Edit tour

Windows Analysis Report
1iO53raUh69l6nV.exe

Overview

General Information

Sample name:	1iO53raUh69l6nV.exe
Analysis ID:	1428885
MD5:	99fa062716a6d9165bfffcc4785b0b2e
SHA1:	ec14cebd52752062cf64162b31ae37871daaeb88
SHA256:	7875849482751dfe7a259d0ffb80345bd55c879df7b69074fde58355746ba077
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

1iO53raUh69l6nV.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\1iO53raUh69l6nV.exe" MD5: 99FA062716A6D9165BFFFCC4785B0B2E)

1iO53raUh69l6nV.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\1iO53raUh69l6nV.exe" MD5: 99FA062716A6D9165BFFFCC4785B0B2E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "jb@hargeisawateragancy.com", "Password": "cVRkXnN1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2472852502.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x320af:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32121:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x321ab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3223d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x322a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32319:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x323af:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3243f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.1iO53raUh69l6nV.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.1iO53raUh69l6nV.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.1iO53raUh69l6nV.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33eaf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33f21:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33fab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3403d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x340a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34119:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x341af:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3423f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x320af:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32121:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x321ab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3223d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x322a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32319:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x323af:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3243f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33eaf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33f21:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33fab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3403d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x340a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34119:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x341af:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3423f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xc24cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xc2541:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xc25cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xc265d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xc26c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xc2739:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xc27cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xc285f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33eaf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f4cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33f21:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f541:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33fab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f5cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3403d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f65d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x340a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f6c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34119:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f739:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x341af:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f7cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3423f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f85f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x150cef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x150d61:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x150deb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x150e7d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x150ee7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x150f59:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x150fef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x15107f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\1iO53raUh69l6nV.exe, Initiated: true, ProcessId: 7712, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49704

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "jb@hargeisawateragancy.com", "Password": "cVRkXnN1"}

Multi AV Scanner detection for submitted file

Source: 1iO53raUh69l6nV.exe

ReversingLabs: Detection: 23%

Machine Learning detection for sample

Source: 1iO53raUh69l6nV.exe

Joe Sandbox ML: detected

Source: 1iO53raUh69l6nV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1iO53raUh69l6nV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RZSu.pdb source: 1iO53raUh69l6nV.exe
Source:	Binary string: RZSu.pdbSHA256 source: 1iO53raUh69l6nV.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.223:587

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View	IP Address: 208.91.199.224 208.91.199.224

Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.223:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2472852502.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, 1iO53raUh69l6nV.exe, 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, cPKWk.cs	.Net Code: PWYyNOa
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, cPKWk.cs	.Net Code: PWYyNOa

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.2.1iO53raUh69l6nV.exe.4b70000.4.raw.unpack, LoginForm.cs

Large array initialization: : array initializer size 33603

.NET source code contains very large strings

Source: 1iO53raUh69l6nV.exe, Frm_Initialize.cs

Long String: Length: 127053

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_0230DC74	1_2_0230DC74
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32030	1_2_04F32030
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32020	1_2_04F32020
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F341E8	1_2_04F341E8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F341D9	1_2_04F341D9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F302E0	1_2_04F302E0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F302D1	1_2_04F302D1
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32EE8	1_2_04F32EE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32ED9	1_2_04F32ED9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33491	1_2_04F33491
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F39768	1_2_04F39768
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F39758	1_2_04F39758
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F310A0	1_2_04F310A0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31190	1_2_04F31190
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F35150	1_2_04F35150
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F35141	1_2_04F35141
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F3B288	1_2_04F3B288
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F3B278	1_2_04F3B278
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33258	1_2_04F33258
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33248	1_2_04F33248
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33ED0	1_2_04F33ED0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33EC0	1_2_04F33EC0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31E39	1_2_04F31E39
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31AB1	1_2_04F31AB1
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_090639C8	1_2_090639C8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09064808	1_2_09064808
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09062311	1_2_09062311
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09062320	1_2_09062320
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09068BF8	1_2_09068BF8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09063E00	1_2_09063E00
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09061EE8	1_2_09061EE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEDB57	2_2_00CEDB57
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEA068	2_2_00CEA068
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEBB58	2_2_00CEBB58
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02834A98	2_2_02834A98
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02839BF2	2_2_02839BF2
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02833E80	2_2_02833E80
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_0283CE98	2_2_0283CE98
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_028341C8	2_2_028341C8

Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1240206329.0000000007FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1235745210.0000000002703000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000000.1221429388.00000000000E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRZSu.exe: vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1238927547.0000000004B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2470990729.00000000007E9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2470688902.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe	Binary or memory string: OriginalFilenameRZSu.exe: vs 1iO53raUh69l6nV.exe

Source: 1iO53raUh69l6nV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 1iO53raUh69l6nV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/4

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1iO53raUh69l6nV.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Mutant created: NULL

Source: 1iO53raUh69l6nV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1iO53raUh69l6nV.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1iO53raUh69l6nV.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File read: C:\Users\user\Desktop\1iO53raUh69l6nV.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 1iO53raUh69l6nV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1iO53raUh69l6nV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 1iO53raUh69l6nV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RZSu.pdb source: 1iO53raUh69l6nV.exe
Source:	Binary string: RZSu.pdbSHA256 source: 1iO53raUh69l6nV.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 1iO53raUh69l6nV.exe, Frm_Initialize.cs	.Net Code: InitializeComponent
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.4b70000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])

Source: 1iO53raUh69l6nV.exe

Static PE information: 0x9A6EEF3E [Wed Feb 7 23:31:10 2052 UTC]

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F30BE7 pushad ; retf	1_2_04F30BE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F30BDD pushad ; retf	1_2_04F30BDE
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE4CB0 pushfd ; iretd	2_2_00CE4CB9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE12D0 push ecx; iretd	2_2_00CE12DA
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE12BF push ecx; iretd	2_2_00CE12CA
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02839B40 push eax; retf 02A0h	2_2_02839BF1

Source: 1iO53raUh69l6nV.exe

Static PE information: section name: .text entropy: 7.246440036496841

Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 4470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 57A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 67A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 68D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 78D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 8060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 9090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: A090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: B090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Window / User API: threadDelayed 1848			Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Window / User API: threadDelayed 8011			Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7836	Thread sleep count: 1848 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7836	Thread sleep count: 8011 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97012s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96900s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94608s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99436	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98997	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98780	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98230	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97233	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97012	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96900	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96686	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96356	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96030	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95155	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94608	Jump to behavior

Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2471164684.0000000000C34000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Memory written: C:\Users\user\Desktop\1iO53raUh69l6nV.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"

Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Users\user\Desktop\1iO53raUh69l6nV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Users\user\Desktop\1iO53raUh69l6nV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1iO53raUh69l6nV.exe	24%	ReversingLabs
1iO53raUh69l6nV.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.224	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, 1iO53raUh69l6nV.exe, 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://us2.smtp.mailhostbox.com	1iO53raUh69l6nV.exe, 00000002.00000002.2472852502.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.143	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.225	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.223	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.224	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428885
Start date and time:	2024-04-19 19:13:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1iO53raUh69l6nV.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 130 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 1iO53raUh69l6nV.exe

Simulations

Behavior and APIs

Time	Type	Description
19:13:51	API Interceptor	87128x Sleep call for process: 1iO53raUh69l6nV.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
208.91.198.143	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse
	rks18.doc	Get hash	malicious	AgentTesla	Browse
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse
208.91.199.225	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse
	rks18.doc	Get hash	malicious	AgentTesla	Browse
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse
208.91.199.223	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse
	rks18.doc	Get hash	malicious	AgentTesla	Browse
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse
208.91.199.224	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse
	rks18.doc	Get hash	malicious	AgentTesla	Browse
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.91.198.143
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	rks18.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	INVOICE pdf.wsf	Get hash	malicious	GuLoader	Browse	216.10.249.248
	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.91.199.224
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F723838674.vbs	Get hash	malicious	Remcos	Browse	116.206.104.215
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Bill-Transcript_6ZB6-IJYD3B-SEH0.html	Get hash	malicious	Unknown	Browse	45.113.122.212
PUBLIC-DOMAIN-REGISTRYUS	INVOICE pdf.wsf	Get hash	malicious	GuLoader	Browse	216.10.249.248
	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.91.199.224
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F723838674.vbs	Get hash	malicious	Remcos	Browse	116.206.104.215
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Bill-Transcript_6ZB6-IJYD3B-SEH0.html	Get hash	malicious	Unknown	Browse	45.113.122.212
PUBLIC-DOMAIN-REGISTRYUS	INVOICE pdf.wsf	Get hash	malicious	GuLoader	Browse	216.10.249.248
	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.91.199.224
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F723838674.vbs	Get hash	malicious	Remcos	Browse	116.206.104.215
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Bill-Transcript_6ZB6-IJYD3B-SEH0.html	Get hash	malicious	Unknown	Browse	45.113.122.212
PUBLIC-DOMAIN-REGISTRYUS	INVOICE pdf.wsf	Get hash	malicious	GuLoader	Browse	216.10.249.248
	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.91.199.224
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F723838674.vbs	Get hash	malicious	Remcos	Browse	116.206.104.215
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Bill-Transcript_6ZB6-IJYD3B-SEH0.html	Get hash	malicious	Unknown	Browse	45.113.122.212

Process:	C:\Users\user\Desktop\1iO53raUh69l6nV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.237841370951035
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1iO53raUh69l6nV.exe
File size:	917'504 bytes
MD5:	99fa062716a6d9165bfffcc4785b0b2e
SHA1:	ec14cebd52752062cf64162b31ae37871daaeb88
SHA256:	7875849482751dfe7a259d0ffb80345bd55c879df7b69074fde58355746ba077
SHA512:	be8ae28b32acb0d7fc19bfe52358417a80295c4681cb4bed2e9a915419bf9dcc79d49c3f83aefcc965fe2f7fb18c3c78cee27041326779948f6ba840f430ca1a
SSDEEP:	12288:ACbRo0StGrJcnh+k/LKmHEJl0OsBUHL1PFp4GsaCP:A2Ro7kmn4OKmHEJWOUg1dNsa
TLSH:	1815C03D4CBD22BB81B9C6A9CFD98827F440E47B7151AD7998D787A58306A4339C313E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>.n...............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4e13de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9A6EEF3E [Wed Feb 7 23:31:10 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe138b	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe2000	0x620	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe02ac	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdf3e4	0xdf400	dd02317b11d4c865ab437d7a948d565d	False	0.7839631596444568	data	7.246440036496841	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe2000	0x620	0x800	6a7067bd0d94ce9619e720f56365f2f7	False	0.3359375	data	3.4420169225935946	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe4000	0xc	0x200	1714a7467d54f380e79eb4790b539421	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe2090	0x390	data			0.4232456140350877
RT_MANIFEST	0xe2430	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 19:13:54.326581001 CEST	49704	587	192.168.2.10	208.91.199.224
Apr 19, 2024 19:13:55.328001022 CEST	49704	587	192.168.2.10	208.91.199.224
Apr 19, 2024 19:13:57.343625069 CEST	49704	587	192.168.2.10	208.91.199.224
Apr 19, 2024 19:14:01.343761921 CEST	49704	587	192.168.2.10	208.91.199.224
Apr 19, 2024 19:14:09.343605995 CEST	49704	587	192.168.2.10	208.91.199.224
Apr 19, 2024 19:14:15.364607096 CEST	49704	587	192.168.2.10	208.91.198.143
Apr 19, 2024 19:14:16.374912024 CEST	49704	587	192.168.2.10	208.91.198.143
Apr 19, 2024 19:14:18.390465021 CEST	49704	587	192.168.2.10	208.91.198.143
Apr 19, 2024 19:14:22.390619993 CEST	49704	587	192.168.2.10	208.91.198.143
Apr 19, 2024 19:14:30.390579939 CEST	49704	587	192.168.2.10	208.91.198.143
Apr 19, 2024 19:14:36.390969038 CEST	49704	587	192.168.2.10	208.91.199.225
Apr 19, 2024 19:14:37.406131029 CEST	49704	587	192.168.2.10	208.91.199.225
Apr 19, 2024 19:14:39.421796083 CEST	49704	587	192.168.2.10	208.91.199.225
Apr 19, 2024 19:14:43.421838045 CEST	49704	587	192.168.2.10	208.91.199.225
Apr 19, 2024 19:14:51.437467098 CEST	49704	587	192.168.2.10	208.91.199.225
Apr 19, 2024 19:14:58.545648098 CEST	49704	587	192.168.2.10	208.91.199.223
Apr 19, 2024 19:14:59.546869040 CEST	49704	587	192.168.2.10	208.91.199.223
Apr 19, 2024 19:15:01.562427044 CEST	49704	587	192.168.2.10	208.91.199.223
Apr 19, 2024 19:15:05.562402964 CEST	49704	587	192.168.2.10	208.91.199.223
Apr 19, 2024 19:15:13.562561989 CEST	49704	587	192.168.2.10	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 19:13:54.211230040 CEST	62912	53	192.168.2.10	1.1.1.1
Apr 19, 2024 19:13:54.319845915 CEST	53	62912	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 19:13:54.211230040 CEST	192.168.2.10	1.1.1.1	0x3452	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 19:13:54.319845915 CEST	1.1.1.1	192.168.2.10	0x3452	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false
Apr 19, 2024 19:13:54.319845915 CEST	1.1.1.1	192.168.2.10	0x3452	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Apr 19, 2024 19:13:54.319845915 CEST	1.1.1.1	192.168.2.10	0x3452	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false
Apr 19, 2024 19:13:54.319845915 CEST	1.1.1.1	192.168.2.10	0x3452	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	19:13:50
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\1iO53raUh69l6nV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1iO53raUh69l6nV.exe"
Imagebase:	0xe0000
File size:	917'504 bytes
MD5 hash:	99FA062716A6D9165BFFFCC4785B0B2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:13:51
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\1iO53raUh69l6nV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1iO53raUh69l6nV.exe"
Imagebase:	0x570000
File size:	917'504 bytes
MD5 hash:	99FA062716A6D9165BFFFCC4785B0B2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2472852502.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	165
Total number of Limit Nodes:	6

Executed Functions

Function 09064F7C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090651BE

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ea849af9d47485408f53dc231f1464330583a72b571960b8af045d875988c6f9
Instruction ID: 964aab1176d150dd366b47b3f3161c05bbcc9037585b28800d589d89e7689797
Opcode Fuzzy Hash: ea849af9d47485408f53dc231f1464330583a72b571960b8af045d875988c6f9
Instruction Fuzzy Hash: 00A15971D002598FEB64CFA8CC417EDBBF2BF49310F1489A9E848A7290DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 09064F88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090651BE

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a24f649c4d7e1f7b6d774b945fe9e20b10fe8b65b4cf7fc51adc6131446ec80e
Instruction ID: d3dc2e11fa87113dac91dba333ae1a81aa6d43dd32ae1dfb70950701eec463eb
Opcode Fuzzy Hash: a24f649c4d7e1f7b6d774b945fe9e20b10fe8b65b4cf7fc51adc6131446ec80e
Instruction Fuzzy Hash: 14915A71D002198FEB64CFA8CC417EDBBF2BF49310F1485A9E849A7290DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0230AE30 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0230B086

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8dd47e99210b97aaeebd1f24aa5c3cbf4d6401922ad635f4aee1c0015f22d4c3
Instruction ID: e167aa360f334d51b74676e5974e4de16ad71d4fd2dfed01296c9a677f9867da
Opcode Fuzzy Hash: 8dd47e99210b97aaeebd1f24aa5c3cbf4d6401922ad635f4aee1c0015f22d4c3
Instruction Fuzzy Hash: 12714770A00B058FEB24DF29D49075ABBF1FF88704F00892DE19ADBA90D774E945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0230590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 023059C9

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d8d9baf7514460640232c455299f85e79eb4a48bba1edb5453031a25378b87b6
Instruction ID: c8b204cd3a99e0530875e44c52b837e5e309d80fc4cf676256f6e735b1e454da
Opcode Fuzzy Hash: d8d9baf7514460640232c455299f85e79eb4a48bba1edb5453031a25378b87b6
Instruction Fuzzy Hash: 3941D271D01718CFEB24DFAAC884BDDBBB5BF48304F60806AD409AB291DB756986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0230449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 023059C9

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e24c0c7774ed4ff23a73ea48ae317572ede10edf9c5c57f7a1fdad63251bfd15
Instruction ID: 375187388ed0cedc1a28a59d8d234d2c04fc418fccc70e017274d7d91d861d90
Opcode Fuzzy Hash: e24c0c7774ed4ff23a73ea48ae317572ede10edf9c5c57f7a1fdad63251bfd15
Instruction Fuzzy Hash: 1441B270D00719CFEB25DFAAC894B9DBBF5BF48304F60806AD409AB251D7756946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 09064CF8 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09064D90

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 13c99332062122567d5d40667b4232d39671d8f531742a5c3719f78c5ac9bed4
Instruction ID: 4bf4d4ea6dcdaad1b07920afe807eecdcc4ef0879a65348b0ecd67a19ef323ba
Opcode Fuzzy Hash: 13c99332062122567d5d40667b4232d39671d8f531742a5c3719f78c5ac9bed4
Instruction Fuzzy Hash: DE214875D003499FDB10CFAAC881BEEBBF4FF48310F108829E959A7250D779A950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 09064D00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09064D90

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 198f88c074dcfb4cc9ba74449f631f246fd840926c22f3101c03f65d9f89a351
Instruction ID: 6a03162c169f8d5916745a4d957df8db4f5f1c94064bb28adc33617e1e47580e
Opcode Fuzzy Hash: 198f88c074dcfb4cc9ba74449f631f246fd840926c22f3101c03f65d9f89a351
Instruction Fuzzy Hash: 34212671D003599FDB10CFAAC881BEEBBF5FF48310F108829E959A7250D779A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 09064728 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 090647AE

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 03856c52d6dd0f39d477f62b99de56d638b904baf48f6d45ea0093d8781bf6f5
Instruction ID: 7050016d98ff8d2669ccaefe25488bc8dc1fe50c0fce592dbef2b7d373479b61
Opcode Fuzzy Hash: 03856c52d6dd0f39d477f62b99de56d638b904baf48f6d45ea0093d8781bf6f5
Instruction Fuzzy Hash: 1D215975D003088FDB10CFAAC4857EEBBF5EF48320F14842AD459A7250DB78A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09064DE8 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09064E70

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e23227d62c8f3ad3bdabf0e99ece102a16dd53e60b4f39ab0daefaa98fc2f920
Instruction ID: f3b56190028ed73402f0225030a8243aaa8a6eb34c6d00cb0a9fe3ec9e5e1e2f
Opcode Fuzzy Hash: e23227d62c8f3ad3bdabf0e99ece102a16dd53e60b4f39ab0daefaa98fc2f920
Instruction Fuzzy Hash: A52126B1D003499FDB10CFAAC8407EEBBF4FF48320F10882AE558A7250D7799951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0230C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0230D2C6,?,?,?,?,?), ref: 0230D387

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f0faf5ec8b84931507e30667c5084eab9d0d7eedf1c5d212638da1b3b6d4dd5b
Instruction ID: 3a02ba52826393f21c54a3ee69135f59ad937c3de91d48cdf13f2dc6aaab2bdf
Opcode Fuzzy Hash: f0faf5ec8b84931507e30667c5084eab9d0d7eedf1c5d212638da1b3b6d4dd5b
Instruction Fuzzy Hash: D221E3B5900308DFDB10CF9AD984BEEBBF8EB48310F14845AE918A7350D374A950CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09064DF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09064E70

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a60abe2cc20039c4793b34e8ec7e50ea980e74a8c585dfa0565316d99e166e1d
Instruction ID: d4cb7316691792e2f0e646b8f71dac94065d1990d80c33883676e7ec01919a91
Opcode Fuzzy Hash: a60abe2cc20039c4793b34e8ec7e50ea980e74a8c585dfa0565316d99e166e1d
Instruction Fuzzy Hash: 6F2105B1D003499FDB10CFAAC840BEEBBF5FF48310F108829E959A7250D7799951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 09064730 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 090647AE

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ace260eb89269d46b946e1c05a81143e8dfe7e77ffc086bfd01c5404aa3870ed
Instruction ID: 7506ac006838b428ab4f036b0db883fa5e1f03345efa765d8a5f0e0615334110
Opcode Fuzzy Hash: ace260eb89269d46b946e1c05a81143e8dfe7e77ffc086bfd01c5404aa3870ed
Instruction Fuzzy Hash: 00213871D003088FDB10CFAAC4857EEBBF5EF48310F148429D559A7250DB78A985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0230D2F9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0230D2C6,?,?,?,?,?), ref: 0230D387

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 70b165dc2a6c541850056f37de0dcd22965d89e50f3623cff630a4bb3ab9ad02
Instruction ID: ff4a4ffaa34272721dba09d245afb14d17c422a3308e46ad0e6c0b1acf847929
Opcode Fuzzy Hash: 70b165dc2a6c541850056f37de0dcd22965d89e50f3623cff630a4bb3ab9ad02
Instruction Fuzzy Hash: 8D21E3B5900248DFDB10CFAAD584AEEBBF5EB48314F14845AE958A7350D374A950CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09064C38 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09064CAE

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d216dbe24199a144eee0fe94a9450e52f3d88fa2a5ae89d4dd5ea8ea3f905504
Instruction ID: e53662ad8a9ab85bb9f663fc0dc1a61f38671400a42142f931182ac1ecdddbaa
Opcode Fuzzy Hash: d216dbe24199a144eee0fe94a9450e52f3d88fa2a5ae89d4dd5ea8ea3f905504
Instruction Fuzzy Hash: 251147769002489FDB20DFAAC8447EEBBF5EB48320F148819E959A7250C7799955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0230A870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0230B101,00000800,00000000,00000000), ref: 0230B312

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2cb34ee966ecf07ebda0a3e52ed39756f00e2202952a92ee9733af032216005d
Instruction ID: 6c0b6d2ebe8168434aabe4c759e8c43f7b6eb64bec4db0d423c776e70310528d
Opcode Fuzzy Hash: 2cb34ee966ecf07ebda0a3e52ed39756f00e2202952a92ee9733af032216005d
Instruction Fuzzy Hash: 911114B69003499FDB10CF9AC484BAEFBF9EB48314F10846AE919A7240C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0230B2A1 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0230B101,00000800,00000000,00000000), ref: 0230B312

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc5397fcc7c6d315ed868cb057630d34b3ae7cf7a71d6e632be835fa209128fd
Instruction ID: a4b1ead28a7d968f63b5e6b35cc37d784334b3852cb0a9c7e38c39293c34aae7
Opcode Fuzzy Hash: dc5397fcc7c6d315ed868cb057630d34b3ae7cf7a71d6e632be835fa209128fd
Instruction Fuzzy Hash: 231126B6D003498FDB10CFAAC584BDEFBF5EB48314F10846AD819A7640C375A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 09068170 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,09068029,?,?), ref: 090681D0

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e040e392bda169fbe2ae9c972c2e7f321e42bb0a213cd912056ac53c43005ac7
Instruction ID: 33bc7346f6650ddfbf723a52c506138c6e10cdcb2f0a4de1d758122c3ac179c1
Opcode Fuzzy Hash: e040e392bda169fbe2ae9c972c2e7f321e42bb0a213cd912056ac53c43005ac7
Instruction Fuzzy Hash: AE113AB5900349CFDB20DF9AC445BDEBBF8EB48320F108819E968A7750D379A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09064C40 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09064CAE

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fee29117f31667e803a6676b0596fb06e2b0ecfbbaa944f749053a118111bba8
Instruction ID: 607d5094fbf94da129ae00b5a9d21eaa73d7920618b56683e3f57b032f2f2578
Opcode Fuzzy Hash: fee29117f31667e803a6676b0596fb06e2b0ecfbbaa944f749053a118111bba8
Instruction Fuzzy Hash: A81126719003489FDB20DFAAC845BEEBBF5EB48320F148819E519A7250C779A950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 09064679 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 090646E2

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9358b37a0ddfe1bb15510ef08bf585c6c73918607e1803e5058db9160637d057
Instruction ID: 02b764ba874e384f1dd1fff1e100bbb046f513643905c3b3a4a4649dce0c3765
Opcode Fuzzy Hash: 9358b37a0ddfe1bb15510ef08bf585c6c73918607e1803e5058db9160637d057
Instruction Fuzzy Hash: 7D116AB5D003488FDB20DFAAC4457EEFBF4EB88320F14881AD559A7650CB79A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 090673C0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,09068029,?,?), ref: 090681D0

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d6b33dd228d6712133a0b093a5aabf2e0c60ad3cbc92b2d4aeda46393c6a4b8a
Instruction ID: 82175ccce5519afc7397d686cf62b43578147166c7221326c6e495fcd51e15b2
Opcode Fuzzy Hash: d6b33dd228d6712133a0b093a5aabf2e0c60ad3cbc92b2d4aeda46393c6a4b8a
Instruction Fuzzy Hash: 2A113AB5900349CFDB20DF9AC445BEEBBF8EB48320F108419D968A7740D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09064680 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 090646E2

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 73c70fe7325b8fe084f6605864a231c9a00c44c922b0353bcfff2552c55f1948
Instruction ID: a9f3ea22b145e9be579577c9defca22522231877be11a4434b5b772bfb62d4d8
Opcode Fuzzy Hash: 73c70fe7325b8fe084f6605864a231c9a00c44c922b0353bcfff2552c55f1948
Instruction Fuzzy Hash: 89116AB1D003488FDB20DFAAC4447EEFBF4EB88320F108819D419A7250CB79A944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0230B019 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0230B086

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0cb420714493c22b2b9435879c7ef8af10e1f60a8f00e49e8284734a10ed8e85
Instruction ID: 4b162447856c550fbbdb83064151e02183133e97f9df62628c41db0f69c37ce6
Opcode Fuzzy Hash: 0cb420714493c22b2b9435879c7ef8af10e1f60a8f00e49e8284734a10ed8e85
Instruction Fuzzy Hash: 03110FB6D012498FDB20CFAAC484BDEFBF5EB88214F10C45AD469A7650C379A546CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 09062C50 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 090676BD

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9ead29905c9a0d33a748a3a351efd43a07d064780f11bbc99e5321432a20a0ff
Instruction ID: 0b1fad706702c3a7283d4b19e992f706c92af69b187ebfe015edb3aebda5e1d5
Opcode Fuzzy Hash: 9ead29905c9a0d33a748a3a351efd43a07d064780f11bbc99e5321432a20a0ff
Instruction Fuzzy Hash: 8311F2B5900348DFDB20DF9AC845BEEBBF8EB48714F108819E918A7310D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0230B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0230B086

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51f474f8675a980371290a0002760d3af0543fee421ec2591e08f2c446041844
Instruction ID: 58e399cd12539059cf938a8754dfe3c3d3f1729363034884be389f48bcb4a22e
Opcode Fuzzy Hash: 51f474f8675a980371290a0002760d3af0543fee421ec2591e08f2c446041844
Instruction Fuzzy Hash: 5D11DFB6D003498FDB20CF9AC444B9EFBF5EB88214F10842AD869A7250D379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09067658 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 090676BD

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fd458ee24e73b86cbce5671c701766794bf50eef39fcf554c75d3905e01bba4f
Instruction ID: 059bbd7cb610a3b85d4b6f51ee9ce22b43d562c2d2e4a11e525da838ea2919c6
Opcode Fuzzy Hash: fd458ee24e73b86cbce5671c701766794bf50eef39fcf554c75d3905e01bba4f
Instruction Fuzzy Hash: 901110B59003488FDB20CF9AC444BEEBFF4EB48320F20885AE568A7610C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F39D18 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f839ab2f2213fb5a6a31632ca592a08b04567a5df8a902c70dda32e9515675ab
Instruction ID: af5eb763d596948a170ea7babc40e350a51de675a03447be49bbf8fd0441dda7
Opcode Fuzzy Hash: f839ab2f2213fb5a6a31632ca592a08b04567a5df8a902c70dda32e9515675ab
Instruction Fuzzy Hash: 5B91E3B2B04214DFE7008B69D885FAE77B5EB44306F008026F5569B291E7F5ED83D761

Uniqueness

Uniqueness Score: -1.00%

Function 04F3E2C8 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8211536aa94cb850b2c06c4661d95aae3f2091a2acd9bafa57a5f9008400bc9c
Instruction ID: dae1fd433a445048f3a03441285455c07a8e1343a313da6e819762e64da18abc
Opcode Fuzzy Hash: 8211536aa94cb850b2c06c4661d95aae3f2091a2acd9bafa57a5f9008400bc9c
Instruction Fuzzy Hash: 5B61C275E05218CFDB08CFA5C984AEEBBB6FF89301F14902AD419AB355EB706946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F38858 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2827e04d9eddd7ae8d95e263728288754930750ad169a0e0942e3675f5892e
Instruction ID: bc3162b03f0f05ac73eaa9e3b1056aec7ceb289ddfe6f99485d63a9cf204817b
Opcode Fuzzy Hash: 8b2827e04d9eddd7ae8d95e263728288754930750ad169a0e0942e3675f5892e
Instruction Fuzzy Hash: 1D41D131B002058FDB14EF7998485AEBBF6FFC4261714856AE419DB391EF34AD0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 04F385AC Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8e053c46e4b001a9a4e311983af4f60b075d0de573a102c9239993dd3cd5b7
Instruction ID: 879ff2fcc74f839debf8c6527dc8a53f45528693bd6ce6ad571a02d608a68605
Opcode Fuzzy Hash: 5b8e053c46e4b001a9a4e311983af4f60b075d0de573a102c9239993dd3cd5b7
Instruction Fuzzy Hash: 60416B72E093845FEB06DB709C555EE7FB5DF86200B0584EBD804DB252EA34AD0BCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F3D758 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b50d1236b011616455dfe52dae5207f4c97f1b873467e25b39c9cecd3f8f4a
Instruction ID: 588dd2c6ab2467d4aed77063e074bd61e9f4f1a61178d383a0974d7e12c431d6
Opcode Fuzzy Hash: 17b50d1236b011616455dfe52dae5207f4c97f1b873467e25b39c9cecd3f8f4a
Instruction Fuzzy Hash: BC51C271E09304CFE7059B68C8826FABBF0EF05342F04846BD455EB252E738A847CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F39D09 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d8e8a8b2b763d6ff298bc2f28f7bae727a12695b836eb5f2568ec88ace92b4
Instruction ID: 6ab54706657ea08ab6d32c64ccaa008759689d436b213ef399e15de389bf38b0
Opcode Fuzzy Hash: 66d8e8a8b2b763d6ff298bc2f28f7bae727a12695b836eb5f2568ec88ace92b4
Instruction Fuzzy Hash: 6B4184B2B00214DFEB148B99D945EBEB7F6EB44302F004026F545AB291D7F5BD829B51

Uniqueness

Uniqueness Score: -1.00%

Function 04F3EE68 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d51ab5d185c50906d23221128a0326b66db02a235480987a20e20bb95c5c2d2
Instruction ID: 97fcc539fa286d327a6bca493d03cc7a6abb967b51f1f18c9bade5e6f17c0d74
Opcode Fuzzy Hash: 6d51ab5d185c50906d23221128a0326b66db02a235480987a20e20bb95c5c2d2
Instruction Fuzzy Hash: 4F411A75E04108CBDB04CFA9C480AEDBBF9FF88321F159025E409A7315D770A982CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F37C24 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdccda6782356ddae40d65945c2b44745be8ea11636ab9e77070f22472c656e
Instruction ID: 411ae30198796f804b8bd558cb7899f908ae367f8c129c22210a7423266f5651
Opcode Fuzzy Hash: bfdccda6782356ddae40d65945c2b44745be8ea11636ab9e77070f22472c656e
Instruction Fuzzy Hash: 1241C2B1D01309DBEB24DFAAC584ADDBBF5BF48305F248429E408BB214D7B56A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3B808 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8930c12f1bc379675ed319954af9b33e1c0cb1fc0d1396b71cd64c7b684233a5
Instruction ID: 1adc1c60b28a922ed182c8aeb46332a719135a46dbe723143cfe2a51d56f40c8
Opcode Fuzzy Hash: 8930c12f1bc379675ed319954af9b33e1c0cb1fc0d1396b71cd64c7b684233a5
Instruction Fuzzy Hash: 83315E76E05525CBC7008F68D8606BAB7B1FF44316F488166E459EB293E338F943CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F38C76 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43aa7ce871e6f9f7ab1b3079ca9036fb7e2dee0bc0b45da3ab296823f865080
Instruction ID: b1ff82beb118519ff59b1385b349bdd093c777fae4d0c81892898051847cb767
Opcode Fuzzy Hash: a43aa7ce871e6f9f7ab1b3079ca9036fb7e2dee0bc0b45da3ab296823f865080
Instruction Fuzzy Hash: 4B41B2B1D01309CBEB24DFA9C584ADDBBF5BF48305F248429E408BB254D7756A86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3B814 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b0aa70a027ce2a8c19781000971dcd2c517956fc28ffa867d3ea0c4255734c
Instruction ID: ec84ddd5c6af7bfabe0efc223f9f79549addd241a98427d97be696d716894837
Opcode Fuzzy Hash: c8b0aa70a027ce2a8c19781000971dcd2c517956fc28ffa867d3ea0c4255734c
Instruction Fuzzy Hash: AB316F76E00526CBC7409F69C8506BEB7B1FF44316F588126E459EB292D734F943CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F3B818 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b35c7cb03874c986b6f29b7920d050c3fe9fe79ac472d3ab1504a0e7ae2fc5
Instruction ID: a811c2343164bcf938981f87ea35f0876bc38521ba5ee1b58afbe73b3e87f362
Opcode Fuzzy Hash: f8b35c7cb03874c986b6f29b7920d050c3fe9fe79ac472d3ab1504a0e7ae2fc5
Instruction Fuzzy Hash: 9E315E76E04526CBC7009F69C8506BEB7B1FF44316F588126E459EB292E734F943CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F3B6F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9533d80951389fc8f80952337019df08eaa06d98f7319d4babe051305dff0a7b
Instruction ID: ba874687a8712b4e17571a930d589da819aafb9d2272700975891fdeb9713140
Opcode Fuzzy Hash: 9533d80951389fc8f80952337019df08eaa06d98f7319d4babe051305dff0a7b
Instruction Fuzzy Hash: 85218E34B04254DBDB248A15892573936A2EB81702F2580BBD0169F3A7DA79FC43CB55

Uniqueness

Uniqueness Score: -1.00%

Function 009BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235062351.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9bd000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8507e76f2bfa6c1582e411acf8562968d92d76ee5869e22d74ed5a29665dd903
Instruction ID: 943d3e1f5cf453a9a0116b18dc5b833b3e37f4e6f21458836febb96ef2ad840f
Opcode Fuzzy Hash: 8507e76f2bfa6c1582e411acf8562968d92d76ee5869e22d74ed5a29665dd903
Instruction Fuzzy Hash: 0D214C72501304DFDB04DF10DAC0B56BB6AFB94334F20C56DE9090B2A6D33AE856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F3FC80 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c2b1a61cd7a96a4f0d04dd777610fb4b4f194d641b51c7a908f35086bca366
Instruction ID: 0582fdf701e84a0046cbb0ab07a6f69ffa4bf0a59eb0bad016ce451400854e31
Opcode Fuzzy Hash: c5c2b1a61cd7a96a4f0d04dd777610fb4b4f194d641b51c7a908f35086bca366
Instruction Fuzzy Hash: 07212F76E09214DBC708CF66D4444ADBBBAFF8E302F00D169E809A7361DB34A942DF60

Uniqueness

Uniqueness Score: -1.00%

Function 009CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235148159.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cd000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8741747e483b9304f089afd8dc61422cf40ffc1022085343d4664102a675c3
Instruction ID: 7f019204f823ac559609aa6bf8156ca610f5b1839fbb6117e5e33b877e4c90e7
Opcode Fuzzy Hash: 5a8741747e483b9304f089afd8dc61422cf40ffc1022085343d4664102a675c3
Instruction Fuzzy Hash: 0221D371905244DFDB14DF18D584F16BB65EB84314F20C97DD80A4B286C33AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 009CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235148159.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cd000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a04841919b669932a5e3ca8193b3f8d528a3bcc0bccfbb20c31bf40a0123e4b
Instruction ID: 302ae12a3180dbb7ffc955ef5c3d92e85a8eb6943ac70bd2901816a4ad57eef4
Opcode Fuzzy Hash: 7a04841919b669932a5e3ca8193b3f8d528a3bcc0bccfbb20c31bf40a0123e4b
Instruction Fuzzy Hash: 8A21F271905204EFEB05DF10D9C0F26BBA5FB84314F24C9BDE8094B292C33AD846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 04F3B6E8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feadbeb02f6109c5042437bd1a95faadef291d44b6fe60a666426aeb8ca818cf
Instruction ID: 8d69df8deca335ed9b8a11cb749296f87cbea57154ef77669d87216b7bf7e61b
Opcode Fuzzy Hash: feadbeb02f6109c5042437bd1a95faadef291d44b6fe60a666426aeb8ca818cf
Instruction Fuzzy Hash: EE21BB35B04210DBDB248F10C96277877A2EB81702F2580ABE0164F2A7DA7AFC43CB56

Uniqueness

Uniqueness Score: -1.00%

Function 04F38B70 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98ba2e690ff41274ec97dddfa19a4ada6758a15633be7ea655981c7d461a1dd
Instruction ID: 25321210a6a676fbaa55ffe618298e7bee898484e1b960a60a9f47274e2e0c07
Opcode Fuzzy Hash: d98ba2e690ff41274ec97dddfa19a4ada6758a15633be7ea655981c7d461a1dd
Instruction Fuzzy Hash: 0E21A171A002044FDB10EB79C5545EE7BF6EF85611B00886AE506EB361EF78FD0A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F38848 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c807c781a68a7b17970ee27932c4b0c3292a2c634185b9fa32e42cf70b114c3
Instruction ID: 422f819ebba528009b89a43e7360722a1fca254bc71c97872e80c5357eeb10b9
Opcode Fuzzy Hash: 4c807c781a68a7b17970ee27932c4b0c3292a2c634185b9fa32e42cf70b114c3
Instruction Fuzzy Hash: F411E6B6E042159BAB11EE799C405BFB7F6FBC42A13158569E418D7340EB34ED0783A0

Uniqueness

Uniqueness Score: -1.00%

Function 04F37BD4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0da6f37c2386161f44227423647b2613910eedde437238b657f7f4268a9c7da
Instruction ID: ec1c853968caf75e05db7c2515cf115271715f9c361806c26b7a24d47524c213
Opcode Fuzzy Hash: d0da6f37c2386161f44227423647b2613910eedde437238b657f7f4268a9c7da
Instruction Fuzzy Hash: 8E31E5B0D01258EFEB20DF99C984B8EBBF5EF48354F248059E404B7240D7B96846CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F38A06 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a049ce488b5cccf5927bb9bf9159333e0c90263cebae455b67132fe490a3ebca
Instruction ID: fe68c363df1f323bd0c0b3c71a4572b09bd7b327a86de861767e3271323614a8
Opcode Fuzzy Hash: a049ce488b5cccf5927bb9bf9159333e0c90263cebae455b67132fe490a3ebca
Instruction Fuzzy Hash: AC21D3B0D01218DFEB20DF99C984B8EBBF1EF48314F248459E404BB240D7B96946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 009CD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235148159.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cd000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c3414d62a108738862c884fcef99a3ccdf4d0f29e953fdbf42838a3d9f722b
Instruction ID: 69b28b723b2d114b47597e5c7f97afff75b5c97c50880337d47b405987122322
Opcode Fuzzy Hash: 68c3414d62a108738862c884fcef99a3ccdf4d0f29e953fdbf42838a3d9f722b
Instruction Fuzzy Hash: 8F2180755093808FCB02CF24D990B15BF71EB46314F28C5EED8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F38B60 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20728e2fa014a7b11cfc5a24c058a1b8b558c3112107e06e2062593b2a7943e
Instruction ID: d7263d0b45ba01d3e82101d6ea783bc4376e12e24f460e7a6c5e81d3ac42bd67
Opcode Fuzzy Hash: a20728e2fa014a7b11cfc5a24c058a1b8b558c3112107e06e2062593b2a7943e
Instruction Fuzzy Hash: D011D2716002008FD710EB29C6109EB77E6AFC5614B00C8AAE102EB3A1DF74ED098B91

Uniqueness

Uniqueness Score: -1.00%

Function 04F385E8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c111c642eb789af6c2388d3f3d735957d11665beb42e5212f99cb18e661578a
Instruction ID: 61eff979e50294909994c0801ad87c56dd456d0aee2e79ce9671f32ac7a31ab5
Opcode Fuzzy Hash: 2c111c642eb789af6c2388d3f3d735957d11665beb42e5212f99cb18e661578a
Instruction Fuzzy Hash: 2E114C72A082846FEB02EB35D8109EA3FFAEFC1354304C097E148DB261DA34DD068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F3EC80 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b95b75b2b82af04e26596b1d381b8a75d094c82ca6a4ab959a9e2358350376
Instruction ID: 0efc28c3cbe1e486adbaf8cde7968d7aa9820dc50042e4e75aceb7da058f7c1e
Opcode Fuzzy Hash: 77b95b75b2b82af04e26596b1d381b8a75d094c82ca6a4ab959a9e2358350376
Instruction Fuzzy Hash: 2221C7B4E08209DFCB44CFA9C1809AEBBF5EF49342F209065D809A7351D730AE41DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235062351.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9bd000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a736483c7301ab0b942446287a2da93ee8c90a3553c7a0be40e84c1f23337044
Instruction ID: 91776e5e7120ba560961d1fdd798c0a380de3bf76cd2b9f442c5ddbfad9de022
Opcode Fuzzy Hash: a736483c7301ab0b942446287a2da93ee8c90a3553c7a0be40e84c1f23337044
Instruction Fuzzy Hash: A5112672404240CFCB05CF00D6C4B56BF72FB94324F24C6A9D8090B266C33AE85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F3860C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de66ed6765a4d037d6ec25dabd970f8dee0cbf09e17095501837e785b0a47484
Instruction ID: fb0e824fc5dbc502cf79f3520a45c121bc28666607a5f7f0f56d1d9007daa27d
Opcode Fuzzy Hash: de66ed6765a4d037d6ec25dabd970f8dee0cbf09e17095501837e785b0a47484
Instruction Fuzzy Hash: 522103B6D003499FDB10CF9AC844ADEBBF4FB48310F108429E959A7310D375A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F3A260 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96753e657d0d743de67ccae9be26f5bbe310f1c46a386ca0d666011bc5a95d8e
Instruction ID: 90938bc95e6e8d7dfe370279d9103fb33ac6c42e269cbafbff9faeb75ea02a9f
Opcode Fuzzy Hash: 96753e657d0d743de67ccae9be26f5bbe310f1c46a386ca0d666011bc5a95d8e
Instruction Fuzzy Hash: 202100B5D002499FDB10CF9AD984BDEBBF4FB48310F10841AE969A7310C375A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235148159.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9cd000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0032d31c21eee98164703ed9ecbad4511e5bcd2f12e312fdd1ff5dc5c24f5f
Instruction ID: dcffe616236be5a998003cfafc2b4a0428e07a7f9a21aac5bf31a26c9b7fd20c
Opcode Fuzzy Hash: af0032d31c21eee98164703ed9ecbad4511e5bcd2f12e312fdd1ff5dc5c24f5f
Instruction Fuzzy Hash: 6E11DD76904280DFDB05CF10C9C0B15FBB1FB84314F24C6AED8494B296C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F3ED78 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d84e16de3f76866dbb7c626d9d258ddcc5e4a00464861ee573501d81f38bca
Instruction ID: f534035049a7e5eb913f1baf1c9b544b945960b55b90dcf5c9b518dc72ddfba6
Opcode Fuzzy Hash: e3d84e16de3f76866dbb7c626d9d258ddcc5e4a00464861ee573501d81f38bca
Instruction Fuzzy Hash: E411E575E08208EFCB04DFA9C544AADBBF9AF89311F1095959418A7315E770BA429B40

Uniqueness

Uniqueness Score: -1.00%

Function 04F37BE0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3a61d35816ab752b940b9c45fc576eb6f79de0bfe51f2a935487c3dd53792
Instruction ID: 81ceb0cbd214139cfaa525ab3d76dc95277279055ef62a1e85273b329a67e27f
Opcode Fuzzy Hash: f6a3a61d35816ab752b940b9c45fc576eb6f79de0bfe51f2a935487c3dd53792
Instruction Fuzzy Hash: 1E1103B59047488FEB20DF9AC444BDEFBF4EB48320F10845AE929A7300D3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 009BD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235062351.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9bd000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7e41df5c3aad3ecc5be978bf85a2b42bbc1c996d2c7a522d0b6b9f34357d77
Instruction ID: f08cd2e4acdae0fceedd2cd02085fb3d5ff69158462d7cad39ca5105a6a9fee9
Opcode Fuzzy Hash: 0a7e41df5c3aad3ecc5be978bf85a2b42bbc1c996d2c7a522d0b6b9f34357d77
Instruction Fuzzy Hash: B101F7B10063449BF7104E11CEC4BE6BB9CDF41334F14C91AED095E282EA799841CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 04F38DF4 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8836b40030f9b1db04972876d9bfddd55163c57fd462405ae0ccc8a596fe1cb2
Instruction ID: 6bbc0dd495474b940a63e9cf8d094ba3543b8076d778c9e0d4e6ea14d23bb9c9
Opcode Fuzzy Hash: 8836b40030f9b1db04972876d9bfddd55163c57fd462405ae0ccc8a596fe1cb2
Instruction Fuzzy Hash: D3111E71D00208DFDB24DF99C5847DEBFF1BB88365F24C129E8286B290C7749986CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04F3925E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372195b88206e1a8aa7d66016124675a4e5596e44e449fa81b03fb72de663dfb
Instruction ID: fcb96a34354e61e9a64e38bf03c9312869a660a7711fb1f9bccd44c8548f1ce1
Opcode Fuzzy Hash: 372195b88206e1a8aa7d66016124675a4e5596e44e449fa81b03fb72de663dfb
Instruction Fuzzy Hash: DC1112B5900648CFDB20DF9AC544BDEFBF4EB48320F20841AE919A7340C3B8A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F3A310 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da05d33135d229be8562b28e94101f0e2ad42a702aa5d099f690f6fe19842fe8
Instruction ID: a2893bd8e5784be76818e9612938c7f24f63f9e6539013f9d78ce8faca5137dd
Opcode Fuzzy Hash: da05d33135d229be8562b28e94101f0e2ad42a702aa5d099f690f6fe19842fe8
Instruction Fuzzy Hash: F201D1B2D043088FDB20CBAAA8053DEBBF4EB84315F14815ED858A7252D37A9547CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 04F38E00 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7a6846b72f3122355e126b60b854b2041fec502d09c032087cc82a29aad3ad
Instruction ID: 63b99f655bd15b45ecb9d2149066990f95b4621b63cdb7a19b8d0e2998cf7108
Opcode Fuzzy Hash: 6d7a6846b72f3122355e126b60b854b2041fec502d09c032087cc82a29aad3ad
Instruction Fuzzy Hash: 5F01ED71900208DFDB24DF9AC4847DEBEF5BB883A1F24C169E918AB290C7749985CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04F3A190 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c7dbafa90fb1fa3e520c83480e6184e634515bb37eca2ce47d359468164405
Instruction ID: 86a375625fd436c05062e989aea103552e54ec7865af61c9d99b814c1af83b0f
Opcode Fuzzy Hash: c2c7dbafa90fb1fa3e520c83480e6184e634515bb37eca2ce47d359468164405
Instruction Fuzzy Hash: 21F06276B082086FDB05EF56DC419AE7BBBEFC9264704C166E808DB225D63599068B90

Uniqueness

Uniqueness Score: -1.00%

Function 04F385FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634d39d8ea0da9904a74b61b5aa1502a723531f0e55c255b1859828493637552
Instruction ID: 80f6f92e76bc387436208191c2b7e913eb753c25c01dd40a97ae98090601823b
Opcode Fuzzy Hash: 634d39d8ea0da9904a74b61b5aa1502a723531f0e55c255b1859828493637552
Instruction Fuzzy Hash: 9BF09672B001086FAB04EF5ADC409AF7BEAEFC4364700C466F404DB214DA35ED018F94

Uniqueness

Uniqueness Score: -1.00%

Function 009BD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235062351.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9bd000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d0e6289ec134fa090813cbc3648a13eab7356264be3ed023c6763bb13da265
Instruction ID: d2ed574e8cfc5bdabdab3402eaf8defc5a216f36bb0ec15acfaa2f68d953d61d
Opcode Fuzzy Hash: 63d0e6289ec134fa090813cbc3648a13eab7356264be3ed023c6763bb13da265
Instruction Fuzzy Hash: 01F062714053449EE7108E15CDC8BA2FF9CEB91734F18C45AED095E286D6799C45CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 04F38563 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be67a43935f5c8e009f9f0a78c2c29d2c61044237d94f58fb824150147ba437
Instruction ID: d64aec1a9cd121b310d021a8252b9a157358e80e94a01f8c6101bd99ea8c94e1
Opcode Fuzzy Hash: 0be67a43935f5c8e009f9f0a78c2c29d2c61044237d94f58fb824150147ba437
Instruction Fuzzy Hash: A3E092DA80A7C02BF31752309CA039E3F208B72241F0940D7C3C14A2E3E8684C4BCB1A

Uniqueness

Uniqueness Score: -1.00%

Function 04F3EE10 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c633f4bfc98241b3ac3cf29a7c8f200877cc04bdfade43709ad0077e0052898e
Instruction ID: 9c13640013809ccab4ed68134c96a6f4b7af9d19c0bc6d0a5253bf0215ca0547
Opcode Fuzzy Hash: c633f4bfc98241b3ac3cf29a7c8f200877cc04bdfade43709ad0077e0052898e
Instruction Fuzzy Hash: 21F01574E09308EFCB00DFA4D1449ADBBB8FB0A302F0084AAD808A3350D735AA91DF44

Uniqueness

Uniqueness Score: -1.00%

Function 04F38B07 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dafd03e9561074d727048a9b9a5f403431b665a522c99804bb26b7b38bd7178
Instruction ID: 8c7c6d26b4f901188d235c072d8420dcdf670c7a12141b62a33284be44a64ab5
Opcode Fuzzy Hash: 2dafd03e9561074d727048a9b9a5f403431b665a522c99804bb26b7b38bd7178
Instruction Fuzzy Hash: 93E02B71901105EFC700EF68E6804DC7BF5EF842243108197D804B7315D9362F07DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04F38B18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee98f785ca4d581c5cf530d48fae39c8473047917132aad09ad695a4a37c167
Instruction ID: c2eb5a6eee91bf8e7d3b2e5ff85d7380c1c49e6913ef981d0a97ee332935aae8
Opcode Fuzzy Hash: 2ee98f785ca4d581c5cf530d48fae39c8473047917132aad09ad695a4a37c167
Instruction Fuzzy Hash: 0AE04F70A01209EBC700EFA8E54155CBBF9EB8421071081A5D804A7314EA322E00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F3EA98 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98847e5cecd377e8e06e68dd28b33ef9c8b367c0ad0d0699bf55f784647ec19d
Instruction ID: e834d8c28b2e2117dff217c0ef6534116df9041d5ee8080237e0520dccb86931
Opcode Fuzzy Hash: 98847e5cecd377e8e06e68dd28b33ef9c8b367c0ad0d0699bf55f784647ec19d
Instruction Fuzzy Hash: FCD01770C05208EBCB04DFA4E60466DBB78EB46302F1081AAC80423280DB755E91DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F3DD30 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1118ceb6414832f88e95ea76f0db4e21c9f1f184c33f23b15ac750073de8bd0f
Instruction ID: 8ea4b8cc7a41e4fc21562aa72fe904a960665496fb3ed490a3444b4407e50380
Opcode Fuzzy Hash: 1118ceb6414832f88e95ea76f0db4e21c9f1f184c33f23b15ac750073de8bd0f
Instruction Fuzzy Hash: F9D05E35A05218CFDB10CB14EA407E8BB75EB88211F0001D2C10CA2125D7301E808E02

Uniqueness

Uniqueness Score: -1.00%

Function 04F3D8F8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a03e6c7f3ca857ff3ecea6542927ae0a5fa4a56758f1e10107d2337c83c6ab7
Instruction ID: ee208b925b588347013ba146f7342ceb7ee943e1eb74d600bd3be43adb52b7a8
Opcode Fuzzy Hash: 6a03e6c7f3ca857ff3ecea6542927ae0a5fa4a56758f1e10107d2337c83c6ab7
Instruction Fuzzy Hash: 6ED0C77504A2859FD701A7A4E6193643F78DB13715F0414B6D149970A1D99C4C52C72A

Uniqueness

Uniqueness Score: -1.00%

Function 04F3859C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb52837e291aa0458d1ec9e9a576927ad3465b0d021b623f4f6d2b3b5232f85f
Instruction ID: a7e8ab240c224e95d5ad7418646cc6f0bbc5488219621cf6fc8354165d3979a0
Opcode Fuzzy Hash: bb52837e291aa0458d1ec9e9a576927ad3465b0d021b623f4f6d2b3b5232f85f
Instruction Fuzzy Hash: 67B01226694204E3724172706C50B3F7040ABB6706B40DC11B2482004088A3BCA7B92F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04F3B278 Relevance: 4.0, Strings: 3, Instructions: 256COMMON

Download Yara Rule

Strings

]\`, xrefs: 04F3B50A
[V~*, xrefs: 04F3B3F4
T+-q, xrefs: 04F3B5C2

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: af39afbdaeccf3d0136b643702af64d3715ee5e965d546eab1012c5ff00459bf
Instruction ID: b23e83735ad76e6eb526cd1d0f23001f9a2cb80be1d2837f4b1a9a3376d2c13d
Opcode Fuzzy Hash: af39afbdaeccf3d0136b643702af64d3715ee5e965d546eab1012c5ff00459bf
Instruction Fuzzy Hash: A4B11771E056199FCB04CFAAD99099EFBF2FF89300B14D52AD419BB259E730A902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04F3B288 Relevance: 4.0, Strings: 3, Instructions: 253COMMON

Download Yara Rule

Strings

]\`, xrefs: 04F3B50A
[V~*, xrefs: 04F3B3F4
T+-q, xrefs: 04F3B5C2

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: 90b1a9fe4c6b1385b8a2b36709b5cfcdfad8b55fa152c8cb9b383a51eb05787e
Instruction ID: a730ac75cc3fbb41843f1d303b2a87f51661e407bedd9385d50208dc08f58c01
Opcode Fuzzy Hash: 90b1a9fe4c6b1385b8a2b36709b5cfcdfad8b55fa152c8cb9b383a51eb05787e
Instruction Fuzzy Hash: 98B11671E156199FCB04CFAAD99099EFBF2FF89300F14D52AD419BB219E330A9028F54

Uniqueness

Uniqueness Score: -1.00%

Function 04F31E39 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

Z;ya, xrefs: 04F31EEB
Kk, xrefs: 04F31E86

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: Kk$Z;ya
API String ID: 0-687208382
Opcode ID: d6a1bb992ebc37250a403bc2a3793d166f637b27809990fc66ada3f94f9248cf
Instruction ID: a490f62957531d2d96e12231444c18068516cce427658dfcc5d0229cccb4b837
Opcode Fuzzy Hash: d6a1bb992ebc37250a403bc2a3793d166f637b27809990fc66ada3f94f9248cf
Instruction Fuzzy Hash: C6414C74E05209DFDB04CFA9D6805AEFBB2FF89341F24C599C405A7205E734BA82DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F310A0 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

tIh, xrefs: 04F31545

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 3647320d820bd21da7313e39cc6c53ca0e8fc121a19cc1352716f1b1ee5f2bd9
Instruction ID: f217a85ee05bbcaa8788a7b3cbd7c198f209a07059f5572233d0b193cfdac054
Opcode Fuzzy Hash: 3647320d820bd21da7313e39cc6c53ca0e8fc121a19cc1352716f1b1ee5f2bd9
Instruction Fuzzy Hash: 28E14BB1E0021ADFDB08CFA5C6808EEFBB2FB49305B149556D455AB215E738EA43CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04F31190 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

tIh, xrefs: 04F31545

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 2aae2327a3b4da28a146bc0d3f01e4f1286f93f5060ec35c3e7151c16c2f6ce8
Instruction ID: 8beabca1eed6e8dc08857637aa110d3f2088a30ae29232ef8fe7cb3cfd12fd64
Opcode Fuzzy Hash: 2aae2327a3b4da28a146bc0d3f01e4f1286f93f5060ec35c3e7151c16c2f6ce8
Instruction Fuzzy Hash: 38D13A70E0460ADFCB08CF95C6848AEFBB2FF89306B10D55AD416AB254D734EA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 09068BF8 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d55465e89e14c77475a6ebb159807316ebf056509122591615ebd9bafe2e28
Instruction ID: cc1a402aa4459a361d88ed54ea7f54f1a24f7627b26502ff45824304d4632a6d
Opcode Fuzzy Hash: 05d55465e89e14c77475a6ebb159807316ebf056509122591615ebd9bafe2e28
Instruction Fuzzy Hash: 9DC1AC717017048FEB69EB75D460BAEB7E7AF89700F148869D6468B3A0CF35E801CB61

Uniqueness

Uniqueness Score: -1.00%

Function 090639C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8baae71f3b82d985b7758e9a2bb0b8749660adad5a44662ebbd37609917a053c
Instruction ID: 7956fbeced25e46b73d1e021738f7eb822d140b0230db0f0061e725a0437528e
Opcode Fuzzy Hash: 8baae71f3b82d985b7758e9a2bb0b8749660adad5a44662ebbd37609917a053c
Instruction Fuzzy Hash: E8E1FD74E002198FDB14DFA9C580AAEFBF2FF89314F248559D414AB366D731A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09064808 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296050d36072c767ee85030c87f4683bfcbb242452125c082c5604b0aa5222e4
Instruction ID: bf9ef6da3246507169d0e142ceaeee7c30b17dc909b222cddc4cef46956835d6
Opcode Fuzzy Hash: 296050d36072c767ee85030c87f4683bfcbb242452125c082c5604b0aa5222e4
Instruction Fuzzy Hash: E9E10B74E002198FDB14DFA9C580AAEFBF2FF89314F248569D454AB36AD770A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 09062320 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e72d59ffdcd9c7e4e6e892716e2b7862d9ee5b602fcd9ba94265b1dc7c27d57
Instruction ID: 63f6e5ba9ec75dd10509a9bfd4a407686958cb4e79d8314ced1e361d39fc4840
Opcode Fuzzy Hash: 3e72d59ffdcd9c7e4e6e892716e2b7862d9ee5b602fcd9ba94265b1dc7c27d57
Instruction Fuzzy Hash: 7DE1EA74E002198FDB14DFA9C580AAEFBF2FF89314F248559D414AB36AD731A942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09063E00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afae5b4f9d86700598f28bacb4e75669c6d0d5d23c06cbf04970bb297a2977d2
Instruction ID: 2122b4b078c1e5b3921ca0bae85db338c2c66401694c8071b0b642516ff7dbf9
Opcode Fuzzy Hash: afae5b4f9d86700598f28bacb4e75669c6d0d5d23c06cbf04970bb297a2977d2
Instruction Fuzzy Hash: 0EE1EC74E002198FDB14DF99C580AAEFBF2FF89304F248569D414AB366D7719942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09061EE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e2e6f5c28e4c683e12ec88c1f757286e26a1e6bf619ef70bf271658fb4dbcf
Instruction ID: b90397bb6662032b3cf9ad09845858361b6b1f84fdaadb5deca6a7b59203cb71
Opcode Fuzzy Hash: 79e2e6f5c28e4c683e12ec88c1f757286e26a1e6bf619ef70bf271658fb4dbcf
Instruction Fuzzy Hash: A8E10C74E042198FDB14DFA9C580AAEFBF2FF89304F248569D414AB36AD731A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04F39758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67424dfde950433f30b3277336147dc01eb9a3941f2737091e65462d0c3810bb
Instruction ID: 2a9767de3834dd0714733673df8a4d9e7ba8de7ecf1a927605f187ec7825f5d9
Opcode Fuzzy Hash: 67424dfde950433f30b3277336147dc01eb9a3941f2737091e65462d0c3810bb
Instruction Fuzzy Hash: 6ED10735D1075A8ADB14EB68DA50699B7B1FFD6300F50C79AE0093B225FB70AAC4CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0230DC74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1235525935.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2300000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24e0ce2523266a983146ab554e4346b7bf9b35383406e025fbe4ed6c2c7cd7c
Instruction ID: 1b28906343281075db60474a0fe40597845c9f8c970072259db5bbdc87a2ae1b
Opcode Fuzzy Hash: b24e0ce2523266a983146ab554e4346b7bf9b35383406e025fbe4ed6c2c7cd7c
Instruction Fuzzy Hash: 94A17D36E002098FCF19DFB5C8905DEB7B6FF84300B15856AE805AB2A5DB71E955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F39768 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acb7027de422805d16095ff1e599ec575d094f7bade0cc526ff5f7ddc5849a8
Instruction ID: d8ff71e9aa974bca7e95353d7ff7061c1afddb656f48d1f8ec371c47fd98b849
Opcode Fuzzy Hash: 7acb7027de422805d16095ff1e599ec575d094f7bade0cc526ff5f7ddc5849a8
Instruction Fuzzy Hash: 9ED1F735D1075A8ADB14EB68D950699B7B1FFD6300F50C79AE4093B224EB70AAC4CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04F341E8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8d8123a597498a54abb05265bce43c047b12b103de6c13290b6d6058ebaa96
Instruction ID: 6bd9d688f32980f8e15c5b1bd8bc8dd89be8b614ddb2a9e87a9c78315846669f
Opcode Fuzzy Hash: 1b8d8123a597498a54abb05265bce43c047b12b103de6c13290b6d6058ebaa96
Instruction Fuzzy Hash: 81910A71E05209EFCB48CFE5D580A9DFBB2FB89311F20A42AD416BB264D734A946DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04F341D9 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea9d9900111a344357c786e3670eae286c353d935195732bfa5102cb5ea5248
Instruction ID: 547c45f4e0839b0379af087242bfa386cb683997bc6dccbb399ee1be7d09362b
Opcode Fuzzy Hash: 9ea9d9900111a344357c786e3670eae286c353d935195732bfa5102cb5ea5248
Instruction Fuzzy Hash: 39912975E05209EFCB48CFA5E58099DFBF2FB89301F20A42AD416BB264D734A946DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04F33ED0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86b73d6975bc77c658d73de1d4730822cd66af7e01a488d1da7b8cdb98874a3
Instruction ID: 09d2f664048d25f9fe2c1d9fc755456bef9bf1389cdf7d5309b8f0d0c6214343
Opcode Fuzzy Hash: f86b73d6975bc77c658d73de1d4730822cd66af7e01a488d1da7b8cdb98874a3
Instruction Fuzzy Hash: A8811475E05229DFCB08CFA9D9809EEFBB1FB88301F50955AE801B7254D735A942CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04F33EC0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87b1eb62d1da39732a19e02ea34452dc944885cd609d5126f09c4f8b8ea0786
Instruction ID: e31e1f5fd2ff78b73a3e32c0e56750e922c56bb2fc969f496c6be524fc48fbf1
Opcode Fuzzy Hash: c87b1eb62d1da39732a19e02ea34452dc944885cd609d5126f09c4f8b8ea0786
Instruction Fuzzy Hash: 94812575E05229DFCB08CFA9D9809AEFBB1FF88300F40955AE801B7254D739A912CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04F32030 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020f3f83961748a67eca306c62db40fab12fb68205ac07f09d586b6d0328ba22
Instruction ID: 3e6572f2c093cadb5f95bc4d0c1336509dd41a607ccb312e0e25006c3e7fa895
Opcode Fuzzy Hash: 020f3f83961748a67eca306c62db40fab12fb68205ac07f09d586b6d0328ba22
Instruction Fuzzy Hash: 8681FF74E04219CFCB44CFA9C98499EFBF2FF88311B15959AE415AB324D330AA46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04F32020 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49604c192943adea7a5b1a7f3a8396505b43f781fcaa4e936bca8c0fb3215f0e
Instruction ID: a0f1995c58dbe199d42af557c516f1afb89fbcf9dafcb51417f4a121596f33d3
Opcode Fuzzy Hash: 49604c192943adea7a5b1a7f3a8396505b43f781fcaa4e936bca8c0fb3215f0e
Instruction Fuzzy Hash: 94810E75E10219CFCB44CFA9C98499EBBF2FF88311B1595AAE415AB325D330AA46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F33491 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fa37627b0f56de068796f1374cca7003b6d189dc52fb3b19aff0615aa4ebf2
Instruction ID: 4e7d2f527b18322804e1266daa872b50bf054529cb11deece572a71c04f429d1
Opcode Fuzzy Hash: f6fa37627b0f56de068796f1374cca7003b6d189dc52fb3b19aff0615aa4ebf2
Instruction Fuzzy Hash: 106191B1E0A609FBD708CF91F285159BFB2FB89302B20D8D6C48597158DB3C9E65D724

Uniqueness

Uniqueness Score: -1.00%

Function 04F32EE8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec8868a04cc980e075e3645bbaacb2fbdb12908ee7fd300d495e868fd5ab43a
Instruction ID: ec32fb6cb6afecbd4389691fc2eb412aafddfd79c44f3b16176f8e652efeff58
Opcode Fuzzy Hash: 4ec8868a04cc980e075e3645bbaacb2fbdb12908ee7fd300d495e868fd5ab43a
Instruction Fuzzy Hash: 166108B5E1520ADFCB04CFA9C5815EEFBB2BF89301F158456E515AB240E334AA42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04F32ED9 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af79aa5ec4057536912f30a5bb2fdfc32da5c41eafc5304c2ea16923962a3592
Instruction ID: 7eeb2f87564a966c2e3181a713ec2116b2926a39f52d02e68a75b5911dcb4c0c
Opcode Fuzzy Hash: af79aa5ec4057536912f30a5bb2fdfc32da5c41eafc5304c2ea16923962a3592
Instruction Fuzzy Hash: 4F512AB5E0520ADFCB04CFA9C5815EEFBB2FF84301F158466E515AB240E334AA46CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04F35141 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89717e7c0c09e3c927cd0f6e3af3ae428158994916a2ee738a2ae14ae6836f8
Instruction ID: 0e350931c64c7d8e6944b3e2a22c6921dc86afb2824ade6c54151387252b3d91
Opcode Fuzzy Hash: d89717e7c0c09e3c927cd0f6e3af3ae428158994916a2ee738a2ae14ae6836f8
Instruction Fuzzy Hash: 24514871E0524AAFDB08CFE6D5855AEFBB2FFC9311F10A42AD411A7254E7385A02CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04F35150 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49851d478683f5308342fe55974f2c19aebdba98cd65d627961e3d6065a99da
Instruction ID: bff104fb883ff3f3a77ecd3fc2fb0ecf1714956a3fb370af35fd9290cf353147
Opcode Fuzzy Hash: d49851d478683f5308342fe55974f2c19aebdba98cd65d627961e3d6065a99da
Instruction Fuzzy Hash: 1E512871E0520AAFDB08CFE6D5455AEFBB2EFC8311F10A42AD401A7254E7345A028F94

Uniqueness

Uniqueness Score: -1.00%

Function 09062311 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1240589831.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9060000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab8f963cb4b8300f6a6d8a93c3c8508a21518629d3f9360e7424cd9de1165ff
Instruction ID: ef1c78c56bb0f88ba3aa6a4751abe5c16f83b59b4655668baf812d66ad32c2ed
Opcode Fuzzy Hash: 2ab8f963cb4b8300f6a6d8a93c3c8508a21518629d3f9360e7424cd9de1165ff
Instruction Fuzzy Hash: 7A513974E002198FDB14DFA9C5805AEFBF2FF89310F248569D418AB36AD7319942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F33258 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f06c8f33bf9ae7c837a79d8a143db5aab557475124a938f76f0e496fa60345
Instruction ID: e87db3bf33cdcfcfd12c8b60be4a3f9e8acdfc1ec29afc74f7a37af1ee84c97b
Opcode Fuzzy Hash: b8f06c8f33bf9ae7c837a79d8a143db5aab557475124a938f76f0e496fa60345
Instruction Fuzzy Hash: 1D41D6B1E0460A9BDB44CFAAC4815EEFBF2FF88301F14D46AC815A7254D734AA428F95

Uniqueness

Uniqueness Score: -1.00%

Function 04F33248 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039c8626f0e496b5551dbf9a49d77013bd88298e31a530ae0a2c13d0c115ab8f
Instruction ID: 90d9f90eaf740475b15fc70570022163e0076758966b3c23c89cc6d127344102
Opcode Fuzzy Hash: 039c8626f0e496b5551dbf9a49d77013bd88298e31a530ae0a2c13d0c115ab8f
Instruction Fuzzy Hash: A641F8B1E0560A9FDB44CFAAC5805AEFBF2FF88300F14C46AC815E7254E734AA468F55

Uniqueness

Uniqueness Score: -1.00%

Function 04F31AB1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3513421a4aaeafefeee35a9b84d3d9613c0bd018a3334ee11fbbdd08c08b6767
Instruction ID: 1f2bfaec4bec7fe1302d7e55118774a65c14ba0f8a5ba040f50a8970af9fd034
Opcode Fuzzy Hash: 3513421a4aaeafefeee35a9b84d3d9613c0bd018a3334ee11fbbdd08c08b6767
Instruction Fuzzy Hash: 5A310CB1E0520ADFDB44CFA9C5805AEFBB2FB89301F15C5AAC415A7315E734AA42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F302E0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937399aa1315b5a4a575d85c85ebe10a4168af5f7d3193769a8e626df78dcde2
Instruction ID: c9e4a85436c52be2e86f0a5807d79e8be8e45fc77d2af9e22faaf50fdb582f05
Opcode Fuzzy Hash: 937399aa1315b5a4a575d85c85ebe10a4168af5f7d3193769a8e626df78dcde2
Instruction Fuzzy Hash: 892109B1E006189BEB18CFABD9402DEFBF3AFC8310F14C07AD408A6258DB741A46CA50

Uniqueness

Uniqueness Score: -1.00%

Function 04F302D1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb3f6606523cff3763b05b6f51de9944153fb9199e4622208dc75c0180063c4
Instruction ID: f6071bdcaa0133e2bc90616df1da5328a6f95e60e927af8d7fe29bd20db69269
Opcode Fuzzy Hash: 1fb3f6606523cff3763b05b6f51de9944153fb9199e4622208dc75c0180063c4
Instruction Fuzzy Hash: 1821CDB1E006588FEB19CFABC9542DEBBF3AFC9300F14C56AD409A7258DA741946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F3B128 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

]\`, xrefs: 04F3B50A
[V~*, xrefs: 04F3B3F4
T+-q, xrefs: 04F3B5C2
[V~*, xrefs: 04F3B3ED

Memory Dump Source

Source File: 00000001.00000002.1239516541.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f30000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: 17dc2a1b092ecc20a4d3d31bc0755a487bd1acddcec95e5429a1207953917e88
Instruction ID: 25f844192f3f8f101d789dda4e4c65fbc5495580fc1e72cfa0b9eb82f461a66b
Opcode Fuzzy Hash: 17dc2a1b092ecc20a4d3d31bc0755a487bd1acddcec95e5429a1207953917e88
Instruction Fuzzy Hash: DA317172A04204CBDB11DF68C8603BEBBB0EF05342F05856BA4659B287E335FD52DB66

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 1iO53raUh69l6nV.exePID: 7712, Parent PID: 7632COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	141
Total number of Limit Nodes:	14

Executed Functions

Function 02833E80 Relevance: 4.0, Strings: 3, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VPm, xrefs: 028340CB
>{kq, xrefs: 02833E9F
>{kq, xrefs: 02833EBF

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq$>{kq$\VPm
API String ID: 0-3322164955
Opcode ID: 85c6d0b55f6d59f54715566fced1dd62f0750aa47690863de0c290c8687652d5
Instruction ID: 499fc2e26abeee37b6a514de0e5bf58a1bc7be95c3455412d903d135fd4dac9c
Opcode Fuzzy Hash: 85c6d0b55f6d59f54715566fced1dd62f0750aa47690863de0c290c8687652d5
Instruction Fuzzy Hash: C2915D78E00209CFDF15CFA9D99579EBBF2AF88314F148129E419E7294EB749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02834A98 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

>{kq, xrefs: 02834AB7
>{kq, xrefs: 02834AD7

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq$>{kq
API String ID: 0-1695889010
Opcode ID: 5f0d3c060433515f49e94d51d0934be5f9a4233a101fdbe24460992e07fb45a4
Instruction ID: 4841d83c335849148996f6a7bdfcbb5a84eaffe786253c6cb9930104ecc3dcd9
Opcode Fuzzy Hash: 5f0d3c060433515f49e94d51d0934be5f9a4233a101fdbe24460992e07fb45a4
Instruction Fuzzy Hash: 0FB13E78E002098FDB15CFA9D8817DDBBF2BF88314F148529D819E7394EB749886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02839BF2 Relevance: 2.8, Instructions: 2759COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39856f77d926cea0e87d58dcbaff0b0e33577e94ca277e8723693788f39817d
Instruction ID: 2fb1b74ba3ade59947f795d3e0aee4a5d4c5859ccfb90e609e30608893c9aea9
Opcode Fuzzy Hash: a39856f77d926cea0e87d58dcbaff0b0e33577e94ca277e8723693788f39817d
Instruction Fuzzy Hash: 4C530935D10B1A8ACB51EF68C8446A9F7B1FF99300F15D79AE458B7121EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0283CE98 Relevance: 2.3, Instructions: 2291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a6bdb4fe3a655c771748a1f940ce0896d77598b66210b2775fcac821e994db
Instruction ID: 1284745b999d07cd020f88a1cd3fe4feeb6b7b7b6e4d6424050d84c1d8451001
Opcode Fuzzy Hash: 88a6bdb4fe3a655c771748a1f940ce0896d77598b66210b2775fcac821e994db
Instruction Fuzzy Hash: 6E331C35D10B198EDB11EF68C8846ADF7B1FF99300F14D69AE448B7211EB70AAD5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2E08 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CE2E86
GetCurrentThread.KERNEL32 ref: 00CE2EC3
GetCurrentProcess.KERNEL32 ref: 00CE2F00
GetCurrentThreadId.KERNEL32 ref: 00CE2F59

Strings

>{kq, xrefs: 00CE2E24

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: Current$ProcessThread
String ID: >{kq
API String ID: 2063062207-3357484281
Opcode ID: 9b9aae754e54d97ade5937c1dcb493064adfc496385954a4c6809df2c66f565f
Instruction ID: aeeb3bb06467471d781bbfcbf38db420425a91abc2784f8ae0af1883d2e87574
Opcode Fuzzy Hash: 9b9aae754e54d97ade5937c1dcb493064adfc496385954a4c6809df2c66f565f
Instruction Fuzzy Hash: 8C5157B09013498FDB54CFAAD548BAEFBF5EF48300F208059E019A7360D7B46985CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2E03 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CE2E86
GetCurrentThread.KERNEL32 ref: 00CE2EC3
GetCurrentProcess.KERNEL32 ref: 00CE2F00
GetCurrentThreadId.KERNEL32 ref: 00CE2F59

Strings

>{kq, xrefs: 00CE2E24

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: Current$ProcessThread
String ID: >{kq
API String ID: 2063062207-3357484281
Opcode ID: 967b1b6a15af17f824f018f75fd2ba4f7ca39be903f3d40ab3019a1247687006
Instruction ID: 41d3452c0e865b7a4850e0afb4657c80aed5b210db8054d341d2fd0699541bea
Opcode Fuzzy Hash: 967b1b6a15af17f824f018f75fd2ba4f7ca39be903f3d40ab3019a1247687006
Instruction Fuzzy Hash: 175146B0901349CFDB54CFAAD548BAEBBF1EF48300F248459E419A7360D7745985CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00CED7C5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00CED922

Strings

>{kq, xrefs: 00CED85E
>{kq, xrefs: 00CED83E

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: CreateWindow
String ID: >{kq$>{kq
API String ID: 716092398-1695889010
Opcode ID: bb445c66b2c7cfd1404c0e3521a0c3628bd130ce3ede3a52ef59c918deb61d74
Instruction ID: 17ec2a2579265dad5fd982905b652bbd9f085703bffab70c62ac267c29509910
Opcode Fuzzy Hash: bb445c66b2c7cfd1404c0e3521a0c3628bd130ce3ede3a52ef59c918deb61d74
Instruction Fuzzy Hash: 0651E471C00289EFDF15CF9AC884ADEBFB1BF48300F24816AE819AB261D7759955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CED804 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00CED922

Strings

>{kq, xrefs: 00CED85E
>{kq, xrefs: 00CED83E

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: CreateWindow
String ID: >{kq$>{kq
API String ID: 716092398-1695889010
Opcode ID: 55073811fe08361dbaef0ea3f8ffb24f8b5d5e709867653aec89dd31bd13ba13
Instruction ID: df27fc33218843495221542a82549d4d8f8f1f48a8a8d06badec2f41b3ecd757
Opcode Fuzzy Hash: 55073811fe08361dbaef0ea3f8ffb24f8b5d5e709867653aec89dd31bd13ba13
Instruction Fuzzy Hash: B651C0B1D00348DFDB14CFAAC884ADEBFB5BF48310F64812AE819AB251D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CED810 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00CED922

Strings

>{kq, xrefs: 00CED85E
>{kq, xrefs: 00CED83E

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: CreateWindow
String ID: >{kq$>{kq
API String ID: 716092398-1695889010
Opcode ID: 74c703336d3bdb917b7603c6c914cc6800cef65c4042e4091f9d891a1645d0f4
Instruction ID: 11a1af18bd67a138da7b31e86eefd7101ed9fa3dc0f7dc175f5a49c1a61d2b98
Opcode Fuzzy Hash: 74c703336d3bdb917b7603c6c914cc6800cef65c4042e4091f9d891a1645d0f4
Instruction Fuzzy Hash: F541B0B1D00349DFDB24CF9AC884ADEBBB5FF48310F64812AE819AB251D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02834810 Relevance: 5.2, Strings: 4, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>{kq, xrefs: 0283482F
\VPm, xrefs: 0283487F
\VPm, xrefs: 028349D2
>{kq, xrefs: 0283484F

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq$>{kq$\VPm$\VPm
API String ID: 0-603843921
Opcode ID: 424cfa5c72c78f5fbfd53bdf379948ddb37c92243efc0b0f63e4fff5ab847dc5
Instruction ID: 91c9965d452f1510280f0291d3f7e5916e8471d02e7800516dad0a41de95b633
Opcode Fuzzy Hash: 424cfa5c72c78f5fbfd53bdf379948ddb37c92243efc0b0f63e4fff5ab847dc5
Instruction Fuzzy Hash: 9C713BB8E002498FDB15CFA9D88479EBBF2BF88314F148129E419E7254EB749846CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02834804 Relevance: 5.2, Strings: 4, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>{kq, xrefs: 0283482F
\VPm, xrefs: 0283487F
\VPm, xrefs: 028349D2
>{kq, xrefs: 0283484F

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq$>{kq$\VPm$\VPm
API String ID: 0-603843921
Opcode ID: a179964d355d4fd35e5b1ed192a944416895691db2270f7ed45d6594b6a295c3
Instruction ID: 81196d03d49b287587b2f4921e23cca2cc83e168330b73ad81540ecbc0914496
Opcode Fuzzy Hash: a179964d355d4fd35e5b1ed192a944416895691db2270f7ed45d6594b6a295c3
Instruction Fuzzy Hash: 44715CB8E00249CFDB11CFA9C88579EBBF2BF48314F148129E419E7254EB749882CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02833E74 Relevance: 4.0, Strings: 3, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VPm, xrefs: 028340CB
>{kq, xrefs: 02833E9F
>{kq, xrefs: 02833EBF

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq$>{kq$\VPm
API String ID: 0-3322164955
Opcode ID: a1571f117019fba61e06ed88584597809741aea794703c3754eb7ef741a81d19
Instruction ID: 7c47455a8775355bdf802229e26eedb312c08b397c78345654fd4c0317029896
Opcode Fuzzy Hash: a1571f117019fba61e06ed88584597809741aea794703c3754eb7ef741a81d19
Instruction Fuzzy Hash: 4E915B78E00209DFDB21CFA9D9857DEBBF1AF48314F148129E419E7294DB749886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CEB218 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEB47E

Strings

>{kq, xrefs: 00CEB437

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: HandleModule
String ID: >{kq
API String ID: 4139908857-3357484281
Opcode ID: 158d2f2ca07a6ff7c6fdc27232a431a31c5836b5f14a892cfbea33c9d98c2cf5
Instruction ID: 2f11cf7255e126269be9f203c7fb34fe516d0e14dbe6c9811a504c482a39ba00
Opcode Fuzzy Hash: 158d2f2ca07a6ff7c6fdc27232a431a31c5836b5f14a892cfbea33c9d98c2cf5
Instruction Fuzzy Hash: 32814770A00B858FDB24DF2AD4457ABBBF1BF88300F008A2ED496D7A50D775E945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00CECD6C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00CEFE91

Strings

>{kq, xrefs: 00CEFDE7

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: CallProcWindow
String ID: >{kq
API String ID: 2714655100-3357484281
Opcode ID: c25961836752731899972a0cc9939934e4b68837f4ecf3ccf0913a3f5309713e
Instruction ID: 4d35dc20193c1fafcc417fa762087acbc8ae28c0f5c3f0cb38e4501d25d11709
Opcode Fuzzy Hash: c25961836752731899972a0cc9939934e4b68837f4ecf3ccf0913a3f5309713e
Instruction Fuzzy Hash: C74119B5A00349CFDB54CF5AC448AAABBF5FB88314F24845DD519AB321D375A942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3048 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CE30D7

Strings

>{kq, xrefs: 00CE306F

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: DuplicateHandle
String ID: >{kq
API String ID: 3793708945-3357484281
Opcode ID: e97d7756ecc14b3a58f212412c46c4ea19eb4a75365f1e046159c18ad3d03c27
Instruction ID: 79c071216baaed4818e4fec13664b2ae6e2f9a9c58652dc4f3898ccda91bb963
Opcode Fuzzy Hash: e97d7756ecc14b3a58f212412c46c4ea19eb4a75365f1e046159c18ad3d03c27
Instruction Fuzzy Hash: A721E4B5D002489FDB10CFAAD484BEEFBF4EB48310F24801AE918A7350D375AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3050 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CE30D7

Strings

>{kq, xrefs: 00CE306F

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: DuplicateHandle
String ID: >{kq
API String ID: 3793708945-3357484281
Opcode ID: 528c7774cbbb43dbbcf5d15bbcd84cb90c15631ae84d90974d145871a2e2a639
Instruction ID: 9f026042f8c1e353b27b22fb7bb29278e7a598bda6c0b45e3a915e9bdc8d4b84
Opcode Fuzzy Hash: 528c7774cbbb43dbbcf5d15bbcd84cb90c15631ae84d90974d145871a2e2a639
Instruction Fuzzy Hash: 0E21C4B59002489FDB10CF9AD584ADEFBF4EB48310F14841AE914A3350D375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA1C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CEB4F9,00000800,00000000,00000000), ref: 00CEB6EA

Strings

>{kq, xrefs: 00CEB69F

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: LibraryLoad
String ID: >{kq
API String ID: 1029625771-3357484281
Opcode ID: dadfc25f90c78060ececf8d76c2f27af443d3ba83042bd12f6dab4d9ba7a42cd
Instruction ID: e357eb7bb62fc4c07ef9775ed2ec05aba91adea674651ac64a28da6b36d9912b
Opcode Fuzzy Hash: dadfc25f90c78060ececf8d76c2f27af443d3ba83042bd12f6dab4d9ba7a42cd
Instruction Fuzzy Hash: 6C1117B69003498FDB24CF9AC444BAEFBF8EB48310F10842AE515A7300C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CEB679 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CEB4F9,00000800,00000000,00000000), ref: 00CEB6EA

Strings

>{kq, xrefs: 00CEB69F

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: LibraryLoad
String ID: >{kq
API String ID: 1029625771-3357484281
Opcode ID: e30172faff3e26b0a36d57f7d9ac737cfb66c22427e0399e2904200c56324338
Instruction ID: 26b7572501d756b8a28ca1c600441fbb787eb85f9add3fbceb0013f71a9a36e4
Opcode Fuzzy Hash: e30172faff3e26b0a36d57f7d9ac737cfb66c22427e0399e2904200c56324338
Instruction Fuzzy Hash: 371117B6D002498FDB24CF9AD444BEEFBF5AB88310F15852EE415A7640C379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CEB418 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEB47E

Strings

>{kq, xrefs: 00CEB437

Memory Dump Source

Source File: 00000002.00000002.2471825922.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ce0000_1iO53raUh69l6nV.jbxd

Similarity

API ID: HandleModule
String ID: >{kq
API String ID: 4139908857-3357484281
Opcode ID: 6d9785c1e5ae76f5743e373767d578e34934ce27d2f1d0a4e0d4921fb7fa09d4
Instruction ID: 93ff9f2e35d08703e167444e814380b7ec68fb0a4b000c1857b9280760ca5b7d
Opcode Fuzzy Hash: 6d9785c1e5ae76f5743e373767d578e34934ce27d2f1d0a4e0d4921fb7fa09d4
Instruction Fuzzy Hash: 8311D2B6C002498FDB20CF9AC444A9EFBF4EB48314F10841AD429A7355D379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02834A8E Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

>{kq, xrefs: 02834AB7
>{kq, xrefs: 02834AD7

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq$>{kq
API String ID: 0-1695889010
Opcode ID: 37efe698e07391a7980d357916646ad06f9bca8db5cdbda62beda3d2c0042c18
Instruction ID: eeb0a8dd242aaef1101747ac74f95f6c387197614ea01ec820bd11c8c9858cb4
Opcode Fuzzy Hash: 37efe698e07391a7980d357916646ad06f9bca8db5cdbda62beda3d2c0042c18
Instruction Fuzzy Hash: CEB13C78E002198FDB11CFA9D8857DDBBF1BF48314F248529D819EB294EB749886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02836CD4 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

>{kq, xrefs: 02836D05
>{kq, xrefs: 02836D25

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq$>{kq
API String ID: 0-1695889010
Opcode ID: faa8f627489514f7a986cab0bda5563ea6d77886320c1408a0bc690caa8c7d3d
Instruction ID: 8f62b6b228417133a66a8363cc14015acf2c27fa682fdd55fc3045817e4f82c6
Opcode Fuzzy Hash: faa8f627489514f7a986cab0bda5563ea6d77886320c1408a0bc690caa8c7d3d
Instruction Fuzzy Hash: FD511278D002689FDB15CFAAC884B9DBBF5BF48304F248129D819AB354E775A845CF98

Uniqueness

Uniqueness Score: -1.00%

Function 02836CE0 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

>{kq, xrefs: 02836D05
>{kq, xrefs: 02836D25

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq$>{kq
API String ID: 0-1695889010
Opcode ID: f5cc0b7063a5c730fa3094e6c633a5833e7c318f27a7957032aa9a378c046fd3
Instruction ID: 725ae5cd2f4e14901e7d7c55c4c9072df5f2d6ea4d8d4f313a34cb7a68d5ea39
Opcode Fuzzy Hash: f5cc0b7063a5c730fa3094e6c633a5833e7c318f27a7957032aa9a378c046fd3
Instruction Fuzzy Hash: 63512478D002289FDB15CFAEC884B9DBBF5BF48314F248119D819AB390E775A844CF98

Uniqueness

Uniqueness Score: -1.00%

Function 028326DE Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

>{kq, xrefs: 02832710

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq
API String ID: 0-3357484281
Opcode ID: a724aaa8636843152cf8468ccbc54731763900404bdca449c32934f3e7b78bef
Instruction ID: 739f394ba3fb7bf7045dee1f2684880980413b6cc75ad7bd9e9e819bb2057160
Opcode Fuzzy Hash: a724aaa8636843152cf8468ccbc54731763900404bdca449c32934f3e7b78bef
Instruction Fuzzy Hash: F041C2B4D00348DFDB21CFA9C484ADEBBF5FF48314F248429E819AB254DB759946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 028326E8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

>{kq, xrefs: 02832710

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID: >{kq
API String ID: 0-3357484281
Opcode ID: 78447ca5e2c8889cd568b494587ce01e86f973a9c8466aa113cfddd84ed4ebce
Instruction ID: 25184a0fe93fb800a2df76e79ec1dcf70c8549016c6b705096b92a14aede3026
Opcode Fuzzy Hash: 78447ca5e2c8889cd568b494587ce01e86f973a9c8466aa113cfddd84ed4ebce
Instruction Fuzzy Hash: 7941C0B4D00348DFDB20DF99C484ADEBBB5FF48314F248429E819AB254DB75A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02837918 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0cd0a9aa3b0f055753f7944f687f097776686dbd891c888c1b9cf98b4e49f4
Instruction ID: c2b0d99acd0e52c787dc689d62f5e711c22f8c99b79a02a2718db3cd14e646b1
Opcode Fuzzy Hash: ec0cd0a9aa3b0f055753f7944f687f097776686dbd891c888c1b9cf98b4e49f4
Instruction Fuzzy Hash: 6B12A134B003068BDB96AB38E49472C73A3EB89351B204DADD105CB7A4DF75EC92DB95

Uniqueness

Uniqueness Score: -1.00%

Function 028396F0 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a17c11f88933b620d78e11dc33ca6c56c88283120b7bbc42f4daa9fff72ee7e
Instruction ID: 94f8803d002e5cd4decb2f47fcde5c40204cf3ca2b47cd1934bc0db730490511
Opcode Fuzzy Hash: 5a17c11f88933b620d78e11dc33ca6c56c88283120b7bbc42f4daa9fff72ee7e
Instruction Fuzzy Hash: 2EC1A078A002058FDB15DF68D8807AEBBB2FF88310F248569D909EB395DBB4DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02839374 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815d3614566ddb145bf8bf6229dc33b6fae5e7210cc462ffc04c08ac5d26cfb2
Instruction ID: 1f048e1773187dce14429998ed7bc706a847c1af4f19509537e2443fa90d2b06
Opcode Fuzzy Hash: 815d3614566ddb145bf8bf6229dc33b6fae5e7210cc462ffc04c08ac5d26cfb2
Instruction Fuzzy Hash: 66B18038B012458FDB05DF68D594AADBBB2FF89310F148469E906EB3A5DB74DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02836ED2 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5074d59f1e1e14b32d7edf3bdb4d2ce9b609266d90409cd3d0f5a1f3ad72dec2
Instruction ID: 36b2a6eab30ea6168012036086b4f65b775e9bd2bae1193a3978e4d373620f22
Opcode Fuzzy Hash: 5074d59f1e1e14b32d7edf3bdb4d2ce9b609266d90409cd3d0f5a1f3ad72dec2
Instruction Fuzzy Hash: 2351A378E002599FDB56DB78C4547AEBBB2FF85300F20846AE405EB391EB75D842CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02831128 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61f18990cc7cea6306c045941b972bce82bd36b3b123c7fb32e67ffce438392
Instruction ID: f1505f387ebd7098860e556211a250b017d15d0f16c8c3f812d2c2bfefd50c75
Opcode Fuzzy Hash: a61f18990cc7cea6306c045941b972bce82bd36b3b123c7fb32e67ffce438392
Instruction Fuzzy Hash: E0510635611345CFEB06EF68F994B583B62FBE5320700D9A9D1005B27ADAB0295ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 02831138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b1262691456b013a6d829827e4765b665a8abd945b86f39da34ebaed32b8bf
Instruction ID: 1793a5ef2419721660e3d4d76fab93f26dbae9d99f0dd7477c64d39fb292b7b7
Opcode Fuzzy Hash: c3b1262691456b013a6d829827e4765b665a8abd945b86f39da34ebaed32b8bf
Instruction Fuzzy Hash: BA51F435A11345CFEB06FF68F994B583B62F7E5320700D9A8D1005B27EDAB0299ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 0283F3DD Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf140164ce5326d9eb33ead7a83fa11ce547095b7a9a2f18a7591304c1969c00
Instruction ID: 74ee2790d3fc316eec6574c8531d0a4c2313046b84a0377cbad3fab09b215959
Opcode Fuzzy Hash: cf140164ce5326d9eb33ead7a83fa11ce547095b7a9a2f18a7591304c1969c00
Instruction Fuzzy Hash: 3641FF38B002458FDB2A9F38955476E3BB2BF85210B14856DC406EB796DF35CC42CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0283F2A0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d32d491a34fd74d078d6322d481ba4d748bfaf787129b07047563a23190586
Instruction ID: 8518cec28c63df920e8eddc9bfa6eccc880350f53de28aa713d5fc14a9aebc3d
Opcode Fuzzy Hash: 86d32d491a34fd74d078d6322d481ba4d748bfaf787129b07047563a23190586
Instruction Fuzzy Hash: 62315038E102069FDB16CF65D49569EBBB2FF89310F148519E90AE7740DB75AC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02836F70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9087a065c77311b886dea5d189590eba8f00498517a944b9a8fe9889c073549a
Instruction ID: c2233c10f75611a4ef1c60cc30993494c6bf3804b1adee9d4a1c68ea8fde2b77
Opcode Fuzzy Hash: 9087a065c77311b886dea5d189590eba8f00498517a944b9a8fe9889c073549a
Instruction Fuzzy Hash: 8831A378E102199FDB15DFA8C4547AEF7B2FF85310F208869E505EB290EBB1D941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02831380 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a8ff7c0d4e121435f76f762da15fe369147031e08cbe5bd6c69a96d0d9a583
Instruction ID: 171abed4c75e810e94f229a9c9b3b5733ee2e00a4837580ad58271a4e8b9fcb3
Opcode Fuzzy Hash: 43a8ff7c0d4e121435f76f762da15fe369147031e08cbe5bd6c69a96d0d9a583
Instruction Fuzzy Hash: 9A31C83CA013054FEFA3AB28E48876D3762F781768F148D25D10ECB299DB749897CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0283F2B0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ec22d5302b8313c5ed5f3c3fa9ab5d3e642752000e8c38ad09d8ac7c16bf88
Instruction ID: d690a969b6a8253cf645773c2b099e11a195b23a9a16e036080237d846b33bd3
Opcode Fuzzy Hash: e8ec22d5302b8313c5ed5f3c3fa9ab5d3e642752000e8c38ad09d8ac7c16bf88
Instruction Fuzzy Hash: 1A316E38E1020A9FCB19CF65D555A9EBBF2FF89310F108529E90AE7740DB75AC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 028317C0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3636315162161c859296e93b735c3a1c57c57cd779bf6f94b17749e76b49853c
Instruction ID: 246bd20df8e367404376ab5bdf95362cc606e1aee25a82f04bc5ed311b6389c7
Opcode Fuzzy Hash: 3636315162161c859296e93b735c3a1c57c57cd779bf6f94b17749e76b49853c
Instruction Fuzzy Hash: A431E67DB442548FEF52AB78D8087AA3BB5FB84750F144925D94EC7349EB34C8428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 028316A0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fa86a555000badc673a66ce087a011cc8ea4d88e22ac73e806397aa5fe4ecd
Instruction ID: 877bdf3548070c285945c46cf1fcaddb3c64616917dcebcf93b1bed023fff015
Opcode Fuzzy Hash: 70fa86a555000badc673a66ce087a011cc8ea4d88e22ac73e806397aa5fe4ecd
Instruction Fuzzy Hash: 6521C73C6042444FEF63AB68E8887693761FB85744F045A65D00ECB2AAEB64D846CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 02839261 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d98f6db73b0a95c8bca89f23c1108de10790602d1bb35d2ee26ea5deec79faf
Instruction ID: a6a4dee927a9238d8f57341a4c38ed671c93b41e7943ee42788aab127c5b61e0
Opcode Fuzzy Hash: 9d98f6db73b0a95c8bca89f23c1108de10790602d1bb35d2ee26ea5deec79faf
Instruction Fuzzy Hash: CE318179E0020A9BDB06CFA4D59179EF7B2FF89300F148619E805EB341DBB1D842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0283148A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41f7dc4b24375821a49751abe327d31799e0329929e9ec04e87038854819244
Instruction ID: b0c34fcbb06d79f0ef693dea211dc409e8db0e5a13b7e1d0da081ef3a8843d0e
Opcode Fuzzy Hash: c41f7dc4b24375821a49751abe327d31799e0329929e9ec04e87038854819244
Instruction Fuzzy Hash: 0A21CF3DA012118FDF23AFB890483ADBBA2EB45725F14487AD80ED7280E735C842CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02839270 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e556130ed9de270ed810c5b1cc1355070d0ccf7c9e9692c57c27b17e1ed58fc
Instruction ID: 9a75b293de6bdf2d3d456bb37d3091913e39a34621372e6b7f30bf72668489ec
Opcode Fuzzy Hash: 5e556130ed9de270ed810c5b1cc1355070d0ccf7c9e9692c57c27b17e1ed58fc
Instruction Fuzzy Hash: AB216279E0060A9BDF16CFA5D48579EF7B2FF89300F148619E809EB355DBB19842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0270D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472230604.000000000270D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0270D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_270d000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fda3b612aa2230bcc58b73d300e8408976416cfe62760814bcb843c0a46b2cd
Instruction ID: d06d6277e7b550ad42a6c1d679bbb054c31b7fe64f5352f2b7508005653d8fb0
Opcode Fuzzy Hash: 4fda3b612aa2230bcc58b73d300e8408976416cfe62760814bcb843c0a46b2cd
Instruction Fuzzy Hash: C421F271604344EFEB24DF54D9C4F16BBA5EB88314F20C569E80E4B286C376D84BCA62

Uniqueness

Uniqueness Score: -1.00%

Function 02839160 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c410b680ebe6055c5caa3a8cde6a755e69d3ee06bd70bbd3362e8142f2840c
Instruction ID: 0cf72f344e45f0a1dc1260c2b2e617fc81e88c0c0fcd08ee4ebf0d09c5362b18
Opcode Fuzzy Hash: b6c410b680ebe6055c5caa3a8cde6a755e69d3ee06bd70bbd3362e8142f2840c
Instruction Fuzzy Hash: 6B219239E046058BDB19CFA8D454ADEFBB2BF89300F10861AE815FB340DBB49841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02834F88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1e354eba2663a9d8c75a28613d9b432d6bc77dc41b08d64519003a6e612aed
Instruction ID: 6b41fd4c4c5a54f096bcf12fb98c01d85831fd2994c69e32fdb7fe0ed798a90e
Opcode Fuzzy Hash: 7e1e354eba2663a9d8c75a28613d9b432d6bc77dc41b08d64519003a6e612aed
Instruction Fuzzy Hash: 2D212A38A002448FCB55EB78C468BAD7BF1EF8D704B1044A9E80AEB361DB769D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02839170 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de452a3d167cf7ab87754099d125f2a5b1c1e70b3516e683ebdf8ab94cb8069a
Instruction ID: 50e7ec3d0cc0776196d61661d78d32f5bf7a94dcaf4241b174290b8d35676e3f
Opcode Fuzzy Hash: de452a3d167cf7ab87754099d125f2a5b1c1e70b3516e683ebdf8ab94cb8069a
Instruction Fuzzy Hash: BC214539E006099BDB19CFA9D554A9EF7B2BF89310F10851AE815F7340EBB4D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02831888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7609a8edde38e88029ae094da608c305800444e6e27e62b734c58fdd108da44
Instruction ID: 2e5fd7048e73784994481da0b6e707583d2ffc6d84c9627e10ad147729313e5a
Opcode Fuzzy Hash: c7609a8edde38e88029ae094da608c305800444e6e27e62b734c58fdd108da44
Instruction Fuzzy Hash: BF213038B002098FDB19EB78C5587AD77F6AF49B45F500468D50AEB354DF358D41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02831878 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d930a6bf9924cf7cf4f04727e7b17088ee7ea2561908e9336d6a6a0305492ae7
Instruction ID: aaafc356bb5e914ccb63ed884930ea4389920ae2c4beec40d6b6d146472ce6d3
Opcode Fuzzy Hash: d930a6bf9924cf7cf4f04727e7b17088ee7ea2561908e9336d6a6a0305492ae7
Instruction Fuzzy Hash: ED214C38B002458FDB15EB78C5587AE77F2AF89745F5004A8D409EB750DB358D41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 028316B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5b6b8f61f7471b409b02077cfb2e09602df7ef95650d51b855684ae126beca
Instruction ID: c708d5a885cd50d7630881ba1801cba8969faea049d41f88afbf530a350593c4
Opcode Fuzzy Hash: db5b6b8f61f7471b409b02077cfb2e09602df7ef95650d51b855684ae126beca
Instruction Fuzzy Hash: 4921A23C6102044FEF63EB68E8887693365FB84754F149A24D00FC72AAEB74D8868FD1

Uniqueness

Uniqueness Score: -1.00%

Function 02836B99 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4952405fff44e09660f7d0bbb9943a4c1ea042afab55f1df9f38c0f7e0bb93
Instruction ID: a707cfa8a6bef899ba017e1fda671c7bb3b33df87b8861c0418ad9577eee511b
Opcode Fuzzy Hash: 0b4952405fff44e09660f7d0bbb9943a4c1ea042afab55f1df9f38c0f7e0bb93
Instruction Fuzzy Hash: D92102307082905FCB42AB3C90647AE7FB6EF86710F1448EEC085DB356EE658C56CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02834F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837253002b975fa81d11f4605c14b2b70ccfacebb5f787095d5880988357ccbe
Instruction ID: 3f6ec670b78b6eb65a33fd05f96cf5df6e7767c5ca83d09bf11979f5064dcc64
Opcode Fuzzy Hash: 837253002b975fa81d11f4605c14b2b70ccfacebb5f787095d5880988357ccbe
Instruction Fuzzy Hash: 6221E938A002048FDB55EB78C568BAD77F1EF8D704B104468E80AEB3A0EB769D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02830848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eeb39953a3406db69e97649f5bcfc6cefa9ae10778ecafaf985883b794dc321
Instruction ID: 0cb61e61a5a2175c5701510c7c072ba063d855a6e2e91c79b8b6c3ea9a759051
Opcode Fuzzy Hash: 0eeb39953a3406db69e97649f5bcfc6cefa9ae10778ecafaf985883b794dc321
Instruction Fuzzy Hash: D511A03CB003088BEF66AB79D8047393395EB85759F208879D50ACF395DBA1CC868BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0270D007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472230604.000000000270D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0270D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_270d000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b392b32aa9625ab4d6983ca1fbcc22e7127d790ec6c516b666136f9755ef4922
Instruction ID: 1a98241b1a9f6ba0a756a1b1232b52bd1427e9b06b851e31c6f5fcf431cc65de
Opcode Fuzzy Hash: b392b32aa9625ab4d6983ca1fbcc22e7127d790ec6c516b666136f9755ef4922
Instruction Fuzzy Hash: DA215E75509380CFCB16CF64D9D4B15BFB1EB46214F28C5DAD8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02830838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1aca2cb0d3c8f90af94ef10e8fffc023b7b2826116076c181a018b8fadcb0ab
Instruction ID: c3ae864451c18c3a7a81c7f058a5df859d5deea5cf668b53030d89cc00c74195
Opcode Fuzzy Hash: b1aca2cb0d3c8f90af94ef10e8fffc023b7b2826116076c181a018b8fadcb0ab
Instruction Fuzzy Hash: AB11CE3CB003084BEF266B78DC1437A3359EB81359F104839D50ACF386DB65C8868BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02831498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc008112ff5e19cbcc33b80f27fceeb9a36be7b84285f27462fae0c6f12b128
Instruction ID: 6aea926d316e8a8a2e6296daec20718b3c39e962dccf73616fe49de52bfbce8f
Opcode Fuzzy Hash: 1bc008112ff5e19cbcc33b80f27fceeb9a36be7b84285f27462fae0c6f12b128
Instruction Fuzzy Hash: 4401843DA012158BCF22EFB884542ADBBF6EB48721B14447AD80AE7380E735D8428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02837088 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4d2d0ecfb5da60d86a875366bd00aa86c024b50a82b7340761189a12cfad59
Instruction ID: 5e0363d15b8ea76d65995f572e7fa45b6a343140bf8ef7653e97a46b8ef0b925
Opcode Fuzzy Hash: 8d4d2d0ecfb5da60d86a875366bd00aa86c024b50a82b7340761189a12cfad59
Instruction Fuzzy Hash: FD012839B40204CFC794DB64D4A8B6C77B2FF88325F1044A8E206CB3A4CB70AD52CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02838100 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a039004337e20cb872483623af8d4ac0eb754a3cdc03e3f090e1c9a063155fa5
Instruction ID: c8c16406a3b38833f868de3eacfca3ea827ed2415c93c5af244962301ad9ca27
Opcode Fuzzy Hash: a039004337e20cb872483623af8d4ac0eb754a3cdc03e3f090e1c9a063155fa5
Instruction Fuzzy Hash: A101F7345003898FEF02EBA8F88078D7B72EF41300B0046E8C0405B196DE715A42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02831524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a51219c43be0d24a80cff9d65f7ea1f32fcd4e1e418e5511a892832feb26326
Instruction ID: cc44e9d7547ccf767e8600d82a1b4b55202e775ad20a6369dcee0e441c71f544
Opcode Fuzzy Hash: 6a51219c43be0d24a80cff9d65f7ea1f32fcd4e1e418e5511a892832feb26326
Instruction Fuzzy Hash: 58F02B3FA04250CFDB138BE884551ACBBB1FA4472171840E7C80EDB241D735D442CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02838110 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2472414296.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2830000_1iO53raUh69l6nV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a5cd4afa72cbad2575dcfac93d793a4bb798901cf9d586eb6de4085812e11d
Instruction ID: a097f2829df7c93f1f6f8e36923aa083a04214f555f1539069b4dc09adcce21c
Opcode Fuzzy Hash: 87a5cd4afa72cbad2575dcfac93d793a4bb798901cf9d586eb6de4085812e11d
Instruction Fuzzy Hash: BCF0313490034CDFDF41FFA8F840B9DB7B2EF94340F5096A9C005A7254DA716E559B95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1iO53raUh69l6nV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1iO53raUh69l6nV.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
1iO53raUh69l6nV.exe

Function 09064F7C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 09064F88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0230AE30 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 0230590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 0230449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 09064CF8 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Function 09064D00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 09064728 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Function 09064DE8 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 0230C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 09064DF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 09064730 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 0230D2F9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 09064C38 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Function 0230A870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre