72a9597e9cadb83c3d0aabaa80c9dabf0364feec42bd7a516c1d55026661e
Opcode Fuzzy Hash: 8d12ca3d14ae88e8150ab4022cb3da76f84fa062e958c4b0791a0f562dd7611c
Instruction Fuzzy Hash: 29918F30E02209DFEB64DF69DA54B6EBBB2EF84340F208529E4019B394DB79DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06F1AC98 Relevance: 10.2, Strings: 8, Instructions: 175COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F1ADC5
$kq, xrefs: 06F1AE3B
$kq, xrefs: 06F1AE0C
$kq, xrefs: 06F1ADB9
$kq, xrefs: 06F1AE64
$kq, xrefs: 06F1AE70
$kq, xrefs: 06F1AE47
$kq, xrefs: 06F1AE18

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: c7196dcad5a957f9a3e24fe060538c311c2115c6728c8fde03cf9e191d79c3bd
Instruction ID: 90211d0952fbe89cf3169f27e1cf9d7549e10ef372e71f22485021e8189f549a
Opcode Fuzzy Hash: c7196dcad5a957f9a3e24fe060538c311c2115c6728c8fde03cf9e191d79c3bd
Instruction Fuzzy Hash: 5E51A034E122098FDF69EB69D98066EB7B3EF88340F208529D405DB395DB38ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F17058 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F1733A
$kq, xrefs: 06F173A0
$kq, xrefs: 06F17394
$kq, xrefs: 06F174F4
$kq, xrefs: 06F1756C
$kq, xrefs: 06F17560

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: c95c08af3a786f10a3998c5d1119b708b44591a8dbccc48d745a353f0bea41d0
Instruction ID: 95e6b81881000d61404e949e5b034d5a8c8a5c0433503602be0dc50e14fe2d08
Opcode Fuzzy Hash: c95c08af3a786f10a3998c5d1119b708b44591a8dbccc48d745a353f0bea41d0
Instruction Fuzzy Hash: CBF14C34B01209CFDB59EB69C554A6EB7B6FF88340F208568D4059F3A8DB35EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F1B9D0 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F1BBAB
$kq, xrefs: 06F1BB4F
$kq, xrefs: 06F1BBB7
$kq, xrefs: 06F1BB83
$kq, xrefs: 06F1BB77
$kq, xrefs: 06F1BB43

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: a63bd76b498d58bae4586ea7af80d82a4b9b9f6679b7aa2c65b5526870189c29
Instruction ID: 387ad87360f0f2493093083fa02ab3905c8288f9474dfe98055067e69710a40a
Opcode Fuzzy Hash: a63bd76b498d58bae4586ea7af80d82a4b9b9f6679b7aa2c65b5526870189c29
Instruction Fuzzy Hash: 9C71AB30E00219CFDB68DF69D99066EB7A2FF84380F20856AD406EF758DB75E845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06F18390 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F1865B
$kq, xrefs: 06F185EA
$kq, xrefs: 06F1864F
$kq, xrefs: 06F185F6

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: b3236cc3b3470567fab4217724f1db9abe9b05924e0379734c3e21ff4202f3aa
Instruction ID: d5e7dd9c919eccd150aac2cfac221074531ab51bae5bbc36a70d1c28832e5f1d
Opcode Fuzzy Hash: b3236cc3b3470567fab4217724f1db9abe9b05924e0379734c3e21ff4202f3aa
Instruction Fuzzy Hash: D1B13A34E112098FDB64EF69C69466EB7B2FF84390F248529D416DB394DB75DC82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06F1AC8F Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

$kq, xrefs: 06F1AE3B
$kq, xrefs: 06F1AE0C
$kq, xrefs: 06F1ADB9
$kq, xrefs: 06F1AE64

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 026a978b5503ca8bdaebb6708b1adc0139525ce64c735148faf401d7e87f9de9
Instruction ID: 2f13d5ee6ab35b135a5088f86d5eae6cdee73fad798e0f8991f6fed4341340a8
Opcode Fuzzy Hash: 026a978b5503ca8bdaebb6708b1adc0139525ce64c735148faf401d7e87f9de9
Instruction Fuzzy Hash: 6851D034E122058FDF65DB69D9806AEB7B2EF89380F20456AD805DF395CB34DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06F187A8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 06F188EA
$kq, xrefs: 06F18833
$kq, xrefs: 06F18827
LRkq, xrefs: 06F1889B

Memory Dump Source

Source File: 0000000F.00000002.2971682482.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f10000_eDnxmGWzJ.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 4b7129a1dc25c0e8a2279dbccd2863981c8e9016a03282254024470b6f350c33
Instruction ID: a1198b2aebfcec8eb4f92e7b746a1c979d60dc91bdc902f48a3270797e08e24e
Opcode Fuzzy Hash: 4b7129a1dc25c0e8a2279dbccd2863981c8e9016a03282254024470b6f350c33
Instruction Fuzzy Hash: 9151D434B002058FDB64DB28CA90A6EB7E6FF88380F14856DE4159F3A9DB34EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BjTxJte.exePID: 7788, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	228
Total number of Limit Nodes:	10

Executed Functions

Function 0549B7A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35b3bf125774e7b504034e6ca015b4c175206603617d70abfe3c6df5b629b5a
Instruction ID: 6ac7c7d2c8d9bdb9be014c0fdd82adc2cfa1fe2dcf137427a6990db81c88795c
Opcode Fuzzy Hash: e35b3bf125774e7b504034e6ca015b4c175206603617d70abfe3c6df5b629b5a
Instruction Fuzzy Hash: 5E21E6B0D046188BEB18CFA7D8557EEBFB6BFC9300F14C06AD409A6265DB740945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04891165 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 048913A6

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 99fe16911a794ba61b240de47453c9d001d39da186125c21897fd983595b8fbc
Instruction ID: b593a0a50261cae51d310442831eb9e3a4b37a9ba127a70fd07e32281c620cd7
Opcode Fuzzy Hash: 99fe16911a794ba61b240de47453c9d001d39da186125c21897fd983595b8fbc
Instruction Fuzzy Hash: 1FA15C71D0461ACFEF14DFA8C94479DBBF2AF48314F1886A9E808E7250DB74A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04891170 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 048913A6

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 846505fcde709bdc14b6449f4646da8510d9cb98ef3e4fa1b8d878b504d2f809
Instruction ID: 262f89e0e0ba70dca60e41d8745a9342b77298bbfefb21d13968736215d8176f
Opcode Fuzzy Hash: 846505fcde709bdc14b6449f4646da8510d9cb98ef3e4fa1b8d878b504d2f809
Instruction Fuzzy Hash: 56916B71D0461ACFEF14DFA8C94479DBBF2AF48314F0886A9E808E7250DB74A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D397 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D9D5FE

Memory Dump Source

Source File: 00000011.00000002.1920756748.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d90000_BjTxJte.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c56a09d42acd48d2d461194de587826deb2918f846cd2b65a440b58c0ee7c97c
Instruction ID: 3933e7cd9d8c9c2dce114bd03759bb14cf32fca4dac24ac0f22b417696689409
Opcode Fuzzy Hash: c56a09d42acd48d2d461194de587826deb2918f846cd2b65a440b58c0ee7c97c
Instruction Fuzzy Hash: 00812070A00B058FDB24DF69D14175ABBF2FF88304F148A2AD48AD7B50DB75E849CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0549F268 Relevance: 1.6, Strings: 1, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 0549F778

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: c6a3aa7bc939465508e082360702d40f2ec40d9e61e23d5d75366b815f863302
Instruction ID: d0b80f70abf7e328b101105d12b44b67b51a2157e42e8090fff9b86e79615e0a
Opcode Fuzzy Hash: c6a3aa7bc939465508e082360702d40f2ec40d9e61e23d5d75366b815f863302
Instruction Fuzzy Hash: 04E17F74A00209DFCF09EFB8C594AAEBFB2FB89310F108455D905A7368DB35AD89DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D958EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D959A9

Memory Dump Source

Source File: 00000011.00000002.1920756748.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d90000_BjTxJte.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b4b6b5688d96be9bccdc0d6cd314bf9dfab8531fb10d3aa9cca81345ce895837
Instruction ID: 02cdb74fff8c581d6a1c2824a70addf3610264570f51fe42a8c8ba3884244fb6
Opcode Fuzzy Hash: b4b6b5688d96be9bccdc0d6cd314bf9dfab8531fb10d3aa9cca81345ce895837
Instruction Fuzzy Hash: 804100B0D00619CFDF24CFA9D884BDDBBB5BF48304F24816AD408AB255DB75694ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D944B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D959A9

Memory Dump Source

Source File: 00000011.00000002.1920756748.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d90000_BjTxJte.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d6e72aad16902809d4ce39bf812d5b6dea9df0d87a178ffc9ce699352c9f3c44
Instruction ID: 9bcfced290bfe3789d74307fa113d56b9e8c6d5ab6e379421effbd10c7c11f1e
Opcode Fuzzy Hash: d6e72aad16902809d4ce39bf812d5b6dea9df0d87a178ffc9ce699352c9f3c44
Instruction Fuzzy Hash: 6441D1B0C00719CBDF24DFA9C884B9DBBF5BF48304F24816AD408AB255DB75A946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04890EE0 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04890F78

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 203ecf74e29f1f4a88ebc80b1e2f19e52a0cfe19478d3ee9f4a3dcda3b7c5a8f
Instruction ID: a43f365c0c311c6247ce75301763bfffadf800b95417467bd7d38d71e87628fd
Opcode Fuzzy Hash: 203ecf74e29f1f4a88ebc80b1e2f19e52a0cfe19478d3ee9f4a3dcda3b7c5a8f
Instruction Fuzzy Hash: 9C2146B1900249CFCB10CFA9C884BDEBBF1FF48310F148829E959A7290C778A944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04890EE8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04890F78

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ef0248013da6598e1bc552d87ae1f4a70c8b0cb90a6bce9756eae46bb8bafa31
Instruction ID: 408941f81ff1c4ceb54fa4a56946e6c0955903b8061dd970d702c32f604ebb13
Opcode Fuzzy Hash: ef0248013da6598e1bc552d87ae1f4a70c8b0cb90a6bce9756eae46bb8bafa31
Instruction Fuzzy Hash: 892126B19003599FCB10CFA9C985BDEBBF5FF48310F148829E959A7250C778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04890D49 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04890DCE

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e2bc235716d8b69eb95bbb47c85d131c99a02f0c22828698711db92de1b7b1c3
Instruction ID: 003a4d32084854a510264707282ddcb8ac4c9c9d700a5cc5a2f3db6f9b412388
Opcode Fuzzy Hash: e2bc235716d8b69eb95bbb47c85d131c99a02f0c22828698711db92de1b7b1c3
Instruction Fuzzy Hash: 882125B19003098FDB10DFAAC4857EEBFF5EF88324F14842AD459A7241CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04890FD0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04891058

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c11b209341cb37c69d22f4177b85f729713ee51c6a0522b00b1e7aca756be260
Instruction ID: e687fbe2a5da70682a7d4a10095ff04e271422df6d44339c13c81feb92092a96
Opcode Fuzzy Hash: c11b209341cb37c69d22f4177b85f729713ee51c6a0522b00b1e7aca756be260
Instruction Fuzzy Hash: 8D2139B1D003599FDB10DFAAC884BDEBBF5FF48320F108829E959A7251C7799944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9DD90 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D9FC46,?,?,?,?,?), ref: 00D9FD07

Memory Dump Source

Source File: 00000011.00000002.1920756748.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d90000_BjTxJte.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a18cab5334a78e40d56c1118fb64a5fb078ec02249d8965ad391eb5cc15c978
Instruction ID: d23f19265253e2e0c3c24b4d665c5c4a82fd3bdbe2f3ebff8bd80fc578957136
Opcode Fuzzy Hash: 2a18cab5334a78e40d56c1118fb64a5fb078ec02249d8965ad391eb5cc15c978
Instruction Fuzzy Hash: 5B21E3B5D002499FDB10CFAAD984ADEBFF4EB48310F14842AE958A7311D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04890D50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04890DCE

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 66de8f96d21f7547ef37ecb2d69230488fa55323b5f782a0092a2eed3bb63a31
Instruction ID: 58155cee6771f8a1467e24d42404e4a909c549b6c51ce174fc311f18a2f8219a
Opcode Fuzzy Hash: 66de8f96d21f7547ef37ecb2d69230488fa55323b5f782a0092a2eed3bb63a31
Instruction Fuzzy Hash: 84212C71D003098FDB10DFAAC4857EEBBF4EF48324F148429D559A7241C778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04890FD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04891058

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b3996fb893f7793dfb34c9a3984f60ccac496c615ea0ae1f5e39faed1a4a5a91
Instruction ID: dec20d7f870520ce972ee3813133417e8c9b03471569a0783ced553bfdc7b938
Opcode Fuzzy Hash: b3996fb893f7793dfb34c9a3984f60ccac496c615ea0ae1f5e39faed1a4a5a91
Instruction Fuzzy Hash: 662128B1D003599FDB10DFAAC944BDEBBF5FF48320F108829E558A7250C779A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D9C768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D9D679,00000800,00000000,00000000), ref: 00D9D88A

Memory Dump Source

Source File: 00000011.00000002.1920756748.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d90000_BjTxJte.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ef73ce7951ce1e86a63261b4528d7595e8e1fb34540c9b81f387253084a596f4
Instruction ID: aaf4357c3e7179d84738b8f8e5a2d6fd8e874bd3172f50c000743d91b14a46eb
Opcode Fuzzy Hash: ef73ce7951ce1e86a63261b4528d7595e8e1fb34540c9b81f387253084a596f4
Instruction Fuzzy Hash: 451112B6D002099FDB10CF9AD848BDEFBF5EB48324F14842AE519A7311C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04890E20 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04890E96

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3a104969626a98aa1ce2c705d4ac3f4dbd50f913333aa61c78b7f3af22ef5917
Instruction ID: eeb9538ae2b4cb77d50f60da9a06efea1a1d44a82a106b761e51ead255da1197
Opcode Fuzzy Hash: 3a104969626a98aa1ce2c705d4ac3f4dbd50f913333aa61c78b7f3af22ef5917
Instruction Fuzzy Hash: 511136B28002498FDB10DFA9C944BEFBFF5AF88320F148819D555A7260C735A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04890E28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04890E96

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e42bafc6ac8b195c06068bae61c405e0dea26ba65286888130dd0331c5503ef
Instruction ID: b81d8a455e45ad5dbe8d8b5929eda363dd13795e4a0572128b2522227b4496a2
Opcode Fuzzy Hash: 2e42bafc6ac8b195c06068bae61c405e0dea26ba65286888130dd0331c5503ef
Instruction Fuzzy Hash: E61126729002499FCB10DFAAC844BDFBFF5EF48320F148819E555A7250C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D819 Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D9D679,00000800,00000000,00000000), ref: 00D9D88A

Memory Dump Source

Source File: 00000011.00000002.1920756748.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d90000_BjTxJte.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c6f13a13f58d12d714347acdf775e18e09b411ce9e019d052509af0e062ee301
Instruction ID: 43af16576f1e516d9a40eb36d57d3c7392bd51809ec76315973bcb8a79e78c25
Opcode Fuzzy Hash: c6f13a13f58d12d714347acdf775e18e09b411ce9e019d052509af0e062ee301
Instruction Fuzzy Hash: AA1150B6C003098FCB10CF9AD444BDEFBF5EB48320F10842AD918A7250C3B9A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04890868 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 048908CA

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 26cf9bb47da07bdd131f1e7d167e7965a1d6786bd79d724cb940c14a6b06fab3
Instruction ID: b5b0de06a20d9278a6c8e181445bbf42cd923464b1d24967ac336e059a55fdeb
Opcode Fuzzy Hash: 26cf9bb47da07bdd131f1e7d167e7965a1d6786bd79d724cb940c14a6b06fab3
Instruction Fuzzy Hash: 711128B1D002498BDB10DFAAC8457DEFBF4EB88324F248829D559A7250CA75A944CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04890860 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 048908CA

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4dc906d192e56aed6c12a59efd1e0c331f0de2e20285ffe4930f9710ccac0f52
Instruction ID: 48ea968e9eb086f4fabe59ef8ea3fc44922ecad8dc2645b786198d8f55f68b77
Opcode Fuzzy Hash: 4dc906d192e56aed6c12a59efd1e0c331f0de2e20285ffe4930f9710ccac0f52
Instruction Fuzzy Hash: 961158B2D002498FDB10DFAAC8457DEFBF4EF88324F248819D559A7250C778A944CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04891CC4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04894BBD

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f497cff50eea846343616203c3d3ff67714a2cf33b17ff7af8201eaa9114ea55
Instruction ID: 6ec4b0e8e256e9c2df757fa7b87d86cbf3de630a44ad0562b68ab62364d1dc17
Opcode Fuzzy Hash: f497cff50eea846343616203c3d3ff67714a2cf33b17ff7af8201eaa9114ea55
Instruction Fuzzy Hash: B61133B5804308DFDB10DF9AD888BDEBBF8EB48324F108859E558A7300C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04894B58 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04894BBD

Memory Dump Source

Source File: 00000011.00000002.1925003468.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4890000_BjTxJte.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 33d86cebcfec1c4dcfc5404ebcf3b0385ed5e713ecd30eb1bff0a1d25beacaa9
Instruction ID: 2f020e664fee0cf1a83a16893976a2fb0533de65a1a1c9ebd51ffe146c23120b
Opcode Fuzzy Hash: 33d86cebcfec1c4dcfc5404ebcf3b0385ed5e713ecd30eb1bff0a1d25beacaa9
Instruction Fuzzy Hash: 571143B5804348CFDB10CF99D984BDEBFF4EB08324F208869D554A7640C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D598 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D9D5FE

Memory Dump Source

Source File: 00000011.00000002.1920756748.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d90000_BjTxJte.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3aad0d466a8f6cc1a05bce00781a7fd493461646b30f3b0430a35128a606c2cf
Instruction ID: 2647fe2fb6f5fef33a8c09c16b97a1ec71aff52d33bcf01154a1ebdc8ff6cd60
Opcode Fuzzy Hash: 3aad0d466a8f6cc1a05bce00781a7fd493461646b30f3b0430a35128a606c2cf
Instruction Fuzzy Hash: AF111DB6C002498FCB10CF9AD844BDEFBF5EF89324F14842AD828A7210C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0549A8A9 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0549A959

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: d3142c0fc4aa2322e354b5eed14500b3b234bc100cbaa5616c5d447ff1213247
Instruction ID: 491172c4c7b86985382642462067c22038cc63ff6c31e7a667be3fda693c7269
Opcode Fuzzy Hash: d3142c0fc4aa2322e354b5eed14500b3b234bc100cbaa5616c5d447ff1213247
Instruction Fuzzy Hash: 4131EA74E04208CBDF18CFAAC9557DEBBB6FF89300F10902AD41AAB355DB745906CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0549A8B8 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0549A959

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 9cd81966d7e9d24fe90cd6b69d1b9b6121653523044b5484082c578a62108ad0
Instruction ID: e8cced0bc127aafb763ec4e72f8c6a4795d7157e141400e2f7a3b7c44e53d9f1
Opcode Fuzzy Hash: 9cd81966d7e9d24fe90cd6b69d1b9b6121653523044b5484082c578a62108ad0
Instruction Fuzzy Hash: 2331A974E042188BDF18DFAAC9456EEBBB6FF89300F10902AD41AAB355DB745906CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05497C90 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

2, xrefs: 05497DA8

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 27f7db79a5c201f8566714e93b30baebf6d1175ec1f81533be0386d34f538fc5
Instruction ID: 743238084e17cd04c94e7436fb0b00f42f98160fb8a0cc6c47a33d728290626c
Opcode Fuzzy Hash: 27f7db79a5c201f8566714e93b30baebf6d1175ec1f81533be0386d34f538fc5
Instruction Fuzzy Hash: 89219130754214DFCB2C8B189816BBA3E66FBC7701F25C1ABE0164F3A6DA36C8428795

Uniqueness

Uniqueness Score: -1.00%

Function 0549DD0E Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

0, xrefs: 0549DD0F

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b69dedfa5f43a43864b2837b7f0eadbba20a79657e550bf4a166f9d01ee889b6
Instruction ID: d57e5d19b3e6a8c9620a4c60ec6db0786fc7b78fc325a5c7bca76c30fd1ac10c
Opcode Fuzzy Hash: b69dedfa5f43a43864b2837b7f0eadbba20a79657e550bf4a166f9d01ee889b6
Instruction Fuzzy Hash: DB311A34A05128CFCB35DF24D945BA8BBBAEFC9301F00819AD40EA774ADE745E868F50

Uniqueness

Uniqueness Score: -1.00%

Function 0549A97D Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0549A98D

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: ae00fdfe7164f5473ca67e938bc1346b51d40b95cecf9e9a7eb27909713b425e
Instruction ID: df1f7e659affe23c6bba7ec1f17a5c2d479fd22dd186678b592ac9e587370c96
Opcode Fuzzy Hash: ae00fdfe7164f5473ca67e938bc1346b51d40b95cecf9e9a7eb27909713b425e
Instruction Fuzzy Hash: E4115075E002098FCF04DFE8D9849ADFBB2FB88314F20816AE919AB355D6316956DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0549AAD7 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3b34365c9bd247c6faca0b8ed32e6e26086d177b80946dc120d433cd6863a5
Instruction ID: 164eb13c7a4cfaa8d2b13fa6d87047ab4fa2ec9e3e0f0d9e1f7cc332f43880e8
Opcode Fuzzy Hash: 2b3b34365c9bd247c6faca0b8ed32e6e26086d177b80946dc120d433cd6863a5
Instruction Fuzzy Hash: D7A1FA74E052198FCF04DBA9C5815EDFBB6FF89301F10962AD419AB356DB30A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 054970B5 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f8cc51a8ca1f82a314973fde9614d962c746b8cf2309ffac02e7d3b80ce11f
Instruction ID: afa6824b7a41ad0b279516fdb6e593d93ae9451921cd9c0c8e1c064883e7200c
Opcode Fuzzy Hash: 41f8cc51a8ca1f82a314973fde9614d962c746b8cf2309ffac02e7d3b80ce11f
Instruction Fuzzy Hash: 0F618970E106189FDB08DBA9C8427FEBAA2FF85301F1082A6F515A63D5DB349942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0549B078 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ceb187cb33d562ff2314b09df36ccef0eaf680ded02ae5902b5ba5689238721
Instruction ID: 24cb5b58f61bdfabf3b76d1b916acc3b775584277c357a45683a7b2c01069717
Opcode Fuzzy Hash: 1ceb187cb33d562ff2314b09df36ccef0eaf680ded02ae5902b5ba5689238721
Instruction Fuzzy Hash: 5E51E474D092198FCF08CFAAE4466EEBFF6EB89340F24D06AD419A7252D7345942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05496680 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2f4e4b1954d3cc591c020f5b8639d38a69e642bebedb6ca76006a00934e244
Instruction ID: 81bcb334886724b1a527328bdf1742dfb9b486022ee9bf5dda9219885216284c
Opcode Fuzzy Hash: 6a2f4e4b1954d3cc591c020f5b8639d38a69e642bebedb6ca76006a00934e244
Instruction Fuzzy Hash: 0441E476B00208AFDF08DF65DD46AEE7BFAEFC5204F1584BAE405D7211EA30AD058790

Uniqueness

Uniqueness Score: -1.00%

Function 0549B981 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddd36b9e63d6fafd5a85afde317db4850a8642fb287fd10963d6be27bce6710
Instruction ID: 998d42ea844414660d274649433c7fd0c10c6aa699b468d36a8ba0d4e6e868d3
Opcode Fuzzy Hash: 7ddd36b9e63d6fafd5a85afde317db4850a8642fb287fd10963d6be27bce6710
Instruction Fuzzy Hash: 7851B574D09218CFCB64CFA4D585AECBBB6FF49311F20919AD809A7356C731A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0549DD24 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc17b54a8e793605670b1b8d230bfafb428c12abfdda2f75b1d0219bccf7954b
Instruction ID: bd8537959d31eb0157e1521e2e7ed0215c0ef3f2a21589ec7c70132bcd976373
Opcode Fuzzy Hash: cc17b54a8e793605670b1b8d230bfafb428c12abfdda2f75b1d0219bccf7954b
Instruction Fuzzy Hash: 25412E74906255CFCB18DF68E1899AEBFF9FB89301B00A05EE40ADB356DB34A841CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1919667593.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a5d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6c0761f36b427b6fcb5623b2ca11cd0a94d94ad20106d3e92564c572da8f17
Instruction ID: 1e90c8dd92851f6b122fd889093be1cdc81c04d7c8eca3006b0a656c7f5359b6
Opcode Fuzzy Hash: 9f6c0761f36b427b6fcb5623b2ca11cd0a94d94ad20106d3e92564c572da8f17
Instruction Fuzzy Hash: CD210071604600DFDB25DF14D9C0B27BF66FB98315F208669ED094B256C336D85ACAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1919667593.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a5d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f35f9f8a84db86ce9f84e364d6168a70c97dd3575658ad54e214664ea0035fc
Instruction ID: 42c8c19858d1a8cc5c3c72c7a70d21c9d53841c7ca56cb70f137093431caeaa3
Opcode Fuzzy Hash: 9f35f9f8a84db86ce9f84e364d6168a70c97dd3575658ad54e214664ea0035fc
Instruction Fuzzy Hash: 9E2125B1500204EFDB25DF14D9C0B26BF75FB98325F20C569ED094F256C33AE85ACAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0549AA1A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390d75966752698d2da2d07752527133a0df33a9fbcf556f71316eefc611c50e
Instruction ID: a84a6f13e98d3352303a16f12b7c6b1f29b313bf2d92f2fa01b6ea3f6bfdbb75
Opcode Fuzzy Hash: 390d75966752698d2da2d07752527133a0df33a9fbcf556f71316eefc611c50e
Instruction Fuzzy Hash: EE21C974D09219CFCF08CFA6D985AEDBBF5BF49301F24A46AE406AB261D7349901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1919729792.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a6d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a108266f4ce20443ba847648eef9ea376cb8486f447ac51754ff12c51a2275
Instruction ID: cc2a475ffcf47cc462d7e0dd2d542ef55e43e4e3ca01a5abf78d41e67d921716
Opcode Fuzzy Hash: 35a108266f4ce20443ba847648eef9ea376cb8486f447ac51754ff12c51a2275
Instruction Fuzzy Hash: 502104B1A44200EFCB04DF24D9D0B66BBB5FB94314F24C56DD8094F296C376D846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1919729792.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a6d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bf5fbae47b8c2c574ce153e783809318c38f27d2702f4ff5cc9aae31da6cf6
Instruction ID: 7b83a64d2e8bde2bc7a9cdd021f894bdc47c320910c24c16c20f2f42e76aaa9c
Opcode Fuzzy Hash: 29bf5fbae47b8c2c574ce153e783809318c38f27d2702f4ff5cc9aae31da6cf6
Instruction Fuzzy Hash: D521FF75A04240EFCB14DF24D984B26BFB5FB88354F24C569E80A4B296C33BD847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0549B240 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee707ab2a29f2a14f50bc4216fa5d9cecc6ba9131834f24aac4be669ad03928
Instruction ID: 557fa8b33701941dc4e07b9ecf1c2f347c43043caca1a728e730236d82626ded
Opcode Fuzzy Hash: 7ee707ab2a29f2a14f50bc4216fa5d9cecc6ba9131834f24aac4be669ad03928
Instruction Fuzzy Hash: 1E2128B4D0D249CFCB49CFA9D586AEEBFF5EF4A300F21509AD409A7712C2309A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0549AE3A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2c54cc6e3390fc28f7f3308cc438ac68e56a3161c1ba862e233880391211e4
Instruction ID: 6a9350604f8144e8825dd8b9594b3e56cb690fa001673ae7e67decb33c4eeb66
Opcode Fuzzy Hash: 4a2c54cc6e3390fc28f7f3308cc438ac68e56a3161c1ba862e233880391211e4
Instruction Fuzzy Hash: E7215B35A4410A8FCF04DBA9C5416EEBBBAFF89300F20866AD41577755DB306E4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05497C80 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a19662abdb08bb74ee597c56da24687bd05e37cc3b6f58cbb727966360722cc
Instruction ID: 7d31da179e58c15df2f4ffeb70c12232a093da2c39775a9988deb68a82d999eb
Opcode Fuzzy Hash: 2a19662abdb08bb74ee597c56da24687bd05e37cc3b6f58cbb727966360722cc
Instruction Fuzzy Hash: 90216A30B54610DFDB288B14D906BBA7F62FBC7701F2581ABE51A4F2A2D676C8428785

Uniqueness

Uniqueness Score: -1.00%

Function 0549AE48 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac600e934aca654560412618726591eb4a0d422a1c0b378d816990b88eefb55c
Instruction ID: a33285d1eb2956e25615ee34c5bb506916c68a3b6d84dc912c2deda14810b6ce
Opcode Fuzzy Hash: ac600e934aca654560412618726591eb4a0d422a1c0b378d816990b88eefb55c
Instruction Fuzzy Hash: 45216D35E4021A8FCF04DBA9C5416EEBBBAFF89300F10856AD41577355EB306E4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0549F1B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c627322027dd3305606559593742318f0e263d581c062acfd87c41a8f8b97f9
Instruction ID: 0a10e0343bbc09e07f0953efdb82b9a7ce9c56b4b42a2353a4167ead71f1934a
Opcode Fuzzy Hash: 7c627322027dd3305606559593742318f0e263d581c062acfd87c41a8f8b97f9
Instruction Fuzzy Hash: 0611C434B00218ABCF1D9A799D11BBBBAA7FB84750F14852AE816DB340EA71CD49C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0549B250 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7121eab11af61c7f3d04867248aa7e6ad81071165b7d9005e3e96a2c8e6f548e
Instruction ID: 534fd3005e938f96b62a4599e033edf575c5aa7c4b1955b1dc1202ce32afac08
Opcode Fuzzy Hash: 7121eab11af61c7f3d04867248aa7e6ad81071165b7d9005e3e96a2c8e6f548e
Instruction Fuzzy Hash: 1B21C9B4D08209DFCB48CF99D185AEEBBF5EB49300F60909AD819A7715D7309A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0549B7B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcd116afd9565bde5cab58aaff5368402c9b288a9e7cd1e8e1bf3a38e5df473
Instruction ID: f8838b6970b19fc3f02aa95a78224b37c3760e9fa08bc4741a7010404bdfcc4f
Opcode Fuzzy Hash: 1bcd116afd9565bde5cab58aaff5368402c9b288a9e7cd1e8e1bf3a38e5df473
Instruction Fuzzy Hash: 3F21C3B1D046188BEB18CF9BD8457EEFAB6BFC8300F14C06AD419A6254DB74094A8F90

Uniqueness

Uniqueness Score: -1.00%

Function 0549B2F9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5656ff69b8b8aa7ec3a87f69224be186fe276c2534684d8b7e2c2445c3d127
Instruction ID: ca299071dd89a887417cd0adb43afd3f4736da7d1d34455bdfe676ee0a476e3a
Opcode Fuzzy Hash: 0a5656ff69b8b8aa7ec3a87f69224be186fe276c2534684d8b7e2c2445c3d127
Instruction Fuzzy Hash: 3C11297090D248DFCB18CFA9E5819EDBFF5EF49300F1491D6C41997216D6709A058B41

Uniqueness

Uniqueness Score: -1.00%

Function 05494CA4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdcdcf3904edbc1ed5a45b78161403e5aca1dc103ffab09a7d73050495073f8a
Instruction ID: 7d28d1b1808f401373b8fd86fc4747ca9199308ad02212e58c36cd22be08306a
Opcode Fuzzy Hash: fdcdcf3904edbc1ed5a45b78161403e5aca1dc103ffab09a7d73050495073f8a
Instruction Fuzzy Hash: BE21D3B5D042499FCB10DF9AD844ADEBFF4FB48354F10842AE919A7310C375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1919667593.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a5d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: bd115a635606b791df834fb76cd9c19e091d9c3257d36068aa137bbf3a0a67b6
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4311D076504680CFDB16CF10D9C4B16BF72FB94324F24C6A9DD094B266C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1919667593.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a5d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: bfe54f2c8eaaff998692f10a5dc1f85e155bdeb1fb5bf2ace57b02cd894ddb66
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 9A110372404240DFDB16CF00D5C4B16BF72FB94324F24C2A9DC090B256C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 054967FA Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda8e9be6eefd88ed5a936a4c4f4b40e9a67224c9f64d6d3e1da8bb3ad759a7a
Instruction ID: 65c908f0737a80ea71ce8a3fda109c27d666d52cdbb99679772254cadeccda64
Opcode Fuzzy Hash: eda8e9be6eefd88ed5a936a4c4f4b40e9a67224c9f64d6d3e1da8bb3ad759a7a
Instruction Fuzzy Hash: A921D3B6D002499FCB10CF9AD845ADEBFF4FB48354F10841AE959A7310C379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0549DE1D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a32fcbcd391f21280e12890ceea93000df02f36f15262377b11746b36fd99a7
Instruction ID: df07fc61f3edbc91ca0e99d469f8aa5e77860a90e6571f18421169f3486a8b83
Opcode Fuzzy Hash: 7a32fcbcd391f21280e12890ceea93000df02f36f15262377b11746b36fd99a7
Instruction Fuzzy Hash: E7212C34A05324CFCB74DB24D954BA9B7BAEFC6301F00819D944AA7B0ACF745E858F51

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1919729792.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a6d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: d47bc4b3893ebaeee1f1fb2eac39beaf73846b62c990f549068bc78fbfdb63e8
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: DA11DD75A04280CFCB01CF20D5D4B55BFB2FB84318F28C6AAD8094F256C33AD80ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1919729792.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a6d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: f1207bd946ca82f01e8fec816543dec262a8304aff231f08e99448f49b38fd32
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E7118E75A04280DFDB15CF14D5C4B15BB71FB84318F24C6AAD84A4B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0549A940 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40940c35b93d804bcfe2a7182dcc2e84c0e5cea12f419ce8b2008af54d8d87dd
Instruction ID: 7c581aadd26d0cdbbb3f4ca6a0362a890d38429060782a20987e3acdfea91459
Opcode Fuzzy Hash: 40940c35b93d804bcfe2a7182dcc2e84c0e5cea12f419ce8b2008af54d8d87dd
Instruction Fuzzy Hash: 3D11C6749082488FCB04DFA5C54559DBBB6FF8A301F209159D41AAB356D7386D06CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0549C628 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7e3912935cabc4f133f46b47247176f8404ecc7d2b499ada2d4b2b13b3814b
Instruction ID: e6536c0b5d21e94cbc0818e4b1a8c346a28327ddf6b1ba6974618e08710468ca
Opcode Fuzzy Hash: 3b7e3912935cabc4f133f46b47247176f8404ecc7d2b499ada2d4b2b13b3814b
Instruction Fuzzy Hash: 82116D75908244EFCB04DFA4C595AEDBFF9EF59300F2590D9E4099B262D7309E01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0549C5B1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dd2a36b2cb30fcba82736c79bd2c731998b325b2c384ebaede428d2badd1b0
Instruction ID: c7b5d5ec3d0eb23d2a73f7b9fcb90b4bc586cb3870cf94a13c41ff14817e0a62
Opcode Fuzzy Hash: 49dd2a36b2cb30fcba82736c79bd2c731998b325b2c384ebaede428d2badd1b0
Instruction Fuzzy Hash: A901B17094C254DFCF0CCB55C5C6AE9BFBAAF4A310B1491EBD00AAB622D7308E46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0549DC81 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3554d4007af61d224155506b0a62f82e95045186bd8fdbac71740fa73d1acf0
Instruction ID: 4fe83f1b3139d1333ef9fb5ce8ec951e63f7a26d4a1e4be2a20bc83160b2a91d
Opcode Fuzzy Hash: a3554d4007af61d224155506b0a62f82e95045186bd8fdbac71740fa73d1acf0
Instruction Fuzzy Hash: 88115E34905154CFCB38DF58D985AA8BBB9FF88301F0491AED40A97756DB306D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0549672A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e09cba28281a8132d5041885942ea5d3a2c88b7e85ca0cb5458af05f7a528a
Instruction ID: 448aa726c6fa187fd406197ea17a871dbb0bcc6f91533dafe4e82186abb15c83
Opcode Fuzzy Hash: f9e09cba28281a8132d5041885942ea5d3a2c88b7e85ca0cb5458af05f7a528a
Instruction Fuzzy Hash: A1F01276A001047FDF09EF5AD841EEB7BBAEBC4354B05C16AE918D7315D630D9058B94

Uniqueness

Uniqueness Score: -1.00%

Function 0549C5C0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12263e2b6d0edf2acf177eca027e22e2b660e3e06edfc0828acfbaad2a6425f3
Instruction ID: 9cd845b336df85bf7f0dc02ba5c9696825d2523ab2fb495f9b51ccf93658570c
Opcode Fuzzy Hash: 12263e2b6d0edf2acf177eca027e22e2b660e3e06edfc0828acfbaad2a6425f3
Instruction Fuzzy Hash: EEF03170948258DBCB08CB55C58AAF9BFBEBF99310F14A1A6940A57212D7309E45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05494C94 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eaac881c781c96013b2c412310fafc02a329ae9f452bd26e922356112a76e28
Instruction ID: efbb65f5c886237558e1cb5fc9ae14ddacb3d1171b96c38d20d6d7ce1914d52a
Opcode Fuzzy Hash: 9eaac881c781c96013b2c412310fafc02a329ae9f452bd26e922356112a76e28
Instruction Fuzzy Hash: 29F012766001046F9F09EF5AD841CAABBBAEBC4354705C46AE918D7214D631D9158B94

Uniqueness

Uniqueness Score: -1.00%

Function 05494C54 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350f085c7fb5a2fd1774b3e3b762596466776a9825e8755b8b446d779151f2d7
Instruction ID: 79fc970f0b97100ac4394ab9e29bf127383f0238faa5b738b13ca51713bf5acf
Opcode Fuzzy Hash: 350f085c7fb5a2fd1774b3e3b762596466776a9825e8755b8b446d779151f2d7
Instruction Fuzzy Hash: 24F02430788344AFDF08EB74CA16AAD7FE9EB91204F2504EAE406C3251EA30DC068315

Uniqueness

Uniqueness Score: -1.00%

Function 05496700 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9855bd9cf542bfb39dab74abd97aad9a108727a105e8632edcd0c74f3ac9636a
Instruction ID: 36dede232373a6759d71ba38bf33a6c5b052890b4f9db2a8353dd9dc792c57a5
Opcode Fuzzy Hash: 9855bd9cf542bfb39dab74abd97aad9a108727a105e8632edcd0c74f3ac9636a
Instruction Fuzzy Hash: C7F0B47B3001057FDF09EB45D942EEA7B7AFBD4359B0180A7E50886214D630D8159B94

Uniqueness

Uniqueness Score: -1.00%

Function 0549C2EB Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8cf3b0d548e7eef5bced91354ebedd60633cbe1cc20b971b895e761836c47c
Instruction ID: 688767fe3b107a673a437f0784e6a00845c0ef4de549060bd796e2f1b2af4ec5
Opcode Fuzzy Hash: 4b8cf3b0d548e7eef5bced91354ebedd60633cbe1cc20b971b895e761836c47c
Instruction Fuzzy Hash: 27F03AB4E4D148D7DF1CCB9AC5C24F8FF6BAB8E300754E196E00A67606C73099868A51

Uniqueness

Uniqueness Score: -1.00%

Function 0549C7BA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad022d86ca6e473b7429372d0d4cdfc82ebcdc13129cbf301a29ea2c4df5e55
Instruction ID: 2bb478e6b32a45a971996dcc5672438e6cee282995424d3ea5222d1311d94d8d
Opcode Fuzzy Hash: 8ad022d86ca6e473b7429372d0d4cdfc82ebcdc13129cbf301a29ea2c4df5e55
Instruction Fuzzy Hash: 4CF01970D04245DFCB48DFA8C895AEEBFF4AF49300F1084AAD401E7211D3709500CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0549DD74 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888f515e6f6e05751b86a4881a59d4b91c1294c06e6844d3a0d9da8e9c63606c
Instruction ID: a4f3f2c1b149e0ad9f1b98656539d8b5a5f205be2612cc61618f4122a5c7f3fe
Opcode Fuzzy Hash: 888f515e6f6e05751b86a4881a59d4b91c1294c06e6844d3a0d9da8e9c63606c
Instruction Fuzzy Hash: 91012834905214CFCB24DB64D945BA8BBB5FBC8301F0082AED40AA7756DB345D82CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0549F140 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7401cf9755ad4539739e27c6eda2dc02cec18afe9e547100f50379fb43eab790
Instruction ID: bc0efb58e64a29cebdf82da4d5c9366accacc73578ad8512b70f449ed3982349
Opcode Fuzzy Hash: 7401cf9755ad4539739e27c6eda2dc02cec18afe9e547100f50379fb43eab790
Instruction Fuzzy Hash: 39F06D34A09248AFCB15DFA8D94558CBFB1FF89301F1180EAE8459B361D6344A04DB82

Uniqueness

Uniqueness Score: -1.00%

Function 0549C7C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fe3d427d0148373690477837f24ba63060cd464dbded25f596ed35d41e87e3
Instruction ID: 8132733c3d90b1d09a191b696adba9760fbf0ee04b0db7bccbe1cff1f1cf987e
Opcode Fuzzy Hash: d4fe3d427d0148373690477837f24ba63060cd464dbded25f596ed35d41e87e3
Instruction Fuzzy Hash: 2DF0B7B0D0420A9FDB54DFA9D846AAEBFF4BB48300F5085AA9919E7201E7709A018BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0549DF57 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6b055c361fcba60835302ac46918f6aeb0c3e32dbf4b0458000bbdd5ee99b6
Instruction ID: 7069b26ece47736936fb943751aa91aceb5d1c508b31c671630a48fd65ce1922
Opcode Fuzzy Hash: bb6b055c361fcba60835302ac46918f6aeb0c3e32dbf4b0458000bbdd5ee99b6
Instruction Fuzzy Hash: E7011974900255CFCB64DF64D884AADBBB5FF89301F10889AD006E7715CB7099818FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0549F0E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0e3a5505dbb7f94ecc89a0b2e55cd17800f2208743804cb3a0887af8b88b9f
Instruction ID: 3e7f891698f1e332c9917d5bb37e353e4dea09b5ba1ea16b903b7cd0f59c938d
Opcode Fuzzy Hash: 4e0e3a5505dbb7f94ecc89a0b2e55cd17800f2208743804cb3a0887af8b88b9f
Instruction Fuzzy Hash: F1F04934904248AFCF26DFA8D45569CBFB1FF89311F1080EEE81597691D6341A54DF42

Uniqueness

Uniqueness Score: -1.00%

Function 0549E1AE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd517fbb4b1a1691b219ca9313f1f49621340243e7fc6f679caf616134feb78b
Instruction ID: 38a9796ad4e683b89d5161b93e1a74453dfa3bd5480e14dcd6b935e4e3c0592c
Opcode Fuzzy Hash: bd517fbb4b1a1691b219ca9313f1f49621340243e7fc6f679caf616134feb78b
Instruction Fuzzy Hash: 4EF03034945359CFCB14DF98D9546AC7BBAFB84311F108219D4169B39DDB345945CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0549BFF1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721ba233814d381ff093ba7c031f12c80cd7739076a8d0a844b0dc7ecb715747
Instruction ID: 71a7c97cb400facf8344fa8297c60a23a058ba0892da4c84fd4b659c0234c8e0
Opcode Fuzzy Hash: 721ba233814d381ff093ba7c031f12c80cd7739076a8d0a844b0dc7ecb715747
Instruction Fuzzy Hash: B8E0397080D199CACF48CBA9E8C64BDBF7AFF87345B0415EB841E5A15BD6210500DE91

Uniqueness

Uniqueness Score: -1.00%

Function 0549C760 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6d1c9e8ec877c1ee7e2f2d2d26300453188bec176aa6ce7a080b54fffe49ed
Instruction ID: f7168c9a108d071705f235bca03555a925e155eb5c98ab205095052f51b9575b
Opcode Fuzzy Hash: ad6d1c9e8ec877c1ee7e2f2d2d26300453188bec176aa6ce7a080b54fffe49ed
Instruction Fuzzy Hash: CFF039B4844246DFDB40DF79C58579ABFF0AF48214F2085BAC055EB212E7748606CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0549F0F0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aba931ab0dfe1a90b016bbad89ece8757eb769db5037cdbe688dc3ee2ed6a4c
Instruction ID: 4e4224bdda944e1f38158a72328b681e0a026b6d11be40d18de8711794bea7e3
Opcode Fuzzy Hash: 3aba931ab0dfe1a90b016bbad89ece8757eb769db5037cdbe688dc3ee2ed6a4c
Instruction Fuzzy Hash: CFF01574E00208EBCF54EFA8D506A9DBBB5FF88301F10C0AAE81592350EA345A54DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0549C770 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2c89809607ee31d4d8d6af836682edfd154248d09211b90838d6450f1716c0
Instruction ID: efcdd485d8779a24a76eb0e44b6a2c1d5fad148b54fa32e234bf309301b7a5f8
Opcode Fuzzy Hash: 3b2c89809607ee31d4d8d6af836682edfd154248d09211b90838d6450f1716c0
Instruction Fuzzy Hash: 70E0BFB4D4020ADFDB40DF79C54569EBFF1BF08200F1185A6D015E7211E7749A058F91

Uniqueness

Uniqueness Score: -1.00%

Function 0549C308 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8b6daf3a1faa9c2ce93e32820979e20eed6750345770396c4f683641cef2e8
Instruction ID: f2abc1fd7278daa5d7971358d9186bdd32ad51b58ad132a01e67acbb279f4d55
Opcode Fuzzy Hash: 3f8b6daf3a1faa9c2ce93e32820979e20eed6750345770396c4f683641cef2e8
Instruction Fuzzy Hash: B6E09274A09268DFCB08CF99C9908ECBBBABF89301B009099E40997212C73099028F40

Uniqueness

Uniqueness Score: -1.00%

Function 0549DDCF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8977a150c0a2302fba29f7f87c8bb090bf53b3dfc3a10f4511ed893fbfed3b
Instruction ID: 610e8a50b3d8acd1d167da2e04e3915ab4ce370e2e6214fb4d31170e65c16525
Opcode Fuzzy Hash: 3c8977a150c0a2302fba29f7f87c8bb090bf53b3dfc3a10f4511ed893fbfed3b
Instruction Fuzzy Hash: CDE04F34909219CFCB28EB98C5515ACBBBEFBC4305B00861984069B719CB344806CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0549C858 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2e3859845b7565ec76a1b854d60f9cecd5484cf521e6289c7d6cea64c37d68
Instruction ID: 4a5fe98566d74b2aae774e957a3ecac83cccfebd3cd95baf1f56086dc0f34603
Opcode Fuzzy Hash: 0c2e3859845b7565ec76a1b854d60f9cecd5484cf521e6289c7d6cea64c37d68
Instruction Fuzzy Hash: 08E0C23520C2851FCB02DFA1DC60DA23FE87F9620030544E7E1C0CB133D211D524D751

Uniqueness

Uniqueness Score: -1.00%

Function 0549BAD5 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243d7a93cda442ded9dd97a7f896fb84649be036bc83d522718f24033f3422d8
Instruction ID: 496cf908b0a88cab5608db21823e55b9a5d8c6e62b8f1a228ebc0f310cb048d6
Opcode Fuzzy Hash: 243d7a93cda442ded9dd97a7f896fb84649be036bc83d522718f24033f3422d8
Instruction Fuzzy Hash: 7CD05E3110D6A9CFDB49CB64E04B5E43F77FB4A11174545DAC04A8BE13C62A8946C710

Uniqueness

Uniqueness Score: -1.00%

Function 0549BD1D Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9b5ab79ca6c0211e434d2370f1b18ad357e1d12bf8c250a5a774d0acff6f66
Instruction ID: 2966f4ce237b959615c01b99bbff9f448131cde9226e952e588a0c2960de9a6e
Opcode Fuzzy Hash: 1e9b5ab79ca6c0211e434d2370f1b18ad357e1d12bf8c250a5a774d0acff6f66
Instruction Fuzzy Hash: 5AE0EC3010C210CFCB28DB54E54A6F47B7AFB4E322F10529ED41F66692CB319986CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0549BB03 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7788265251ed959c011eccd08c0ab4aaee576879a143d88182de68b7e1516dca
Instruction ID: e8f7c4d3e65ce4caf8c3013d5803787086b28ef80d2c1f127a7b526caa532c86
Opcode Fuzzy Hash: 7788265251ed959c011eccd08c0ab4aaee576879a143d88182de68b7e1516dca
Instruction Fuzzy Hash: 8AD09270108210CFC728DB54E54AAA47B7AFB4A312F01509ED00F57612CB32A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05499F10 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ca95381cca61de3b08391111f8a3b03bb52d7e37f1420383e5c2b9b05ddcc8
Instruction ID: ef79480bb285828e5db63f0a5b43f0c6d4caf1fc02f8f10c86de334fd06c3f05
Opcode Fuzzy Hash: 96ca95381cca61de3b08391111f8a3b03bb52d7e37f1420383e5c2b9b05ddcc8
Instruction Fuzzy Hash: 18C08C300012058BC63827E8B40E3A97A7CEB80312F1041ACA10B40C124EB04080C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 0549A412 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce47f2aec357d7816f463c698d527c126a7f539084b9d0444a2056b01cd6e479
Instruction ID: 840787b63b8c4fee4451e7b26d9db1d2bb2c00bb3e1e8e8836d8c8aed1e51ecf
Opcode Fuzzy Hash: ce47f2aec357d7816f463c698d527c126a7f539084b9d0444a2056b01cd6e479
Instruction Fuzzy Hash: AFC01230906219CFCF24DF28DA45BACBBBAEB44300F0081E8800E9221AC7341E80CF00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 054976C0 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

]\`, xrefs: 05497AA2
[V~*, xrefs: 0549797E
[V~*, xrefs: 05497985
T+-q, xrefs: 05497B5A

Memory Dump Source

Source File: 00000011.00000002.1927071184.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5490000_BjTxJte.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: 883a375d05ca089f00a44a24e2e6e6e592ae830f7bad3dcfe066d9bd9a4554a8
Instruction ID: d486a6d619605febe742d00c634503a104df3de805429612f1766c3fe999e1cc
Opcode Fuzzy Hash: 883a375d05ca089f00a44a24e2e6e6e592ae830f7bad3dcfe066d9bd9a4554a8
Instruction Fuzzy Hash: F1315075929244CBCF14CF7DC9462FEBFB1FF06314F0485ABA86697282D234A951C762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BjTxJte.exePID: 7996, Parent PID: 7788COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	4

Executed Functions

Function 06AEB208 Relevance: 8.3, Strings: 6, Instructions: 767COMMON

Download Yara Rule

Strings

$kq, xrefs: 06AEBB4B
$kq, xrefs: 06AEBB7F
$kq, xrefs: 06AEBBBF
$kq, xrefs: 06AEBB57
$kq, xrefs: 06AEBBB3
$kq, xrefs: 06AEBB8B

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 94ce6b262c3794cd4e2ce05997d4e06f9b7e0716be8d64533af6aaaa7b65d56b
Instruction ID: 77b0c73a55e52b3b43d86c56431d0dfffc11c61f4fed8eaa130542a4263f3057
Opcode Fuzzy Hash: 94ce6b262c3794cd4e2ce05997d4e06f9b7e0716be8d64533af6aaaa7b65d56b
Instruction Fuzzy Hash: C5525030E102098FDF64EB68D6987AEB7B6FB45310F20886AD405EB395DB35DC85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06AE3468 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06AE3BC0
$kq, xrefs: 06AE3B67
$kq, xrefs: 06AE3BB4
$kq, xrefs: 06AE3B9C
$kq, xrefs: 06AE3B90
$kq, xrefs: 06AE3B73

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 5d1f462d37223450694878c53be499dcdef3966949b387c3856ed74384820143
Instruction ID: 71e21460d5a93a6d17681aa0a6ebad223563ef449b948a4343394dfb49cccc10
Opcode Fuzzy Hash: 5d1f462d37223450694878c53be499dcdef3966949b387c3856ed74384820143
Instruction Fuzzy Hash: 9F320030E1065A8FCB15EF75D99459DB7B2FFD9300F20C6A9D409AB264EF30A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE7D40 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06AE82DB
$kq, xrefs: 06AE82E7

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: ce6419568f445054c358c503e4f9fd27d56c69048d274750044bd8c877cb5a76
Instruction ID: a164b0577b57ab6b39f7419ed0223882b9130b7cfc649443a105fdb09b1b158b
Opcode Fuzzy Hash: ce6419568f445054c358c503e4f9fd27d56c69048d274750044bd8c877cb5a76
Instruction Fuzzy Hash: CB02D330B006098FCB54EB69D594A6EB7F2FF84350F148469E415EB3A8DB35EC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06AE65C0 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fb7d0cfed577d345bad7893131dcfa8339e390a918628ec23a81015cdd174c
Instruction ID: b698d27a9b715bbc3c5eb8e9890657d80542f99496e312a793b233aa5b72a924
Opcode Fuzzy Hash: 77fb7d0cfed577d345bad7893131dcfa8339e390a918628ec23a81015cdd174c
Instruction Fuzzy Hash: D5626D34F002098FDB54EB68D594AADB7F2EF84354F249869E406EB3A5DB35EC45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06AE55A8 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e14fdd1ae9656dd811ee41dea17b62208f098a406a2184ca7a3e14583dd437
Instruction ID: 8f1fd8dc5deb9c9fdc05d72fc52b5f405c1d9d5ab41825f4b19b008b53d30576
Opcode Fuzzy Hash: 55e14fdd1ae9656dd811ee41dea17b62208f098a406a2184ca7a3e14583dd437
Instruction Fuzzy Hash: C912E175F102159BDF64EB64E9806AEB7B2FF84318F24842AD8069F395CB35EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AEACA0 Relevance: 10.4, Strings: 8, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06AEAE20
$kq, xrefs: 06AEAE4F
$kq, xrefs: 06AEAE43
$kq, xrefs: 06AEAE6C
$kq, xrefs: 06AEAE78
$kq, xrefs: 06AEADC1
$kq, xrefs: 06AEADCD
$kq, xrefs: 06AEAE14

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 50173d658d5a82a7536de3824d461bc7623ff382398805179a0e9bb212b7ced1
Instruction ID: 19288c51456fcf965dccd71ec30f478935c45be11c44767b748dbc5d0057134d
Opcode Fuzzy Hash: 50173d658d5a82a7536de3824d461bc7623ff382398805179a0e9bb212b7ced1
Instruction Fuzzy Hash: BAE1A130F1020A8FCB65EBA9D5946AEB7F2FF85304F20852AD506AB354DB74DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE9110 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06AE9157
$kq, xrefs: 06AE9192
$kq, xrefs: 06AE9163
$kq, xrefs: 06AE919E

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 6e74939a83908ef1fced0b38150d7486c76d2f10e54cf50045ec900cd4238a5e
Instruction ID: 3ccda1ceb1be84d09ad535d78fa91efb5341609841ee3bed6a356e256be17a1e
Opcode Fuzzy Hash: 6e74939a83908ef1fced0b38150d7486c76d2f10e54cf50045ec900cd4238a5e
Instruction Fuzzy Hash: 42914230F1021A8FDB54EF65D9607AFB7F6AF88240F108569C409EB398EB75DC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 06AECF18 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06AED323
$kq, xrefs: 06AED317
$kq, xrefs: 06AED30F

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: 038d43d03047f74d2dc5f12f1bfe477b8b79859f3940bb68d9918aeaa6ddd016
Instruction ID: f56a0810e354c8ddd6f2b46e72614aa85654ad8f16e890665ae658af9d4731d4
Opcode Fuzzy Hash: 038d43d03047f74d2dc5f12f1bfe477b8b79859f3940bb68d9918aeaa6ddd016
Instruction Fuzzy Hash: 7E621030A0020A8FCB55EF68E6A0A5EB7F2FF84304B258569D4159F369DB75ED46CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 06AE4B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fpq, xrefs: 06AE527D
\Opq, xrefs: 06AE4D27
XPpq, xrefs: 06AE4C9D

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 95c2c7b78ff4c92f6128ed29c94207cda09a576a00bf120d34d87469a437b4c8
Instruction ID: e8aa0fb6fa918b58aad80bfbda9abf91eba05ba04e307d65460d0cbffbec626e
Opcode Fuzzy Hash: 95c2c7b78ff4c92f6128ed29c94207cda09a576a00bf120d34d87469a437b4c8
Instruction Fuzzy Hash: 41615174F002099FEB54ABA9C9547AEBBF6FF88304F208429D506AB395DE754C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE90FF Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06AE9157
$kq, xrefs: 06AE9192

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 81684efd53c9b7fb62a1fe94fd6f3cc78f52c69f2053c6a712489faeeb6da741
Instruction ID: af0b0d6341bcd03add9faa174c285409d8e3c1fd9bd0add7cf2d82239a09e17f
Opcode Fuzzy Hash: 81684efd53c9b7fb62a1fe94fd6f3cc78f52c69f2053c6a712489faeeb6da741
Instruction Fuzzy Hash: 0E515030F1020A8FDB54EFB5D960BAF77F6AB88690F508469C409DB398EB75DC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 0146EFB7 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0146F037

Memory Dump Source

Source File: 00000016.00000002.1983082242.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1460000_BjTxJte.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 5c2317261de711fda87538f0f7a0e177a753b2e44981237e5eaa371de920ce3a
Instruction ID: f01a209caf9e81e035b327b4456300c3c58636c91a1f0dfd88d961c75aed2de9
Opcode Fuzzy Hash: 5c2317261de711fda87538f0f7a0e177a753b2e44981237e5eaa371de920ce3a
Instruction Fuzzy Hash: 382142B2C00269CFCB10CFAAD5447DEFBF4AF08220F14856AD418B7255C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0146EFD0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0146F037

Memory Dump Source

Source File: 00000016.00000002.1983082242.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1460000_BjTxJte.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: bbbdb4cc9d6763ca9dc700795f72c251dc6871e9ddffa95d8e79e3b8725c2fb8
Instruction ID: 5aec018a058771064296a728d92aa19c731d4c40e80490ad3f29278263383fc0
Opcode Fuzzy Hash: bbbdb4cc9d6763ca9dc700795f72c251dc6871e9ddffa95d8e79e3b8725c2fb8
Instruction Fuzzy Hash: 7B1123B2C00269DBCB10DF9AD444BDEFBF4AF48324F10812AD818B7255D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06AE4B61 Relevance: 1.4, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPpq, xrefs: 06AE4C9D

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: dbe6a4e9a4ca4690268de4d08e1fe0b5221174f56dbc610c06804a53441693ed
Instruction ID: 6dbeef2088eddb518d2250714458c5f62013702def99b4f6bab1192f7f16f4f1
Opcode Fuzzy Hash: dbe6a4e9a4ca4690268de4d08e1fe0b5221174f56dbc610c06804a53441693ed
Instruction Fuzzy Hash: D0415374F002099FDB54AFA5C954BAEBBF6FF88300F208529D505AB3A5DE719C45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06AEDAA0 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHkq, xrefs: 06AEDBE9

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: db85ff75e3895da3674b05e3f2a4522fc26f1f096eaec0299ed89dac4ce11b78
Instruction ID: 6f8a32bdfbded31d594138fb56d3e77fea2f1726715c5bd6fe6b362776c9e33f
Opcode Fuzzy Hash: db85ff75e3895da3674b05e3f2a4522fc26f1f096eaec0299ed89dac4ce11b78
Instruction Fuzzy Hash: 5241AF30E0020A9FDB64FFA5D59069EBBF6BF85340F204529E402EB254EB75E846CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06AEDA8D Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06AEDBE9

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 98dae029c4798526ed5ea2cd143d75be0a8826d052c7fcc232bcabcd5b2468f3
Instruction ID: 69b2cf70d9f8089588f02da1b2f4d38736898d907b0dbf1199db02965107f91d
Opcode Fuzzy Hash: 98dae029c4798526ed5ea2cd143d75be0a8826d052c7fcc232bcabcd5b2468f3
Instruction Fuzzy Hash: 58419130E102099FDB64BF75D59069EBBB6FF85340F108529E801EB254EB75D846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06AE21BD Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06AE230B

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 32fd3003a44b8dd16ee417f8add930e436f731e9a6fa9f9e6f1ca89beece6652
Instruction ID: c009dc57b3d61d22f7c3994097b1b89d8973f2ba8772a9ed38e8bab8088997e1
Opcode Fuzzy Hash: 32fd3003a44b8dd16ee417f8add930e436f731e9a6fa9f9e6f1ca89beece6652
Instruction Fuzzy Hash: 51310170B002028FDB65AB74D65476E7BEAEB89340F24446CD402DB399DF39DD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AE21D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06AE230B

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 12996925ea4e4ec8a7b3f2c0c3ce742004681e09175369edb4a82e553cbe0847
Instruction ID: 07f8bb63168784f5132a97cb4c9655cbb9d4f3d3aff3969e56b55ff2aa1a2e9e
Opcode Fuzzy Hash: 12996925ea4e4ec8a7b3f2c0c3ce742004681e09175369edb4a82e553cbe0847
Instruction Fuzzy Hash: 4531E270B002068FDB65AB78D65476E7BEBBB89340F208468D406DB399DF35DD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AE82B6 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$kq, xrefs: 06AE82DB

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: 8742d49fc95cebc0c7c28003ca36f05eff03d0b933f08e32b4f3f2655b2e0244
Instruction ID: 236a67f4432b6fcbe19c6406320a36e1faf8c72d12a8478bd6c816916524fab2
Opcode Fuzzy Hash: 8742d49fc95cebc0c7c28003ca36f05eff03d0b933f08e32b4f3f2655b2e0244
Instruction Fuzzy Hash: C4F0A936A00206CFEFA4AA94EEA16A9F375AB60290F2000B2D901AB154C239DA01CA50

Uniqueness

Uniqueness Score: -1.00%

Function 06AE4A59 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Opq, xrefs: 06AE4A65

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: \Opq
API String ID: 0-3546586535
Opcode ID: 74bad28dc0b062f619c402a12c8f3de14ab8922a247c9418e5c8eccf12c5f181
Instruction ID: a8b78426cde0cb9980eb4b28f82e064c2fd152eebc7f312e6dec413eaf0f5c75
Opcode Fuzzy Hash: 74bad28dc0b062f619c402a12c8f3de14ab8922a247c9418e5c8eccf12c5f181
Instruction Fuzzy Hash: 36F05E30A5422ADFDF14EF90E859BADBBF6FF48710F24012AE402A7294CB701C45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06AEC158 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c936036304cbb5d870de6a54266bcd5c295b61020085ed056abb77f4d3fb0b
Instruction ID: e757280fb3a045fbcc03a5e9a665c2778bd63d939d0a99577d4c1c85ad679538
Opcode Fuzzy Hash: d1c936036304cbb5d870de6a54266bcd5c295b61020085ed056abb77f4d3fb0b
Instruction Fuzzy Hash: EF328334B102098FDF54EB68D594BAEB7B2FB88360F108529E416EB359DB35EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AEB1F8 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f7b0c9ee5fe6ea62f45c2afc2aa90c60e6bd9037d603f576ee9410013ad8b7
Instruction ID: 51a25c3885921dbe584651e3c79a5eed993bcb9bfdf77ba65e34f9bb262560ad
Opcode Fuzzy Hash: 13f7b0c9ee5fe6ea62f45c2afc2aa90c60e6bd9037d603f576ee9410013ad8b7
Instruction Fuzzy Hash: 9AA17770F101098FEF64EBACD6987AEB6B6FB49310F204829D406EB795DA35DC818771

Uniqueness

Uniqueness Score: -1.00%

Function 06AE61B8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dae89c9738ea072f50d165699ffa7d75222de6b2f0226ecb2b0b3913fbe3c5d
Instruction ID: 51b0d860eabbe67425951c63424322a2eb39f070f2bc9d578d0700cc2935675f
Opcode Fuzzy Hash: 5dae89c9738ea072f50d165699ffa7d75222de6b2f0226ecb2b0b3913fbe3c5d
Instruction Fuzzy Hash: 8E61E4B1F001124FCF51AB7DC88066EBAEBAFE4610B154479E80ADB379DE65DC0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 06AE42A3 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54f668ad3be991d90df2e09aa630bcde5d39055a07d9c7dc114f6f27a99021e
Instruction ID: f4b69f6db441d22d414c52f806cb23b7c80982f8ef4d0311bb2d5b36250c1e8b
Opcode Fuzzy Hash: d54f668ad3be991d90df2e09aa630bcde5d39055a07d9c7dc114f6f27a99021e
Instruction Fuzzy Hash: CE812C30B1060A8BDF54EFA9D55466EB7F6EB89300F108469D40AEB399EA34DC468B51

Uniqueness

Uniqueness Score: -1.00%

Function 06AE42B0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cd43c759ef7dff038aa038f6486bc9a583e1623af339672fd8305c3bb691c
Instruction ID: 6cd1d89917d0220e3311b79e5cf14a7e8bf1a404884e14999fb10d0541c42d83
Opcode Fuzzy Hash: 9f3cd43c759ef7dff038aa038f6486bc9a583e1623af339672fd8305c3bb691c
Instruction Fuzzy Hash: 82811C30B0060A8BDF54EFA9D55466EB7F6EF89340F108469E40AEB399EB34DC468B51

Uniqueness

Uniqueness Score: -1.00%

Function 06AE45C4 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c852848eb13772c3cad93c7966f44b165fa58a2e78e19743132d7967a5bac9f6
Instruction ID: 08edde48aed2fcb8f152356e74143a270aa948cac7c9d00b1687bf9720ee74af
Opcode Fuzzy Hash: c852848eb13772c3cad93c7966f44b165fa58a2e78e19743132d7967a5bac9f6
Instruction Fuzzy Hash: DD915C34E1061A8FDF60DF68C880B9DB7B5FF89304F208699D549BB295DB70A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE45D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b087c1216b7600e09df4cfe2a8a0077f909ee8a04085555097377bd0641416
Instruction ID: 458550c345a2985f854344419e1f895f319f0fc691f29c758a7fe7377a493bd7
Opcode Fuzzy Hash: a1b087c1216b7600e09df4cfe2a8a0077f909ee8a04085555097377bd0641416
Instruction Fuzzy Hash: CC912C34E1061A8BDF60DF68C880B9DB7B5FF89304F208699D549BB355DB70A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06AEEEE8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbbc8d4b3b0ec447be612d4007e2e6766e801b61697516751feed50a5d5dca6d
Instruction ID: 18a4af9bc2d9be81cd0880ae5d930623fe682258a89e692a514b7b41b56eabce
Opcode Fuzzy Hash: bbbc8d4b3b0ec447be612d4007e2e6766e801b61697516751feed50a5d5dca6d
Instruction Fuzzy Hash: 5F713D70E002099FCB54EBA9D990AAEB7F6FF84304F258529D505EB369DB30EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06AEEEF8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58a6f32be053dd21f5745ac6bb264efce2e54b11fe46887d27217747ad21b44
Instruction ID: a7f672e44d31f72986660092ec8c599c7c387d5622634875bd423db91f880e82
Opcode Fuzzy Hash: c58a6f32be053dd21f5745ac6bb264efce2e54b11fe46887d27217747ad21b44
Instruction Fuzzy Hash: 7E712C70A002099FCB54EFA9D990A9EBBF6FF88304F158529D105EB369DB30EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06AEFC58 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d66c3edf9e77595e6bcf49722f4ac8cf9ab5359c5b71e56f02b9cde6db18c88
Instruction ID: 0280ffba4d39d89321200fcc7fa4f938d7354b84898a5a638a2733f390a2d544
Opcode Fuzzy Hash: 9d66c3edf9e77595e6bcf49722f4ac8cf9ab5359c5b71e56f02b9cde6db18c88
Instruction Fuzzy Hash: 5C51D131F00109DFDB64BF78E4946ADBBB2FB89315F20886AE106DB264DB359855CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06AEF9F7 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde4e2a38266a49684353a8253cc7b229fe562fd93a7f5cd01d5374daba4e653
Instruction ID: 9e60e475c3d1f862d45e9e5c8afc168e41f7ce4f04704128aac7a5bae6c6e80d
Opcode Fuzzy Hash: cde4e2a38266a49684353a8253cc7b229fe562fd93a7f5cd01d5374daba4e653
Instruction Fuzzy Hash: 6C51D830F202058FEF64776CE97476F365ED789310F20082AE50ADB3A9CA69CC8547E2

Uniqueness

Uniqueness Score: -1.00%

Function 06AEFA08 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebfa36d0673643de37ef37a12483f0a4fe183f36bcfaa3f27322f0f88830fd5
Instruction ID: 514e0c916efe8748e91c96ad727e04408b4393c8603045591a077cc70b922d20
Opcode Fuzzy Hash: 5ebfa36d0673643de37ef37a12483f0a4fe183f36bcfaa3f27322f0f88830fd5
Instruction Fuzzy Hash: 7951EC30F202058FEF64776CD97476F365ED789710F20482AE40ADB3A9CA69CC8547E2

Uniqueness

Uniqueness Score: -1.00%

Function 06AE5598 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aceb2a5512154b07af6d3f87c67aa55682e5e65ecaff69f567b62337d5db01f
Instruction ID: c3fc648faf9bffed873bf7f36a898710253b9fe9f5a9853ca10d70f741230b34
Opcode Fuzzy Hash: 9aceb2a5512154b07af6d3f87c67aa55682e5e65ecaff69f567b62337d5db01f
Instruction Fuzzy Hash: 0A518F74E1011A9BDF64AB68D480B7EFBB2FB44318F288926E515DF281C735E891CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06AE5428 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304089be4d9a4780b54dd90e3e685378150a724ca6a194e18a5a782a2b36f272
Instruction ID: d6379bf98bd13db818512774943e29531ff5458eb24dbfd75ee507e8f57bf3c8
Opcode Fuzzy Hash: 304089be4d9a4780b54dd90e3e685378150a724ca6a194e18a5a782a2b36f272
Instruction Fuzzy Hash: B7412D71E006098FDF70DF99E880AAFF7F2EB84314F10492AD116DB654D731E9558B91

Uniqueness

Uniqueness Score: -1.00%

Function 06AED940 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce91b155c2134de27d499d35cbb4fc8b54eb0fd04914681e5db5ae0726ad35d
Instruction ID: 307f43070d924b6d37fce713b049b1ed228d15471dccd21c6372aa90348caf8d
Opcode Fuzzy Hash: 8ce91b155c2134de27d499d35cbb4fc8b54eb0fd04914681e5db5ae0726ad35d
Instruction Fuzzy Hash: 12318470E1020A9FCF24EF69D990A9EBBF5FF85300F144529E405AB754EB70E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE2080 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee31434a060f72fe687dfb62882b8af62e3e3eede242cdad4e2c28a47e21257
Instruction ID: 00f22f14f3126c6cfc11a6442963026ea16a7bd0c4d84216f29002bb4053e3a5
Opcode Fuzzy Hash: cee31434a060f72fe687dfb62882b8af62e3e3eede242cdad4e2c28a47e21257
Instruction Fuzzy Hash: 5531A334E1020A9BCB05DFA4D9957AEBBB6FF89300F108929E806EB354DB75DD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06AE2090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec614dc3685e54ab751df719ca07260d7622e581f0812ebfcd38c978330ca136
Instruction ID: d59e9d0fc130910bffd19728efd2d1413d75d2b6dba4ccd1afbe1b1e2a09efbc
Opcode Fuzzy Hash: ec614dc3685e54ab751df719ca07260d7622e581f0812ebfcd38c978330ca136
Instruction Fuzzy Hash: DA318230E102099BCB14DFA4D854BAEBBF6BF89700F108929E806EB354DB71ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0140D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1982634392.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_140d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf66a573f671c67b0559a9ffd435826e5b58db0c303183dd6194b00c642cc63
Instruction ID: 46f3c8b11623330446dfbfa79761bc215a2ae73d7c5acdbd95994d556d8d3c47
Opcode Fuzzy Hash: edf66a573f671c67b0559a9ffd435826e5b58db0c303183dd6194b00c642cc63
Instruction Fuzzy Hash: 4F312B7150D3C09FC703CB64D994611BF71AB47214F29C5EBD8898F2A3C27A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06AE3EB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f03999d0368790ac858cf19b79fb802e979c4ef12147f13d4c89d675aa7320f
Instruction ID: ac324c0d23a79845787e80a5b03257f220fc21d5cdabe95d725265ff82e5f52c
Opcode Fuzzy Hash: 4f03999d0368790ac858cf19b79fb802e979c4ef12147f13d4c89d675aa7320f
Instruction Fuzzy Hash: 51216975F116199FDF40EFA9E981AAEB7F1AF48650F10802AE905EB354EB34D8408B90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE3EA9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ba27e2a126743cada526e3b56bf43b793e12bda3d22e493730fda702117592
Instruction ID: 1c3bdc74ae18a108250c731daa48dd47b84d0cd7caec2c64bb2b5b288ad51ac2
Opcode Fuzzy Hash: 97ba27e2a126743cada526e3b56bf43b793e12bda3d22e493730fda702117592
Instruction Fuzzy Hash: EE217C75F112099FDF40DF79D951AAEBBF1AF48650F148029E905EB354EB34D801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0140D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1982634392.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_140d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c85c5a46034dc6a446e03c2e4080f842dd304985c2fc289eff2c2df931dfc7
Instruction ID: f8e971da43b59074b0e652e9b3f58e505e3ca42c7d67299882108cdbec1612a9
Opcode Fuzzy Hash: 71c85c5a46034dc6a446e03c2e4080f842dd304985c2fc289eff2c2df931dfc7
Instruction Fuzzy Hash: C82103B1904204DFCB16DF99C984B26BB65EB84318F20C57AE94D4B3A6C736D44BCA61

Uniqueness

Uniqueness Score: -1.00%

Function 06AEA2D0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e392d70f03dd54aaf1d9ca0087919bc7a0971bfbba68b3c12b21bf59399342
Instruction ID: 9c791538759e5e354db7ee2f9906e93e18f7c19740bce4a35174c27627638ac3
Opcode Fuzzy Hash: 99e392d70f03dd54aaf1d9ca0087919bc7a0971bfbba68b3c12b21bf59399342
Instruction Fuzzy Hash: 5B11E335F100154BDBA0FBADD89576EB7E6EB84724F148435F20AEB3A4EA26DC458780

Uniqueness

Uniqueness Score: -1.00%

Function 06AE3458 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02dd01f6679bc52ffb8656adae355aabee9d17df1325dac0dc48b4604cfd90a
Instruction ID: de557833dcbf068a88e72dabd99004cb77733061862ab5e434cd59ec20726b63
Opcode Fuzzy Hash: d02dd01f6679bc52ffb8656adae355aabee9d17df1325dac0dc48b4604cfd90a
Instruction Fuzzy Hash: 9A11BE71E002299FCF54EB68D9906EEB7F1FB89310F1484AAD10AEB354DA31D985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE3FC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c5a8a8cc178edae35713db96e8b914bb7475f6830f2398aa459323bb0900f4
Instruction ID: 5f251ce507d1358d61cbabe67691aee8344f92b48e6528562043c2e2318e4583
Opcode Fuzzy Hash: 39c5a8a8cc178edae35713db96e8b914bb7475f6830f2398aa459323bb0900f4
Instruction Fuzzy Hash: F711A131B104284FDF54AB69C914ABE77FAEBC8650B00453AD406EB358EE79DC028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06AE4200 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2ed50560c6c9e7a33e514601df9664710a8f6e6b8cc028e0def65a2e6810be
Instruction ID: 6897ce4962222d87cb092e42620b566ab3e71de6e11fc266ae616d7c0881fc5c
Opcode Fuzzy Hash: 4a2ed50560c6c9e7a33e514601df9664710a8f6e6b8cc028e0def65a2e6810be
Instruction Fuzzy Hash: 7701F735B004110BDB64A6BDD450B2BB7DBEBD9B20F10887AE50ADB385EE21DC034390

Uniqueness

Uniqueness Score: -1.00%

Function 06AE541B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efedd94473ca5766c2b6369ca33d235063db10862caeb870edc94f66b3e4e23d
Instruction ID: 073262ac37c19627c4404415cc628c2a9536494ba40ca915917c28d720f15ffa
Opcode Fuzzy Hash: efedd94473ca5766c2b6369ca33d235063db10862caeb870edc94f66b3e4e23d
Instruction Fuzzy Hash: 56118C72E007058FCB60DFA9EDC1AAFFBB2FF84304F14892AD11697654D731A8558B90

Uniqueness

Uniqueness Score: -1.00%

Function 06AEF168 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207065bdad87359546fc7cde24426ec9829ec803a96002aedbd4b94119be3555
Instruction ID: 61d46f2fd84c558a66b904e548fedb19a620160d223cf227afe82b5cf03df3d8
Opcode Fuzzy Hash: 207065bdad87359546fc7cde24426ec9829ec803a96002aedbd4b94119be3555
Instruction Fuzzy Hash: 4001D472B001150FCB11A6BC996476A6BE2DB89660F14882BE20ADB344EE25CC478390

Uniqueness

Uniqueness Score: -1.00%

Function 06AE3C80 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6300b3c4f5adb3755552c9d069e2128cb857932be5dd2f2c4a6a7e137c7444f
Instruction ID: 8a283b015b515e92987aa4ed8e7def64d3128f0a9adb6f542b8e559f9941c47e
Opcode Fuzzy Hash: d6300b3c4f5adb3755552c9d069e2128cb857932be5dd2f2c4a6a7e137c7444f
Instruction Fuzzy Hash: 2221CEB5D01259AFCB00DF9AD884ADEFBB4FB48324F10852AE918B7241C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06AE3C88 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573445da9565001719c49a02ca4da2738c90a6f397850c336de1680591ada602
Instruction ID: 692b21b93614d1d66fe9048f9d6b888edb0f9256a0b92abc9aeddf37ea3d44cc
Opcode Fuzzy Hash: 573445da9565001719c49a02ca4da2738c90a6f397850c336de1680591ada602
Instruction Fuzzy Hash: 9811AFB5D01259AFCB00DF9AD884ADEFBB5FB48324F10852AE918A7240C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06AE4210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1090560e6e00c69bcfb35cb2d8c8cf54b05bacf82c9bfabf6223b169e86e497
Instruction ID: 70907516a22cdc09f2b785ad039762396ddc12732f2f275fbd7ab64c7daf0ffb
Opcode Fuzzy Hash: e1090560e6e00c69bcfb35cb2d8c8cf54b05bacf82c9bfabf6223b169e86e497
Instruction Fuzzy Hash: 00018135B104110BDB64A6BD9454B2BB7DFDBD9B20F10887AE50ACB354EE62DC064395

Uniqueness

Uniqueness Score: -1.00%

Function 06AE3FB7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c94aa07d125db30aa6881f3864cbe104c1efb0ebc0f75dd4e806f1a824b70c7
Instruction ID: 8af7154eec0a6d119312aaf460b2ad08e545147ee5e6ae6a75220745ca30a3bb
Opcode Fuzzy Hash: 6c94aa07d125db30aa6881f3864cbe104c1efb0ebc0f75dd4e806f1a824b70c7
Instruction Fuzzy Hash: DE01D436F100254BDF94AAA8DD157EE73FAAF88250F044136D406E7348EF65CC1287D1

Uniqueness

Uniqueness Score: -1.00%

Function 06AEF178 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7a79526c803e1e6ca10ca3a2853639ba90b2a4014f40fa55784345ec168219
Instruction ID: 4a0d5e1e9a45dca8e1b55326e830054b977dfedd52d6853c30d65392e34b99d4
Opcode Fuzzy Hash: ad7a79526c803e1e6ca10ca3a2853639ba90b2a4014f40fa55784345ec168219
Instruction Fuzzy Hash: 5701A471B104150FDB64A67CD960B3F67D6DBC9660F10883AE20ACB344EE51DC068391

Uniqueness

Uniqueness Score: -1.00%

Function 06AEA2E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d854cb9d5ee61709654c1cdecde9b376de6373f9199ab963a6b1931e6c2cfe6f
Instruction ID: 1a914ad4961241f74be6920d19d3df88a5e49c2b3e7b71015bd9a65d7c52fac0
Opcode Fuzzy Hash: d854cb9d5ee61709654c1cdecde9b376de6373f9199ab963a6b1931e6c2cfe6f
Instruction Fuzzy Hash: 42018134B100154BDB61FB7CD465B2EB7D6EB89760F108829E60ADB354EE22EC468785

Uniqueness

Uniqueness Score: -1.00%

Function 06AEFC48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af458a690c939c36ea7cace3755f3ac4627eda6f3fdbb47380b85f8e24b4384
Instruction ID: 49be67d2d5e9a87ae95fa30db9a30a9e6bc93bcdb80c520f40bc9ffc7a648d72
Opcode Fuzzy Hash: 8af458a690c939c36ea7cace3755f3ac4627eda6f3fdbb47380b85f8e24b4384
Instruction Fuzzy Hash: 94F0F635F201155BCF64AA79A8546EEB766EBC4264F22087BED05EB340EA355C0783C1

Uniqueness

Uniqueness Score: -1.00%

Function 06AEC798 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822098d9cd42fe5272d749380cc9627b06a9d4eaaad34cd7fbf5f7efb85f7ba9
Instruction ID: 8596ab6de2e5c056353884bdb442d0aa606558755e36f445340e56b160f4cf98
Opcode Fuzzy Hash: 822098d9cd42fe5272d749380cc9627b06a9d4eaaad34cd7fbf5f7efb85f7ba9
Instruction Fuzzy Hash: 3CF0E93AF20268DBDB14AA78EC506EA7376EB84364F104426E951F7244DB315D41CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 06AEC7A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769214e84b032e21e43026525e562a6d1e6de10d789225fe9ae9be95a5067c47
Instruction ID: 933bb2631632689e51c65aa2ce7021f012f610751c106a8e2821c004974d788e
Opcode Fuzzy Hash: 769214e84b032e21e43026525e562a6d1e6de10d789225fe9ae9be95a5067c47
Instruction Fuzzy Hash: 30F0A736E202689BDB14AA65E8105DAB37AE784364F104429E911E7344DB71680087C0

Uniqueness

Uniqueness Score: -1.00%

Function 06AE6441 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d94d7882b67d17ea119d57b4c09acfd8427fabcbb60e8252ad6552572f8182a
Instruction ID: bc727d6d6e7303a99a240f6696fe1434b2f5d3306d0425c1296d9ffb327fddcf
Opcode Fuzzy Hash: 5d94d7882b67d17ea119d57b4c09acfd8427fabcbb60e8252ad6552572f8182a
Instruction Fuzzy Hash: 57E0D870E10108BBDF50EFB0CA5575EB7B8EB11204F1188E6D858DF502E532D9114781

Uniqueness

Uniqueness Score: -1.00%

Function 06AE6450 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
Instruction ID: f0f302feaa5ee191fe4b51e5c92d39b1628e8964625973fcc1af377158d3ebce
Opcode Fuzzy Hash: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
Instruction Fuzzy Hash: AAE01271E10108BBDF50EFB4CB5575E77ADD711214F2089A6D409DF201E577DA014780

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06AE7660 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06AE77D1
$kq, xrefs: 06AE7BFC
$kq, xrefs: 06AE7B5D
$kq, xrefs: 06AE77C5
$kq, xrefs: 06AE7B51
$kq, xrefs: 06AE7C12
$kq, xrefs: 06AE77A0
$kq, xrefs: 06AE7794
$kq, xrefs: 06AE7C06
$kq, xrefs: 06AE7BF0

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: 81bd0bd08a2199a4358b54b54b23321e6ab259d19f49b3b6c097bf8f4d516e7b
Instruction ID: 33c9c8704e387fd2f4eda5d2acc9b99cae3fd167fe6ae91e980519352c3ffb65
Opcode Fuzzy Hash: 81bd0bd08a2199a4358b54b54b23321e6ab259d19f49b3b6c097bf8f4d516e7b
Instruction Fuzzy Hash: FB120B30E002198FDB64EF69C954A9EB7B6BF88304F208569D509AB364DB35ED85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06AEA908 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 06AEAA0A
$kq, xrefs: 06AEAABA
$kq, xrefs: 06AEAA90
$kq, xrefs: 06AEAA65
$kq, xrefs: 06AEA9FE
$kq, xrefs: 06AEAA59
$kq, xrefs: 06AEAAC6
$kq, xrefs: 06AEAA84

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: b97c0bc676833eec374aa832f24220c575e537eb845cb25a2ad82384ad1d0f65
Instruction ID: 4925aa21ee541e5bb66010e4ff90bb38819efcaeed6af310076c74cd2e9c07b9
Opcode Fuzzy Hash: b97c0bc676833eec374aa832f24220c575e537eb845cb25a2ad82384ad1d0f65
Instruction Fuzzy Hash: C0916E30E502099FDB64FFA5D69476EBBF6BF84304F208429E5029B394DB79AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE7060 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06AE7568
$kq, xrefs: 06AE74FC
$kq, xrefs: 06AE73A8
$kq, xrefs: 06AE7342
$kq, xrefs: 06AE7574
$kq, xrefs: 06AE739C

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: b234fd6379a75976bb3a3329c1e5d903f65e1165b2ff1101fde857d467ffe6cd
Instruction ID: bfea463720b322bf763387d30f360a1906a1db8bfd37caad2db16ad39d0bb4ac
Opcode Fuzzy Hash: b234fd6379a75976bb3a3329c1e5d903f65e1165b2ff1101fde857d467ffe6cd
Instruction Fuzzy Hash: E5F16E30B00209CFDB54EFA9D554A6EB7B6BF94344F208569D4069B3A8DB35EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AE8398 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 06AE85F2
$kq, xrefs: 06AE8663
$kq, xrefs: 06AE8657
$kq, xrefs: 06AE85FE

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: b35bdc3660559b3f44dcb19f606c9a8ba01fe7d2edc4787ad1e279ae0d6229e5
Instruction ID: be21e37c7c01b72c48186c92211bf886569f31289d194dc29bb3403dfec4d92c
Opcode Fuzzy Hash: b35bdc3660559b3f44dcb19f606c9a8ba01fe7d2edc4787ad1e279ae0d6229e5
Instruction Fuzzy Hash: 39B14D30F102098FDB64EF69D55469EB7B6FF84304F248429D006AB3A8DB79DC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AE87B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$kq, xrefs: 06AE882F
$kq, xrefs: 06AE883B
LRkq, xrefs: 06AE88A3
LRkq, xrefs: 06AE88F2

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 63cf341b71d1c7d208f98eba3b91d84992296a21f234aa84f18c080debebba62
Instruction ID: 6e45da03826c80611227b270e35f785d3c98e616ba52dff827f5e5e91a50daaa
Opcode Fuzzy Hash: 63cf341b71d1c7d208f98eba3b91d84992296a21f234aa84f18c080debebba62
Instruction Fuzzy Hash: 3251AF30B002069FDB54FB68D954A6AB7F2FF88340F14856DE4069B3A9DB35EC44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AEAC93 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

$kq, xrefs: 06AEAE43
$kq, xrefs: 06AEAE6C
$kq, xrefs: 06AEADC1
$kq, xrefs: 06AEAE14

Memory Dump Source

Source File: 00000016.00000002.1994473714.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6ae0000_BjTxJte.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 0bbfad3e972b2444ca93408196f0786a49bf201260bd777e754e47d5c129d7c5
Instruction ID: c9a8a32c34c56724e4bedfc295ed5c2f8aa2e1ac35d5ac6e0638fa05a1b73854
Opcode Fuzzy Hash: 0bbfad3e972b2444ca93408196f0786a49bf201260bd777e754e47d5c129d7c5
Instruction Fuzzy Hash: 9F518F30E102098FDF64EB68D5906AEB7F2EF85311F14852AE506EB354DB34EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BjTxJte.exePID: 8172, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	168
Total number of Limit Nodes:	11

Executed Functions

Function 08AD0458 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b761f3862524f9280dd95ec38d2231d4c8f18ee55134dfaf12988feb87cd14
Instruction ID: 5d1163d65e5d20b24ecaab51b57766273d349d9f611c4d7b803c6e9ea4f95155
Opcode Fuzzy Hash: d0b761f3862524f9280dd95ec38d2231d4c8f18ee55134dfaf12988feb87cd14
Instruction Fuzzy Hash: C18122B4E05619CFCB04CFA9D980AEEFBB1FB88300F00995AD406B72A5D7349912CF58

Uniqueness

Uniqueness Score: -1.00%

Function 08AD0468 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ccc3e5c6820fac7c38f68368f356c2e3736f939e37b7e17f2c8de9bd76caea
Instruction ID: d64dc45c0909a03cfc044424c1dc48a0db1e0c19f700c9e7eec54d39050cc555
Opcode Fuzzy Hash: c2ccc3e5c6820fac7c38f68368f356c2e3736f939e37b7e17f2c8de9bd76caea
Instruction Fuzzy Hash: E08111B4E05619CFCB04CFA9D980AEEFBB1FB88300F10A55AD406B7265D7349902CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0309FA28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0309FAB6
GetCurrentThread.KERNEL32 ref: 0309FAF3
GetCurrentProcess.KERNEL32 ref: 0309FB30
GetCurrentThreadId.KERNEL32 ref: 0309FB89

Strings

aH, xrefs: 0309FA54

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: Current$ProcessThread
String ID: aH
API String ID: 2063062207-2191227055
Opcode ID: 57def838b34f901855901a0327b4c2f3fd8693d1c3e9d04ba07aa5ed4f90aff2
Instruction ID: e19227132e6f19924a0d2e183d0d2d2a72e48165a581df3586be998fd2edfda9
Opcode Fuzzy Hash: 57def838b34f901855901a0327b4c2f3fd8693d1c3e9d04ba07aa5ed4f90aff2
Instruction Fuzzy Hash: 795136B09012098FEB14DFA9D948BDEFBF1FF48314F24802AE419A7360DB759944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0309FA38 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0309FAB6
GetCurrentThread.KERNEL32 ref: 0309FAF3
GetCurrentProcess.KERNEL32 ref: 0309FB30
GetCurrentThreadId.KERNEL32 ref: 0309FB89

Strings

aH, xrefs: 0309FA54

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: Current$ProcessThread
String ID: aH
API String ID: 2063062207-2191227055
Opcode ID: 1bfa5875dea0fbfdf688cf05b06ec58bcc47a714469d69efe0d76dd65738596e
Instruction ID: d137dae9324382dceb2a1b004c0f3bd11f2aadc3382861083e12dfe6ecb7e33e
Opcode Fuzzy Hash: 1bfa5875dea0fbfdf688cf05b06ec58bcc47a714469d69efe0d76dd65738596e
Instruction Fuzzy Hash: 145146B09012098FDB14DFAAD548B9EFBF1FF48314F24802AE419A7360DB749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1570 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02ED17A6

Strings

aH, xrefs: 02ED15DA
aH, xrefs: 02ED15AB

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: CreateProcess
String ID: aH$aH
API String ID: 963392458-615657674
Opcode ID: 62e07d8be8b27e1f5925b21c8e65b1052a7a6d881768db2787a11cb124232ce4
Instruction ID: 12c0f059d9338723869e9da0598f42e89552f2c7206e965380512d4cdf646f45
Opcode Fuzzy Hash: 62e07d8be8b27e1f5925b21c8e65b1052a7a6d881768db2787a11cb124232ce4
Instruction Fuzzy Hash: 9F916A75D40219CFEB20CFA8C9417EDBBB2FF48314F1491A9E818AB250DB749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0309D397 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0309D5FE

Strings

aH, xrefs: 0309D5B7

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: HandleModule
String ID: aH
API String ID: 4139908857-2191227055
Opcode ID: 0d7212d8dc5bc2ce565056639ffede53427bf6d7506aca5049dc1124d350c307
Instruction ID: b21ba1697335f2a34ed1231f38bdee76cdd615bb1a742943719c70bff962b6bc
Opcode Fuzzy Hash: 0d7212d8dc5bc2ce565056639ffede53427bf6d7506aca5049dc1124d350c307
Instruction Fuzzy Hash: BD814470A01B058FEB64DF29D44079ABBF5FF88204F04896ED48ADBB50D734E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030958EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030959A9

Strings

aH, xrefs: 0309592C

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: Create
String ID: aH
API String ID: 2289755597-2191227055
Opcode ID: 49d5d3cde17c796c1738b447fee4bc0c27ac0ad8ad1a63718fff893044119c84
Instruction ID: d79bb7309772d5f67280118dc751bc1f73813b1deffd0da3a1de2b1f246895e3
Opcode Fuzzy Hash: 49d5d3cde17c796c1738b447fee4bc0c27ac0ad8ad1a63718fff893044119c84
Instruction Fuzzy Hash: 7A41D1B1D00619CEDF24CFAAC984BDEBBF5BF49304F24806AD408AB255DB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030944B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030959A9

Strings

aH, xrefs: 0309592C

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: Create
String ID: aH
API String ID: 2289755597-2191227055
Opcode ID: 6b63a3b1d5228afaa3f1d7910753b9767d4f23cdc255d482a3f46bdee04c1bcb
Instruction ID: 4bda398609fd49d7baa1ff4f7a38d99f48489272e491aabf08fe4683e6911b28
Opcode Fuzzy Hash: 6b63a3b1d5228afaa3f1d7910753b9767d4f23cdc255d482a3f46bdee04c1bcb
Instruction Fuzzy Hash: 4941BEB0C0471DCBDB24DFAAC984A9EBBF5BF49304F24806AD408AB255DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0EE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02ED0F78

Strings

aH, xrefs: 02ED0F07

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: aH
API String ID: 3559483778-2191227055
Opcode ID: fd901803eaac21efca2ff501549a0d702cd62cd2ca7fd88e9bb44151e65ac8bd
Instruction ID: d4494d74991e4ae5cdc0d88cb07392bbec2673a63214e854be0e06edfe28e9eb
Opcode Fuzzy Hash: fd901803eaac21efca2ff501549a0d702cd62cd2ca7fd88e9bb44151e65ac8bd
Instruction Fuzzy Hash: D12169B1900319DFCB10CFAAC981BDEBBF5FF48324F108429E958A7250C7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0D48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02ED0DCE

Strings

aH, xrefs: 02ED0D6C

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: ContextThreadWow64
String ID: aH
API String ID: 983334009-2191227055
Opcode ID: 1cf680e2e6e034923e065343fa630e9fda9da80c1ebc18d1a01d1f1dd3278754
Instruction ID: 7a8e6597bad84b5e5a80eb6a207e1d0495cce894ee18311aad4c544a9b29aa1f
Opcode Fuzzy Hash: 1cf680e2e6e034923e065343fa630e9fda9da80c1ebc18d1a01d1f1dd3278754
Instruction Fuzzy Hash: 3B2159719003088FCB10DFADC5857EEBFF5AF88324F14842AD499A7241C7789946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0309FC78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0309FD07

Strings

aH, xrefs: 0309FC9F

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: DuplicateHandle
String ID: aH
API String ID: 3793708945-2191227055
Opcode ID: c09d9f5c80b733cb2bbb81e5e90001a1c495d50a3fcbdce09935e50c42174caf
Instruction ID: 091b08d35e2862ddcc5052cc8c2b998eaf9e68bf3a9036e915972a441b1c0f6e
Opcode Fuzzy Hash: c09d9f5c80b733cb2bbb81e5e90001a1c495d50a3fcbdce09935e50c42174caf
Instruction Fuzzy Hash: A421E3B5901219AFDB10CFAAD984ADEFFF9FB48310F14841AE958A3310D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0FD1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02ED1058

Strings

aH, xrefs: 02ED0FF7

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: MemoryProcessRead
String ID: aH
API String ID: 1726664587-2191227055
Opcode ID: a0f217758c6a9f3bc61e520bbb99bad63b8513e3176bea61371a086547a179d8
Instruction ID: 8d382991b92e02dd06f93514bf4ad7cbd82be546373842abc78e846bb703f09f
Opcode Fuzzy Hash: a0f217758c6a9f3bc61e520bbb99bad63b8513e3176bea61371a086547a179d8
Instruction Fuzzy Hash: 3A2159B1900359DFCB10DFA9C980BEEBBF5FF48310F10842AE559A7250C7389941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0FD8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02ED1058

Strings

aH, xrefs: 02ED0FF7

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: MemoryProcessRead
String ID: aH
API String ID: 1726664587-2191227055
Opcode ID: b0a02cedce406da8c850e992afa315d848957ef3d5cf753920f27b1c93878217
Instruction ID: b94b3c6624828f54cc221bfdb1788f508b6b4518035d9ebe7e1e021cb51f5bf7
Opcode Fuzzy Hash: b0a02cedce406da8c850e992afa315d848957ef3d5cf753920f27b1c93878217
Instruction Fuzzy Hash: B42125B1900359DFCB10DFAAC981BEEBBF5FF48320F50842AE558A7250C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0D50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02ED0DCE

Strings

aH, xrefs: 02ED0D6C

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: ContextThreadWow64
String ID: aH
API String ID: 983334009-2191227055
Opcode ID: 12dc34797d099e854b5b955834755afd23daa15c9b600ad677b5897d6ddf5133
Instruction ID: 88114f3c373fb0f41caee1bb4cc75614af8f076673a973c37fa7d646667eda95
Opcode Fuzzy Hash: 12dc34797d099e854b5b955834755afd23daa15c9b600ad677b5897d6ddf5133
Instruction Fuzzy Hash: 1C2147B19003098FDB10DFAAC5857EEBBF4EF88324F14C42AD459A7241CB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0309FC80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0309FD07

Strings

aH, xrefs: 0309FC9F

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: DuplicateHandle
String ID: aH
API String ID: 3793708945-2191227055
Opcode ID: 14513847e9e7b01760f5f23666e2d689c55e0ca695d0db71aecf677f021358da
Instruction ID: ba5934f477f1aa88578a31c238da0713c1f445b437fa5ffcbe78f02e9658f096
Opcode Fuzzy Hash: 14513847e9e7b01760f5f23666e2d689c55e0ca695d0db71aecf677f021358da
Instruction Fuzzy Hash: C221E2B5901219DFDB10CFAAD984ADEFFF9EB48320F14841AE918A3310D374A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0E20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02ED0E96

Strings

aH, xrefs: 02ED0E3F

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: AllocVirtual
String ID: aH
API String ID: 4275171209-2191227055
Opcode ID: 27654589bd7216395603cda93d31659987f9e6de28aa070ff52245506e19dcdf
Instruction ID: 0693d47746b70bc7487c67587f4480bae23fbd353f3ac5f8e01c7b3ace8a6fb2
Opcode Fuzzy Hash: 27654589bd7216395603cda93d31659987f9e6de28aa070ff52245506e19dcdf
Instruction Fuzzy Hash: 291144729002488FCB10DFA9C945BEEBFF6EF88320F248819E459A7260C7359955CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0309C768 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0309D679,00000800,00000000,00000000), ref: 0309D88A

Strings

aH, xrefs: 0309D83F

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: LibraryLoad
String ID: aH
API String ID: 1029625771-2191227055
Opcode ID: 00cbe9eb921492aa1524e9a8b5036f8050c1c3118dbd9ebef8aaf94068c3b72d
Instruction ID: f586e90aea4eab167a9166499a74ac12c01bd88bdc5891e67ba04c96108edffa
Opcode Fuzzy Hash: 00cbe9eb921492aa1524e9a8b5036f8050c1c3118dbd9ebef8aaf94068c3b72d
Instruction Fuzzy Hash: 401123B6D003089FDB10CF9AC948BDEFBF4EB48320F14846AE519A7211C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0E28 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02ED0E96

Strings

aH, xrefs: 02ED0E3F

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: AllocVirtual
String ID: aH
API String ID: 4275171209-2191227055
Opcode ID: c8e897afb43d8de13dd7cb112cd0dcedf6ff823d5295e33633a641d49aaa77df
Instruction ID: d95758e39144d063771a7285428394c9f5532a9dc71b0302a66d6a841453f3dc
Opcode Fuzzy Hash: c8e897afb43d8de13dd7cb112cd0dcedf6ff823d5295e33633a641d49aaa77df
Instruction Fuzzy Hash: B61156729002488FCB10DFAAC945BDFBFF5EB48320F148819E559A7260C735A540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0309D819 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0309D679,00000800,00000000,00000000), ref: 0309D88A

Strings

aH, xrefs: 0309D83F

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: LibraryLoad
String ID: aH
API String ID: 1029625771-2191227055
Opcode ID: c94f7cf60c2ec7ef3e4ccb6a84a6b2274b3bf8e340bc74eb189d98a481d676d9
Instruction ID: 5eaa64bb9d8a88c0831dbbd16cf486957256d117aaf4b6c80174dc34ccf81f0a
Opcode Fuzzy Hash: c94f7cf60c2ec7ef3e4ccb6a84a6b2274b3bf8e340bc74eb189d98a481d676d9
Instruction Fuzzy Hash: EA1120B6D003088FDB10CF9AC944BDEFBF4AB48320F14842AD819B7621C379A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0861 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02ED08CA

Strings

aH, xrefs: 02ED087F

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: ResumeThread
String ID: aH
API String ID: 947044025-2191227055
Opcode ID: d0cd9577616ff484476e9d77de0342312fb2c94669efd1bd53a3db4db85b22f8
Instruction ID: 6be5dd5f10ae1490de5b8d81b3589a504d9cf26df1940ae3f4ebbc843ac877fa
Opcode Fuzzy Hash: d0cd9577616ff484476e9d77de0342312fb2c94669efd1bd53a3db4db85b22f8
Instruction Fuzzy Hash: 7C1158B1D003488FCB20DFAAC5857EEFBF5EB88324F248829C459A7250C779A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0868 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02ED08CA

Strings

aH, xrefs: 02ED087F

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: ResumeThread
String ID: aH
API String ID: 947044025-2191227055
Opcode ID: 64812d31bf8c24f5a01109e0bfddfcfd0250e54ebcbc965971b2e230adf0f2ad
Instruction ID: 87f9cda19e704c92455f8d46d1bc9185532c560d579d60f7fa0d735f25e080f1
Opcode Fuzzy Hash: 64812d31bf8c24f5a01109e0bfddfcfd0250e54ebcbc965971b2e230adf0f2ad
Instruction Fuzzy Hash: 1E1136B1D003498FCB20DFAAC5457DEFBF8EB88324F248829D459A7250CB75A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0309D598 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0309D5FE

Strings

aH, xrefs: 0309D5B7

Memory Dump Source

Source File: 00000019.00000002.2002799019.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_3090000_BjTxJte.jbxd

Similarity

API ID: HandleModule
String ID: aH
API String ID: 4139908857-2191227055
Opcode ID: 9059e2be930bc7b413a829793600373ed715cb21aad4db648dcf23ecbba5a94a
Instruction ID: b01e6770c6bf9e5b245e5920d321683f51c6204dbed24de734883d34ee025048
Opcode Fuzzy Hash: 9059e2be930bc7b413a829793600373ed715cb21aad4db648dcf23ecbba5a94a
Instruction Fuzzy Hash: B311E0B6C003498FDB10DF9AC544ADEFBF4AB89324F14842AD459A7210D375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1278 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02ED4AFD

Strings

aH, xrefs: 02ED4ABA

Memory Dump Source

Source File: 00000019.00000002.2002489786.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ed0000_BjTxJte.jbxd

Similarity

API ID: MessagePost
String ID: aH
API String ID: 410705778-2191227055
Opcode ID: 73adac6086ef62189c6331b816e8a1b9284634f96082a4e746c55647ba8ea83f
Instruction ID: 01ac528c9369a28672946a2ec355ca1cb280e7413ca018ecf2a498780487c795
Opcode Fuzzy Hash: 73adac6086ef62189c6331b816e8a1b9284634f96082a4e746c55647ba8ea83f
Instruction Fuzzy Hash: 511133B5900348DFCB20DF8AD985BDEBBF8EB58320F10841AE518A7240D375A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 08AD62B0 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

aH, xrefs: 08AD681F

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: aH
API String ID: 0-2191227055
Opcode ID: 1572b5bfb75dc24b5789ce4ccd931043670bd8b134e77bc0553203c2980644c9
Instruction ID: edb0a3e172fb17e0b1f654ee19f47e743b1f1e4acf1d9a005645fe991773e0cb
Opcode Fuzzy Hash: 1572b5bfb75dc24b5789ce4ccd931043670bd8b134e77bc0553203c2980644c9
Instruction Fuzzy Hash: 5C910270A00314DFDB008F68D944BAEBBB5FB65706F04406AE503EBA92D7358C82CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4DF0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08AD4F51

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: ad746bed3f336d1f8f4603d718d45e949fb67bce7886ce49af2f0501e5cf57ef
Instruction ID: 2193302573fe65582a387fb7dd2baa3e2e6b9d1e9279a91c737489b838bb583d
Opcode Fuzzy Hash: ad746bed3f336d1f8f4603d718d45e949fb67bce7886ce49af2f0501e5cf57ef
Instruction Fuzzy Hash: 9941BF35B013158FCB01DFB998449AEBBF6FFC82617248529E416DB3A1EB30DD068790

Uniqueness

Uniqueness Score: -1.00%

Function 08AD41B8 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

aH, xrefs: 08AD523B

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: aH
API String ID: 0-2191227055
Opcode ID: 3dbd2363c573cff1fd749112ee3296b7bb265d20fdd1a5bf0fa3381396737308
Instruction ID: e0c7ce8429f93a6a168d0f287ab7e2108d1daa4114f171427e317c3262538677
Opcode Fuzzy Hash: 3dbd2363c573cff1fd749112ee3296b7bb265d20fdd1a5bf0fa3381396737308
Instruction Fuzzy Hash: 3F410FB1C00349DFDB20DFA9C584A8EBBB5BF48304F24842AD409AB215D7B56A89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08AD41C4 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

aH, xrefs: 08AD523B

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: aH
API String ID: 0-2191227055
Opcode ID: 533b6efc468be58819bb5ccc708672692cb6abc348872bec56d512f2b475da03
Instruction ID: 7ab96123a33dcef965ef7d7e3d787332df32e9728e3aa5e42d00b8c013a8df1e
Opcode Fuzzy Hash: 533b6efc468be58819bb5ccc708672692cb6abc348872bec56d512f2b475da03
Instruction Fuzzy Hash: BB41E2B1D00309DFDB20DFA9C584ADEBBB5BF48305F64842AD409BB215D7B56A49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08ADA9D8 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08ADAA89

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: efbb91059041a673314220e12c678ef5ce4db572de514e3a5b1e2b74661fa21f
Instruction ID: eb29243e9ab2ad6f44f346588357250f65eef9d4bc4d1d016d2eba12ee7a6662
Opcode Fuzzy Hash: efbb91059041a673314220e12c678ef5ce4db572de514e3a5b1e2b74661fa21f
Instruction Fuzzy Hash: 9C31F674E043588FDB04CFAAC954BEEBBB6BF89301F10812AD41AAB765DB745906CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08ADA9E8 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08ADAA89

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: b8e49ec3cffbc2e6a3780b934dab87d0fa187de6cea8a6df95d34050bde9c653
Instruction ID: eb6505f18266ab84db546f80bf0a008335a0d690fbabeb2e7c3e1101b5ad0c5e
Opcode Fuzzy Hash: b8e49ec3cffbc2e6a3780b934dab87d0fa187de6cea8a6df95d34050bde9c653
Instruction Fuzzy Hash: 5C31C474E043188FDB04DFAAC9547AEBBB6BF89701F109129D81AAB754DB746906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4F94 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

aH, xrefs: 08AD4FC5

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: aH
API String ID: 0-2191227055
Opcode ID: a6db656b2487efa88754b6c0a182caeb82441f5952a21d14669a54f2ee536a57
Instruction ID: f570906ae9b274e5dc0a5f6f85018069d016da1b0a8eed7a504d5f0ffb9c733c
Opcode Fuzzy Hash: a6db656b2487efa88754b6c0a182caeb82441f5952a21d14669a54f2ee536a57
Instruction Fuzzy Hash: 2331D1B0C01358DFDB20DF99D588BDEBFB4AB48314F24805AE409BB651C7B95885CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4194 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

aH, xrefs: 08AD4FC5

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: aH
API String ID: 0-2191227055
Opcode ID: f2acf1de4ec6d621ba7564e71cf84a9403383f01bb5fbee9567342423a456fe7
Instruction ID: 95c3b3f15c04503a052825cf335b029f88d9850076aeb9b2bc4777218983e801
Opcode Fuzzy Hash: f2acf1de4ec6d621ba7564e71cf84a9403383f01bb5fbee9567342423a456fe7
Instruction Fuzzy Hash: 1F31E0B0C01318DFDB20DF99C588BCEBFF4AB08314F24845AE409BB650C7B95885CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 08AD20E0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08AD214B

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: b8def17f040df53025026304fa65512deb13d211b73fbcf778049c6070d78c8c
Instruction ID: 5e066052a2b042f055cbe377306c0ad691a4716d77d259a1c8ed8045a7a73500
Opcode Fuzzy Hash: b8def17f040df53025026304fa65512deb13d211b73fbcf778049c6070d78c8c
Instruction Fuzzy Hash: AF115E71B0031A8BCB18EBB999006EFB7B6AF89211F104079D515E7354EB359E11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4CA4 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

aH, xrefs: 08AD681F

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: aH
API String ID: 0-2191227055
Opcode ID: 78d28e5d6e946a0a7bcc1786d0c30c235b326a0ec580aeaeffcb49d868bd44a2
Instruction ID: d07ae734eaeae10a471ced6a93ed8cbdb745de4cf0069ec36290b887b24ad1dc
Opcode Fuzzy Hash: 78d28e5d6e946a0a7bcc1786d0c30c235b326a0ec580aeaeffcb49d868bd44a2
Instruction Fuzzy Hash: 3D2112B6900349DFCB10DF9AD984BDEBBF4FB48320F10842AE919A7210D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08AD41A0 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

aH, xrefs: 08AD5812

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: aH
API String ID: 0-2191227055
Opcode ID: f3b1e82d7327f66cf373a4e2270dc14f6b3e8fe5c82e26ce002a0702831b699d
Instruction ID: 878c2f8c33cddd772f32507524c67d66ee3df00b3037179e797db058db2d4f41
Opcode Fuzzy Hash: f3b1e82d7327f66cf373a4e2270dc14f6b3e8fe5c82e26ce002a0702831b699d
Instruction Fuzzy Hash: DD11E0B59003488FCB20DF9AD584B9EBBF4EB48320F20841AE569A7610D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08ADAAAD Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08ADAABD

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 4e2c45d136963336e5cb17ae05165d13f58a5c947a857b9ad5626793687aed55
Instruction ID: d7ed4c7c36819ab38fc45a0fa657fc9e016591cb4c5c6a7bc11862d0fa36c8ce
Opcode Fuzzy Hash: 4e2c45d136963336e5cb17ae05165d13f58a5c947a857b9ad5626793687aed55
Instruction Fuzzy Hash: 75118075E00209CFCB04DFE8C8809ADFBB2FB88310F20812AD918AB355C6316956DF50

Uniqueness

Uniqueness Score: -1.00%

Function 08ADC42B Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

@, xrefs: 08ADC440

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2bff64661f68eb92610a8876f600a8e81bcc37af843c82a8b4e68a53b9b1db6f
Instruction ID: de402619f0b513b3d5dc71eaa2fc4bfc2e36b9839a05d88345e150699297728a
Opcode Fuzzy Hash: 2bff64661f68eb92610a8876f600a8e81bcc37af843c82a8b4e68a53b9b1db6f
Instruction Fuzzy Hash: 42E0DFB5D4C384DBD701CB20C4A87E4BF7AEB5B602F08A098D84E4E687E7388003CB00

Uniqueness

Uniqueness Score: -1.00%

Function 08ADAC16 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7739f6ed2201001773354fe2a895bb56569d08d4141bcd244dfca36f10c53f72
Instruction ID: db5e972612c23847f591c8d1bdfe764933f719d61bcbae380c06039ed9d36cc9
Opcode Fuzzy Hash: 7739f6ed2201001773354fe2a895bb56569d08d4141bcd244dfca36f10c53f72
Instruction Fuzzy Hash: 0AA10774E0421ACFCB44DBA8C9406EDBBB6FF89301F10D629D81AAB755DB30A946CB54

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4C44 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4305e3a3a9f39b8cfc9a49b74ac24384ffc6684752e0f3042672844e57aeee4a
Instruction ID: 34424cc9cf077538b566e3e1cf0fa37538d7e1c378382596790eae019d3e2adb
Opcode Fuzzy Hash: 4305e3a3a9f39b8cfc9a49b74ac24384ffc6684752e0f3042672844e57aeee4a
Instruction Fuzzy Hash: 29415676E09348AFCB01DB75DD40BEE7FB5EF96201B1445ABE406EF612D6309A06C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 08AD0039 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b292e5c2f6e8b3e510bb78ddff45cbf98b729a7102f58570a57ff060b9755f7
Instruction ID: aa0e74a29577557b739bb3090820f624a708dcf6562179a25f2b888a4d1b0771
Opcode Fuzzy Hash: 9b292e5c2f6e8b3e510bb78ddff45cbf98b729a7102f58570a57ff060b9755f7
Instruction Fuzzy Hash: 54415D75E0020ADFCB44CF95D841AEEFBB2FB88311F14952AE506B7364D7749A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08AD0040 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50b079b23bd037af71733a89d9920dda586e6a34a7c691e5d1f3b7f36432012
Instruction ID: 448bb088d6b0dd607898cc398946a1ae061e9ab73c4644adeba5ed95cedd478f
Opcode Fuzzy Hash: c50b079b23bd037af71733a89d9920dda586e6a34a7c691e5d1f3b7f36432012
Instruction Fuzzy Hash: 74415C74E0020ADFCB44CF96D8419EEFBB2FB89311F10952AE506A7364D7749A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08ADAB4A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2eb1c37fe2860c6205be3456a432d836883bbd33f840d014fd6c787dfe0c55f
Instruction ID: 8c877887ac46c567e3befe1a12ac7b656d4e75dac8cf609ec61375aba96d2e1a
Opcode Fuzzy Hash: c2eb1c37fe2860c6205be3456a432d836883bbd33f840d014fd6c787dfe0c55f
Instruction Fuzzy Hash: 31310774E05229DFCF04CFA8D984AEDBBB6FF49706F209559E416AB621D731A906CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0165D110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2001880214.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_165d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6b09206445854ff9f0de1cd4189fd077dfe5279254199d6950066d698987e1
Instruction ID: c00d647d871c5b36e4406f28451f7a0e7c5293efba1f4b584aeb5d97eb6d4b61
Opcode Fuzzy Hash: 2a6b09206445854ff9f0de1cd4189fd077dfe5279254199d6950066d698987e1
Instruction Fuzzy Hash: AA210071604200DFDB65DF58DDC0B2BBF66FB98315F208169ED094B396C336D856CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0166D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2001956078.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_166d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ca39537fe0c918161defa9eaafc41cbf19919544b6d165377695f57f6d720b
Instruction ID: b2053659ec1d9d975fe491a0d63dfcfc19f1c2727d61096ba76b225cc2b7277b
Opcode Fuzzy Hash: 82ca39537fe0c918161defa9eaafc41cbf19919544b6d165377695f57f6d720b
Instruction Fuzzy Hash: 10210471644200EFDB05DF98D9C0B26BBADFB84324F24C56DDA894B396C376D846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0166D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2001956078.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_166d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612c499ff0c3b2fcfc5b8495172702bbb6081d6fb537be17e6dfef6e6817be60
Instruction ID: 9f611dfdd4a897deeccf787878313c776c85289c2cf5ed943194479eb93893e5
Opcode Fuzzy Hash: 612c499ff0c3b2fcfc5b8495172702bbb6081d6fb537be17e6dfef6e6817be60
Instruction Fuzzy Hash: 7D212271604240DFCB15DF58D984B26BFA9EB88314F20C56DE88A4B396C33BD847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0165D10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2001880214.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_165d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 327094963b4df779ecc760577ec13a347fd88d9f94919d7c3dfac7ca9172f56f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5E11CA72504280CFDB12CF44D9C4B16BF62FB84324F24C2A9DD094B6A6C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0166D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2001956078.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_166d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 54633054939c70a19e77b29e36898298e4e1d0ba9ecc0fd66c305019e5a32999
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: AD11D075604240DFDB02CF54D9C4B15BF65FB84324F24C6AAD9494B356C33AD40ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0166D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2001956078.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_166d000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 5b89551a8a3db1d218a4fc84090697ee0266ae43f4183a1725a49c9d517c9834
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: AA118E75604280DFDB16CF54D9C4B15BF61FB84314F24C6AAD8494B756C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 08ADAA70 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440a4a08009072d379b078a6c7220423f2c30785244769fafe239864fb35c256
Instruction ID: ade81f09b016ca6278fab52cd3d220bad56bb40b325c3cb0010bd48c279e48ec
Opcode Fuzzy Hash: 440a4a08009072d379b078a6c7220423f2c30785244769fafe239864fb35c256
Instruction Fuzzy Hash: 3711E378A093588FCB40DFA8C454A9DBBB6FF4A705F109159D81AAF75ADB386C06CF01

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4C80 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a1c19a02f03da42a7d22de45fbb7bdd03f613e928175ce0121210cab26b9aa
Instruction ID: 86d0404cc458d3c82b2588f44af1aa48e33b0a2a1a592606ef13001541503d47
Opcode Fuzzy Hash: 32a1c19a02f03da42a7d22de45fbb7bdd03f613e928175ce0121210cab26b9aa
Instruction Fuzzy Hash: B601A2326052186FCB01EF6ED8509EE7FEADFC5314704C0A6E545DB225D630D8058B98

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4C94 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e72fddc4e34e3079b9102cf81b8a43517b9f37897de64b981a1764cdeb4981f
Instruction ID: 01914a2fb13d15030f2874cf2168300949d4888bb98e983646786ba599eab9f3
Opcode Fuzzy Hash: 2e72fddc4e34e3079b9102cf81b8a43517b9f37897de64b981a1764cdeb4981f
Instruction Fuzzy Hash: BFF096766012086FCB04DF5ADC40DAEBBFAEFD8750704C476E915DB314D631D9118B94

Uniqueness

Uniqueness Score: -1.00%

Function 08ADE1A7 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b6214bbadec211843443f2b2fa1cccee1e91410b108f28adc256ce7208e138
Instruction ID: e3f6bba098c179e32f029a5c38185a8c9c8ac1690d8101846eae9e005471a906
Opcode Fuzzy Hash: e7b6214bbadec211843443f2b2fa1cccee1e91410b108f28adc256ce7208e138
Instruction Fuzzy Hash: E6F06D34A45348CFCB04DFA9D94469CBBBAFB84701F209625D806EF769DB345D06CB40

Uniqueness

Uniqueness Score: -1.00%

Function 08ADE18F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd8d3ca7bab64a139f7eb306560c668bb89e00c9dcce375d4daaaaa4f705441
Instruction ID: 346556cca700d441e87766eb7f06cc96b4cc58837e031e3ce094f70e4fd6d534
Opcode Fuzzy Hash: 2fd8d3ca7bab64a139f7eb306560c668bb89e00c9dcce375d4daaaaa4f705441
Instruction Fuzzy Hash: CCF05E30A493488FCB44DF98C944A9CBBB5FF55341F105665D81AEF79AC7355906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4C18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6427defb2355e221a38a92c2a09fe3c54f3f6b300e7b62a58f7fd847546bbb9f
Instruction ID: 8c3dfc55dc9dd73a0f6a710676e5731750e03498b72c856e6b8743568a653649
Opcode Fuzzy Hash: 6427defb2355e221a38a92c2a09fe3c54f3f6b300e7b62a58f7fd847546bbb9f
Instruction Fuzzy Hash: C3E0EC2509E7D05DD2036B3C89645997F60DE53618B1948D7D1C58A067C454849DC39F

Uniqueness

Uniqueness Score: -1.00%

Function 08AD20A9 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe54859ac5bf1dc0528a6e0df00dba7985c7d8fbdb4752cbd73950fcf9df00d
Instruction ID: cb1a19cabbe0c67015734257c84ad834a5899e315acc8f7834f7607788739f17
Opcode Fuzzy Hash: dbe54859ac5bf1dc0528a6e0df00dba7985c7d8fbdb4752cbd73950fcf9df00d
Instruction Fuzzy Hash: C8D0123600E3446FD703A7609D80C72BF75FB5221835542A3F080C6032C2178D28DB72

Uniqueness

Uniqueness Score: -1.00%

Function 08ADC155 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f6de38256d2744718dc37b18408a41a09ec7da2b46aec8618ee26218072bfb
Instruction ID: c35948eed25e8facd4b512272600e7aaf524352029b4f5896bf1be089c69cca2
Opcode Fuzzy Hash: f5f6de38256d2744718dc37b18408a41a09ec7da2b46aec8618ee26218072bfb
Instruction Fuzzy Hash: 1BD01730808259CBC714DB99DC046BDB339EB9A332F809695802FA2A958B304841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 08ADA040 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bcc925230a60fe4ad9a351a58a5a46839244a97eb358bdfe1b350d731e8f4d
Instruction ID: efe7414cff60a3ff9bd646a0d36bb14187fac2ef1dadc1f67f664a3c84ef217f
Opcode Fuzzy Hash: 45bcc925230a60fe4ad9a351a58a5a46839244a97eb358bdfe1b350d731e8f4d
Instruction Fuzzy Hash: E5C08C300417088FC6003BD8B81C3247768E710306F405818A00944C528F745042C761

Uniqueness

Uniqueness Score: -1.00%

Function 08AD4C34 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2027537236.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_8ad0000_BjTxJte.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38ec2191d6291e19504f1e26bc5d07ada4c7079976c4454f1416c29183b0b14
Instruction ID: 0fefc41293736d0e979c5ee9c2ea0c2e8bd7b38e48bba3bda49e302cacd7eb16
Opcode Fuzzy Hash: d38ec2191d6291e19504f1e26bc5d07ada4c7079976c4454f1416c29183b0b14
Instruction Fuzzy Hash: 61B012791DA305B1C40027644AC0B2AE630EBB9B02F909C22F307D0414C8319476D11F

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BKG#SGN2106728.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BKG#SGN2106728.PDF.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BjTxJte.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eDnxmGWzJ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1p2awkjv.ak2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hvnzv503.kgs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kokkn5tx.1eq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_moeippkc.0oq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spio0q4i.pq1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tmrbabsa.hh2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdp1yt0x.gcn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yv1yxft0.g02.psm1

C:\Users\user\AppData\Local\Temp\tmp5779.tmp

Windows Analysis Report
BKG#SGN2106728.PDF.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre