Edit tour

Windows Analysis Report
PO No. 2430800015.exe

Overview

General Information

Sample name:	PO No. 2430800015.exe
Analysis ID:	1430133
MD5:	a36ff2c09d921fbd6ee2f39d14c36dba
SHA1:	e41e7ab38156164ac96518d6d558b7f63d0dd31d
SHA256:	e0478198dfc6be28c91fdf8ea0935c80040936e79dcf037219ebdfb94e71e960
Tags:	jar
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO No. 2430800015.exe (PID: 2968 cmdline: "C:\Users\user\Desktop\PO No. 2430800015.exe" MD5: A36FF2C09D921FBD6EE2F39D14C36DBA)

powershell.exe (PID: 1440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6472 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6348 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO No. 2430800015.exe (PID: 3060 cmdline: "C:\Users\user\Desktop\PO No. 2430800015.exe" MD5: A36FF2C09D921FBD6EE2F39D14C36DBA)

PO No. 2430800015.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\PO No. 2430800015.exe" MD5: A36FF2C09D921FBD6EE2F39D14C36DBA)

yHoBWWkdpyxFI.exe (PID: 2764 cmdline: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe MD5: A36FF2C09D921FBD6EE2F39D14C36DBA)

schtasks.exe (PID: 6292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp69E2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

yHoBWWkdpyxFI.exe (PID: 5016 cmdline: "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe" MD5: A36FF2C09D921FBD6EE2F39D14C36DBA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.leema.lk", "Username": "channa@leema.lk", "Password": "V[3ALIg~jl}T"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3235207096.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.3235098698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3235098698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO No. 2430800015.exe PID: 2968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO No. 2430800015.exe PID: 2968	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO No. 2430800015.exe PID: 2968	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO No. 2430800015.exe PID: 6508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO No. 2430800015.exe PID: 6508	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: yHoBWWkdpyxFI.exe PID: 2764	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: yHoBWWkdpyxFI.exe PID: 5016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: yHoBWWkdpyxFI.exe PID: 5016	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO No. 2430800015.exe.4ffd7b0.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO No. 2430800015.exe.4ffd7b0.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO No. 2430800015.exe.4ffd7b0.10.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df17:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8737:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df89:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa87a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e013:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8833:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0a5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa88c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e10f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa892f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e181:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa89a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e217:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a37:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x12b937:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x166357:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1a0b77:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x12b9a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1663c9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1a0be9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x12ba33:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x166453:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1a0c73:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x12bac5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1664e5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1a0d05:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12bb2f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16654f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1a0d6f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x12bba1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1665c1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1a0de1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x12bc37:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x166657:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1a0e77:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xaf717:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xea137:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x124957:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaf789:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xea1a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1249c9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaf813:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xea233:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x124a53:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaf8a5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xea2c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x124ae5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaf90f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xea32f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x124b4f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaf981:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xea3a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x124bc1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xafa17:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xea437:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x124c57:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO No. 2430800015.exe", ParentImage: C:\Users\user\Desktop\PO No. 2430800015.exe, ParentProcessId: 2968, ParentProcessName: PO No. 2430800015.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe", ProcessId: 1440, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp69E2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp69E2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe, ParentImage: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe, ParentProcessId: 2764, ParentProcessName: yHoBWWkdpyxFI.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp69E2.tmp", ProcessId: 6292, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.241.225.141, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PO No. 2430800015.exe, Initiated: true, ProcessId: 6508, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49709

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO No. 2430800015.exe", ParentImage: C:\Users\user\Desktop\PO No. 2430800015.exe, ParentProcessId: 2968, ParentProcessName: PO No. 2430800015.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp", ProcessId: 6348, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO No. 2430800015.exe", ParentImage: C:\Users\user\Desktop\PO No. 2430800015.exe, ParentProcessId: 2968, ParentProcessName: PO No. 2430800015.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe", ProcessId: 1440, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO No. 2430800015.exe", ParentImage: C:\Users\user\Desktop\PO No. 2430800015.exe, ParentProcessId: 2968, ParentProcessName: PO No. 2430800015.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp", ProcessId: 6348, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.leema.lk", "Username": "channa@leema.lk", "Password": "V[3ALIg~jl}T"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Virustotal: Detection: 33%			Perma Link

Multi AV Scanner detection for submitted file

Source: PO No. 2430800015.exe	ReversingLabs: Detection: 75%
Source: PO No. 2430800015.exe	Virustotal: Detection: 33%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO No. 2430800015.exe

Joe Sandbox ML: detected

Source: PO No. 2430800015.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: PO No. 2430800015.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 162.241.225.141:587

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 162.241.225.141:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.leema.lk
Source: PO No. 2430800015.exe, 00000008.00000002.3248095696.0000000006782000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: PO No. 2430800015.exe, 00000008.00000002.3248095696.0000000006782000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: PO No. 2430800015.exe, 00000000.00000002.2015258568.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 00000009.00000002.2057014438.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO No. 2430800015.exe, 00000008.00000002.3232718695.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3248095696.0000000006782000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000120C000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000127E000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3248989926.000000000670B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: PO No. 2430800015.exe, 00000008.00000002.3232718695.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3248095696.0000000006782000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000120C000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000127E000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3248989926.000000000670B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: PO No. 2430800015.exe, 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: PO No. 2430800015.exe, 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, J4qms1IPBw.cs

.Net Code: _8pauJbZz

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: PO No. 2430800015.exe, ItemForm.cs

Large array initialization: : array initializer size 624858

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_0316E714	0_2_0316E714
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F0E760	0_2_07F0E760
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F026B0	0_2_07F026B0
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F065B8	0_2_07F065B8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F03560	0_2_07F03560
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F013C0	0_2_07F013C0
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F062A0	0_2_07F062A0
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F0E750	0_2_07F0E750
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F026A0	0_2_07F026A0
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F05628	0_2_07F05628
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F05618	0_2_07F05618
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F065A8	0_2_07F065A8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F03531	0_2_07F03531
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F07538	0_2_07F07538
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F07529	0_2_07F07529
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F004A8	0_2_07F004A8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F00499	0_2_07F00499
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F03471	0_2_07F03471
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F04400	0_2_07F04400
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F043F1	0_2_07F043F1
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F013B1	0_2_07F013B1
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F052B8	0_2_07F052B8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F052A8	0_2_07F052A8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F06291	0_2_07F06291
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F02110	0_2_07F02110
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F02100	0_2_07F02100
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F08C60	0_2_07F08C60
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F01C48	0_2_07F01C48
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F08C4F	0_2_07F08C4F
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F01C38	0_2_07F01C38
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F03A11	0_2_07F03A11
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F05860	0_2_07F05860
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F0A830	0_2_07F0A830
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_082891D0	0_2_082891D0
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_08283300	0_2_08283300
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_082813B8	0_2_082813B8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_08281388	0_2_08281388
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_08281C28	0_2_08281C28
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_08282EC8	0_2_08282EC8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_082817F0	0_2_082817F0
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AC5CB	8_2_014AC5CB
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014ADBD8	8_2_014ADBD8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014A4A98	8_2_014A4A98
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014A3E80	8_2_014A3E80
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014A41C8	8_2_014A41C8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06AC5CF0	8_2_06AC5CF0
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06AC4560	8_2_06AC4560
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06AC3548	8_2_06AC3548
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06AC0308	8_2_06AC0308
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06ACE090	8_2_06ACE090
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06AC91A8	8_2_06AC91A8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06ACA100	8_2_06ACA100
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06AC5610	8_2_06AC5610
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06AC3C68	8_2_06AC3C68
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_06ACC320	8_2_06ACC320
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_00E0E714	9_2_00E0E714
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_0540B306	9_2_0540B306
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_0540BE38	9_2_0540BE38
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_05408B68	9_2_05408B68
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E326A0	9_2_06E326A0
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E3E760	9_2_06E3E760
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E365A8	9_2_06E365A8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E33560	9_2_06E33560
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E362A0	9_2_06E362A0
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E313C0	9_2_06E313C0
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E33B90	9_2_06E33B90
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E35628	9_2_06E35628
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E35618	9_2_06E35618
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E324F0	9_2_06E324F0
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E30499	9_2_06E30499
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E33471	9_2_06E33471
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E34400	9_2_06E34400
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E37529	9_2_06E37529
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E33531	9_2_06E33531
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E37538	9_2_06E37538
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E352A8	9_2_06E352A8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E36291	9_2_06E36291
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E343F2	9_2_06E343F2
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E313B1	9_2_06E313B1
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E32100	9_2_06E32100
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E31FB8	9_2_06E31FB8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E38C60	9_2_06E38C60
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E38C4F	9_2_06E38C4F
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E31C38	9_2_06E31C38
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E35860	9_2_06E35860
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E3A840	9_2_06E3A840
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_094982E8	9_2_094982E8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_09493300	9_2_09493300
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_09491388	9_2_09491388
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_094913B8	9_2_094913B8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_09492C5A	9_2_09492C5A
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_09491C28	9_2_09491C28
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_094917F0	9_2_094917F0
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_09492EC8	9_2_09492EC8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E341C8	13_2_02E341C8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E3C5CB	13_2_02E3C5CB
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E34A98	13_2_02E34A98
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E3DBD8	13_2_02E3DBD8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E33E80	13_2_02E33E80
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069F5CF0	13_2_069F5CF0
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069F3548	13_2_069F3548
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069F4560	13_2_069F4560
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069F0308	13_2_069F0308
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069FE0A0	13_2_069FE0A0
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069F91A8	13_2_069F91A8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069FA100	13_2_069FA100
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069F5610	13_2_069F5610
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069F3C68	13_2_069F3C68
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_069FC320	13_2_069FC320
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_06B4A068	13_2_06B4A068
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_06B4BB58	13_2_06B4BB58
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E3C5CF	13_2_02E3C5CF

Source: PO No. 2430800015.exe, 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe, 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename559759cf-80b4-4325-ac7f-adf0e7ffd502.exe4 vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe, 00000000.00000002.2015258568.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe, 00000000.00000002.2023770428.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe, 00000000.00000002.2015258568.00000000035A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename559759cf-80b4-4325-ac7f-adf0e7ffd502.exe4 vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe, 00000000.00000002.2013524217.00000000015AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe, 00000000.00000002.2027870891.000000000AAD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe, 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename559759cf-80b4-4325-ac7f-adf0e7ffd502.exe4 vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe, 00000008.00000002.3232558000.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO No. 2430800015.exe
Source: PO No. 2430800015.exe	Binary or memory string: OriginalFilenamedaxe.exe` vs PO No. 2430800015.exe

Source: PO No. 2430800015.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: PO No. 2430800015.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yHoBWWkdpyxFI.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, Lds5plxAPDj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, LZYJybC.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, wDxPSW1p.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, E0w8WLnyggK.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, ZBSJHga2buE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, M4oIYVa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, kSS2HMsB8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, kSS2HMsB8.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, yW92TwO1jAbvXWrslx.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, yW92TwO1jAbvXWrslx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, yW92TwO1jAbvXWrslx.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, yW92TwO1jAbvXWrslx.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, yW92TwO1jAbvXWrslx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, yW92TwO1jAbvXWrslx.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, ctXwysqK1hFWnXrN7A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, ctXwysqK1hFWnXrN7A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/11@2/2

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

File created: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5967.tmp

Jump to behavior

Source: PO No. 2430800015.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO No. 2430800015.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO No. 2430800015.exe	ReversingLabs: Detection: 75%
Source: PO No. 2430800015.exe	Virustotal: Detection: 33%

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

File read: C:\Users\user\Desktop\PO No. 2430800015.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO No. 2430800015.exe "C:\Users\user\Desktop\PO No. 2430800015.exe"
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Users\user\Desktop\PO No. 2430800015.exe "C:\Users\user\Desktop\PO No. 2430800015.exe"
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Users\user\Desktop\PO No. 2430800015.exe "C:\Users\user\Desktop\PO No. 2430800015.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp69E2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process created: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Users\user\Desktop\PO No. 2430800015.exe "C:\Users\user\Desktop\PO No. 2430800015.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Users\user\Desktop\PO No. 2430800015.exe "C:\Users\user\Desktop\PO No. 2430800015.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp69E2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process created: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: PO No. 2430800015.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO No. 2430800015.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, yW92TwO1jAbvXWrslx.cs	.Net Code: QPFEYtimf8 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, yW92TwO1jAbvXWrslx.cs	.Net Code: QPFEYtimf8 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F02FB7 pushad ; retf	0_2_07F02FB8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 0_2_07F02FAD pushad ; retf	0_2_07F02FAE
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB16A push edi; retf	8_2_014AB16B
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB09D push edi; retf	8_2_014AB09E
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB364 push edi; retf	8_2_014AB365
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB3C3 push edi; retf	8_2_014AB3C5
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB5D6 push edx; retf	8_2_014AB5D7
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB62D push esp; retf	8_2_014AB62F
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB683 push esp; retf	8_2_014AB684
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB87F push edx; retf	8_2_014AB881
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AB8D4 push edx; retf	8_2_014AB8D6
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014A0B4D push edi; ret	8_2_014A0CC2
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014AAA7A push esp; ret	8_2_014AAA7B
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014ABA03 push ecx; retf	8_2_014ABA04
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014ABAE6 push eax; retf	8_2_014ABAE8
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Code function: 8_2_014A0C95 push edi; retf	8_2_014A0C3A
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_05405A10 push dword ptr [edx+edx-75h]; iretd	9_2_054059F8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E33471 push es; retf E32Bh	9_2_06E334D0
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E3D150 pushad ; iretd	9_2_06E3D154
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E32FAD pushad ; retf	9_2_06E32FAE
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_06E32FB7 pushad ; retf	9_2_06E32FB8
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 9_2_094982E8 pushad ; retf	9_2_094986F1
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E3AA7A push esp; ret	13_2_02E3AA7B
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E30C95 push edi; retf	13_2_02E30C3A
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Code function: 13_2_02E30C3D push edi; ret	13_2_02E30CC2

Source: PO No. 2430800015.exe	Static PE information: section name: .text entropy: 7.983713256417978
Source: yHoBWWkdpyxFI.exe.0.dr	Static PE information: section name: .text entropy: 7.983713256417978

Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, HKMSmc5Qv724vUcm4V.cs	High entropy of concatenated method names: 'dHBVc56DN3', 'aE4VNJoqxY', 's3NVoRCC61', 'AX6VlqOvZB', 'hpYV73vdwB', 'CpgVmFKGai', 'pGgVpcj3vm', 'nTXVnBChAc', 'ImoVGLlP0L', 'n4nVZNdcfA'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, jR1ufq1DpFKffeZ2jn.cs	High entropy of concatenated method names: 'EEs7aw2gE0', 'tpG7NYRilL', 'tJN7l52vL6', 'Nol7mYVwsn', 'plB7piv2pl', 'oY7lMe4hhv', 'HkilfoGA5q', 'TTxleyLGgQ', 'dNXl3JXUNS', 'YsBlQgta4l'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, ctXwysqK1hFWnXrN7A.cs	High entropy of concatenated method names: 'n0qN0yte8L', 'NqDNOs5qPD', 'rRpNULMTes', 'hTKNviYd28', 'B4ONM6Hugw', 'PXNNf6aEv8', 'yAMNeSyjbQ', 'ziAN3eVW18', 'Y5xNQlBwyK', 'Rg5NbNXJJ5'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, cGqPciDRPgWVpuXw1r.cs	High entropy of concatenated method names: 'ydiKmCi1f3', 'Ut1KpMx0CU', 'kyFKGBmBY7', 'dh4KZaTdkZ', 'kJYKxJW8kY', 'ne7KyOfUHL', 'eeKWRjR6BmBF29DdMS', 'Xm60CO58uGfGXnAKuI', 'KroKKQW0Wr', 'VMgKw1np3c'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, QML7eKQvx7sGwmKsFV.cs	High entropy of concatenated method names: 'p2lA3gNdFR', 'NnuAbOBGOS', 'n2PVLGhO1B', 'D2oVKf5Cay', 'ktkAig9lh7', 'b0TATYWliO', 'M04A6O8ZXx', 'c7gA03AMMM', 'w1FAO6W9HK', 'e77AUgbKTB'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, YtnERFgMYtHsMHUWB0.cs	High entropy of concatenated method names: 'shbxR24Jl5', 'sG0xTG3dQE', 'kh3x04Cs62', 'mxlxO9vcNm', 'tevxH3PEdJ', 'wIWxFxrW7U', 'Uc0xIoZjp3', 'HwZxsTH2i8', 'z93x95Ud1K', 'jIixq43klA'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, N6OG3KfyVWbkeyYWvh.cs	High entropy of concatenated method names: 'Dispose', 'OwuKQ4YKYc', 'w965H1QrsS', 'UQxWW9x1WU', 'w5MKbwbrya', 'cnbKzwRe92', 'ProcessDialogKey', 'Q5J5LmdGem', 'Vkv5K7B5Ag', 'gnX55faKWM'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, POlgXEie7ZMK5nOGIF4.cs	High entropy of concatenated method names: 'PKwgDyouUs', 'km4g2xJ3bx', 'frYgYN6uNY', 'vYigClUAZ6', 'yyKgtxcrGH', 'siwgk4xwP8', 'vdNg4jJ0AK', 'j5Sg8llo3C', 'XaqgXGpViT', 'X8JgPkWda4'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, yW92TwO1jAbvXWrslx.cs	High entropy of concatenated method names: 'f2QwaNYEPV', 'KGZwcd2WK5', 'n2bwNY1SKm', 'DjswoxHG6s', 'T8fwlCbjSu', 'ErMw7AF5Gt', 'b45wml8xXi', 'jmZwpiGJVb', 'panwnfHEsv', 'TscwGRoZhy'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, TjVbjuIZ6oeRE44e6A.cs	High entropy of concatenated method names: 'VGwVdRl0N9', 'K3lVHnN23i', 'pCoVFLbdbu', 'bhmVIBwZIS', 'ldWV0QZbJa', 'WSwVsPOLFa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, URXnlXScY83tHHiO7j.cs	High entropy of concatenated method names: 'IhVoCFVMc5', 'Gm2okADtk1', 'SJmo8BMTwi', 'pVOoXttqYs', 'zgOoxdC098', 'O0EoyjI6BC', 'SjaoAy4lxE', 'u1hoVMT9Fb', 'iisogm3pSs', 'tAToJM6J64'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, oKGQAFEJFjyjjxhPS8.cs	High entropy of concatenated method names: 'PKOgK2u0RU', 'N3AgwyhTyZ', 'J3kgEfDGUQ', 'FNPgcLGutA', 'dvxgNM2Z1K', 'D8FglqL1CW', 'UNog7wtgLH', 'Fr3VeLXK1D', 'hLyV3ETsPS', 'shgVQ5yikv'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, JmuTN5x4uXvM94WQKM.cs	High entropy of concatenated method names: 'auOltEiJqb', 'Y1cl4FfyFG', 'BOAoFYQHgF', 'x2GoIZinLm', 'bWgos8rXWT', 'NxHo9f0efV', 'DrloqGw80u', 'pWrorYhB36', 'YFroSxIlAL', 'D4NoRSZ6hX'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, HhlSsua6kSSGsirMhS.cs	High entropy of concatenated method names: 'ToString', 'rKOyiIyinl', 'mqryHoWlZl', 'O2ByFo0FXH', 'k3ryIPwRBD', 'X1SysCheGN', 'xYuy9XVFAW', 'zGryqMv8ja', 'Q51yrytAxc', 'cIsySc4HrV'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, n0Q2VbiZmi5M4QgypgU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g5fJ0Oh2KZ', 'AgrJOFq3l0', 'rs3JU8lQUZ', 'SSuJvHYBYI', 'qTYJMuBV7x', 'yakJffUpbF', 'x0UJe74i0C'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, a9BrNyzVCoPWt1qoUV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vUgghTGdt5', 'C2agxVENYQ', 'BnOgyQ3O1O', 'u4rgAKBlxU', 'pBYgVv8bwh', 'kWGgg2dNPt', 'k7lgJp0i1i'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, FcPDYsAjnYKrLqe0SU.cs	High entropy of concatenated method names: 'GADh8YcjEd', 'kCfhXykTPK', 'uYahd2ktD2', 'XD7hHIlgmo', 'Vt1hIfStgB', 'UFghsNEcf4', 'e6Xhqjn3y4', 'NMfhrcClS2', 'AsThRnBJW3', 'G6HhiXJsbM'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, UBNqHflGnDLgAiVQvZ.cs	High entropy of concatenated method names: 'NXWmDkBqjx', 'Tq6m2dTaGg', 'sxDmYwVrjF', 'URpmCUbC5d', 'zXTmtt5OUt', 'o92mkQvGa2', 'KhIm4bS3eT', 'y5mm82X3UE', 'hIVmXAhwvk', 'hR5mPlyYY8'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, qppqwUsmNK3VdwqZ0c.cs	High entropy of concatenated method names: 'iRRY4RjAM', 'jBHCpm1Og', 'YYLk74xex', 'xTB4MAWMi', 'EUHXDHfRA', 'dWPPGTs9q', 'XQRwiDWncM7cKvDjBO', 'ALHQnp9XLCUJc8xlSy', 'pOKV9Qf4O', 'RtuJQ71Gp'
Source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, Caj0m37yPQ56a6iCPE.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xUZ5QqhriE', 'uU95bEt9Qc', 'lD35z6wb2Y', 'BUTwLTfYYJ', 'X3iwK2bgIS', 'IfQw5hbGpa', 'PtLww9l0lj', 'JNCLD1gcP0xsPi78fTP'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, HKMSmc5Qv724vUcm4V.cs	High entropy of concatenated method names: 'dHBVc56DN3', 'aE4VNJoqxY', 's3NVoRCC61', 'AX6VlqOvZB', 'hpYV73vdwB', 'CpgVmFKGai', 'pGgVpcj3vm', 'nTXVnBChAc', 'ImoVGLlP0L', 'n4nVZNdcfA'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, jR1ufq1DpFKffeZ2jn.cs	High entropy of concatenated method names: 'EEs7aw2gE0', 'tpG7NYRilL', 'tJN7l52vL6', 'Nol7mYVwsn', 'plB7piv2pl', 'oY7lMe4hhv', 'HkilfoGA5q', 'TTxleyLGgQ', 'dNXl3JXUNS', 'YsBlQgta4l'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, ctXwysqK1hFWnXrN7A.cs	High entropy of concatenated method names: 'n0qN0yte8L', 'NqDNOs5qPD', 'rRpNULMTes', 'hTKNviYd28', 'B4ONM6Hugw', 'PXNNf6aEv8', 'yAMNeSyjbQ', 'ziAN3eVW18', 'Y5xNQlBwyK', 'Rg5NbNXJJ5'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, cGqPciDRPgWVpuXw1r.cs	High entropy of concatenated method names: 'ydiKmCi1f3', 'Ut1KpMx0CU', 'kyFKGBmBY7', 'dh4KZaTdkZ', 'kJYKxJW8kY', 'ne7KyOfUHL', 'eeKWRjR6BmBF29DdMS', 'Xm60CO58uGfGXnAKuI', 'KroKKQW0Wr', 'VMgKw1np3c'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, QML7eKQvx7sGwmKsFV.cs	High entropy of concatenated method names: 'p2lA3gNdFR', 'NnuAbOBGOS', 'n2PVLGhO1B', 'D2oVKf5Cay', 'ktkAig9lh7', 'b0TATYWliO', 'M04A6O8ZXx', 'c7gA03AMMM', 'w1FAO6W9HK', 'e77AUgbKTB'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, YtnERFgMYtHsMHUWB0.cs	High entropy of concatenated method names: 'shbxR24Jl5', 'sG0xTG3dQE', 'kh3x04Cs62', 'mxlxO9vcNm', 'tevxH3PEdJ', 'wIWxFxrW7U', 'Uc0xIoZjp3', 'HwZxsTH2i8', 'z93x95Ud1K', 'jIixq43klA'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, N6OG3KfyVWbkeyYWvh.cs	High entropy of concatenated method names: 'Dispose', 'OwuKQ4YKYc', 'w965H1QrsS', 'UQxWW9x1WU', 'w5MKbwbrya', 'cnbKzwRe92', 'ProcessDialogKey', 'Q5J5LmdGem', 'Vkv5K7B5Ag', 'gnX55faKWM'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, POlgXEie7ZMK5nOGIF4.cs	High entropy of concatenated method names: 'PKwgDyouUs', 'km4g2xJ3bx', 'frYgYN6uNY', 'vYigClUAZ6', 'yyKgtxcrGH', 'siwgk4xwP8', 'vdNg4jJ0AK', 'j5Sg8llo3C', 'XaqgXGpViT', 'X8JgPkWda4'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, yW92TwO1jAbvXWrslx.cs	High entropy of concatenated method names: 'f2QwaNYEPV', 'KGZwcd2WK5', 'n2bwNY1SKm', 'DjswoxHG6s', 'T8fwlCbjSu', 'ErMw7AF5Gt', 'b45wml8xXi', 'jmZwpiGJVb', 'panwnfHEsv', 'TscwGRoZhy'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, TjVbjuIZ6oeRE44e6A.cs	High entropy of concatenated method names: 'VGwVdRl0N9', 'K3lVHnN23i', 'pCoVFLbdbu', 'bhmVIBwZIS', 'ldWV0QZbJa', 'WSwVsPOLFa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, URXnlXScY83tHHiO7j.cs	High entropy of concatenated method names: 'IhVoCFVMc5', 'Gm2okADtk1', 'SJmo8BMTwi', 'pVOoXttqYs', 'zgOoxdC098', 'O0EoyjI6BC', 'SjaoAy4lxE', 'u1hoVMT9Fb', 'iisogm3pSs', 'tAToJM6J64'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, oKGQAFEJFjyjjxhPS8.cs	High entropy of concatenated method names: 'PKOgK2u0RU', 'N3AgwyhTyZ', 'J3kgEfDGUQ', 'FNPgcLGutA', 'dvxgNM2Z1K', 'D8FglqL1CW', 'UNog7wtgLH', 'Fr3VeLXK1D', 'hLyV3ETsPS', 'shgVQ5yikv'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, JmuTN5x4uXvM94WQKM.cs	High entropy of concatenated method names: 'auOltEiJqb', 'Y1cl4FfyFG', 'BOAoFYQHgF', 'x2GoIZinLm', 'bWgos8rXWT', 'NxHo9f0efV', 'DrloqGw80u', 'pWrorYhB36', 'YFroSxIlAL', 'D4NoRSZ6hX'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, HhlSsua6kSSGsirMhS.cs	High entropy of concatenated method names: 'ToString', 'rKOyiIyinl', 'mqryHoWlZl', 'O2ByFo0FXH', 'k3ryIPwRBD', 'X1SysCheGN', 'xYuy9XVFAW', 'zGryqMv8ja', 'Q51yrytAxc', 'cIsySc4HrV'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, n0Q2VbiZmi5M4QgypgU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g5fJ0Oh2KZ', 'AgrJOFq3l0', 'rs3JU8lQUZ', 'SSuJvHYBYI', 'qTYJMuBV7x', 'yakJffUpbF', 'x0UJe74i0C'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, a9BrNyzVCoPWt1qoUV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vUgghTGdt5', 'C2agxVENYQ', 'BnOgyQ3O1O', 'u4rgAKBlxU', 'pBYgVv8bwh', 'kWGgg2dNPt', 'k7lgJp0i1i'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, FcPDYsAjnYKrLqe0SU.cs	High entropy of concatenated method names: 'GADh8YcjEd', 'kCfhXykTPK', 'uYahd2ktD2', 'XD7hHIlgmo', 'Vt1hIfStgB', 'UFghsNEcf4', 'e6Xhqjn3y4', 'NMfhrcClS2', 'AsThRnBJW3', 'G6HhiXJsbM'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, UBNqHflGnDLgAiVQvZ.cs	High entropy of concatenated method names: 'NXWmDkBqjx', 'Tq6m2dTaGg', 'sxDmYwVrjF', 'URpmCUbC5d', 'zXTmtt5OUt', 'o92mkQvGa2', 'KhIm4bS3eT', 'y5mm82X3UE', 'hIVmXAhwvk', 'hR5mPlyYY8'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, qppqwUsmNK3VdwqZ0c.cs	High entropy of concatenated method names: 'iRRY4RjAM', 'jBHCpm1Og', 'YYLk74xex', 'xTB4MAWMi', 'EUHXDHfRA', 'dWPPGTs9q', 'XQRwiDWncM7cKvDjBO', 'ALHQnp9XLCUJc8xlSy', 'pOKV9Qf4O', 'RtuJQ71Gp'
Source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, Caj0m37yPQ56a6iCPE.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xUZ5QqhriE', 'uU95bEt9Qc', 'lD35z6wb2Y', 'BUTwLTfYYJ', 'X3iwK2bgIS', 'IfQw5hbGpa', 'PtLww9l0lj', 'JNCLD1gcP0xsPi78fTP'

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

File created: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO No. 2430800015.exe PID: 2968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yHoBWWkdpyxFI.exe PID: 2764, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 3320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 5320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 85D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 8060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 95D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: A5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: AB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: BB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: CB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 14A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory allocated: 4F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 6F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 7F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 8120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 9120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 97F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: A7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: B7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory allocated: 4EA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7331	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1923	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Window / User API: threadDelayed 3021	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Window / User API: threadDelayed 6830	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Window / User API: threadDelayed 1216	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Window / User API: threadDelayed 7052	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5624	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3948	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3572	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 1960	Thread sleep count: 3021 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 1960	Thread sleep count: 6830 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -99662s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98635s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -98077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97958s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97387s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -97046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96483s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96373s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96262s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -95046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -94609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe TID: 5744	Thread sleep time: -94499s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 4616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 6348	Thread sleep count: 1216 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 6348	Thread sleep count: 7052 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99560s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99123s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -99016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -98657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -98532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -98407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -97016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -96907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -96782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -96657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -96532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -96313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -96188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -96063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -95938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -95813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -95324s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe TID: 2656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 99662	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98983	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98635	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98515	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98296	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98187	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 98077	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97958	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97499	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97387	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 97046	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96717	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96593	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96483	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96373	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96262	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Thread delayed: delay time: 94499	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99560	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 99016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 98657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 98532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 98407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 97016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 96907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 96782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 96657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 96532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 96313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 96188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 96063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 95938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 95813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 95324	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Memory written: C:\Users\user\Desktop\PO No. 2430800015.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Memory written: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Users\user\Desktop\PO No. 2430800015.exe "C:\Users\user\Desktop\PO No. 2430800015.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Process created: C:\Users\user\Desktop\PO No. 2430800015.exe "C:\Users\user\Desktop\PO No. 2430800015.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp69E2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Process created: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Users\user\Desktop\PO No. 2430800015.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Users\user\Desktop\PO No. 2430800015.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO No. 2430800015.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3235207096.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3235098698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO No. 2430800015.exe PID: 2968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO No. 2430800015.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yHoBWWkdpyxFI.exe PID: 5016, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO No. 2430800015.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\PO No. 2430800015.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3235098698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO No. 2430800015.exe PID: 2968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO No. 2430800015.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yHoBWWkdpyxFI.exe PID: 5016, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4ffd7b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4f05370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO No. 2430800015.exe.4f81590.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3235207096.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3235098698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO No. 2430800015.exe PID: 2968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO No. 2430800015.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yHoBWWkdpyxFI.exe PID: 5016, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO No. 2430800015.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
PO No. 2430800015.exe	34%	Virustotal		Browse
PO No. 2430800015.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe	34%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.leema.lk	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://mail.leema.lk	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
mail.leema.lk	162.241.225.141	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	PO No. 2430800015.exe, 00000008.00000002.3248095696.0000000006782000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org	PO No. 2430800015.exe, 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.leema.lk	PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.dyn.com/	PO No. 2430800015.exe, 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO No. 2430800015.exe, 00000000.00000002.2015258568.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 00000009.00000002.2057014438.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	PO No. 2430800015.exe, 00000008.00000002.3232718695.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3248095696.0000000006782000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000120C000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000127E000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3248989926.000000000670B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	PO No. 2430800015.exe, 00000008.00000002.3232718695.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3248095696.0000000006782000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000120C000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000127E000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3248989926.000000000670B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.i.lencr.org/0	PO No. 2430800015.exe, 00000008.00000002.3248095696.0000000006782000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, PO No. 2430800015.exe, 00000008.00000002.3232718695.0000000001220000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3234137857.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, yHoBWWkdpyxFI.exe, 0000000D.00000002.3233386057.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
162.241.225.141	mail.leema.lk	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430133
Start date and time:	2024-04-23 08:07:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO No. 2430800015.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/11@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 333 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:08:12	API Interceptor	52x Sleep call for process: PO No. 2430800015.exe modified
08:08:14	API Interceptor	18x Sleep call for process: powershell.exe modified
08:08:15	Task Scheduler	Run new task: yHoBWWkdpyxFI path: C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe
08:08:17	API Interceptor	42x Sleep call for process: yHoBWWkdpyxFI.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	ArenaWarSetup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
162.241.225.141	rockk5674321.exe	Get hash	malicious	FormBook	Browse	www.incredsolutions.com/r1e3/?W0GTK=/RQHJvzU6iSrd8lmEFlwaI3iYnLng10L9vJ/rufnoihzj1PYGKmlR/+40Yx7zIWS7bwp&7nlp=nJExkj

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.leema.lk	ungziped_file.exe	Get hash	malicious	AgentTesla	Browse	162.241.225.141
	dcCml5UasF.exe	Get hash	malicious	AgentTesla	Browse	162.241.225.141
	file.exe	Get hash	malicious	AgentTesla	Browse	162.241.225.141
api.ipify.org	Texas_Tool_Purchase_Order#T18834-1.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	DHL_RF_20200712_BN_N0095673441.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	TRANSPORT_INSTRUCTION_MR.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	gmb.xls	Get hash	malicious	Unknown	Browse	104.26.12.205
	Swift_Message#1234323456.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	QUOTE RNP002673CC1F68.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://florideskser.online/login	Get hash	malicious	Unknown	Browse	172.67.74.152
	CE1KVxYp5t.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	Ve6VeFSgkz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Texas_Tool_Purchase_Order#T18834-1.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	DHL_RF_20200712_BN_N0095673441.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	Gam.xls	Get hash	malicious	Unknown	Browse	104.21.18.65
	TRANSPORT_INSTRUCTION_MR.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	New order-Docs0374.xls	Get hash	malicious	Unknown	Browse	172.67.180.182
	gmb.xls	Get hash	malicious	Unknown	Browse	172.67.180.182
	BNP Paribas_RemittanceAdviceNotification106173036326.doc	Get hash	malicious	AgentTesla	Browse	104.21.25.202
	Swift_Message#1234323456.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	72625413524.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
UNIFIEDLAYER-AS-1US	DHL_RF_20200712_BN_N0095673441.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	CR-FEDEX_TN-775537409198_Doc.vbs	Get hash	malicious	Unknown	Browse	192.185.84.89
	http://vgjlx.app.link/e/0ZWlI0Ci1Ib	Get hash	malicious	Unknown	Browse	162.241.225.18
	QUOTE RNP002673CC1F68.pdf.exe	Get hash	malicious	AgentTesla	Browse	192.185.35.67
	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=remoinmobiliaria.com%2F%40%2FAmericanautoshield/ZwgXU85423ZwgXU85423ZwgXU/bWlrZS5ub3ZpY2tAYW1lcmljYW5hdXRvc2hpZWxkLmNvbQ==	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	108.179.194.39
	https://www.bing.com/ck/a?!&&p=b0f77ec767d44bfbJmltdHM9MTcxMjM2MTYwMCZpZ3VpZD0wMDc1OTQ1YS0xZDU3LTYxMDMtMzczZi04MDAzMWMwMTYwODImaW5zaWQ9NTE0MQ&ptn=3&ver=2&hsh=3&fclid=0075945a-1d57-6103-373f-80031c016082&u=a1aHR0cDovL3d3dy5kZXBhbmVsaW5nLmNvbS9wcm9kdWN0cy5odG1s&ntb=1	Get hash	malicious	Phisher	Browse	162.144.150.146
	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	162.240.81.18
	Order B2024-0000548 pdf.wsf	Get hash	malicious	Unknown	Browse	192.185.84.89
	https://www.sigtn.com/utils/emt.cfm?client_id=9195153&campaign_id=73466&link=aHR0cHM6Ly9icm9kbWFuc2dkdG5wZ2VzZWMuY29tL0NrMTgwZG5RbkFPVmZJM0V3ZTZEUDdTWTBYR201dXR4TlhOMkVrTHZBUTFmVUZ2a0tOL2hvd2FyZC5zdGV5bkBsY2F0dGVydG9uLmNvbS9jTGJ2cUtyZ1l5d3dpMkpOM0NGYXdrdW5kSFp4amJBQ2R0RkhneHNS	Get hash	malicious	HTMLPhisher	Browse	192.232.222.161
	https://u43957641.ct.sendgrid.net/ls/click?upn=u001.0Q2k6Tkbkoom04JcBCS1bm-2FvOge1W36GwvuSdih0P4JugvzV4-2FrWyPqZWCP-2FjIBNLIQsDH-2BiJ-2FwtGIsQEo-2F1lg-3D-3DD4vy_FXZTG-2Bj8dxNvEuxDJrPqKA8uB9LHQ48OflWnDl8SlkMIeqE5kJRv-2BwjlJ-2BTz9LaXXbddhQoxXZFjW61L1BulkplVPhKO5ARKFw4WBNXwUjDYnN9WjvMC1qZal-2BSbiVhkNDXHzo0-2BRl2juwpMn3h9dNAq9ZBCf8LnPEOZY9GqbZetUAeU7Eutkrra6RqLG0LYTAB9pnUknxEinL3j6RW-2F5AawLVk6-2FJEsz0F-2FhvPx4oc-3D	Get hash	malicious	HTMLPhisher	Browse	192.185.164.49

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	PO 26519PZ F30 59.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.26.13.205
	Texas_Tool_Purchase_Order#T18834-1.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	DHL_RF_20200712_BN_N0095673441.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	e-dekont_swift-details.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	TRANSPORT_INSTRUCTION_MR.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Gesti#U00f3n Pago a Proveedores - Liquidaci#U00f3n anticipo.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	shipping document.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.26.13.205
	copy_76499Kxls.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.26.13.205
	Swift_Message#1234323456.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	72625413524.vbs	Get hash	malicious	XWorm	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\PO No. 2430800015.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yHoBWWkdpyxFI.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoULF+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHyIFKEDZ2KRHWLOug8s
MD5:	3CB326546B47A1BBCCEC64B199288773
SHA1:	43DFC6AC1990B68B59E178710A559632211667B6
SHA-256:	C92A7E753A5D3801D52E8440FBF64D4229737878267118396224058C31824BA6
SHA-512:	CF1789C4FE133E6A41400F14292064C2DF4B302A3053002D3CC7E93D46945F5F66C2260DB8810C4277CB3F538B167B9879FB3C30460EE91A85B00A5188F68146
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1nsl5gzm.ezb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfjnjfoc.ai5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_klxnq02u.dkd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrnlb3zv.nnh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5967.tmp

Download File

Process:	C:\Users\user\Desktop\PO No. 2430800015.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.109258863313811
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtZZ5xvn:cgergYrFdOFzOzN33ODOiDdKrsuTZ1v
MD5:	361AC53DBF9300ECCEEA6A14B8BC475E
SHA1:	B87A10C3E3730CA058971DD560C6977C45945184
SHA-256:	4AD004075A2DD43331CA2896C278BDF629646DB9B1D547D6BA7086086FF8C7BB
SHA-512:	20C4410F658B8B2B14B26E7AC4BF00B8F7307F2DD4205EB9138C69113C1F20E8C95F1C748A40CEEA5BDEC7F104AD6CA193A0DB3370BD5A130F766407C294D6DF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp69E2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.109258863313811
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtZZ5xvn:cgergYrFdOFzOzN33ODOiDdKrsuTZ1v
MD5:	361AC53DBF9300ECCEEA6A14B8BC475E
SHA1:	B87A10C3E3730CA058971DD560C6977C45945184
SHA-256:	4AD004075A2DD43331CA2896C278BDF629646DB9B1D547D6BA7086086FF8C7BB
SHA-512:	20C4410F658B8B2B14B26E7AC4BF00B8F7307F2DD4205EB9138C69113C1F20E8C95F1C748A40CEEA5BDEC7F104AD6CA193A0DB3370BD5A130F766407C294D6DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe

Download File

Process:	C:\Users\user\Desktop\PO No. 2430800015.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	656896
Entropy (8bit):	7.9766286310066405
Encrypted:	false
SSDEEP:	12288:/7pX/gjtq7nzPoTmIYv+i/YcTNl59KbOfBo3JLd4kB2TaK2VA69x0:/71OanzPoX8bp9/WJ4+xAQx
MD5:	A36FF2C09D921FBD6EE2F39D14C36DBA
SHA1:	E41E7AB38156164AC96518D6D558B7F63D0DD31D
SHA-256:	E0478198DFC6BE28C91FDF8EA0935C80040936E79DCF037219EBDFB94E71E960
SHA-512:	F79803562097828C0749175FF1401B90CC6016D13BC79EDBCFA2F8F239BB9CF81710F34CC4972F306000CF5E07ECA3B5A36D10420F872F694C7446AA2B5D1CCA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75% Antivirus: Virustotal, Detection: 34%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.%f............................~.... ........@.. .......................`............@.................................$...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................`.......H.......D....,......,....................................................0..A....... .........%. ...(.....!... 0........%.$...(.....%...(.........&.....(........(.......(....+....(........(.........0............{........&...}.......0............{........&...}.......0............{.........0.............E....E...V.......E...D...I.../.........~....(......,...+..+..r...p..(....(....(....&..~....(....}......+....+....}.......+...0............{.........0..........~%....~!

C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO No. 2430800015.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9766286310066405
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO No. 2430800015.exe
File size:	656'896 bytes
MD5:	a36ff2c09d921fbd6ee2f39d14c36dba
SHA1:	e41e7ab38156164ac96518d6d558b7f63d0dd31d
SHA256:	e0478198dfc6be28c91fdf8ea0935c80040936e79dcf037219ebdfb94e71e960
SHA512:	f79803562097828c0749175ff1401b90cc6016d13bc79edbcfa2f8f239bb9cf81710f34cc4972f306000cf5e07eca3b5a36d10420f872f694c7446aa2b5d1cca
SSDEEP:	12288:/7pX/gjtq7nzPoTmIYv+i/YcTNl59KbOfBo3JLd4kB2TaK2VA69x0:/71OanzPoX8bp9/WJ4+xAQx
TLSH:	63D423ECABE7A9F5C4C422F2125354584F710056E573F8CF8FDB68426682B84C926FA7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.%f............................~.... ........@.. .......................`............@................................

File Icon


Icon Hash:	c04e363636261032

Static PE Info

General

Entrypoint:	0x4a127e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6625D02D [Mon Apr 22 02:49:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1224	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0xe00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9f284	0x9f400	7cbc1f90e0ade4d8b8e68adf0f87d5cc	False	0.9823574862637363	data	7.983713256417978	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0xe00	0xe00	1428600cd735dd809d4ee6d6009a7f57	False	0.6637834821428571	data	5.774737445870938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	0a9053b4dd9bc2d4f80226f71446e4f6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa20c8	0x7f0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9281496062992126
RT_GROUP_ICON	0xa28c8	0x14	data	1.05
RT_VERSION	0xa28ec	0x3a0	data	0.41379310344827586

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:08:15.747715950 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:15.747807026 CEST	443	49708	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:15.747890949 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:15.754264116 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:15.754314899 CEST	443	49708	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:15.943093061 CEST	443	49708	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:15.943182945 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:15.946151018 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:15.946177006 CEST	443	49708	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:15.946475983 CEST	443	49708	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:15.986279011 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:16.096533060 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:16.140163898 CEST	443	49708	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:16.252248049 CEST	443	49708	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:16.252326012 CEST	443	49708	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:16.252401114 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:16.258409023 CEST	49708	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:17.292577982 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:17.466614008 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:17.467257023 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:19.278714895 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:19.278785944 CEST	443	49712	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:19.279035091 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:19.283051968 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:19.283085108 CEST	443	49712	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:19.464524984 CEST	443	49712	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:19.464622021 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:19.468424082 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:19.468446016 CEST	443	49712	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:19.468668938 CEST	443	49712	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:19.564430952 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:19.564745903 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:19.612124920 CEST	443	49712	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:19.740991116 CEST	443	49712	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:19.741049051 CEST	443	49712	104.26.13.205	192.168.2.5
Apr 23, 2024 08:08:19.741108894 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:19.745292902 CEST	49712	443	192.168.2.5	104.26.13.205
Apr 23, 2024 08:08:20.322446108 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:20.496036053 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:20.496138096 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:20.692034960 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:20.692313910 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:20.865794897 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:20.866022110 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:21.040988922 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:21.041696072 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:21.224757910 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:21.224807978 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:21.224845886 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:21.224873066 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:21.262057066 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:21.435309887 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:21.438585997 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:21.612123013 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:21.613576889 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:21.788122892 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:21.789307117 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:21.979623079 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:21.979948997 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:22.153067112 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.153465033 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:22.366905928 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.385766983 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.386207104 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:22.559393883 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.559446096 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.560256958 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:22.560309887 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:22.560364962 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:22.560364962 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:22.732904911 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.732948065 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.733247042 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.734072924 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:22.783195019 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:23.014431000 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:23.014667988 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:23.188602924 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:23.188798904 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:23.364047050 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:23.364701033 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:23.547471046 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:23.547494888 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:23.547511101 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:23.547580957 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:23.549608946 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:23.724483013 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:23.727713108 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:23.901622057 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:23.902079105 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:24.076869011 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:24.080686092 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:24.257864952 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:24.258153915 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:24.431972980 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:24.432358980 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:24.646713972 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:24.652401924 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:24.652633905 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:24.826234102 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:24.826273918 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:24.827090979 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:24.827166080 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:24.827187061 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:24.827217102 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:08:25.000889063 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:25.000933886 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:25.000965118 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:25.001343966 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:08:25.048779011 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:09:57.127163887 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:09:57.300448895 CEST	587	49709	162.241.225.141	192.168.2.5
Apr 23, 2024 08:09:57.301099062 CEST	49709	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:10:00.346386909 CEST	49713	587	192.168.2.5	162.241.225.141
Apr 23, 2024 08:10:00.520777941 CEST	587	49713	162.241.225.141	192.168.2.5
Apr 23, 2024 08:10:00.521554947 CEST	49713	587	192.168.2.5	162.241.225.141

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:08:15.649693012 CEST	57438	53	192.168.2.5	1.1.1.1
Apr 23, 2024 08:08:15.738492966 CEST	53	57438	1.1.1.1	192.168.2.5
Apr 23, 2024 08:08:17.104496956 CEST	56023	53	192.168.2.5	1.1.1.1
Apr 23, 2024 08:08:17.290654898 CEST	53	56023	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 08:08:15.649693012 CEST	192.168.2.5	1.1.1.1	0x6060	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:08:17.104496956 CEST	192.168.2.5	1.1.1.1	0x4f89	Standard query (0)	mail.leema.lk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 08:08:15.738492966 CEST	1.1.1.1	192.168.2.5	0x6060	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:08:15.738492966 CEST	1.1.1.1	192.168.2.5	0x6060	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:08:15.738492966 CEST	1.1.1.1	192.168.2.5	0x6060	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:08:17.290654898 CEST	1.1.1.1	192.168.2.5	0x4f89	No error (0)	mail.leema.lk	162.241.225.141	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.26.13.205	443	6508	C:\Users\user\Desktop\PO No. 2430800015.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 06:08:16 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-23 06:08:16 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 06:08:16 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 878bad94e80ac327-EWR
2024-04-23 06:08:16 UTC	14	IN	Data Raw: 31 35 34 2e 31 36 2e 31 39 32 2e 31 36 33 Data Ascii: 154.16.192.163

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	104.26.13.205	443	5016	C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 06:08:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-23 06:08:19 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 06:08:19 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 878badaabef843ad-EWR
2024-04-23 06:08:19 UTC	14	IN	Data Raw: 31 35 34 2e 31 36 2e 31 39 32 2e 31 36 33 Data Ascii: 154.16.192.163

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 23, 2024 08:08:20.692034960 CEST	587	49709	162.241.225.141	192.168.2.5	220-box5269.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 00:08:20 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 23, 2024 08:08:20.692313910 CEST	49709	587	192.168.2.5	162.241.225.141	EHLO 704672
Apr 23, 2024 08:08:20.865794897 CEST	587	49709	162.241.225.141	192.168.2.5	250-box5269.bluehost.com Hello 704672 [154.16.192.163] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 23, 2024 08:08:20.866022110 CEST	49709	587	192.168.2.5	162.241.225.141	STARTTLS
Apr 23, 2024 08:08:21.040988922 CEST	587	49709	162.241.225.141	192.168.2.5	220 TLS go ahead
Apr 23, 2024 08:08:23.014431000 CEST	587	49713	162.241.225.141	192.168.2.5	220-box5269.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 00:08:22 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 23, 2024 08:08:23.014667988 CEST	49713	587	192.168.2.5	162.241.225.141	EHLO 704672
Apr 23, 2024 08:08:23.188602924 CEST	587	49713	162.241.225.141	192.168.2.5	250-box5269.bluehost.com Hello 704672 [154.16.192.163] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 23, 2024 08:08:23.188798904 CEST	49713	587	192.168.2.5	162.241.225.141	STARTTLS
Apr 23, 2024 08:08:23.364047050 CEST	587	49713	162.241.225.141	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	08:08:12
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\PO No. 2430800015.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO No. 2430800015.exe"
Imagebase:	0xeb0000
File size:	656'896 bytes
MD5 hash:	A36FF2C09D921FBD6EE2F39D14C36DBA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2017439239.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:08:13
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"
Imagebase:	0x760000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:08:13
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:08:13
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp5967.tmp"
Imagebase:	0xb10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:08:13
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:08:14
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\PO No. 2430800015.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO No. 2430800015.exe"
Imagebase:	0x210000
File size:	656'896 bytes
MD5 hash:	A36FF2C09D921FBD6EE2F39D14C36DBA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:08:14
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\PO No. 2430800015.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO No. 2430800015.exe"
Imagebase:	0xc20000
File size:	656'896 bytes
MD5 hash:	A36FF2C09D921FBD6EE2F39D14C36DBA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3232135567.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3235207096.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3235207096.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:08:15
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe
Imagebase:	0x4e0000
File size:	656'896 bytes
MD5 hash:	A36FF2C09D921FBD6EE2F39D14C36DBA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs Detection: 34%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:08:16
Start date:	23/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:08:17
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yHoBWWkdpyxFI" /XML "C:\Users\user\AppData\Local\Temp\tmp69E2.tmp"
Imagebase:	0xb10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:08:17
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:08:18
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe"
Imagebase:	0xb30000
File size:	656'896 bytes
MD5 hash:	A36FF2C09D921FBD6EE2F39D14C36DBA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3235098698.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3235098698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3235098698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	148
Total number of Limit Nodes:	7

Executed Functions

Function 07F013B1 Relevance: 4.0, Strings: 3, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 07F015EE
)", xrefs: 07F0146A
Te]q, xrefs: 07F01429

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$)"
API String ID: 0-1081650559
Opcode ID: 9e79494541ca82f975dc4cd60b10ea212b5dd83ec3d3e3428cbf0da3e1820190
Instruction ID: 0ccb237558c581674931c2e639f47c6ffecb408338ed8aac29f649e070f21433
Opcode Fuzzy Hash: 9e79494541ca82f975dc4cd60b10ea212b5dd83ec3d3e3428cbf0da3e1820190
Instruction Fuzzy Hash: D781B4B4E156098FDB08CFAAC98069EFBB2FF89300F24952AD415BB364D7349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07F013C0 Relevance: 4.0, Strings: 3, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 07F015EE
)", xrefs: 07F0146A
Te]q, xrefs: 07F01429

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$)"
API String ID: 0-1081650559
Opcode ID: 354176dcafb19fc8109a343bf9160754ef4e39f25fad31242a47524bec1ca870
Instruction ID: a18024a332ff3e58fd31648a495f033d1b4dc78284f5e524c8adb6a0a2991ca2
Opcode Fuzzy Hash: 354176dcafb19fc8109a343bf9160754ef4e39f25fad31242a47524bec1ca870
Instruction Fuzzy Hash: 3681C4B4E156098FDB08CFAAC980ADEFBB2FF89300F24942AD415AB364D7349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07F03471 Relevance: 1.6, Strings: 1, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tIh, xrefs: 07F03915

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 9443d0ce2636dcbf392e50012b5f7f13b191ec589c1ab25e700030f6f670fff1
Instruction ID: 7fdc3e1984dc8f75730ad7c27c9cb4d8fba0be8fd62d80c5298457cfb5b478eb
Opcode Fuzzy Hash: 9443d0ce2636dcbf392e50012b5f7f13b191ec589c1ab25e700030f6f670fff1
Instruction Fuzzy Hash: 97E15AB5A1420ADBCB04CFA9D4858EEFBB2FF49310B18915AD511AB355D734EA82CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 07F03531 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

tIh, xrefs: 07F03915

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: e17f9d200622384ce93a0db625677cbb4191d37f5c5d02388d6d97dc75481310
Instruction ID: ec981a4a5757ecb99e82ce25b7e97ba595fd651925e0c7f53aa564a2dfc49c6a
Opcode Fuzzy Hash: e17f9d200622384ce93a0db625677cbb4191d37f5c5d02388d6d97dc75481310
Instruction Fuzzy Hash: B4D117B1E1520ADBCB04CFA9C4858AEFBB2FF89301B18D55AD511AB355D734EA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07F03560 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

tIh, xrefs: 07F03915

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 8e503799e79cfc0050a88a012a840ec07333b3a2aee17d720a5e590169e0050b
Instruction ID: ea7028413c4d858f05cc9c36412a7af35f20bbf72bfcc75dca56cbff64210e7a
Opcode Fuzzy Hash: 8e503799e79cfc0050a88a012a840ec07333b3a2aee17d720a5e590169e0050b
Instruction Fuzzy Hash: DBD104B0E1520ADBCB04CF99C4858AEFBB2FF89301B189559D512AB354DB34EA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 082891D0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b064ee97ffc4e9c67c63e7d411135960cc3a15da1d4622fba9727416bc20f4
Instruction ID: c189c2fd30e57319a3a652e125b2d54ee71fa119fb8027e6fbf8310176dff241
Opcode Fuzzy Hash: 57b064ee97ffc4e9c67c63e7d411135960cc3a15da1d4622fba9727416bc20f4
Instruction Fuzzy Hash: 2B32AB74B12204CFDB18EBA9C550BAEBBF6AF89301F14446DE546AB3D0CB34E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07F065B8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76764f2be0a0cbdd29491cfcb3ad01e637700eb17bbb0818466296b15d651884
Instruction ID: 6afb39544cac0c7e82eafbb6c303b2efa836e8758075ef82a956b2f5d41a4311
Opcode Fuzzy Hash: 76764f2be0a0cbdd29491cfcb3ad01e637700eb17bbb0818466296b15d651884
Instruction Fuzzy Hash: F59124B5D15208DFCB08CFA5D58099DFBB2FB8A300F24A42AE406FB364DB3499159F54

Uniqueness

Uniqueness Score: -1.00%

Function 07F065A8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d52fecb73254312c593b25f3e62bae46e9551b0df575d27f1e5d5a508334604
Instruction ID: 4947d08e16e000937a3878976d69e5d6ab246c0bf5ed0d015094a8bf55100bd9
Opcode Fuzzy Hash: 7d52fecb73254312c593b25f3e62bae46e9551b0df575d27f1e5d5a508334604
Instruction Fuzzy Hash: 999146B5E11209DFCB48CFA5D58099DBBB2FB8A300F24A42AE406FB364DB349915CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07F062A0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19af04021fadbcb8dda17d940a255f5411ad1bae8c205dd6eb6be5c58d87181d
Instruction ID: 5832a97b8ed51496498fd91141288bbc3fe38029420d494cf7e882a676f03bec
Opcode Fuzzy Hash: 19af04021fadbcb8dda17d940a255f5411ad1bae8c205dd6eb6be5c58d87181d
Instruction Fuzzy Hash: FC810FB5E14219CFCF04CFA9C8809AEFBB1FB89300F14956AD401A73A4D7399922DF95

Uniqueness

Uniqueness Score: -1.00%

Function 07F06291 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bf6ba3f49b3d8e46b84fe9dcf34a227a9904d7903fcb839f063a7cafa15c2b
Instruction ID: 0f1b63e51eef239aa4d13c8efb546a213e94bd435214b2bd852a4ffc3878d64b
Opcode Fuzzy Hash: 05bf6ba3f49b3d8e46b84fe9dcf34a227a9904d7903fcb839f063a7cafa15c2b
Instruction Fuzzy Hash: 9C8102B5E10219DFCF04CFA9C8809AEFBB1FB89300F14952AD401A73A4D7399922DF95

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E750 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cae2574b5ba1ad8867a855b6062f39f8ae131a8654897a17f1bf442b918322
Instruction ID: 6881796bfe62682da7534b98e372e5c4b1ca692a991a5302204889f3496eb3a7
Opcode Fuzzy Hash: 79cae2574b5ba1ad8867a855b6062f39f8ae131a8654897a17f1bf442b918322
Instruction Fuzzy Hash: 79213CB1D146088BEB18CFA7C9043DEBFF7AF89300F18C06AD40976295DB34054A8F90

Uniqueness

Uniqueness Score: -1.00%

Function 07F026B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04300de9a0a2e950ae5ac0262bb495aa3a31d59783befdb25cb484eb351f587a
Instruction ID: 4982c681811cc229fc687f9a7f3af24ff3324fa91b37b6212d42c83f28b8f325
Opcode Fuzzy Hash: 04300de9a0a2e950ae5ac0262bb495aa3a31d59783befdb25cb484eb351f587a
Instruction Fuzzy Hash: 02210CB1E016188BDB18CFABD8442DEFBF3BFC9310F18C06AD408A6358DB341945CA90

Uniqueness

Uniqueness Score: -1.00%

Function 07F026A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e75925b13c1fa72b7525be99afb80700e09fb22d9d4b2ae00b4beab3e0687e
Instruction ID: c16fb72dae71dc53ae21dc0c32158d60532e3d29fc15ffe86c1395ef5a010574
Opcode Fuzzy Hash: 80e75925b13c1fa72b7525be99afb80700e09fb22d9d4b2ae00b4beab3e0687e
Instruction Fuzzy Hash: 6321EEB1E016588BDB19CF6BC94429EBFF3AFC9310F18C16AD408A7358DB745945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E760 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f43402088ff6ed6ac6fa08a808390950235d470c49114a3980eae6119b35368
Instruction ID: 097d2dae390e46bac8566915cc437a5e0c85808f2cb3615f0a2d82e0a712ce63
Opcode Fuzzy Hash: 9f43402088ff6ed6ac6fa08a808390950235d470c49114a3980eae6119b35368
Instruction Fuzzy Hash: 3E21F7B1D146198BEB18CFA7C9447EEFAF7AFC9300F18C06AD40976294EB7409458F90

Uniqueness

Uniqueness Score: -1.00%

Function 07F07A70 Relevance: 2.6, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8aq, xrefs: 07F07AE0
8aq, xrefs: 07F07B2B

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: 8aq$8aq
API String ID: 0-1589283582
Opcode ID: 9045bbf146decad60afbc6135b467b1c965b6c785bccc18b76e5902bfccf0bc8
Instruction ID: 2c3bd0d81daeaebb56707de60cb7317896be61236496f7deec3f5e9ba22e6a0f
Opcode Fuzzy Hash: 9045bbf146decad60afbc6135b467b1c965b6c785bccc18b76e5902bfccf0bc8
Instruction Fuzzy Hash: 1731AFB4B4020A8FCF10EA6CC844A7FB7F5EB45301F1844A9DA15AB3E5DA74A941DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 07F03BA0 Relevance: 2.6, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3H5, xrefs: 07F03C3E
3H5, xrefs: 07F03C30

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: 3H5$3H5
API String ID: 0-2752242361
Opcode ID: 3b600714ca39180d29a9b1790231b62f803472fd1958b590d0d4ab2cbb8de9e8
Instruction ID: e773b1f0e0f401cfb80fc9d5479f6605b8d224c0d6773b87409cbc5fb6c55968
Opcode Fuzzy Hash: 3b600714ca39180d29a9b1790231b62f803472fd1958b590d0d4ab2cbb8de9e8
Instruction Fuzzy Hash: 812116B0E11209DFCB48DFA9C540AAEFBF1FF89300F18D5AA9508A7354E7349A45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 08283FEC Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0828422E

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5dabcc901dd778d661e667f9a2c9493c872c91bcd937e25ddc53b544fb7e43e4
Instruction ID: 32d8136aa7d8459869d29f7e4db4c0c5408adf3aea5dfe9acfd8cfff10c97ac8
Opcode Fuzzy Hash: 5dabcc901dd778d661e667f9a2c9493c872c91bcd937e25ddc53b544fb7e43e4
Instruction Fuzzy Hash: B2A17C71D1121ACFDF24EFA8C841BDEBBB2BF48315F14816AD808A7290DB749985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 08283FF8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0828422E

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 77a5b743226e9868c2802418552101e7d1402d2635259d28199b738b2e3b87da
Instruction ID: 8d9462529ae28203c48c7d7b7247a57bbd32c5a2a80ce48004f5280c0b727862
Opcode Fuzzy Hash: 77a5b743226e9868c2802418552101e7d1402d2635259d28199b738b2e3b87da
Instruction Fuzzy Hash: BB917C71D1121ACFDF24EFA8C841BDEBBB2BF48315F14816AD808A7290DB749985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0316B8BF Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0316BB26

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0eee5d02b69a0303561bd1d704b4673fe387b5ac2fc990d69ac9814fae93e979
Instruction ID: 4b86c43f1ade9b1778fe8b1bc012d4695f7445a95ab68cf059e5d9b491030911
Opcode Fuzzy Hash: 0eee5d02b69a0303561bd1d704b4673fe387b5ac2fc990d69ac9814fae93e979
Instruction Fuzzy Hash: 998156B0A04B458FDB24DFAAD54076ABBF5FF88300F04892ED48AD7A40DB74E915CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03165E64 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03165F21

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d60898f8ccff456237e6107a7e83bc874b94e1f2f62f1dd72aa82cada5c3d27b
Instruction ID: 4fa19f5097fa4f6713815b3cbb4dedf43a4a59a5ceccd709c159b6c46bc6e50f
Opcode Fuzzy Hash: d60898f8ccff456237e6107a7e83bc874b94e1f2f62f1dd72aa82cada5c3d27b
Instruction Fuzzy Hash: 0C4122B1C00619CFDB25DFA9C844B9DFBF6BF49304F2480AAD418AB251D779598ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 03164A3C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03165F21

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 767f909b4cabca1c8bc8628762186f1f261acd870d363e4bb18e73730acc7ae2
Instruction ID: 7f815cd3337cafdd41c8a55ca1235da2a9fbf3ee0ef6db6cf2fd2c2a728fa1a9
Opcode Fuzzy Hash: 767f909b4cabca1c8bc8628762186f1f261acd870d363e4bb18e73730acc7ae2
Instruction Fuzzy Hash: 8641D2B0C0061DCBDB24DFA9C844B9DBBF6BF49304F2080AAD418AB255DB75694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 08283D68 Relevance: 1.6, APIs: 1, Instructions: 90
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08283E00

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 81887b7588860d5b89b98f003407488dc1fc1c691cfc6da266f963ecfdbf52b6
Instruction ID: 3a34b18983c3d7bea6568fc9881e464ff272a2ccf8bfb854ca2b5a743bff5e60
Opcode Fuzzy Hash: 81887b7588860d5b89b98f003407488dc1fc1c691cfc6da266f963ecfdbf52b6
Instruction Fuzzy Hash: C2316975801249CFCF10DFA9C889AEEBFF0FF49311F10852AD969A7291C7389546CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08283D70 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08283E00

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7d7236af254c776b21656cdacad76a59626a60894d58762cdea8afdd02ba6fa9
Instruction ID: 08c0e5198eea2f14778458e8f48f22f956b712b2986b861b4c5b481b325dd335
Opcode Fuzzy Hash: 7d7236af254c776b21656cdacad76a59626a60894d58762cdea8afdd02ba6fa9
Instruction Fuzzy Hash: 162126B1900309DFCB10DFAAC885BEEBBF5FF48310F50842AE919A7240C7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08283E5C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 08283EE0

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 33b8aa3dbda2547b61b806b614390a7f72c99bfdaac32ad207c20af17fbe1dcd
Instruction ID: 6fd98e91fea219164f2bf2377769a3443ca860fa460d1234ea6b8e42e0ad9ced
Opcode Fuzzy Hash: 33b8aa3dbda2547b61b806b614390a7f72c99bfdaac32ad207c20af17fbe1dcd
Instruction Fuzzy Hash: 9A2123B1C00249DFCB10DFAAC885AEEFBF1FF48310F50842AE959A7250C7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0316D440 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0316DD66,?,?,?,?,?), ref: 0316DE27

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d698dfe7679a952b3e60f637de60c26ab7b1ed6646909172ba23575148deb277
Instruction ID: 2643fb0d71591c7052b66b7f5f9817856ab79f6e2d9bec69e1db154334789e02
Opcode Fuzzy Hash: d698dfe7679a952b3e60f637de60c26ab7b1ed6646909172ba23575148deb277
Instruction Fuzzy Hash: CA21E3B5900258DFDB10DF9AD984AEEFBF8FB48310F14841AE918A3350D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08283BD6 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08283C56

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3fc71c22571eb431a460735ecd22b6aa3f054b00f417e34bacd864e1b6c8b979
Instruction ID: a7038b412ea64ddf4a8d0eab295366b371042f7b8849a8b9c50a8b4502bec68a
Opcode Fuzzy Hash: 3fc71c22571eb431a460735ecd22b6aa3f054b00f417e34bacd864e1b6c8b979
Instruction Fuzzy Hash: 6A213771D002098FDB10DFAAC585BEEBBF4AF48314F54842ED859A7241C7789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08283BD8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08283C56

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 70792ae6ac95daf9e2e3120ca0f33f08dd857643cf989e2c13a25b8d23c358a6
Instruction ID: 2809cb158c3e66809d5ebef853ecff4e8ed6edcea3c93ee5e7eb06fc39fc3412
Opcode Fuzzy Hash: 70792ae6ac95daf9e2e3120ca0f33f08dd857643cf989e2c13a25b8d23c358a6
Instruction Fuzzy Hash: 40213771D003098FDB10DFAAC5857AEBBF4EF48314F54842AD819A7241CB78A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08283E60 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 08283EE0

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3cfa87a66f39d12be8cd82966918fb49428152094256c942d62c98cfb78b482b
Instruction ID: 75f129c34568f7f7cd282cf2a960dce574a47846817ec74c6bb50c3330637ec0
Opcode Fuzzy Hash: 3cfa87a66f39d12be8cd82966918fb49428152094256c942d62c98cfb78b482b
Instruction Fuzzy Hash: 8421F8B1C00259DFCB10DFAAC945AEEFBF5FF48310F50842AE519A7250C7799945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0316B2F8 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0316BBA1,00000800,00000000,00000000), ref: 0316BDB2

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 214d4455b840260c1751fb0f8a1cd058775fc396c082bb2adfccdc663d4d87ff
Instruction ID: 4ead46b8219f15cf735f319000848c5a3a238dda4c705a27f45e6aa70f4ab65f
Opcode Fuzzy Hash: 214d4455b840260c1751fb0f8a1cd058775fc396c082bb2adfccdc663d4d87ff
Instruction Fuzzy Hash: BB2135B28043488FCB10CFAAD944ADEFFF8EF49314F14806AD519AB211C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0316B310 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0316BBA1,00000800,00000000,00000000), ref: 0316BDB2

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 46f42e2193568b30eb3d5bd12b694264e44b6e0c949f0d8cf88989ff8a5aa525
Instruction ID: fa13c163c1eb56e98a167aa6f02ffb107b87486c33df6895dba58fb10b6625b4
Opcode Fuzzy Hash: 46f42e2193568b30eb3d5bd12b694264e44b6e0c949f0d8cf88989ff8a5aa525
Instruction Fuzzy Hash: A81126B6C043489FCB10DF9AD844ADEFBF4EF48314F14842AD919AB211C379A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08283CAD Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08283D1E

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2b290d7ed5cf33c719d63c2ecdae8a08c0d78c2045db925cf58d195d43169c61
Instruction ID: c73a5320464b91d5fb0b1f0b0c13824ee0c8e448e0221fd8591086e3a4093d18
Opcode Fuzzy Hash: 2b290d7ed5cf33c719d63c2ecdae8a08c0d78c2045db925cf58d195d43169c61
Instruction Fuzzy Hash: CA1147718002498FCB10DFAAC444AEEFFF5EF88310F24841AD519A7250C7799944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08283CB0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08283D1E

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b3b45811e616643d5a02df876acda132da461aa863068e67645898c3a16ecd3c
Instruction ID: ab4c18a54c1f012032caa2a112d94533ca65042902a7245e170e7cfdbc814e0e
Opcode Fuzzy Hash: b3b45811e616643d5a02df876acda132da461aa863068e67645898c3a16ecd3c
Instruction Fuzzy Hash: D4112671800249DFCB10DFAAC844AEEFBF5FF48314F14841AE519A7250C779A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08283B20 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 08283B8A

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 36ca90ecf1e4a0a8e927015db134b214f7ded16efe903242936c1ef955bb73f9
Instruction ID: bc71e7e4191b4038f8801a7e3f94f9b7d5ba0b97d394d76b43606619fb440976
Opcode Fuzzy Hash: 36ca90ecf1e4a0a8e927015db134b214f7ded16efe903242936c1ef955bb73f9
Instruction Fuzzy Hash: 381149B1C002498FCB10DFAAC449BEEFFF5AF88314F24841EC419A7250CB78A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0316BD40 Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0316BBA1,00000800,00000000,00000000), ref: 0316BDB2

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 070b227329500842f3ba46630f1038c7943dccfa1bee600641344b177c676903
Instruction ID: 9353140251d0cc4da5f0a089338f12ae57a8eddc1b49079c7a3038b39fe55dde
Opcode Fuzzy Hash: 070b227329500842f3ba46630f1038c7943dccfa1bee600641344b177c676903
Instruction Fuzzy Hash: C611F3B6C002498FDB10CF9AD544AEEFBF5FF48314F14842AD819A7210C379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 08283B28 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 08283B8A

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 19f3794e2b2fde467024ddea2670369797437321b20fc8c8b84ce54e45f5370e
Instruction ID: f2adf1d3933167e60ec80fe1f16121bed92c181b0315b0d12e12fe031cb0400e
Opcode Fuzzy Hash: 19f3794e2b2fde467024ddea2670369797437321b20fc8c8b84ce54e45f5370e
Instruction Fuzzy Hash: 0E113AB1D00249CFCB10DFAAC4457EEFBF5EF88724F20841AD519A7240CB79A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 08287CD4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 082883C5

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d929179fcc202c1fb29c3325f5aebbb1cfac3ad026b6dde6446bbd423704a30c
Instruction ID: bbd12f653394ba5928b4b8c3c55a5cbdb333080d86a898e897c65061ec73f78f
Opcode Fuzzy Hash: d929179fcc202c1fb29c3325f5aebbb1cfac3ad026b6dde6446bbd423704a30c
Instruction Fuzzy Hash: 1011E3B5800349DFDB10DF9AD544BDEBBF8EB48310F10841AE918A7240D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0316BAC0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0316BB26

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c9e9cd66d2719cac4115ecffc58fd173ce57ca9c43e8a576674f450da129654f
Instruction ID: 2d1a4bafaec18abd1acc44a6e35c54a107a2960eaa35c2c28a1ceab74339a9c4
Opcode Fuzzy Hash: c9e9cd66d2719cac4115ecffc58fd173ce57ca9c43e8a576674f450da129654f
Instruction Fuzzy Hash: E211DFB5C002498FCB10DF9AD944A9EFBF4AF89214F14841AD819B7210C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08288361 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 082883C5

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 21013a1aa2abb3efda791a7b116751a2b023078916c3443b79ec2e2fd774b681
Instruction ID: d0b8711c2b1375bdc834ff601e47f5917b354ef29875eeb9cfd288c1231b8e42
Opcode Fuzzy Hash: 21013a1aa2abb3efda791a7b116751a2b023078916c3443b79ec2e2fd774b681
Instruction Fuzzy Hash: 0411F2B5800249DFDB10DF9AD585BDEFFF8EB48314F10841AE918A7650C3B9A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0316BDE9 Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0316BBA1,00000800,00000000,00000000), ref: 0316BDB2

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 42446063e495f635e8116166f7666fcdafd623489bc2686e819a5b79ffdc1b61
Instruction ID: 7dc981451b5f3fe936f105e3319504be19196e6e44a5b65a6190ffc1207f04c2
Opcode Fuzzy Hash: 42446063e495f635e8116166f7666fcdafd623489bc2686e819a5b79ffdc1b61
Instruction Fuzzy Hash: EEF0B4739087444BDB21D6EEE804396FBE89B45334F08C067D649D7141C7B99464CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07F0120C Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07F08239

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 656d886b131f52708f1820c36356e2610ac19e4b4efefbfea85f13ff910a40a8
Instruction ID: ccdb5343d27a54f5ce2539ff9884af5e8809edaa7c45f26b5f51f6e5d94bdd9f
Opcode Fuzzy Hash: 656d886b131f52708f1820c36356e2610ac19e4b4efefbfea85f13ff910a40a8
Instruction Fuzzy Hash: C7418F75B002099FCB14EF7998449AFBBF6FFC8660B188969E419D7394DB309C0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 07F05CF0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

O};5, xrefs: 07F05D28

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: e1b10dffa5bfa779dfe4d6c74bddb55d029d9e05f6ea2297c5f8201cce1c2b57
Instruction ID: 4bb173dcc84516b96b0e790582ca4a53df71b654f5696c959dc12f7a0a902296
Opcode Fuzzy Hash: e1b10dffa5bfa779dfe4d6c74bddb55d029d9e05f6ea2297c5f8201cce1c2b57
Instruction Fuzzy Hash: 78416BB0A25209DFCB44CF95D5898AEBBF1FF89300F64A8A6D055EB358D734DA20DB10

Uniqueness

Uniqueness Score: -1.00%

Function 07F05CE2 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

O};5, xrefs: 07F05D28

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: 16e446e1ea11c3f8c1cdfe9cfe322ef244bd105348a7e13953d29ee128989328
Instruction ID: 97427988e2f36236e3e165a8c4cf2382bcbf564f5e2ade38f4f536417fcb2414
Opcode Fuzzy Hash: 16e446e1ea11c3f8c1cdfe9cfe322ef244bd105348a7e13953d29ee128989328
Instruction Fuzzy Hash: EB419FB0A15209DFCB44CF95D5898AEBFF1FF89300F68A895D055AB368D734DA20DB10

Uniqueness

Uniqueness Score: -1.00%

Function 07F0D819 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07F0DA02

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 7342408ae5ce8c633bbb10ef6b4a28b1cabb2ff4bd70aede3aeaf5cd873622d3
Instruction ID: 3abdaa991ba8d112d8cb299c48ac827cfb675538fd4c716d6a88f516e9a36e4b
Opcode Fuzzy Hash: 7342408ae5ce8c633bbb10ef6b4a28b1cabb2ff4bd70aede3aeaf5cd873622d3
Instruction Fuzzy Hash: D0310BB4E053488FDB04CFEAC95469DBFF6BF8A300F18906AD455AB3A9DB745846CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07F07CE8 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07F07C5B

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: e456caeaf507aec540a2941ed00bdb9de07079b9134f65b176952050fee43e68
Instruction ID: 1ec6855ae934317766bce2f98b4a9c5b505b3a7837ff65a41e2facc559c6ab6c
Opcode Fuzzy Hash: e456caeaf507aec540a2941ed00bdb9de07079b9134f65b176952050fee43e68
Instruction Fuzzy Hash: CD21C762A042D54BDB06AB7C99607EE7F619FC2215F1800E7C045CB396E918CD06C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 07F03B90 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

3H5, xrefs: 07F03C3E

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: 3H5
API String ID: 0-3899204960
Opcode ID: 55a2db3c25f6718e53c61d31ad801738b1a71ef6d47e921ce7f559ba2a03b06d
Instruction ID: a006e93e071d7e0995fcb226b453f61cb7c3462a7937db75b2a96e051ffa03bb
Opcode Fuzzy Hash: 55a2db3c25f6718e53c61d31ad801738b1a71ef6d47e921ce7f559ba2a03b06d
Instruction Fuzzy Hash: E7219FB0D1524ACFCB15CFA9D5405AEBFF1BF8A300F18C1AAD540AB391D7349A45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 07F011FC Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07F07C5B

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 5550900fc1141a57a36b25569a99650e0cdee4cb12219592b36b2d33f1bbb4c0
Instruction ID: 2ac299b11f7d0bd5883f6aec5e9b3d5db0f5646800ff6e54b92dd9a5ffa37c55
Opcode Fuzzy Hash: 5550900fc1141a57a36b25569a99650e0cdee4cb12219592b36b2d33f1bbb4c0
Instruction Fuzzy Hash: 901151B1F0010A8BCF14EBBC99505AEB7B5EFC4711B5444A9C505E7344EB359E06D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07F0D8F8 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07F0D908

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 7ab156dbca9964053144537630c2e8b67c5a32d46f57d4dea76a879ba5a73551
Instruction ID: cf0c2053e0451718d045d26a93b956c84d9056cfadd76e52b69e6a86da353b8a
Opcode Fuzzy Hash: 7ab156dbca9964053144537630c2e8b67c5a32d46f57d4dea76a879ba5a73551
Instruction Fuzzy Hash: F1114D79E002099FCB08DFE9D5849ADFBB2FB88310F10852AE919AB365D7315956CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07F0D88F Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07F0DA02

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 59c409f7bbea1394d9af1df9175b1cfab1e0bbece3adde0f5c30477ef05f9726
Instruction ID: 07948dde8917cce4ed6d0ebb8d66853ad2e40dcb63087ec52509f9a3b95269dc
Opcode Fuzzy Hash: 59c409f7bbea1394d9af1df9175b1cfab1e0bbece3adde0f5c30477ef05f9726
Instruction Fuzzy Hash: 4F01C9B8E08248CFCB04DFD9C5846ADBBB6BF4A300F14A019D459AF399DB3098468F40

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E008 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc77f1de30b46cac542a3d81b333afccbbf66324ee67addb91579e3da14257a7
Instruction ID: abf8dfaeee106fad450ce6509feab648836d58ad9261080b087602b68e43468e
Opcode Fuzzy Hash: dc77f1de30b46cac542a3d81b333afccbbf66324ee67addb91579e3da14257a7
Instruction Fuzzy Hash: C74129B1E19209CFDB04DFA9C9406AEFBF6BB89301F18D469D419A3392D7349940DB94

Uniqueness

Uniqueness Score: -1.00%

Function 07F05B88 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7df35dad815d4ca8dab318aba4adcb4fb4e705602aa074d2c136f01818678d
Instruction ID: 8629d14ab84444fe156208689f730941f13774699ff84fc294d208db1ffd2c4c
Opcode Fuzzy Hash: ce7df35dad815d4ca8dab318aba4adcb4fb4e705602aa074d2c136f01818678d
Instruction Fuzzy Hash: 3D41ADB49197888FC706DB69D444948BFF0FF8A311F5A90D6D480DF3A3DA389965CB12

Uniqueness

Uniqueness Score: -1.00%

Function 07F00006 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86004bb441729429c173ec9a54f8df63ba56187d04941864ccbc404f36c242d8
Instruction ID: 140a676760d2b35b146fa37476a65f0157c181d29ae9e41e3813eba9d0e0175c
Opcode Fuzzy Hash: 86004bb441729429c173ec9a54f8df63ba56187d04941864ccbc404f36c242d8
Instruction Fuzzy Hash: 9041B3B2919252CBC7118B65CC007BABBB1FB42315F4C81A7E4549B2D3DA398941E7D1

Uniqueness

Uniqueness Score: -1.00%

Function 07F05E6A Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb366623ea7d0d524fe930f48e106bb4e0242c21ac612d4f45a1f53e0107e35a
Instruction ID: f40d4aa57e81a0e15c3fe869c3a9f1bb59c38520ded908c48f50cb785df7ffd0
Opcode Fuzzy Hash: fb366623ea7d0d524fe930f48e106bb4e0242c21ac612d4f45a1f53e0107e35a
Instruction Fuzzy Hash: F14189B5E0020ADFCB04CF95D8419AFBBB2FB89310F149529E404AB394D7B49A51CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F05E78 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d2396399e561cab334c115e113906cbd0f02569db5e6a65692acb9151cf37e
Instruction ID: 94b6ec112c92a6e9df4f7506e9a22eb855c70c13d7d929b7ec9561b013ab823d
Opcode Fuzzy Hash: e8d2396399e561cab334c115e113906cbd0f02569db5e6a65692acb9151cf37e
Instruction Fuzzy Hash: EB4188B4E0020ADFCB04CF95D8419AFBBB2FB89311F149529E405AB394D7B49A51CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 07F0DFF7 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93ddd9868be1f7565629e75111f51d001decf2edfc18d200e0b2778353f0768
Instruction ID: aaff4099aedfb982a53091bf6419b4407e78aaa01c7b4490b78c68bf7ee4ef45
Opcode Fuzzy Hash: a93ddd9868be1f7565629e75111f51d001decf2edfc18d200e0b2778353f0768
Instruction Fuzzy Hash: C1311CB5D19208CFDB04DFAAC9046AEBBF6BF89301F08D46AD419A7391D7344901DB94

Uniqueness

Uniqueness Score: -1.00%

Function 07F07EC4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb0fcef0ad145d513ec60d077dfdfd0217b65f749949c8012fd75032fc66dc7
Instruction ID: 148318dcee68fd240370fb4b9f9da179586c391c184e44be76b88d43bee2e5ee
Opcode Fuzzy Hash: ddb0fcef0ad145d513ec60d077dfdfd0217b65f749949c8012fd75032fc66dc7
Instruction Fuzzy Hash: 74315AB6900208EFCF10DFA9D848A9EBFF5EF49310F14846AE908A7350D775A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F0ACB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77a74f879b1b01cda3d7150733cc8f7275ba265b4dc54a47e4747bbae486dd5
Instruction ID: d6fe6c72f3599f72bcdc028c3bee03c00fa356b45f9d639018a3ccb05c602bdb
Opcode Fuzzy Hash: b77a74f879b1b01cda3d7150733cc8f7275ba265b4dc54a47e4747bbae486dd5
Instruction Fuzzy Hash: 6D31E470B46309DFD3144B288858B367BA7BB86309F6DC07AE0164F3C2DA76C801EB90

Uniqueness

Uniqueness Score: -1.00%

Function 07F03E90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a8ba9c76814c371601f7f7474e204255ddef5323deb39705cba51964d7ea36
Instruction ID: 7f742c40e6307f9d1a7328080af64b71c935fef8a02e2a453d4990e3d47ddc7b
Opcode Fuzzy Hash: 83a8ba9c76814c371601f7f7474e204255ddef5323deb39705cba51964d7ea36
Instruction Fuzzy Hash: F931F5B1E1520ADFCB08CFA9C5805AEFBF2BF89300F18C56AD419A7394D7749A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07F0EA67 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdab8446338711db4597743d76259f692b4ced1ec6f66c83713c5d7c37a022a
Instruction ID: bc7a658bf68b30d9dea6e1f83d45c650bdb8d1401fabe3100de9e6c8e7ed5cc0
Opcode Fuzzy Hash: cbdab8446338711db4597743d76259f692b4ced1ec6f66c83713c5d7c37a022a
Instruction Fuzzy Hash: AB41F0B4E15218CFCB14DB98C684AECBBF5BB0E310F189895D41AA7391D7309981DF90

Uniqueness

Uniqueness Score: -1.00%

Function 07F03E80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81d3b7f953cffc51785291d9feb8bdb30b59cdddad94d88d623d3221b471d01
Instruction ID: 27073051b8b62e874d60cf463f2e3a5034305a3098b11e6e6de848aa18e57dfc
Opcode Fuzzy Hash: e81d3b7f953cffc51785291d9feb8bdb30b59cdddad94d88d623d3221b471d01
Instruction Fuzzy Hash: C8316CB1D1520ADFCB04CFA9C5805AEFBB2FF86300F18C5AAD415A7395D7389645CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07F0ACA0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827a87c828902eea552d3eb5c1cbe6ab207931f2f6771aca717d7d4e60b583c7
Instruction ID: ea4948c178b8729ef8d9cde92a12402116213d0143ba1dc58115c6955ba3ae12
Opcode Fuzzy Hash: 827a87c828902eea552d3eb5c1cbe6ab207931f2f6771aca717d7d4e60b583c7
Instruction Fuzzy Hash: 5431D475B46305DFD7148B288849B257BA2FB8530AF5DC07AE05A4F3C2DB7AC801E780

Uniqueness

Uniqueness Score: -1.00%

Function 0311D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014169711.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_311d000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8ae586adedaa9804e8542b2f7bdcb7dc707df0b657bff045883a3af1230e7b
Instruction ID: 2f3d5106791f13e6d3156c256b94fc3d210dd270a2fdd61a3160fae32a37b86c
Opcode Fuzzy Hash: ca8ae586adedaa9804e8542b2f7bdcb7dc707df0b657bff045883a3af1230e7b
Instruction Fuzzy Hash: 5E21F271504204EFDB05DF24E9C0B66FBA9FB8C314F24C6BDE9194B256C33AD466CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0311D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014169711.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_311d000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5664e0e6b61a335f9fcc4c4569503583ce30ade0502fc5186babc2d85dc9b551
Instruction ID: b49b9b2dcfe287aa1b3d5ed903672341df104981bff295612b07166420adc19f
Opcode Fuzzy Hash: 5664e0e6b61a335f9fcc4c4569503583ce30ade0502fc5186babc2d85dc9b551
Instruction Fuzzy Hash: 9721F275604204DFCB18DF24E984B66BF69FB88314F24C5BDD90A4B256C33AD467CA62

Uniqueness

Uniqueness Score: -1.00%

Function 07F07CC4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3599add3f9e58dad35adae2c8ccfb328f1b5fba893c0cba14bfc684c21aaa37
Instruction ID: affb206d46ceca2c7ac513588caadc9b808e273e36b7b3fb5f21bc69b5dd2c9f
Opcode Fuzzy Hash: d3599add3f9e58dad35adae2c8ccfb328f1b5fba893c0cba14bfc684c21aaa37
Instruction Fuzzy Hash: 5231E3B0C01218DFDB20DF9AC584B9EBFF4AB49314F68805AE404BB390C7759845DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F0827E Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0660706b5624664a4a327db0f675a33ff0f7c318df9b400d098875b331195182
Instruction ID: b7a64fb160773b55c210d3678fa126409eb4ea07441d550a69e729483e56f881
Opcode Fuzzy Hash: 0660706b5624664a4a327db0f675a33ff0f7c318df9b400d098875b331195182
Instruction Fuzzy Hash: 4221E3B1C01258DFDB20DF9AC588B9EBFF0AB49314F28845AE404BB390C3759845DF90

Uniqueness

Uniqueness Score: -1.00%

Function 07F07E8C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bab576fe26cdb8e11edb728d6194bcaf5c20564cc06e913582e1303006b47b
Instruction ID: e7b5c62143bdf001e6a7775694385b915aed6dd0bccc9db7d19e91ecce0fa4cb
Opcode Fuzzy Hash: 98bab576fe26cdb8e11edb728d6194bcaf5c20564cc06e913582e1303006b47b
Instruction Fuzzy Hash: 1F1191B9A09344EFCB05DB74CE5576E7BB9EB46200F1844EAE805C7382E934EE05E761

Uniqueness

Uniqueness Score: -1.00%

Function 07F05C18 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9104e16eee0e90404203b3a15b42d3f3c6c7ff3adc040dd58d3721fcb049b7
Instruction ID: ad8249c6341489ea071aae096749c91e7c2d2d55ca046423f15dfb49f7b9ed32
Opcode Fuzzy Hash: af9104e16eee0e90404203b3a15b42d3f3c6c7ff3adc040dd58d3721fcb049b7
Instruction Fuzzy Hash: 9921C2B4A10908DFC708DF5AE484999BFF1FF88310F5690D4E4889B365EB31D9A0CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0311D007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014169711.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_311d000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7279a433e1552cba70aebd2cf715bdaaa800810159f47c7de9847ec88c18f77d
Instruction ID: 87ead47ec88774183363e9bc5e5d875eb1640f0f3da0433575cfc2c12ce368da
Opcode Fuzzy Hash: 7279a433e1552cba70aebd2cf715bdaaa800810159f47c7de9847ec88c18f77d
Instruction Fuzzy Hash: 8C21A4755093808FCB02CF24D994715BF71FB4A214F28C5EAD8498F2A7C33AD41ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E1A1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679a3216bd0b71b054118441217733d21300999ff54da5cb5d8d570a4f41e095
Instruction ID: 0ee883b3b85a1192741c0257322edb7aeaed8a98fe70454816c370544da5c99b
Opcode Fuzzy Hash: 679a3216bd0b71b054118441217733d21300999ff54da5cb5d8d570a4f41e095
Instruction Fuzzy Hash: F92149B4E08249CFCB40DFA8C1819AEBBF5BF4A310F24519AD818A7352D7309E41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E1B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f705da7095e88310e81a7baeb9e7ee5fc8fbf7a9376cf76e86b7b5aa23e2eec
Instruction ID: 4350ea9602684d6856a72274d3fd36d1bda0d6717ee5bbad2caeacbde4a52675
Opcode Fuzzy Hash: 2f705da7095e88310e81a7baeb9e7ee5fc8fbf7a9376cf76e86b7b5aa23e2eec
Instruction Fuzzy Hash: 3C21F9B4E18109DFCB44DFA9C1819AEBBF9FB49310F2494A9D809A7751D730AE40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 07F080C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6d844420a6ea3dbeaae4d47b5d2de1096f0fdd46e00fe6c4911a46e55bd7ca
Instruction ID: db8934c21ccea09d1d42f7bebe11cb8bc8d65c95de9089bc1de469c6205fad8f
Opcode Fuzzy Hash: 2e6d844420a6ea3dbeaae4d47b5d2de1096f0fdd46e00fe6c4911a46e55bd7ca
Instruction Fuzzy Hash: D81173B5A006169B9B15EF688D446BFB7B7EFC4260B188929D429D3380EF34990197A0

Uniqueness

Uniqueness Score: -1.00%

Function 07F0EB79 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa51ecc0c6cda3fb643007e4411a2df1bf3f46d0df5efd778a4f479fd456234d
Instruction ID: 7f3b64707abedf8cd2c8b5169ed1972ffa7a2d0a8caa8b77abfcbd2b4f1ed5d6
Opcode Fuzzy Hash: fa51ecc0c6cda3fb643007e4411a2df1bf3f46d0df5efd778a4f479fd456234d
Instruction Fuzzy Hash: A821B2B4D11268CFCB60DFA8C588BDCBBB5FB08311F148495E81AA7355DB34AA85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E290 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c28d6cf9c14bcf13260e657ac2055768e5765a962664c6ab7deffce666fe182
Instruction ID: f74605e5a81920406d882ef1f291669a78f508009993fb6e235dd9dfa8423365
Opcode Fuzzy Hash: 0c28d6cf9c14bcf13260e657ac2055768e5765a962664c6ab7deffce666fe182
Instruction Fuzzy Hash: D71146B4E49208DFC705EFA8C5406ADBBF5FF4A310F0899AAD008AB352C330DA05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 07F07ED4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c60269551832986a82e3b42f7d6fe1937ba528cfbdc15ee60a8f92bf1a2ef1
Instruction ID: 5eb801e3553d1e974c345d381d1855dea5fd54f1045b5209363059bf4104fb6b
Opcode Fuzzy Hash: 09c60269551832986a82e3b42f7d6fe1937ba528cfbdc15ee60a8f92bf1a2ef1
Instruction Fuzzy Hash: D12100B6800349DFCB10CF9AD988ADEBBF4FB49310F14841AE918A7351D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0311D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014169711.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_311d000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: bc6eb08319fab77a6cb8726ef9a2a3a601704891cb592eeab83ce08b48c80677
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: EB11BB75504280DFCB02CF14D5C4B25FBA1FB88214F28C6A9D8494B696C33AD41ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07F0EAAB Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704589090b5859799fa50b186bd3f5a3195978f24f23405c1653ef0498a94dd
Instruction ID: 41ba99588060409b43ae140f56a50e6769d5b6061ae90eba72d6d8efa0abf61e
Opcode Fuzzy Hash: 4704589090b5859799fa50b186bd3f5a3195978f24f23405c1653ef0498a94dd
Instruction Fuzzy Hash: 0E1126B1919218CFCB14DB58CA859ECBBF5BB0E311F185595D409AB392C730AD85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E2A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe44c2913bed080319c9ba5561203e2d2b94d445cbdd73ae53137843fa72b0d
Instruction ID: 8f579b8c2706c6e0a36670b052488f936767b5777127071d12a53f278efbfbb8
Opcode Fuzzy Hash: abe44c2913bed080319c9ba5561203e2d2b94d445cbdd73ae53137843fa72b0d
Instruction Fuzzy Hash: AB1127B4E49208DFCB04EFA9C140AADBBF9FF49310F0499A9D408A7352D770EA01DB80

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E8B4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3cafe0387750e1831e9fb5ef5ca2287b48c3d74cddc00bd6143e5126a5f985
Instruction ID: 08066e65e169e68539d8f43361d7b75355040540d2933af28075ac60e2c7e5e7
Opcode Fuzzy Hash: 7a3cafe0387750e1831e9fb5ef5ca2287b48c3d74cddc00bd6143e5126a5f985
Instruction Fuzzy Hash: 1D1107B0919218CFCB24DB58C6819ECB7F6BB4E311F585594D409B7391C730AD85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07F0F1A0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d2d3c20025e4148163bd45739fdb5df82e47b28cf30a82af6dc639fdea4f1c
Instruction ID: a21feffd61e80ee538c198b1e8223f45829615dcacdb7a8839b4103b164f0a31
Opcode Fuzzy Hash: f2d2d3c20025e4148163bd45739fdb5df82e47b28cf30a82af6dc639fdea4f1c
Instruction Fuzzy Hash: E9116D70D25218EFCB18CF6AD5409AEBBF6BF89301F148029E808A7351DB309941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0310D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014101435.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310d000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876124611b475d16447f517ee01ebb99edb212a38fe46e77c72f590e8c222726
Instruction ID: 6ea6ae1edb1c539a49723ff51835f1b0eabef14a9e5ce6d2ab63a2a5111a04f9
Opcode Fuzzy Hash: 876124611b475d16447f517ee01ebb99edb212a38fe46e77c72f590e8c222726
Instruction Fuzzy Hash: DB01DB711043449BE724DE99DD84B67FF9CEF8A328F18C56AED090A2C6D3B99841CA71

Uniqueness

Uniqueness Score: -1.00%

Function 07F0F5F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a27502b51abd67063bcc0656ce309ddf0c33bd2197a3d0e88b7222463c6ce3d
Instruction ID: 2a80315a707bc10b20c319b9e98c5db1ef95e813c9cdf7130123ff228f3fe006
Opcode Fuzzy Hash: 8a27502b51abd67063bcc0656ce309ddf0c33bd2197a3d0e88b7222463c6ce3d
Instruction Fuzzy Hash: A901FB79A15108DFC704DFA8C685AADBBF5AB4D301F19D194E4089B362DB30DE00EB80

Uniqueness

Uniqueness Score: -1.00%

Function 07F0F578 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1328fc8dfb0023c68a22732f6edc1c295e892af6a1f455d6cc884f52c529e17
Instruction ID: 08e79e9e9ff6286882c8de471e41dd9344883edbe472f050f62f10e8624c6092
Opcode Fuzzy Hash: c1328fc8dfb0023c68a22732f6edc1c295e892af6a1f455d6cc884f52c529e17
Instruction Fuzzy Hash: 4CF03CB192D108DBC724CF55D540ABDBBFDAF9A301F48A1A594095B392DB30DB54EBC0

Uniqueness

Uniqueness Score: -1.00%

Function 07F0D9DF Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3324877e4a407ea837be8ebae8c96bd4147f68aae6095a855d529543968ba4
Instruction ID: 5b654cd938e1af67a3bbdf68fd27282d563d0faa2a69a1da9c226f6b7c6cc5ce
Opcode Fuzzy Hash: ba3324877e4a407ea837be8ebae8c96bd4147f68aae6095a855d529543968ba4
Instruction Fuzzy Hash: 450116B8E08219CFCB00CFE5C890AADBBB5BF4E300F14942AD456AB396D7709801CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07F096C9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5650e1a7dd700f5fc150a35d91e269ee017ba9a701e103960d4890e0d7167f13
Instruction ID: b1ca943444be0fbb532e45853b2a3546181c72e36aa3f44c116e6d84311fa7f1
Opcode Fuzzy Hash: 5650e1a7dd700f5fc150a35d91e269ee017ba9a701e103960d4890e0d7167f13
Instruction Fuzzy Hash: F2F0BBB2A00009AFCF04DF98DC45AAEBBEADB44214F1881A6E408D3350E671ED109791

Uniqueness

Uniqueness Score: -1.00%

Function 07F086D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a0a280e1e3ff3d9f46f5a1976c6b9922cef6aeeb4ea08abfa6cb2b93ecd44b
Instruction ID: f90e3cb5997fb92f3b10ec27aef9b166abdc3f53be965799a1524982dbb0b34f
Opcode Fuzzy Hash: b6a0a280e1e3ff3d9f46f5a1976c6b9922cef6aeeb4ea08abfa6cb2b93ecd44b
Instruction Fuzzy Hash: 25F0BE767042541F93049A6A9C94C2BBBE9EBCD62031540BAE508CB351DA209C00C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 07F03C89 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751b745c6d2e355727418f73ba79bd6fb0fe806597cc5a3760190c852fedaa8b
Instruction ID: 524f20d80d08b173bce0f1f12d45eb7dc310e1a2b25da8d259b56f312a411cf8
Opcode Fuzzy Hash: 751b745c6d2e355727418f73ba79bd6fb0fe806597cc5a3760190c852fedaa8b
Instruction Fuzzy Hash: 09014678A012489FCB05CFA8C984A99BFF1FF49310F19C1C9E8189B3A2CB35E941DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0310D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014101435.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310d000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b927798c84d8c2b657efee3ca0db70efb2279a71b9bb198283485f2f881f5b
Instruction ID: 268d77acf54e728da84e45fd3a259fe9520fbd3bfe5c789a4ac757dfb88b3bec
Opcode Fuzzy Hash: e0b927798c84d8c2b657efee3ca0db70efb2279a71b9bb198283485f2f881f5b
Instruction Fuzzy Hash: 65F062714043449BE7108E5AD988B66FF9CEF86634F18C45AED484A286C3B99844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 07F0863C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95b19387dba1ed8c9216010225f0c423235bb761a2b00635d5b2d5f2a841604
Instruction ID: 04c22761c1a3feb82917b63d79b6ab047b9ba524db13735badd22b3976f1249e
Opcode Fuzzy Hash: f95b19387dba1ed8c9216010225f0c423235bb761a2b00635d5b2d5f2a841604
Instruction Fuzzy Hash: 5E01ECF5C00219DFEB14CF55C9443ADBAB1AF443A4F198655D824AA290D7744A41DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 07F08648 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8838448f642d46782bb87ce900ac568115555072e10f78e015ca176f90978b8
Instruction ID: a7888dd1f667fbd1009d172ca83f0b5ab6457474937dba0e52a8221a79a79253
Opcode Fuzzy Hash: d8838448f642d46782bb87ce900ac568115555072e10f78e015ca176f90978b8
Instruction Fuzzy Hash: 0701FBB4C00219DFDB14CF6AC8087AEBAF5FF483A0F158225E824AA2D0D7744A40DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 07F03C98 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61680229f42b264f63baadaab73a811dd529cc37de7a6badb1aa96ad5f14e085
Instruction ID: f39a834db1f3d5b02e2c8319a618f54bd704b3e53c79cf44fc49f0d51295f3f7
Opcode Fuzzy Hash: 61680229f42b264f63baadaab73a811dd529cc37de7a6badb1aa96ad5f14e085
Instruction Fuzzy Hash: 3F015478E01208AFCB04DFA9C585A9DBFF1AF48310F15C199A9089B365DB35E951DB41

Uniqueness

Uniqueness Score: -1.00%

Function 07F086E8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3def47bafe8809ba8cfa561db6d8f61fb52bbd230ed21c020a1ca8a101ddcb94
Instruction ID: fa75570bbe23e7944bf5940f36e295469941883f0752a24510c83d616163c96a
Opcode Fuzzy Hash: 3def47bafe8809ba8cfa561db6d8f61fb52bbd230ed21c020a1ca8a101ddcb94
Instruction Fuzzy Hash: 57E06D767002286F9304DAAEDC84D6BBBEEFBCC670361807AF508C7310DA319C01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E84C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6653d143c124a7a860f8f1a778094c417d8c21674ca73197a1b30041681bb61
Instruction ID: a1830bf20e10565f183562b44ee01f4bac605175b6449de2892530029a7e2505
Opcode Fuzzy Hash: f6653d143c124a7a860f8f1a778094c417d8c21674ca73197a1b30041681bb61
Instruction Fuzzy Hash: F0F03CB2919248CFCB10EB54D9859AC7BF9BB0E210F085985D409AB392D730EC80DF91

Uniqueness

Uniqueness Score: -1.00%

Function 07F0D8C4 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e0e49f5fe0ecca6ec66ab8dd1b882a5b76121ef5900d50dd288e9702a92b03
Instruction ID: 96194d883837f779630593e59b1a69d2df7dffff9af5c845fa9278d585e7fadf
Opcode Fuzzy Hash: 42e0e49f5fe0ecca6ec66ab8dd1b882a5b76121ef5900d50dd288e9702a92b03
Instruction Fuzzy Hash: 10F0E2B4E1B218CBDB08CFA9D6446EDBBFABF49300F186429A409A3390D7749A01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 07F0EC3F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48c78195dd1e9b476d851eeac0355e8a0b68a3069cc9306ca337ec40e45c2a3
Instruction ID: e49562ecf145dacfa8a9c5479654f9e99d07ad5d5b2b312aa63203eed3790961
Opcode Fuzzy Hash: c48c78195dd1e9b476d851eeac0355e8a0b68a3069cc9306ca337ec40e45c2a3
Instruction Fuzzy Hash: ADF01DB5D19208CFCB14DF54C2868AC7BF9BB4E311F595594E40AA7392DB309C84DF61

Uniqueness

Uniqueness Score: -1.00%

Function 07F0D389 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1bd60d7bcb31e036bc7d909a1a71c0d49a36ee8edaeed09e0936dd982f4ed6
Instruction ID: 28442e8047e8d208db55f5e46d16d5632c6bbeb7f048e239bb1da39473d26b77
Opcode Fuzzy Hash: 6d1bd60d7bcb31e036bc7d909a1a71c0d49a36ee8edaeed09e0936dd982f4ed6
Instruction Fuzzy Hash: 6AE092B5B59218CACF14CAA4E9405F8B7BDEB8B205F0471A5D00E92391DB308949AB80

Uniqueness

Uniqueness Score: -1.00%

Function 07F0D00F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32c118f2191f46a4456871bc51eec91d2d0e247a9d417ef20ec35c21a132aff
Instruction ID: 453a2d75cae6c2870e196b1dcbca6f5be16b130a08060d7cee91dc05bcaf4993
Opcode Fuzzy Hash: e32c118f2191f46a4456871bc51eec91d2d0e247a9d417ef20ec35c21a132aff
Instruction Fuzzy Hash: BAE0D872A18114DFCB008B64EE45AE87779FF46245F0460E5D40D93262DB348D4ADF81

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E250 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7959f7ca755b1054dc96ec294e9e6ec9058d5d7f95cfe1f5247fd72cf25517c
Instruction ID: 609bc3857886fd9d6af4569d5d9189540c2c7c051f1af6a27ec0b9f741acddb3
Opcode Fuzzy Hash: c7959f7ca755b1054dc96ec294e9e6ec9058d5d7f95cfe1f5247fd72cf25517c
Instruction Fuzzy Hash: E4E04F7054A3C4DFC7279774D11415C3F716B47226B1C15CAD0949B2A3CA3A4D57D751

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E95F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c27ab4f80a93f65a8594a9fb4f6d697c11f479867dbef6f515e0dad9f8d651
Instruction ID: 06acbde9412f6806eb6560f9c697740d79a14a52e6337770719732007cd37596
Opcode Fuzzy Hash: e8c27ab4f80a93f65a8594a9fb4f6d697c11f479867dbef6f515e0dad9f8d651
Instruction Fuzzy Hash: F3E04FB1D1D249CFCB04DF52C9145F9BB7ABF8F301F18E051A40A62296EB344A58DB90

Uniqueness

Uniqueness Score: -1.00%

Function 07F02CAC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d637b8390cbb5038542e3b128b42e628052df69cfcc4e780efe2c03d9a52967
Instruction ID: b915315db935ebe7f66b20773fe2d64380c10e64bb1a907dc7d21a9bdec6d447
Opcode Fuzzy Hash: 1d637b8390cbb5038542e3b128b42e628052df69cfcc4e780efe2c03d9a52967
Instruction Fuzzy Hash: C8E04FB1526345CFC718DB70C0499997B71FF45311B241099E0079A3B4CB35E981CE90

Uniqueness

Uniqueness Score: -1.00%

Function 07F00460 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a45611b975da4bbcbf8725ea929e06d21aafde756b5544099e7f8efa3c8bb98
Instruction ID: 6fe333e70b8aef573384583962173cc2ea4a00552c60e8e88cbdbeb3c61d8d1a
Opcode Fuzzy Hash: 6a45611b975da4bbcbf8725ea929e06d21aafde756b5544099e7f8efa3c8bb98
Instruction Fuzzy Hash: 97D05EE38152089BCF009AF4DC0A75A3AA8D301215F9C1454E808C2241EA65C260D255

Uniqueness

Uniqueness Score: -1.00%

Function 07F0CF10 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef69197e359fc680bc3d9767e7204a850c84166b8d10319c003bc14901e4acc
Instruction ID: 6e46785340e07d835918e6d12ea58846c936e3577815dee7507a47d6de897aaa
Opcode Fuzzy Hash: aef69197e359fc680bc3d9767e7204a850c84166b8d10319c003bc14901e4acc
Instruction Fuzzy Hash: CAD0224B8A81C00BCB1200B06F9131A2FB0D722502BACAEAF8CD6C69A3E09DC42161D3

Uniqueness

Uniqueness Score: -1.00%

Function 07F0E260 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b7d83028af3d4481d3c5e9643d24431b4382da63469dad2dfe27f470bb8f6d
Instruction ID: bf253be69a36080960710924aec87b0f976763cc509a4ae99415d2feb51494c5
Opcode Fuzzy Hash: 21b7d83028af3d4481d3c5e9643d24431b4382da63469dad2dfe27f470bb8f6d
Instruction Fuzzy Hash: 72D0C7B0C0220CDFCB14EFB4E10529CBF31BB06302F1440A8E80823340CB314A90DB80

Uniqueness

Uniqueness Score: -1.00%

Function 07F02C34 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad529cbafd1e227d2834078f68f82baf818a86980005d058759559077910d041
Instruction ID: c1648f4be1c8cdf40b27a3f38e221f2c1663a82cd51cf5f73c07205e0ec8f945
Opcode Fuzzy Hash: ad529cbafd1e227d2834078f68f82baf818a86980005d058759559077910d041
Instruction Fuzzy Hash: 0FE08C70522348CFCB64EFB0C449689BBB0FF44340B1410E5E8168F268CB3AE982CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F00470 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5f235b774bea6d21f90a15596342d42b7777ff35f977435e99545eff620041
Instruction ID: 20a10659107b89843a112ac9b0fa82bf7e41f485726892bd1469609d32b032db
Opcode Fuzzy Hash: fa5f235b774bea6d21f90a15596342d42b7777ff35f977435e99545eff620041
Instruction Fuzzy Hash: 41C012B141520C9FC310DAF4940975A7AA8E705212F585454E808C3140DE75C460D695

Uniqueness

Uniqueness Score: -1.00%

Function 07F00ADD Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce331ca1aeaa2a753b38559c6331ac1f22997e143c3805db4cbd1b4c2b9dba1
Instruction ID: f0c19d7426099edd31228cf8046ae871bd336c05681fd5bd76929267d64cda03
Opcode Fuzzy Hash: 7ce331ca1aeaa2a753b38559c6331ac1f22997e143c3805db4cbd1b4c2b9dba1
Instruction Fuzzy Hash: 76D012309011198FCB94CF64D981B9CB7BAFF48200F10E695E00993164DB745E89CF44

Uniqueness

Uniqueness Score: -1.00%

Function 07F096A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b42358c296aaa1e965185ba5435414946b2c4ce2446578d28dad5e88270955
Instruction ID: 10834c75ce2dabed375f2e397306d3387e0c9b91da496501039dd800b51ff6c9
Opcode Fuzzy Hash: 10b42358c296aaa1e965185ba5435414946b2c4ce2446578d28dad5e88270955
Instruction Fuzzy Hash: C7C09BFB400141E5D9406564CDD1B459656A775704F9C9452E108D13C0E1655515B667

Uniqueness

Uniqueness Score: -1.00%

Function 07F0CF20 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc3667c887d2b34d49c6cc1f5d19f9b95add2586ae1b1525d569225505c2b75
Instruction ID: da6ff106c5a2eb3e2d0667b2cae1236810296f661e86a3a5c8d0bb5f50682f40
Opcode Fuzzy Hash: bdc3667c887d2b34d49c6cc1f5d19f9b95add2586ae1b1525d569225505c2b75
Instruction Fuzzy Hash: 0EC08C700232088FC3102BA4B60D3683A68BB00203F486014F00D029938EA44060C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 07F07E7C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c6bcd60734c433154f8d6558ce61d8a1dd21fdebd5e125f05a243c96ffc4da
Instruction ID: ccf46875219f9f03b34f152d05a21e3924df6d176f18fc1b098cd60d43c7267e
Opcode Fuzzy Hash: 94c6bcd60734c433154f8d6558ce61d8a1dd21fdebd5e125f05a243c96ffc4da
Instruction Fuzzy Hash: B1B092BE1A6240E2880466644AD092AA811EBA2B00B889C516204401D494A4A869F56F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07F0A830 Relevance: 4.0, Strings: 3, Instructions: 253COMMON

Download Yara Rule

Strings

]\`, xrefs: 07F0AAC2
[V~*, xrefs: 07F0A9AC
T+-q, xrefs: 07F0AB7A

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: a3c9f1ee77a97e4fee27f75a89d86476c7620bdeb1a63af75512a909639653d8
Instruction ID: aae224228febb318e5b4402482bf9a6e4a0841bae32d4d505558a0edbcbe994b
Opcode Fuzzy Hash: a3c9f1ee77a97e4fee27f75a89d86476c7620bdeb1a63af75512a909639653d8
Instruction Fuzzy Hash: 0EB1F3B5E15219DBCB04DFAAD98189EFBF2BF89300F18D52AD415AB358D33099029F94

Uniqueness

Uniqueness Score: -1.00%

Function 07F01C38 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

7Z/t, xrefs: 07F01D5B
[[bb, xrefs: 07F01DAB
RWIK, xrefs: 07F01CB2

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: 7Z/t$RWIK$[[bb
API String ID: 0-1157992699
Opcode ID: 79f8acd524b2cdadd69f164ad3c3c8559bc37e4c9180add26682317935cf4f5e
Instruction ID: 92705195aba734750796534446e822935531449ba63a348d72e709256a60cbb8
Opcode Fuzzy Hash: 79f8acd524b2cdadd69f164ad3c3c8559bc37e4c9180add26682317935cf4f5e
Instruction Fuzzy Hash: BA5118B5E1520ACFCB18CFAAC4815AEFBF2BF89310F18D169D415A7394D7349A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 07F01C48 Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

7Z/t, xrefs: 07F01D5B
[[bb, xrefs: 07F01DAB
RWIK, xrefs: 07F01CB2

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: 7Z/t$RWIK$[[bb
API String ID: 0-1157992699
Opcode ID: b7211304970318c6a17d9db9db20861c7d4cf807140cf2eb63d3c0c53fe7f886
Instruction ID: 1b55e71d7f612a7f17d8672facbd9be8e2cabfaeafc20239143feb01cc609741
Opcode Fuzzy Hash: b7211304970318c6a17d9db9db20861c7d4cf807140cf2eb63d3c0c53fe7f886
Instruction Fuzzy Hash: 855107B1E1520ACFCB18CFAAC4415AEFBF2BF89300F18D569D415A7354D7349A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 07F004A8 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0, xrefs: 07F0051D

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3abbd8e5a270ed7ba2e8d4282ceb2fe4c869255ae12236827126c1186b384b7d
Instruction ID: c142c57efd91c10058ecb13e832264db4497bbc1ca2c57b44b1219bb3419db2b
Opcode Fuzzy Hash: 3abbd8e5a270ed7ba2e8d4282ceb2fe4c869255ae12236827126c1186b384b7d
Instruction Fuzzy Hash: 0521C5B1E016189BEB18CFABD84079EFBF7AFC8200F14C0AAD518A6254EB344A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 07F00499 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

0, xrefs: 07F0051D

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8fc935e7fd6e313d0c67bab54cd0b527e56b0ab3ef13140373a49a8dbe96f8b2
Instruction ID: bd2b5ce5e8a1940b7f0398e583d9a729833e38d5a17691768a9662c8b86a6635
Opcode Fuzzy Hash: 8fc935e7fd6e313d0c67bab54cd0b527e56b0ab3ef13140373a49a8dbe96f8b2
Instruction Fuzzy Hash: CC21BAB1E006188BEB58CFABC95079EFAF3AFC8300F18C56AD418B6354EB344A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 08283300 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0375340a807227d9ffb14f70522d150f44ea1aaa7cf8158dc010bc61296e71
Instruction ID: 67f558731fa73dc64068d38fbd74a213efa0c447ef3347929f21f87f6147bbe6
Opcode Fuzzy Hash: 7c0375340a807227d9ffb14f70522d150f44ea1aaa7cf8158dc010bc61296e71
Instruction Fuzzy Hash: 91E10374E11219CFCB14DFA8C5849AEBBF2FF89305F248169E405AB356D735A942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 082813B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd539fe2585fca5e671cfd59af121983ad7c8eb314b62a61c3fc06c5512c5e15
Instruction ID: 3f79531123d6b8f7409125fe247851ab7a4b58e923910161c30ce8caf0bd6e76
Opcode Fuzzy Hash: dd539fe2585fca5e671cfd59af121983ad7c8eb314b62a61c3fc06c5512c5e15
Instruction Fuzzy Hash: A6E12674E11219CFCB14DFA8C5809AEBBF2FF88305F248169D415AB396D731A942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08281C28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbe9232e8a2b1b9e28f0190cee2ac268aeee3ba426843b6a2c3ca7cf5d8bd11
Instruction ID: e8f709c3e952db7dd0e757c04d5942149fe816f6877442e912e312e98d2d4759
Opcode Fuzzy Hash: 5dbe9232e8a2b1b9e28f0190cee2ac268aeee3ba426843b6a2c3ca7cf5d8bd11
Instruction Fuzzy Hash: 76E1F674E11119CFCB14DFA8C5809AEBBF2FF89305F24816AE415AB396D731A942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 08282EC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a08749589487f363ec203c4600bf9c1dcf8986f05edbc476150f59e13057cf
Instruction ID: 3a64b93981918f8095fc5914243276d6686e41f69e26efa3476624777ba1b342
Opcode Fuzzy Hash: e2a08749589487f363ec203c4600bf9c1dcf8986f05edbc476150f59e13057cf
Instruction Fuzzy Hash: 25E10474E11219CFCB14DFA9C5809AEBBF2FB89305F24816AD405AB356C731A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 082817F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ae78d40521eda582b6a9b7a0330d99f946b78872e5d95c2cb91b23e88fc4c1
Instruction ID: 430feb82f5a71240d16e4855d22d8485cce87b3d9ce6b6d12ed6eea92e003813
Opcode Fuzzy Hash: a4ae78d40521eda582b6a9b7a0330d99f946b78872e5d95c2cb91b23e88fc4c1
Instruction Fuzzy Hash: 3BE10574E11219CFCB14DFA8C5809AEBBF2FF88305F248169D815AB396D731A942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07F08C4F Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296bc8bfe06c356543f40476bbda3e45f914284702e7c2c424ec9467fc44bbf0
Instruction ID: 1102473177ed96c2c8c5dd17ffd547810bd4452e188e4cefeb3f5de518cc9e9d
Opcode Fuzzy Hash: 296bc8bfe06c356543f40476bbda3e45f914284702e7c2c424ec9467fc44bbf0
Instruction Fuzzy Hash: 2FD12835D2075A8ACB11EB64D990AADB775FF99300F10D7AAD04937250EB74AEC8CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07F08C60 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73473ca515d2f77f7ff5b8ba9176d29e3eed4fd171655a04474c5d751bd0e3c9
Instruction ID: 97fee8c376d3f5f981e57c52a8eeca7b00ff2c44048181d110ce5a3e086fd7be
Opcode Fuzzy Hash: 73473ca515d2f77f7ff5b8ba9176d29e3eed4fd171655a04474c5d751bd0e3c9
Instruction Fuzzy Hash: 97D11835D2075A8ACB11EB64D990AADB775FF99300F11D7AAD04937250EB70AEC8CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0316E714 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014648424.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5898b96f106d89ac10b5c21b6ab232d05ef3c746d950447c6b617da6009f7c0d
Instruction ID: e99f9ce5c8320407d9dba7c1bf32b6dc2faaab9af29fa04dad83810600d67a72
Opcode Fuzzy Hash: 5898b96f106d89ac10b5c21b6ab232d05ef3c746d950447c6b617da6009f7c0d
Instruction Fuzzy Hash: 97A17E3AA002158FCF05DFF4D94459EBBB6FF88301B15456AE805AF261EB31E926CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07F04400 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e1b767e871f5d078956b41547884f09539ce972c0d2e0fc847162dc9369cb8
Instruction ID: 9b5ad7fbd0b7d66703638727beb259815ef74feea8101b22d288e6e37377cc40
Opcode Fuzzy Hash: 94e1b767e871f5d078956b41547884f09539ce972c0d2e0fc847162dc9369cb8
Instruction Fuzzy Hash: 4481E1B4E14219CFCB44CFA9C5849AEFBF2FF89210F18955AD515AB364D330AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07F043F1 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d1d071ff85178e1a1facd8012daa316f79489e72a2d1a6eed4eb09f1c3f94f
Instruction ID: 29492126bab37eb563d8185849871c1aad0ffad0406a454c3dc4e6658f0fa9b6
Opcode Fuzzy Hash: 80d1d071ff85178e1a1facd8012daa316f79489e72a2d1a6eed4eb09f1c3f94f
Instruction Fuzzy Hash: B6811274E14219CFCB44CFA9C5849AEFBF2FF89210F18916AD515AB364D330AA02CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07F02100 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0129eda45fb24bf9b0e33b3bf585722f97feef5e425d24cdb139cd52ca06cb75
Instruction ID: 6763bdcaff7b534849c25a5d8366dcc85f042732f1511480ddc0cf69c65b2cd8
Opcode Fuzzy Hash: 0129eda45fb24bf9b0e33b3bf585722f97feef5e425d24cdb139cd52ca06cb75
Instruction Fuzzy Hash: A6614BB5E1120ADFCB04CF99D8849AEFBB2FB89320F188066D515A7354D334DA42DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07F02110 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57b6acf95cf071ad0b8a53b4c562d67e78e88e0be860fcfec7eb517c75c79ac
Instruction ID: 74162711fb190d71ad10edbfbae5d0cbb4ba0b397cb29a602b3330dc4e2436d6
Opcode Fuzzy Hash: a57b6acf95cf071ad0b8a53b4c562d67e78e88e0be860fcfec7eb517c75c79ac
Instruction Fuzzy Hash: DC7138B5E11209DFCB04CF99D8849AEFBB2FB89320F148466D515AB354C3349A42DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07F05860 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c7cda8a7f2c6989e220162dee0306a761c33d9b74a2a052ea1feadf6cf7c65
Instruction ID: 658078e41d239914e398c601072374b4f2b213a321fa7ff15de19ff77ede5315
Opcode Fuzzy Hash: 15c7cda8a7f2c6989e220162dee0306a761c33d9b74a2a052ea1feadf6cf7c65
Instruction Fuzzy Hash: 9E6113F092660DDBD700CFA4E18685ABFF1FB89301F28A495D085D7384DBB89275DB84

Uniqueness

Uniqueness Score: -1.00%

Function 07F052B8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfa15fd1d757c3e37e8c0b439f59da3c15c26f1dfe62f30b279a836479d2462
Instruction ID: 22a2d97596f6bba62d95422e63dc174f67e7847dbd4f11374c0fe1a73d713582
Opcode Fuzzy Hash: 8cfa15fd1d757c3e37e8c0b439f59da3c15c26f1dfe62f30b279a836479d2462
Instruction Fuzzy Hash: F46137B5E1420ADFCB04CFA9C9919EEFBB2BF49300F18901AD415A7344D3B49A55DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08281388 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026440077.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8280000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235bdd5837570623de2615a0fca3259121b5d84ec5856b7eca589508ed8e877b
Instruction ID: 8da444534675b973d096d3efb0adfa0584615ba8a86196336edc96a64e9f33b1
Opcode Fuzzy Hash: 235bdd5837570623de2615a0fca3259121b5d84ec5856b7eca589508ed8e877b
Instruction Fuzzy Hash: D6517D74E15219CFCB14DFA9C5405AEBBF2FF89301F24C1AAD418AB292C7309942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F052A8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a2b1fc45a5e44212aee2fff79c3b8ee9e9ad3e6cce7e1863ca4ec4c6912644
Instruction ID: 20e8220e629bc23e489d1a9856078395efabacbb9235572ee19f733b628effac
Opcode Fuzzy Hash: b9a2b1fc45a5e44212aee2fff79c3b8ee9e9ad3e6cce7e1863ca4ec4c6912644
Instruction Fuzzy Hash: 165129B5E1420ADFCB04CFA9C9819EEFBB2BF49300F18941AD415A7384D3B49A56DF91

Uniqueness

Uniqueness Score: -1.00%

Function 07F07538 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00c1b253307f4d8de2c326ddca6f44dca30e55641d9660c3e32849f13cecd5a
Instruction ID: 7e329ed52b9e03fcd329d804965b42f4a61a3837beccee6163641d39338644f3
Opcode Fuzzy Hash: d00c1b253307f4d8de2c326ddca6f44dca30e55641d9660c3e32849f13cecd5a
Instruction Fuzzy Hash: E75125B1E1521ADBCF04DFAAD4855AEFBB2FF89210F14946AE005B7354D734AA418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 07F07529 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e73256723e5f0b3977c323f7ba81cf04c88351edef11dfe9c4dc37e80800b0
Instruction ID: 1056e7ccadd5aa0347e13c2f13d5dcf5056933a95b53f0978a57b35f74079c3f
Opcode Fuzzy Hash: 72e73256723e5f0b3977c323f7ba81cf04c88351edef11dfe9c4dc37e80800b0
Instruction Fuzzy Hash: 555139B1E1121ADBCF04DFAAD5855AEFBB2FF88310F14946AE401B7354D734AA418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 07F05618 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff26c46a830cf76dc28a1c33673d48be6f4e6afdd4c8def514a9fcdbaaea9e3
Instruction ID: 229102a7bc7d41c15047c667333c323df1d035846c6925c2f7121cad66caa61e
Opcode Fuzzy Hash: bff26c46a830cf76dc28a1c33673d48be6f4e6afdd4c8def514a9fcdbaaea9e3
Instruction Fuzzy Hash: EA5106B5E01209DFCB04CFAAC9855AEFBB2FF89310F18C16AD815A7340D7749A519F94

Uniqueness

Uniqueness Score: -1.00%

Function 07F05628 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65c082e15af0b3f9f36088c37aa3fb2645be0e0c1b8f32aae6978f055d64ec9
Instruction ID: 075b4ea87ff7425c7b2cab752797fb8a26fa5b9af4fb2940c42e605679ef47da
Opcode Fuzzy Hash: e65c082e15af0b3f9f36088c37aa3fb2645be0e0c1b8f32aae6978f055d64ec9
Instruction Fuzzy Hash: 0841E4B5D1020ADFCB08CFAAC4859AEFBF2BF89300F14D12AC815A7344D7749A619F94

Uniqueness

Uniqueness Score: -1.00%

Function 07F03A11 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95afa82b3ec422f36ab5858bc9d98c93c6a41625552f0c20bd0d495e0af0ecbb
Instruction ID: cbfb708caea97ad8dc196670401ee79e5f0e4f7ba4dc56fe4d33556edb7be659
Opcode Fuzzy Hash: 95afa82b3ec422f36ab5858bc9d98c93c6a41625552f0c20bd0d495e0af0ecbb
Instruction Fuzzy Hash: A74127B4E152198FCB04CFA9C9805AEBBF1FF89210F19952AD415B73A4D7349A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07F0A840 Relevance: 5.1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

Strings

[V~*, xrefs: 07F0A9A5
[V~*, xrefs: 07F0A9AC
]\`, xrefs: 07F0AAC2
T+-q, xrefs: 07F0AB7A

Memory Dump Source

Source File: 00000000.00000002.2025786625.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f00000_PO No.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: 387f41628d9e352983893eae27f2e36a32af7f472f59328c9764ea02528e908e
Instruction ID: 4bd40aea821c6eac1feac361940dc80eaf86efc1b83af2886d76f2d74170c00e
Opcode Fuzzy Hash: 387f41628d9e352983893eae27f2e36a32af7f472f59328c9764ea02528e908e
Instruction Fuzzy Hash: 992178B1E116598BDB08DFAAC94459EFBF3BF89300F18C12AD418AB354DB745946CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO No. 2430800015.exePID: 6508, Parent PID: 2968COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	5

Executed Functions

Function 014AC5CB Relevance: 2.7, Instructions: 2724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbdfb6d0de8d04c3b559adfb61de2dc2abfcc535618b52bf27c6e490f5e554a
Instruction ID: 84c6c268e15c84874ebcbcfb6fb05bcd3c366b6c0fd44d30c87ce2c2f031f396
Opcode Fuzzy Hash: 4fbdfb6d0de8d04c3b559adfb61de2dc2abfcc535618b52bf27c6e490f5e554a
Instruction Fuzzy Hash: 6953F831C10B1A8ACB51EF68C8905A9F7B1FF99300F55D79AE45877221FB70AAD4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014ADBD8 Relevance: 2.3, Instructions: 2314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee3175644ef46ae858238981c02d79fc5b3b9d3a4bb53db187e1726677ee773
Instruction ID: 1c474e5dd6ab94ed194c73a7c326ea474cd46a565967bf4f9fe42fac9d0cc077
Opcode Fuzzy Hash: 7ee3175644ef46ae858238981c02d79fc5b3b9d3a4bb53db187e1726677ee773
Instruction Fuzzy Hash: 13333F31D107198ECB11EF68C8905AEF7B1FF99300F55C69AE459B7221EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014A4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc039a905c99a9597204b46787f243893c12d7673876366d45441f6923035621
Instruction ID: 763ec1243693e15adf955900ff2e4e232b0bc07be2c10aa52a287960a1b0ce9e
Opcode Fuzzy Hash: bc039a905c99a9597204b46787f243893c12d7673876366d45441f6923035621
Instruction Fuzzy Hash: FFB14470E002098FDF14CFA9C98179EBBF2AF98714F5D852AD419E7364EB749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014A3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3dfc8a6e468547d1bd1329a21731baf20ed9fc3d74be5540be2d66e2fc3567e
Instruction ID: 37d8fe6a94e16ee551abeeaaacc341dc15cfa405f07a65454bcc25857d20829b
Opcode Fuzzy Hash: f3dfc8a6e468547d1bd1329a21731baf20ed9fc3d74be5540be2d66e2fc3567e
Instruction Fuzzy Hash: 26916170E002098FDF10CFA9C9957DEBBF2BFA8314F59812AE415A7364EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06ACE928 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3248973230.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ac0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f2eb0536780d239b32d8490830acad02e5d9e5dddf537904f237a0695ce896
Instruction ID: 6b1f39f8a1647e821c7eadefe8d53275dc1f316327577fd443ab91bf74f2d014
Opcode Fuzzy Hash: 41f2eb0536780d239b32d8490830acad02e5d9e5dddf537904f237a0695ce896
Instruction Fuzzy Hash: C9412472D043958FC710DFA9D8142AABFF5BF89220F0585ABD404E7251EB389841CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06ACEA10 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 06ACEA77

Memory Dump Source

Source File: 00000008.00000002.3248973230.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ac0000_PO No.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4652cf598b55390b3d642a69abaf2cd3bc5b986eac562b790fc8e6111d96b94a
Instruction ID: 922620efbd8af286718cf12187233ddeed3776b1cf4712487bc287570814b311
Opcode Fuzzy Hash: 4652cf598b55390b3d642a69abaf2cd3bc5b986eac562b790fc8e6111d96b94a
Instruction Fuzzy Hash: 6211EFB1C006599FCB10DF9AC544AAEFBF8BF48720F15816AE818A7250D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014A7D88 Relevance: 1.4, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 014A7E1C

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 4486c815e507cac91295653145f5adfb4f9d108f2b0e58126e19da9eea7755d8
Instruction ID: fceded26c695ec37e6ddd05b3d95194374862aab81992a69a3035b65f797ef23
Opcode Fuzzy Hash: 4486c815e507cac91295653145f5adfb4f9d108f2b0e58126e19da9eea7755d8
Instruction Fuzzy Hash: E031B030E00209DBEB25CF69C44479FB7B1EF9A311F618866E501FB360EB71AC468B51

Uniqueness

Uniqueness Score: -1.00%

Function 014A7D98 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR]q, xrefs: 014A7E1C

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: a06ad8e90ad3389f12664579a120829eeea9ba591d06d4c31990a8a25e92ad31
Instruction ID: 09c672016b25ec8e363dbb3ce92d38aaef79b4561b53697b8d73d728894b2dc4
Opcode Fuzzy Hash: a06ad8e90ad3389f12664579a120829eeea9ba591d06d4c31990a8a25e92ad31
Instruction Fuzzy Hash: 8831A031E10209DBDB25CFA8C44069FB7B1EF99311F518426E505F7350EB71AC428B51

Uniqueness

Uniqueness Score: -1.00%

Function 014A0838 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Ko, xrefs: 014A0898

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 4119f4266dc294cc931901a71c724718fb179475871b363df750b67fc6df479b
Instruction ID: edb34e134425dbf93c6236fd68b2a80830c19e2e47319513cf020cb86c0bf2ed
Opcode Fuzzy Hash: 4119f4266dc294cc931901a71c724718fb179475871b363df750b67fc6df479b
Instruction Fuzzy Hash: D2110430E012054BEF265A78D41436F37A4EF52314FA2497FE002DB3A6CA74CC458BC9

Uniqueness

Uniqueness Score: -1.00%

Function 014A0848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Ko, xrefs: 014A0898

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 593d7e2fac69e3ea7fc655ddf8dbf79a6f7ef198b0e79502296fa5444b34865e
Instruction ID: 2fc3a5f17d07743ba57958a753dff5ce1af94838b86af4ffebb75b76ed5acbc8
Opcode Fuzzy Hash: 593d7e2fac69e3ea7fc655ddf8dbf79a6f7ef198b0e79502296fa5444b34865e
Instruction Fuzzy Hash: 2A119D30B012094BEF655A7DD55472B36A9EB91210FA2493EE006CB3B6DA74DC458BC9

Uniqueness

Uniqueness Score: -1.00%

Function 014A86D8 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ba66b3afb9f2cb68fcd86d68198ef551f80bb6f6deefed1f5737305959cf2a
Instruction ID: 68d26625b06b3ce49521e96add75d29a8a937c88b5100558f097960b482e9955
Opcode Fuzzy Hash: 77ba66b3afb9f2cb68fcd86d68198ef551f80bb6f6deefed1f5737305959cf2a
Instruction Fuzzy Hash: A322D17070110A8FEB2ABB2CE49662D77A6FF95701B504A7AE001DB369DF35EC46C790

Uniqueness

Uniqueness Score: -1.00%

Function 014A8728 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9983a24fd74afffe14a2b1cc0c2cf14de7ccf52642d81d32896546c4a913179
Instruction ID: 1955a597296b433db8c1734f31c2f5523f22acf2860343fd36b682bef1c09ce5
Opcode Fuzzy Hash: b9983a24fd74afffe14a2b1cc0c2cf14de7ccf52642d81d32896546c4a913179
Instruction Fuzzy Hash: 6C12B07070110A9FEB29BB2CE49662D77A6FF95701B604A3AE001DB369DF35EC46C790

Uniqueness

Uniqueness Score: -1.00%

Function 014A8738 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a64ca560e27fca442769dbe2689075e9be1134f1222587a239d982add872e8
Instruction ID: 5b0297c0c1480acc659054dc8af8e095212862325c0f66e2507c86e1e25d34d4
Opcode Fuzzy Hash: 30a64ca560e27fca442769dbe2689075e9be1134f1222587a239d982add872e8
Instruction Fuzzy Hash: D912B17070110A9BEB29BB2CE49662D76ABFFD5701B504A3AE001DB369DF35EC46C790

Uniqueness

Uniqueness Score: -1.00%

Function 014A4A8C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde78c7fd2dec50d0b3a56c200e2885c57e1829292f10259071c459dc52ea5c6
Instruction ID: a52a8b75adb4be63b29cc09c57a4383ab0ba0ca000efa1eb04661402711ae27e
Opcode Fuzzy Hash: dde78c7fd2dec50d0b3a56c200e2885c57e1829292f10259071c459dc52ea5c6
Instruction Fuzzy Hash: 8BB15270E00209CFDB10CFA8D9857DEBBF1AF58714F5D852AD418A7364EBB49846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014AA252 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fbca6eefe9683574b7df48f326ff5af6e8b6ffa659177861adf903712fdd69
Instruction ID: 34d57e06261b24226ce05ac07d9d43772816a772b82af9055e9fd127036d85a9
Opcode Fuzzy Hash: 43fbca6eefe9683574b7df48f326ff5af6e8b6ffa659177861adf903712fdd69
Instruction Fuzzy Hash: 72A16F34A002058FDB15DF68D994AAEBBF2FF98310F65846AE405EB365DB35EC46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014A3E74 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff2328b0e8556ba8c7aa88e3c0b465e92a15658897c9b81e83a552c1eddf979
Instruction ID: f05b2c4e456f95f9d700be3fc58e90ef7edd9754a651b1372a49fae92b8ae07c
Opcode Fuzzy Hash: eff2328b0e8556ba8c7aa88e3c0b465e92a15658897c9b81e83a552c1eddf979
Instruction Fuzzy Hash: F2A15DB0E002099FDB10CFA8C9957DEBBF1BF68314F59812AE414A7364EB749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014AA6B8 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1caa25d12af5fcfe4c3046e479d84b10d7e138ddfcc59b840ba2f6c2b52610f
Instruction ID: d9afdca1624aa5523be4b21b7907417f76d58bc50793d43846cc44485f9bed2c
Opcode Fuzzy Hash: c1caa25d12af5fcfe4c3046e479d84b10d7e138ddfcc59b840ba2f6c2b52610f
Instruction Fuzzy Hash: 10819071A002058FDB04CF69D884B9EBBF5FF98310F65C16AE9099B3A5DB70D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014A4804 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fc48f8190fba86c8ecb0adc7682e241ddc744ad310fb75477d006392d3112b
Instruction ID: 7de06ce998e3ed9e78e7c2578b0d7ad90d89e8f7236d8eaf142447b1d54632a3
Opcode Fuzzy Hash: 22fc48f8190fba86c8ecb0adc7682e241ddc744ad310fb75477d006392d3112b
Instruction Fuzzy Hash: ED719DB0D00249CFDB10CFA9D9517DEBBF1BF98314F59812AE418A7364EBB49842CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014A4810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcd132a1e8c615294a70093544fbf2a0cd5e986d7a1dee61e2e04d60de8fe41
Instruction ID: 297f39c823a71e7b5df3418cdd8964c38f486ba01eecdd3aaab69dab22a301ad
Opcode Fuzzy Hash: 4fcd132a1e8c615294a70093544fbf2a0cd5e986d7a1dee61e2e04d60de8fe41
Instruction Fuzzy Hash: 19719F70E00249CFDF10CFA9C95179EBBF2BF98314F59812AE414A7364EB749842CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014AA500 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6741230913da89896f69039c5fd0c22f49ea0c14fb32f811fe25ba27b35dc6
Instruction ID: c2f2010a8eaeb7a1162163043e8be21bc99d9fa158aebea6c60a536b5743e9fd
Opcode Fuzzy Hash: 4d6741230913da89896f69039c5fd0c22f49ea0c14fb32f811fe25ba27b35dc6
Instruction Fuzzy Hash: 3E41D430B0020A8BDF25DA6DD99076F7766EBD6210FB1482BD049C73A1D735D846CB82

Uniqueness

Uniqueness Score: -1.00%

Function 014A112B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791e9362d49fb83773da1cba31bd4639880f251aa1c37615e8e4c77565f4cf31
Instruction ID: 0b719a4d41ca778a0fa1ab34d09a9a20b0ff0b79268c7cee7448b6a8f0e3788d
Opcode Fuzzy Hash: 791e9362d49fb83773da1cba31bd4639880f251aa1c37615e8e4c77565f4cf31
Instruction Fuzzy Hash: CE51617061124A9FCB06EF38F9B29583F75FB96304308497AD0259B23EE730AD49DB90

Uniqueness

Uniqueness Score: -1.00%

Function 014A6CDF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0361ab461112c49464efe578312d1bc10e77e873e6526f5c20a688b3159a62e4
Instruction ID: fd65c83cd0bc1b1a8637267f3e516e3c3767998bb56e4bcaa2ae0db8dd363bab
Opcode Fuzzy Hash: 0361ab461112c49464efe578312d1bc10e77e873e6526f5c20a688b3159a62e4
Instruction Fuzzy Hash: 92513570D002188FDB14CFA9C844B9EFBB1BF58710F5A811AE819BB3A1D774A841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014A6CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b5c4fc00bc1f278c793759daa2357eefba5e850ab984142e9e3baead812e97
Instruction ID: 609ad69c11bbf0e337a1b5e1e91993ac5182fb2d9fadd102bde57b8614ad5299
Opcode Fuzzy Hash: f6b5c4fc00bc1f278c793759daa2357eefba5e850ab984142e9e3baead812e97
Instruction Fuzzy Hash: 60513571D002188FDB14CFA9C844B9EFBB1BF58710F5A811AE819BB3A0D774A841CF95

Uniqueness

Uniqueness Score: -1.00%

Function 014A6F6B Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3277f9c8640befa3dde3b9a2c1579321b03dd07a7524cf4bdf01a8af9940c8
Instruction ID: 755ce4f59947c7dc2cdb3fb089b879a2351754aaed935e0cc2159f792bfdff1d
Opcode Fuzzy Hash: bf3277f9c8640befa3dde3b9a2c1579321b03dd07a7524cf4bdf01a8af9940c8
Instruction Fuzzy Hash: DA417A78750215CFDB14DB68C468AAE7BF6AF5D301F62406AE402EB3B5CB75AC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014A1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c44d1c40a151ac75cd172f4b82badead02f0cb6dfb64797f0951aa298865c4b
Instruction ID: 2e027777ba9ed65b40f4b80296ef558e62968fb0f06665dfb30ff44320efe9b9
Opcode Fuzzy Hash: 9c44d1c40a151ac75cd172f4b82badead02f0cb6dfb64797f0951aa298865c4b
Instruction Fuzzy Hash: A251FB3161224A9FCB0AFF28F9B29583F75FB963043084979D0255B23EDB30AD49DB91

Uniqueness

Uniqueness Score: -1.00%

Function 014A26DC Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c7e04543050c1d254be1539cd22622e0e20567f166e9995fc1a52ecc7e02ec
Instruction ID: bc7229e9aa1863509f08481486647c776e80bf3374a3bc9ac51d913b367f9e97
Opcode Fuzzy Hash: a0c7e04543050c1d254be1539cd22622e0e20567f166e9995fc1a52ecc7e02ec
Instruction Fuzzy Hash: BD41FFB4D00249DFDB14CFA9C584ADEBFB5FF58310F64802AE409AB264DB759946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 014A26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857197979d3c00e5e8adf7990d1a49113c9ffdce672c4531bbcdcecff5b526af
Instruction ID: fa650fe8c1a516eb2866eef7d27876c54dca7f2e020498c8876a37c127254688
Opcode Fuzzy Hash: 857197979d3c00e5e8adf7990d1a49113c9ffdce672c4531bbcdcecff5b526af
Instruction Fuzzy Hash: 8641EEB4D003489FDB14DFA9C584ADEBFB5FF58310F64802AE809AB264DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014A5099 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f98f503b9d27b176e25b2b92dac86256201c5f7b2a0a8ebcdc3aa88db1e963
Instruction ID: 11e70bcec7be2b130bc68ff5fc1ee9dddb229e578885c54f34ed1356890d8076
Opcode Fuzzy Hash: a6f98f503b9d27b176e25b2b92dac86256201c5f7b2a0a8ebcdc3aa88db1e963
Instruction Fuzzy Hash: D6317E70B00205CFDB15EB78C6646AE77B2AFA9204F51047EC515EB3B5DB369D01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014A50A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e9de73988e389f6f6379d5c887003de67009f4c941e3af0b605d60fa143d40
Instruction ID: 7286e45b11fe8679bdf87a59e2fdded95e1bf7a68f50380f62d31b91cc7ee421
Opcode Fuzzy Hash: a9e9de73988e389f6f6379d5c887003de67009f4c941e3af0b605d60fa143d40
Instruction Fuzzy Hash: DF317A70B00205CFDB14EB38DA646AE77B6AFA9204F52047DC502EB3A5DF369C01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014A16A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d96ed86f56dbe961188ac28e976744a421aebadcee48c6e76d8d67a69b022b6
Instruction ID: 4a963a49f6b053956f88ebaa0fdbeee91d214375f467ac3a719b98e258421b03
Opcode Fuzzy Hash: 0d96ed86f56dbe961188ac28e976744a421aebadcee48c6e76d8d67a69b022b6
Instruction Fuzzy Hash: D221B7385041065FDF23AB28E4B4BAA3B65EB55704F514967D01ACB37AD734CC46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014AA070 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf81dd1b0d3c34ffcde549b42c8e5458495134aaa452f580b9f0eaae3b8bb86
Instruction ID: c20417e022fdc52e933fa804e86aeec5e4c00c17c15a69e993ab7c2743a1abc6
Opcode Fuzzy Hash: ecf81dd1b0d3c34ffcde549b42c8e5458495134aaa452f580b9f0eaae3b8bb86
Instruction Fuzzy Hash: DD31C371E0020A9BDB15DF69D89469FFBB2FF95300F61C61AE405AB350DB70A846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014AA080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3ade01ddd83d8a50065f3e0ad5b70db305294dfa6f7f4d9d4853844c293b45
Instruction ID: e5cced5c055c089b12b91741fada0d8c6d50cc7f28111c48e5f04db2ec286928
Opcode Fuzzy Hash: fe3ade01ddd83d8a50065f3e0ad5b70db305294dfa6f7f4d9d4853844c293b45
Instruction Fuzzy Hash: 0B218271E0420A9BDB05CF69D89469FF7B2FF99300F61C61AE805EB351DB71A846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014A9F70 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbafef2cdd74953093763e8949832371fb05997e1253877d1ec58dd5ec5105d
Instruction ID: 78ea9a118d50549af51d9fdfe1ce835d39feb7f65011066b29f034d0e2d67fe3
Opcode Fuzzy Hash: 2fbafef2cdd74953093763e8949832371fb05997e1253877d1ec58dd5ec5105d
Instruction Fuzzy Hash: 5E21B031E0420A8FCB15CFA4C4506DEBBB2AF99304F61855BF815BB3A1EB71A846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014A1380 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b674809ee6772a541499250e7c769b157bc4d2113ce14c109a1390e12f32f6
Instruction ID: a7965e4bea55e27bd2bdc9d03a069802386df072195a5185726e03d3104213e8
Opcode Fuzzy Hash: 40b674809ee6772a541499250e7c769b157bc4d2113ce14c109a1390e12f32f6
Instruction Fuzzy Hash: 7D21C6706002178BEB365A6CE0A876E3B65E716715F91087BE446CB3B6DA35CC84C741

Uniqueness

Uniqueness Score: -1.00%

Function 014A4F88 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3590402bc6552078c332409899f99cdd352dbb12a2f98cb8633f99491c64d5ff
Instruction ID: 8be43a57a221dd152bb1cd8000b55f260823b4258593debdde95f355606ceb96
Opcode Fuzzy Hash: 3590402bc6552078c332409899f99cdd352dbb12a2f98cb8633f99491c64d5ff
Instruction Fuzzy Hash: 15217AB0B40205CFDB14EF78D56869E77F1AF9D204B1004A9E406EB3B5EB358C01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0145D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234141494.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_145d000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b815764ded6301c170f28d4445834fe04ebd331b905c0a78026d73e27986cd70
Instruction ID: b7ad2b1dfcaf5268adf87b868cfbb8b8269e2301bc031c72d1199abf1444cc84
Opcode Fuzzy Hash: b815764ded6301c170f28d4445834fe04ebd331b905c0a78026d73e27986cd70
Instruction Fuzzy Hash: F92103B19042049FCB55DFA8C980B26BB65FF88718F20C56AED490B363C73AD447CA61

Uniqueness

Uniqueness Score: -1.00%

Function 014A1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070deae45080c8a00d24bdc86bd8e8adeda00b11f6f9e80fbeb14d20972f0726
Instruction ID: 0b943dd208a2fc1c8adcecc08335eb9e4ec1dcae87806d1f37a5a023f5d17011
Opcode Fuzzy Hash: 070deae45080c8a00d24bdc86bd8e8adeda00b11f6f9e80fbeb14d20972f0726
Instruction Fuzzy Hash: 1B214A30B40209CFDB14EB68C5246AE77FAAB99604F51046AC106EB3A4EB368D00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014A9F80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efba4af25e9d59105be0f7b10effe8647733c5c80151b60ccd44c3336c5914f3
Instruction ID: d0a75bd3b9a86eb639d77e789e0854ed2e43736d84b7303827d900242d4ae855
Opcode Fuzzy Hash: efba4af25e9d59105be0f7b10effe8647733c5c80151b60ccd44c3336c5914f3
Instruction Fuzzy Hash: 9921B030E0420A8BCB19CFA9C45069EF7B6AF99304F61851BF815BB3A0DB70A846CB41

Uniqueness

Uniqueness Score: -1.00%

Function 014A16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f47e73eabf44546d7137d87935cb0e377eca1addf8b62f1f3dfb5dbfee5d37e
Instruction ID: eeada8c49bfa65349e52372b2d20a9a99e43cdf423127b681628887fc96f3833
Opcode Fuzzy Hash: 7f47e73eabf44546d7137d87935cb0e377eca1addf8b62f1f3dfb5dbfee5d37e
Instruction Fuzzy Hash: 902181386001065FDF22EA28E8B4B5A3B69EB55704F515A37D01ACB37ADB34DC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014A1879 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c800f36134e00af448ae4501606a13c9a417e077b5669b5277eb7f88a678a6fc
Instruction ID: f8920e8161c788a85bd30c0a60e38d55a63c65f3d40b2ae7e74746086bdeeb9d
Opcode Fuzzy Hash: c800f36134e00af448ae4501606a13c9a417e077b5669b5277eb7f88a678a6fc
Instruction Fuzzy Hash: 30216D70B00205CFEB14EB68C5647AE77FAAFA9604F61046EC106EB3B1EB368D01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014A4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99c0248ae0d9eff492661bb058225facd810a17fb755e4272caef29c7f99e7d
Instruction ID: d90f46c9ec2e4c45d37c1f99b6079bb1908c02bff6152d1947909325098c5b16
Opcode Fuzzy Hash: c99c0248ae0d9eff492661bb058225facd810a17fb755e4272caef29c7f99e7d
Instruction Fuzzy Hash: 3E215CB0740204CFDB14EF79D558A9E77F1AF99204F110469E406EB3B5EB729D00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014A148B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193f5df3a936bcd8a13191b7444c09470d23ef2bdd200a8d2bc7e84e44f27e52
Instruction ID: af37169a61a43f5ff63a1d4591dc639f223d9c900f9f3dcb0082d8ce5afaaf45
Opcode Fuzzy Hash: 193f5df3a936bcd8a13191b7444c09470d23ef2bdd200a8d2bc7e84e44f27e52
Instruction Fuzzy Hash: 9111E231A012158FCF21EFBD94501AE7BA4EF69610F5600BBE445EB321D635D8828791

Uniqueness

Uniqueness Score: -1.00%

Function 014A17C3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f6cd32d17d831e49945e194990c2aa036e5fae1c9ab90a6c96a368b2b97917
Instruction ID: 1a17e10856ea8c7f35f0aaca9c76f2ee188f35d516bf53c9f205e7825e40143a
Opcode Fuzzy Hash: b9f6cd32d17d831e49945e194990c2aa036e5fae1c9ab90a6c96a368b2b97917
Instruction Fuzzy Hash: EE112276F003429FCB11ABB898542AE7FB6EB88620F210867D459D7391EB348C02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014AA4F3 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e2dd672502864c96f7aa354472df148a2355be546d8381f83530fb8d43d5fb
Instruction ID: ea83e6e1883e86b940e0a1aef4af463eb1f9a197148fe9f0b3b5d58b1aa5042f
Opcode Fuzzy Hash: 75e2dd672502864c96f7aa354472df148a2355be546d8381f83530fb8d43d5fb
Instruction Fuzzy Hash: 4E11C831B0021A4FCF159FB9C8906AF7B76FB96210F61487AC459DB392D730E845C796

Uniqueness

Uniqueness Score: -1.00%

Function 014A1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d738bfa9e5a797f2ad96dba9ad7bdf9a9659d1ba01b9351772ab97cf3f0422b4
Instruction ID: 12a510132e855bb18a9994c213d8251d59aadf9a1ce92679e9b98bd4648cd404
Opcode Fuzzy Hash: d738bfa9e5a797f2ad96dba9ad7bdf9a9659d1ba01b9351772ab97cf3f0422b4
Instruction Fuzzy Hash: 0A016D31A012158FCF21EFBD88501AE7BE9EB68610F56047AE806E7311E675E8418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0145D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234141494.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_145d000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 65ef3bd6c613963932830b509c2b1597a40d5f4f285624327472c8398568a77d
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: E511AC759042448FDB16CF54C5C4B16BB61FB48218F24C6AADC494B363C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AA6B3 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ae177adcfc6f4ca927fa0c7d8bbe237dcdb4af95dc7331f388b942ee12ce7d
Instruction ID: 0fe969142798f2951622f84b1389d050f4e71dafb2e4c800cfc2ae6990c8ae87
Opcode Fuzzy Hash: 67ae177adcfc6f4ca927fa0c7d8bbe237dcdb4af95dc7331f388b942ee12ce7d
Instruction Fuzzy Hash: 6401D630A001048BDB04DF99D984B8BBBB9FF94710FA48175C8081B3AAEB70ED05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 014A8F10 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ab7ab6553c5f18634cfe690f9da268aca8f636918f2ebb1502816906ff7cc6
Instruction ID: d356a559a3bca35bd5fe6564347a41147b3439d14a93c849dfa245b53e3acdbb
Opcode Fuzzy Hash: e0ab7ab6553c5f18634cfe690f9da268aca8f636918f2ebb1502816906ff7cc6
Instruction Fuzzy Hash: 4701447590424EDFDB06EFB4F96499C7FB5EF45204B1046EAC0049B269EB316E0ECB52

Uniqueness

Uniqueness Score: -1.00%

Function 014A1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f198d32b2fe031f0e9c0f2bc2a5a3a2ed05f3e2b22b2871a7b851909b5e4188
Instruction ID: 0cd8c6c299be33a3ef86a5ea781dde600cd1f10f1e08410209fa22b2c0a69047
Opcode Fuzzy Hash: 0f198d32b2fe031f0e9c0f2bc2a5a3a2ed05f3e2b22b2871a7b851909b5e4188
Instruction Fuzzy Hash: 22F0F632A051518FD7229BAC84A01AD7B65EE75511B9E00ABE442EB361D635E442C711

Uniqueness

Uniqueness Score: -1.00%

Function 014A7EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e72bde6594336caef8bc431a54d5ad0499c20b695512be37e148cc845edfd8
Instruction ID: 08a1893b6d8fb76994f94026c02720e31a3d304f319a624dcb1f8892ed81b754
Opcode Fuzzy Hash: 23e72bde6594336caef8bc431a54d5ad0499c20b695512be37e148cc845edfd8
Instruction Fuzzy Hash: 17F0E735B40119CFCB14EB68D5A8BAD77B2EF88316F6144A8E5069B3A0DB35AD06CF41

Uniqueness

Uniqueness Score: -1.00%

Function 014A8F20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c5276cdd6e7648444066adcba02af49125af4e43fe9a562c16bfc8fe2a83b4
Instruction ID: 3629f21ed1238801549753cbc191f8e2b6a365ec867df28044314338d6a5acfd
Opcode Fuzzy Hash: a6c5276cdd6e7648444066adcba02af49125af4e43fe9a562c16bfc8fe2a83b4
Instruction Fuzzy Hash: 91F01D3490010EDFDB09EFB4FA6099D7BB9EF40204F504679C0049B268DB316E098B81

Uniqueness

Uniqueness Score: -1.00%

Function 014A6BF8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3234524666.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14a0000_PO No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac978b3ef5bd013f8b372facbf2116dfb36ab0759257ee396a4ca39d4c619aa
Instruction ID: d942eeee5caa9cf7a94332ab1289b3b5df69cd8606eb72ac610a3b810b5e32a2
Opcode Fuzzy Hash: fac978b3ef5bd013f8b372facbf2116dfb36ab0759257ee396a4ca39d4c619aa
Instruction Fuzzy Hash: 8DF0E5B2B881908FC7059B38A4D849A7FA9EBA522431E019BD5499B216DA3248878BC0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: yHoBWWkdpyxFI.exePID: 2764, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	169
Total number of Limit Nodes:	8

Executed Functions

Function 06E313C0 Relevance: 4.0, Strings: 3, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)", xrefs: 06E3146A
Te]q, xrefs: 06E31429
Te]q, xrefs: 06E315EE

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$)"
API String ID: 0-1081650559
Opcode ID: c2960fd32a7f20b4464531a3f06a1de0a6a19144fbe63b35f92774d011245ee3
Instruction ID: 0c7a3e704fd700a76fc7bffb0471b3e62477b4a063fcff9e5f09491f529dd64d
Opcode Fuzzy Hash: c2960fd32a7f20b4464531a3f06a1de0a6a19144fbe63b35f92774d011245ee3
Instruction Fuzzy Hash: B781C374E006198FDB48CFAAC984AEEFBB2FF88304F24942AD415AB354D7359946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06E313B1 Relevance: 3.9, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)", xrefs: 06E3146A
Te]q, xrefs: 06E31429
Te]q, xrefs: 06E315EE

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$)"
API String ID: 0-1081650559
Opcode ID: 0d27285bb8c2e532faa4df11eedae433a8f71b39afd5626b6ed5954f0a40daca
Instruction ID: bcd41d4189a73a779bfe83d0f7f8a80ca5d33f3c3432c8e1ddceb837a2a96cb9
Opcode Fuzzy Hash: 0d27285bb8c2e532faa4df11eedae433a8f71b39afd5626b6ed5954f0a40daca
Instruction Fuzzy Hash: B581D374E006198FDB48CFAAC984AEEBBB2FF88304F24942AD415BB354D7349946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06E33B90 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

3H5, xrefs: 06E33C30
3H5, xrefs: 06E33C29

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: 3H5$3H5
API String ID: 0-2752242361
Opcode ID: 1abfa1bbaca66a969eb4f19bef313936759b50ee07db90ce4808cfa5033fe612
Instruction ID: 2544c0d23557da50c148a6e2a34f33f56fe884bfa46c99dc239c08f50025d110
Opcode Fuzzy Hash: 1abfa1bbaca66a969eb4f19bef313936759b50ee07db90ce4808cfa5033fe612
Instruction Fuzzy Hash: 0C5187B0E1565ACFCB44CFA9C5849AEFBF1FF89310F14A16AD415AB264E3309A01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0540B306 Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

D, xrefs: 0540B30B

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 86ac4f634887bac10d94a3762387ea9fc67a649e390fd23306fda4502b3d6533
Instruction ID: adeae60d9f28cf4cfb2020a23a2ecd41f18285dc31401ecae7bd750daf7bf5c8
Opcode Fuzzy Hash: 86ac4f634887bac10d94a3762387ea9fc67a649e390fd23306fda4502b3d6533
Instruction Fuzzy Hash: 4652C974A402288FDB54DF68D998A9EB7B6FF89301F1041E9D409A73A5CF34AE81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06E33471 Relevance: 1.7, Strings: 1, Instructions: 452COMMON

Download Yara Rule

Strings

tIh, xrefs: 06E33915

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 4c8f3942f04af2288b131167d0bca227785c4ec40fa4e20e6a0e326f00960528
Instruction ID: 6b35e50495427259c0bcd4abe3fb2cafd939c99b8c8653735a80ee633ae16122
Opcode Fuzzy Hash: 4c8f3942f04af2288b131167d0bca227785c4ec40fa4e20e6a0e326f00960528
Instruction Fuzzy Hash: DC029F74E153A9EFCB84CFA5C488C9FBFB1FB45301B54A0A9E602AB215C735A542CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06E33531 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

tIh, xrefs: 06E33915

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: 037fffe45d56d461b14737ca29ce0199e522508d48c44692124bc5e18c2bcbf4
Instruction ID: 0420bd5c28317f282e5d91029463d150e156253817d5601de6caebbba503ec18
Opcode Fuzzy Hash: 037fffe45d56d461b14737ca29ce0199e522508d48c44692124bc5e18c2bcbf4
Instruction Fuzzy Hash: 82D15B70E1425ADFDB44CF95C4858AEFBB2FF89301B10E159E512AB254DB34EA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06E33560 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

tIh, xrefs: 06E33915

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: ed10774df84a0795c455525d18959d9e914322928a41881b674bce6862b2ea6b
Instruction ID: 890834d755b2c42493c890caa89259239da7e49dfbe2c9f03f529008a2868091
Opcode Fuzzy Hash: ed10774df84a0795c455525d18959d9e914322928a41881b674bce6862b2ea6b
Instruction Fuzzy Hash: 56D13A70E1425ADFDB44CF99C4858AEFBB2FF88301B10E559E512AB254DB34EA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06E365A8 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f3e42073f53ca67120f8f4ffb60a7c790afdbdd8431a04a2b4f101ccffc41e
Instruction ID: 664fcf20eff164b3e96b95038c27b9a6060d5f493934b7d41911dda92799a922
Opcode Fuzzy Hash: 48f3e42073f53ca67120f8f4ffb60a7c790afdbdd8431a04a2b4f101ccffc41e
Instruction Fuzzy Hash: 31914670D15218EFDB48CFE9D5849EDFBB2EB89340F20A42AE016BB264D7349905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06E362A0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94cc766d78fa69c5cd5f484dd3792d7ffc45662b3e4100454b106b89d76c751a
Instruction ID: f44a37de63aa78836c7afaaae0fba43ca2fbbfa3cce3769cdc736acce1fe0bef
Opcode Fuzzy Hash: 94cc766d78fa69c5cd5f484dd3792d7ffc45662b3e4100454b106b89d76c751a
Instruction Fuzzy Hash: B281F074E04229DFDB44CFA9C9849EEBBB1FF8A300F10A56AD401BB264D7359942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06E36291 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a44153a79c738ec18316a1d6ff05e530176ee3a83aa102fed8da73961cd975f
Instruction ID: 840ad4ebdee0585c4ca47e381a636a84e6de60f1621a2e8266bf3277f3548b54
Opcode Fuzzy Hash: 8a44153a79c738ec18316a1d6ff05e530176ee3a83aa102fed8da73961cd975f
Instruction Fuzzy Hash: AE810274E04229DFDB44CFA9C9849EEBBB2FF89300F11A46AD401BB264D7359912CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06E326A0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfbe14761da90e69975de0e718ceefd105be74eb4f52509c9b9b145b23f14ef
Instruction ID: 0f3881d717c0ed192da6921b3e1b00589f7c728328c1629cbd3b1bf15bd1d9ce
Opcode Fuzzy Hash: 1dfbe14761da90e69975de0e718ceefd105be74eb4f52509c9b9b145b23f14ef
Instruction Fuzzy Hash: C0614971E0121A9FDB44CFAAD9845DEFBB2FF89310F24D566D504B7218DB30AA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E760 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d86ba987330b85a46b2ddd0744fb5d4028182a3353f0c4143153486f8abe95
Instruction ID: 9a3c73bd43d76fbcbba397c51d5ce507a9cc319e92e6f8c242cedf22c6e6ceff
Opcode Fuzzy Hash: b6d86ba987330b85a46b2ddd0744fb5d4028182a3353f0c4143153486f8abe95
Instruction Fuzzy Hash: 0E21C3B1D046198BEB58CFABC8487EEBEF6AFC9300F14D06AD40976264EB741945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0540EC10 Relevance: 16.5, Strings: 13, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0540EEFF
fbq, xrefs: 0540EE2D
fbq, xrefs: 0540EE1D
XX]q, xrefs: 0540EC33
$]q, xrefs: 0540EE70
Te]q, xrefs: 0540EC58
$]q, xrefs: 0540EE64
$]q, xrefs: 0540EE42
$]q, xrefs: 0540ED37
$]q, xrefs: 0540EE50
Te]q, xrefs: 0540EC62
fbq, xrefs: 0540EF5F
XX]q, xrefs: 0540EC43

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: fbq$ fbq$ fbq$Te]q$Te]q$XX]q$XX]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-910277667
Opcode ID: 9c9fd7a7c877fb3f6cc042360df2ede62140fde8208a165b846cbf29754c1feb
Instruction ID: 493db8f50ff35fcf27ada10031610e9f483c8faf54f6fcd78b95518f0624eefa
Opcode Fuzzy Hash: 9c9fd7a7c877fb3f6cc042360df2ede62140fde8208a165b846cbf29754c1feb
Instruction Fuzzy Hash: BFB14130A04218DFDB18CF58C544AEEBBBABF84710F7498A6D4426B3D5C735AC62CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0540D26A Relevance: 14.2, Strings: 11, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0540D7CD
$]q, xrefs: 0540D732
Te]q, xrefs: 0540D3F3
$]q, xrefs: 0540D7D9
Te]q, xrefs: 0540D330
Te]q, xrefs: 0540D47A
$]q, xrefs: 0540D73E
Te]q, xrefs: 0540D2DE
Te]q, xrefs: 0540D567
Te]q, xrefs: 0540D513
Te]q, xrefs: 0540D523

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$Te]q$Te]q$Te]q$Te]q$Te]q$$]q$$]q$$]q$$]q
API String ID: 0-2237115325
Opcode ID: bcf170677993a89d3c74e38b7b0897e60f4d13e533647df31458461c60f60765
Instruction ID: 26c7973ef1c3e5dbaa34a10434561243d3805c4db3c329335c6769e06d3c6f6e
Opcode Fuzzy Hash: bcf170677993a89d3c74e38b7b0897e60f4d13e533647df31458461c60f60765
Instruction Fuzzy Hash: 37027230F40208DFDB149FA8C555BBE7AE2BB88700F649476E406AB3D4DA74EC4ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 0540E770 Relevance: 14.1, Strings: 11, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0540EEFF
fbq, xrefs: 0540E933
fbq, xrefs: 0540E8D2
XX]q, xrefs: 0540EADE
fbq, xrefs: 0540E8EC
XX]q, xrefs: 0540EB16
XX]q, xrefs: 0540EBB2
XX]q, xrefs: 0540EBF6
fbq, xrefs: 0540E8C6
XX]q, xrefs: 0540EACE
XX]q, xrefs: 0540EBE6

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: fbq$ fbq$ fbq$ fbq$XX]q$XX]q$XX]q$XX]q$XX]q$XX]q$$]q
API String ID: 0-302525356
Opcode ID: 8a1753457db832ccbb4e3299d79517baa312c3c2e73dd510dc7a9dc5c45333f2
Instruction ID: 4880d9037f4b25e29e8d57538a6ef57b195b5f617b14fcd4ba2b007dc4324f7a
Opcode Fuzzy Hash: 8a1753457db832ccbb4e3299d79517baa312c3c2e73dd510dc7a9dc5c45333f2
Instruction Fuzzy Hash: 3FE16D30A04248DFDB14CFA8C555AEE7BB6BB84300F7498B6E406AB3D5CB349C66CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0540EC29 Relevance: 12.7, Strings: 10, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0540EEFF
fbq, xrefs: 0540EE1D
XX]q, xrefs: 0540EC33
Te]q, xrefs: 0540EC58
$]q, xrefs: 0540EE64
$]q, xrefs: 0540EE42
$]q, xrefs: 0540ED37
XX]q, xrefs: 0540EBB2
fbq, xrefs: 0540EF5F
XX]q, xrefs: 0540EBE6

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: fbq$ fbq$Te]q$XX]q$XX]q$XX]q$$]q$$]q$$]q$$]q
API String ID: 0-4039791027
Opcode ID: 5a3a1f00b14c9918190538e41b704132501e677dcd5d7fd8f05415837747076e
Instruction ID: 15efd239c72c02ff52d068d4edbfd77661ee3fabf5c909dd0ed0b952a616f316
Opcode Fuzzy Hash: 5a3a1f00b14c9918190538e41b704132501e677dcd5d7fd8f05415837747076e
Instruction Fuzzy Hash: 67A13E30A08218DFDB28CF54C544AEEB7BABB85711F3498B7E4025B2D4C735A8B2CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0540E762 Relevance: 9.0, Strings: 7, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 0540E933
fbq, xrefs: 0540E8EC
XX]q, xrefs: 0540EB16
XX]q, xrefs: 0540EBB2
fbq, xrefs: 0540E8C6
XX]q, xrefs: 0540EACE
XX]q, xrefs: 0540EBE6

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: fbq$ fbq$ fbq$XX]q$XX]q$XX]q$XX]q
API String ID: 0-3374093414
Opcode ID: 44b50a7ae7b101d05ca3cc8884b8069b0630d601409dab997b7482b4c6dc4c8a
Instruction ID: fd0d73fb002e4cb6c82dfa3d195a505c6ae9704bb795b0226eddb2d299bc51ba
Opcode Fuzzy Hash: 44b50a7ae7b101d05ca3cc8884b8069b0630d601409dab997b7482b4c6dc4c8a
Instruction Fuzzy Hash: 31C17B30A04248DBDB14CF98C555BEE7BB6BB84700F7498BAE406AB3D5CB749C62CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0540D9C8 Relevance: 5.1, Strings: 4, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8aq, xrefs: 0540DCA0
8aq, xrefs: 0540DCE6
8aq, xrefs: 0540DCDA
8aq, xrefs: 0540DCAE

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: 8aq$8aq$8aq$8aq
API String ID: 0-3625865161
Opcode ID: fdc91278a0c49475ac34728fa862a26859878940db83b0b91527f4233b2a7ae9
Instruction ID: de913b3ee4c81229a41613db98c46683b8ec9e8bf6054836cb74685b5104ca73
Opcode Fuzzy Hash: fdc91278a0c49475ac34728fa862a26859878940db83b0b91527f4233b2a7ae9
Instruction Fuzzy Hash: C121CB31E0C2248BCB14CBA9D8516FFB6A5FF40325F28A17BE466C72D1C738D94ACA51

Uniqueness

Uniqueness Score: -1.00%

Function 0540D5A0 Relevance: 2.7, Strings: 2, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0540D7CD
$]q, xrefs: 0540D732

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: d36ade0619ce7bd86c5a5fe33923389b06b2248332161adf0b48e3ac9aa0f5c7
Instruction ID: 26aeb75defe31ed161a2f523553412ac274df62520d8debcd0ce9cd969da6c09
Opcode Fuzzy Hash: d36ade0619ce7bd86c5a5fe33923389b06b2248332161adf0b48e3ac9aa0f5c7
Instruction Fuzzy Hash: A7817F34F04208DFDB149FA4C955BFE7AA2BB88700F209876E406AB3D4DB749C49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0540D651 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

$]q, xrefs: 0540D7CD
$]q, xrefs: 0540D732

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 8d10b8b66ca1bdbd92eafdd8f466732174ad3fb00dd280e98a58fbbb8dd99516
Instruction ID: c4af1cd63865378b55fe60547d06aae9f68a8e3803b3688b175fef7995012410
Opcode Fuzzy Hash: 8d10b8b66ca1bdbd92eafdd8f466732174ad3fb00dd280e98a58fbbb8dd99516
Instruction Fuzzy Hash: 79618434F40208DFDB148EA4C855BEE7AA3BB88700F209876E506AB3D4DA74AC05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06E37A70 Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

8aq, xrefs: 06E37B2B
8aq, xrefs: 06E37AE0

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: 8aq$8aq
API String ID: 0-1589283582
Opcode ID: 82da58ba7a17c23cb92eff61e9c6a2ab30a6f7d70872d27bbdf7ffd9c95572d8
Instruction ID: 632326d4d8140e7e5aabe6c0039fd4d634e6b13121db0254b8918fa691ab2273
Opcode Fuzzy Hash: 82da58ba7a17c23cb92eff61e9c6a2ab30a6f7d70872d27bbdf7ffd9c95572d8
Instruction Fuzzy Hash: 023111B0B0435A9FDF90DB688848ABABBB2EB85304F1054EAD215DF2A5D6309C04C799

Uniqueness

Uniqueness Score: -1.00%

Function 09493FEE Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0949422E

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f35606dd8968649987c866f68abad6fdd9cf1a59ffe2e397bd17b33715fb2511
Instruction ID: 0a0ccc6cccc2b964b091e3f3de56b462111a707ef7e71f3c0a226bff3f345c9d
Opcode Fuzzy Hash: f35606dd8968649987c866f68abad6fdd9cf1a59ffe2e397bd17b33715fb2511
Instruction Fuzzy Hash: 59A17F71D10229CFDF24CF68C8457EEBBB2BF44314F1482AAE819A7260D7749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 09493FF8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0949422E

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2442a2917c485c9724b724b4dca0f49f00af47c9f40f98ab1e5a149c0f99237b
Instruction ID: ee52fb33a37bcfb437800a42dee8930275ca2393d2f43f0b3c259a4bd2cc23e4
Opcode Fuzzy Hash: 2442a2917c485c9724b724b4dca0f49f00af47c9f40f98ab1e5a149c0f99237b
Instruction Fuzzy Hash: 2C916071D10229CFDF24CF68C8457EEBBB2BF44314F1485AAE819A7250D7749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E04A3C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E05F21

Memory Dump Source

Source File: 00000009.00000002.2056074814.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e00000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b80283c67e02bfe8d8d394c98a71f6ee090698dfd48248db7933bd3bf1819f16
Instruction ID: 28fa675c6a1555873dd0339605127faa0fa15d022905d927f12078841234c487
Opcode Fuzzy Hash: b80283c67e02bfe8d8d394c98a71f6ee090698dfd48248db7933bd3bf1819f16
Instruction Fuzzy Hash: 6041D2B1D00619CBDB24DFA9C844B9EBBB5BF44304F20805AD418BB255DB75698ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E05E6D Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E05F21

Memory Dump Source

Source File: 00000009.00000002.2056074814.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e00000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dfabd1028e49da1e6f71666c71926c53913f795a95f78036566c6ed1d5ed0c9b
Instruction ID: c0f2f4f5aac5d4ced1f410e7abc6bdd65c40ffcd029f7b28e27b1f8cdc027215
Opcode Fuzzy Hash: dfabd1028e49da1e6f71666c71926c53913f795a95f78036566c6ed1d5ed0c9b
Instruction Fuzzy Hash: 2741D4B1D00619CFDB24DFA9C84479EBBF6BF84304F20805AD418BB255D775698ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 09493D68 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09493E00

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a3f99d531ce8ef855001f8e3c7fd42369e9bc6db949c435a744082ea154f5f8f
Instruction ID: 556cc4c02d4e66837936e8a7e54a30f3e4d3df488c67902ef291ad756ed96aac
Opcode Fuzzy Hash: a3f99d531ce8ef855001f8e3c7fd42369e9bc6db949c435a744082ea154f5f8f
Instruction Fuzzy Hash: 532157B19102099FCF10DFA9C885BEEBFF4FF48310F10842AE959A7240C7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 09493D70 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09493E00

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 036831b1807512a33a690b947f7ccddc1f099c491579508ee093befd013887b9
Instruction ID: 31293c405df04b1e658ecc1ff5111e002864794b87d92eb4601f5be340b7ff7f
Opcode Fuzzy Hash: 036831b1807512a33a690b947f7ccddc1f099c491579508ee093befd013887b9
Instruction Fuzzy Hash: BF2113B19102099FCF10DFAAC885BEEBBF5FF48310F10842AE919A7240C7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D440 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E0DD66,?,?,?,?,?), ref: 00E0DE27

Memory Dump Source

Source File: 00000009.00000002.2056074814.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e00000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e1c78fbcbb0833168b25d0ab13a405b00e22d11b6963dc3ec8aa80320a59126
Instruction ID: a542bd4f9edd8d50737c4abb5f800d7119e710437f8dd701c543175c7f4f5950
Opcode Fuzzy Hash: 3e1c78fbcbb0833168b25d0ab13a405b00e22d11b6963dc3ec8aa80320a59126
Instruction Fuzzy Hash: 9A21E3B59042489FDB10DF9AD984AEEBBF8FB48310F14845AE918B7350D378A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09493BD2 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09493C56

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 40ab8ca20a4965bbc3563d5132030695d86ee1f0b383244a3e7a8b5af6bcacc9
Instruction ID: be3d917160d06e81838a16d7ee42bea629ebd6f8f84856e515c16c34fdbae224
Opcode Fuzzy Hash: 40ab8ca20a4965bbc3563d5132030695d86ee1f0b383244a3e7a8b5af6bcacc9
Instruction Fuzzy Hash: 5D2125B2D002098FDB14DFAAC4857AEBFF4EF89314F14842AD559A7241C7789985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 09493E5A Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09493EE0

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 436bbcb4001c85ad3037a7b7b87750765c01bb4b43353fd9d5cfd25619625ef8
Instruction ID: 1cab74dfea03f26ced762dc245d92fe90cee0bdbabfc15264c9bc436d09e5779
Opcode Fuzzy Hash: 436bbcb4001c85ad3037a7b7b87750765c01bb4b43353fd9d5cfd25619625ef8
Instruction Fuzzy Hash: F22125B1C002499FCF10DFAAC885AEEBBF5FF48310F10842EE959A7250C7399945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 09493BD8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09493C56

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1d9f84a38182fa6e7c2a992da5f170af0babba6adee7c9075662a96d8fe72b63
Instruction ID: 61a2d42ff2c4d93fa304c1c18989f35b9a0759b3a60e581c84ac5eeba3f97e7d
Opcode Fuzzy Hash: 1d9f84a38182fa6e7c2a992da5f170af0babba6adee7c9075662a96d8fe72b63
Instruction Fuzzy Hash: F52134B29003098FDB10DFAAC4857AEBFF4EF49314F50842AD459A7240CB78A985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 09493E60 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09493EE0

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1ecae80f4be1659cdef26aebfabbbb4458f95f85f056988ab6954a52e55e9503
Instruction ID: 5400c94b0985fd0eacd9936e730e99d071841cfd142b734727dc1d7276c9621a
Opcode Fuzzy Hash: 1ecae80f4be1659cdef26aebfabbbb4458f95f85f056988ab6954a52e55e9503
Instruction Fuzzy Hash: A221F5B1C002499FDF10DFAAC885AEEFBF5FF48310F50842AE959A7250D7799944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 09493CAA Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09493D1E

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7fd308ac97a63259e1f3ca8193375c960a1bfaa148fcd78ae554a548e1d64d2c
Instruction ID: df36a525f2ab5f3556184c13e74d1fcc29ad58b3693aa2a74f423b47aaec80fa
Opcode Fuzzy Hash: 7fd308ac97a63259e1f3ca8193375c960a1bfaa148fcd78ae554a548e1d64d2c
Instruction Fuzzy Hash: A01144728002489FCB10DFAAC844AEFBFF5EF89314F14841AE559A7250CB79A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B310 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E0BBA1,00000800,00000000,00000000), ref: 00E0BDB2

Memory Dump Source

Source File: 00000009.00000002.2056074814.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e00000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6a2dac47f82750e24f9a31ac1c6e8a19b55e4b6e348c57e86815805d4b581688
Instruction ID: d95260e6f20728708a445641f21bc5265ae7dcf5f07bea6d38907b4e693bfd0f
Opcode Fuzzy Hash: 6a2dac47f82750e24f9a31ac1c6e8a19b55e4b6e348c57e86815805d4b581688
Instruction Fuzzy Hash: D211D3B69002499FDB10DF9AD444AEEFBF4FF48314F10842AD519B7250C379A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09493CB0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09493D1E

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2dd233f2399a5b4ca216884a6e6a13675b551679dbe396d550f83a97450a6747
Instruction ID: 9f20ee85e9eff75f26fe2c7a8ebaea75009e8b820f75cea9c1a06d15f65b66a0
Opcode Fuzzy Hash: 2dd233f2399a5b4ca216884a6e6a13675b551679dbe396d550f83a97450a6747
Instruction Fuzzy Hash: 9E1126718002499FDB10DFAAC844AEFBFF5EF48314F10841AE519A7250C779A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 09493B20 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09493B8A

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8f40c6bc02d96690427570d2b03aeed0b694c1e9fcd513142dd28eae7e2ffc73
Instruction ID: 4e165e16343a187ec9cab110387134efeb22edf5a2adce212c23a19c99ec9af7
Opcode Fuzzy Hash: 8f40c6bc02d96690427570d2b03aeed0b694c1e9fcd513142dd28eae7e2ffc73
Instruction Fuzzy Hash: 42115BB1D003488FDB10DFAAC4457AEFFF5EF89310F14845AD419A7240DB79A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 09493B28 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09493B8A

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c8320ffddb5f28008cb0c1375d2e4a61b9adb595517ca09981f2f05a81a0e7ee
Instruction ID: 9e3afe2ff42286ce0c1e0bcadaecc6e13f9c8e0b2922b136c768efafa3ed6df2
Opcode Fuzzy Hash: c8320ffddb5f28008cb0c1375d2e4a61b9adb595517ca09981f2f05a81a0e7ee
Instruction Fuzzy Hash: BE113AB1D002488FDB20DFAAC4457EEFFF5EF89324F20841AD519A7240CB79A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E0BAC0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E0BB26

Memory Dump Source

Source File: 00000009.00000002.2056074814.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e00000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: acc800c1ff42bb98e7f92a25494e92b275d4eb8a40eaa11a8c6cc6834dd345cd
Instruction ID: a134a255d7b4e8a7a690b9448a695589c3e455f21bdaebbf11e4e3e151209edb
Opcode Fuzzy Hash: acc800c1ff42bb98e7f92a25494e92b275d4eb8a40eaa11a8c6cc6834dd345cd
Instruction Fuzzy Hash: A811DFB6C002498FDB20DF9AD844A9EFBF4FF89314F10845AD829B7250D379A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09497079 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 094970DD

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6f4dabfa6643fe3ca0733cb809ab186abba4bfb6fe6ee2ea1a973d2f8130f650
Instruction ID: 44d4e288e3f0f46710c31652ba230a1d5dee891f7c314bc05081e9cfd025b28b
Opcode Fuzzy Hash: 6f4dabfa6643fe3ca0733cb809ab186abba4bfb6fe6ee2ea1a973d2f8130f650
Instruction Fuzzy Hash: 8911E0B58003499FDB10DF9AC484BDEFBF8EB58324F10841AE958A3200C379A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09497080 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 094970DD

Memory Dump Source

Source File: 00000009.00000002.2066618934.0000000009490000.00000040.00000800.00020000.00000000.sdmp, Offset: 09490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9490000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e10692d3ef829290b9dc384d7d0eefb405f73e23ac75c338abeef0c969b3d478
Instruction ID: f353181304cc10cba35cc9ff5dd46efb4c898f2c82c90ee281961a3ba3bab2cc
Opcode Fuzzy Hash: e10692d3ef829290b9dc384d7d0eefb405f73e23ac75c338abeef0c969b3d478
Instruction Fuzzy Hash: 0311B0B58003499FDB10DF9AD545BDEBBF8EB48324F10845AE558A7200C379A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05408158 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

d8bq, xrefs: 05408558

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: d8bq
API String ID: 0-3484500975
Opcode ID: 40b48c69c2656beea51d970a4bbccf9d9c2a815d26aed5570efb3816e4f9bfb5
Instruction ID: 8a882a62a49ce32abb8b1316edc811f2f39adfac47d1057e9e3626f6e409a1d8
Opcode Fuzzy Hash: 40b48c69c2656beea51d970a4bbccf9d9c2a815d26aed5570efb3816e4f9bfb5
Instruction Fuzzy Hash: 30615C30B001188FCB15DF69D558AEE7BB6FF88712F2450BAE902AB395DA31DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06E3120C Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06E38239

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 2e64118f43b51623e31820f2e9d649160312724154b61b6965694570981f8364
Instruction ID: bb48732ea559f3012966c97a8fd81be1a7dbe056bdc683b7f03ab0549ca89249
Opcode Fuzzy Hash: 2e64118f43b51623e31820f2e9d649160312724154b61b6965694570981f8364
Instruction Fuzzy Hash: D151A071B002198FCB14DF7998889AFBBF6EFC4324B158969E429D7395DB309D05C790

Uniqueness

Uniqueness Score: -1.00%

Function 06E35CF0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

O};5, xrefs: 06E35D28

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: 83a4d811db947405359f81f0f89b35d1fac5a5eb25723b35ecdc03522846c01f
Instruction ID: 6e1b0f8d0b1abfce39b9284060370998ecbe54cd682b6b05063d8e3125fbff8c
Opcode Fuzzy Hash: 83a4d811db947405359f81f0f89b35d1fac5a5eb25723b35ecdc03522846c01f
Instruction Fuzzy Hash: 1B415C70A14219DFDB84CF99D5898AEBFF1FF89301FA1E8A6D405A7318D7309A20CB14

Uniqueness

Uniqueness Score: -1.00%

Function 06E35CE3 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

O};5, xrefs: 06E35D28

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: f72b48a33f6c70e16bdf6f04e36f6b1965fd44c811af602eb14e212163600fd1
Instruction ID: 1dc240038035561a47b832da917d9805ce10af6118049f296e70b5a416e84038
Opcode Fuzzy Hash: f72b48a33f6c70e16bdf6f04e36f6b1965fd44c811af602eb14e212163600fd1
Instruction Fuzzy Hash: E6414E70A10619DFDB84CF99D5899AEBFF1FF89301FA1E8A6D405A7318D7309A20CB14

Uniqueness

Uniqueness Score: -1.00%

Function 06E3D819 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06E3DA02

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: dcd59294467e2059659b33c49f222a5c7253630a83c7afb6a1e257e3dc6d9045
Instruction ID: 2c6047b8548465bd796f7025985d6ec83074a67ee07c1e39cfa0abd76e2b297a
Opcode Fuzzy Hash: dcd59294467e2059659b33c49f222a5c7253630a83c7afb6a1e257e3dc6d9045
Instruction Fuzzy Hash: 903148B4E043488FEB08CFA6C8556DEBFF6BF89300F14906AD409AB3A5DB745946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06E311FC Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06E37C5B

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: d0907e06a77156035f0f85710221f7de1e3326a23051b40716f498a2806fc697
Instruction ID: a3d1c754baeaab27696d920012b2409b6509dee4350948fc641e1482ce275e37
Opcode Fuzzy Hash: d0907e06a77156035f0f85710221f7de1e3326a23051b40716f498a2806fc697
Instruction Fuzzy Hash: 5E115E71F0021A8BCF84EBBC99545EEB6B6AFC8701B1044A9C505EB244EB358A02C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 06E3D8F8 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06E3D908

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 4b0ea78f79bdb8b3e27f443dabe7569c61f3dd5eceba3e9c544d0c188c39f28a
Instruction ID: 6fc2e3e45b1224a95c5a93414ac551de3a6dd0cb7070d356a46625b603049614
Opcode Fuzzy Hash: 4b0ea78f79bdb8b3e27f443dabe7569c61f3dd5eceba3e9c544d0c188c39f28a
Instruction Fuzzy Hash: A5118075E00209DFCB08DFE9D4819ADFBB2FF88310F20812AE919AB365C6316946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06E3D88F Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06E3DA02

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: d2b31ef641ea4a4a3d83ee215f03fcb537409a2ebdc04b2e594bb233f1838764
Instruction ID: 2ea54179176145a25042368551bff3e8a67b3d127032c3bc9aa3cea1ea5e6f5a
Opcode Fuzzy Hash: d2b31ef641ea4a4a3d83ee215f03fcb537409a2ebdc04b2e594bb233f1838764
Instruction Fuzzy Hash: 3701C578E08258CFDB44DFE9C8956EDBBF6BF49300F10A059E40AAB359DA306846CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05406740 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a8a77979beffb7bde9db0b71a7ae55f719d337b40c774ab74e0dd1d3d18b0d
Instruction ID: f0139ba5247008900def63fd429a9c55a35b28a71c73c20918f24f750cbac3e6
Opcode Fuzzy Hash: 11a8a77979beffb7bde9db0b71a7ae55f719d337b40c774ab74e0dd1d3d18b0d
Instruction Fuzzy Hash: 76224BB0A05B424AD7785BA488842DFB790FB05310F7059AFD0FA9A3D5D735A0C78B9B

Uniqueness

Uniqueness Score: -1.00%

Function 05406742 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68736bdb6d531edf552858bf5046b993c77fb2854f39da775f534cd21d456cf
Instruction ID: 56492ff17dd983c9ff092f0c2a4dcb91f95aa34587802b99defb4e9104bd095e
Opcode Fuzzy Hash: a68736bdb6d531edf552858bf5046b993c77fb2854f39da775f534cd21d456cf
Instruction Fuzzy Hash: 12123AB0A05B424AD7785BA489882DFB790FB05300F7059AFD0FA993D5D735A0C78B9B

Uniqueness

Uniqueness Score: -1.00%

Function 05408770 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f89f1e3889b428511463dd59a4f25c3abb5f80968fb32488394168b03d4e85
Instruction ID: f9b25ba670ecd935b4192d1b36e7e63013a891e1fe432367614b0dc76f5571cc
Opcode Fuzzy Hash: 05f89f1e3889b428511463dd59a4f25c3abb5f80968fb32488394168b03d4e85
Instruction Fuzzy Hash: 8EB19E31A001199FCB05DF69D944AEF7BB6FF88701F24846AE80697394DB34DD52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06E3ACB0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dce838437ebdc3ea3a3cef4a6cb59bb747fad862c88f49f429c0ff53be5194e
Instruction ID: c3f58259e12adae4e97ed0707eea1904370138da8d7fd7db7eb4f2e5ef290c18
Opcode Fuzzy Hash: 0dce838437ebdc3ea3a3cef4a6cb59bb747fad862c88f49f429c0ff53be5194e
Instruction Fuzzy Hash: 7A610470A15324CFD7948F6D881877ABBB2BF85309F5490BAE4A68B2C1D734D8C1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06E301E2 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d095e80bb837dd29b14fff95bbab2e90dd3ac9671f5a9a8b142e741a5621ab
Instruction ID: 382d9cfc445a76d445cea8c92dcdc81b218b608331d4a2dbead63c88f58afdc8
Opcode Fuzzy Hash: 72d095e80bb837dd29b14fff95bbab2e90dd3ac9671f5a9a8b142e741a5621ab
Instruction Fuzzy Hash: A351F471E05375CFD3848F68C858ABAB7B1FF45309F4996A6E0658B282D339C845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E008 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a67dcb4b462627216fa07d22e3cf6e0e84747da87e236592c649fd3a5e5b62c
Instruction ID: bbfd481d9df8e09b55601237fc21f255a5b7c68d26044c8ef3d82893d9089713
Opcode Fuzzy Hash: 7a67dcb4b462627216fa07d22e3cf6e0e84747da87e236592c649fd3a5e5b62c
Instruction Fuzzy Hash: 56410770E09219CFEB44CFAAC4486EEBBF6AB8C301F14E06AE419A7251DB705941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0540856F Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f164c2369250a57daadc7ce2e06163e88a426bfae741739e23239200784a1177
Instruction ID: 3851f303bd862411798bda283349e1295ef905ae95e5a3ee93429c6e3667ca4d
Opcode Fuzzy Hash: f164c2369250a57daadc7ce2e06163e88a426bfae741739e23239200784a1177
Instruction Fuzzy Hash: 7341F675B042168FCB10CF68C9949AFBBB2BF85340B2958BBD505DB3A2DB30D841C791

Uniqueness

Uniqueness Score: -1.00%

Function 06E35B88 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443acc4696078e00be8932a284993ebf2abcaf2a35632e40b3c250547df4e700
Instruction ID: 13b1983f4586913ceb96c490e799954fa30b82fa7aa31c31ea12d724c7e8e593
Opcode Fuzzy Hash: 443acc4696078e00be8932a284993ebf2abcaf2a35632e40b3c250547df4e700
Instruction Fuzzy Hash: 80419AB49197848FC706DF6DD484998BFB0EF8A211B5A84D6D480CF3B3DA34A895CB16

Uniqueness

Uniqueness Score: -1.00%

Function 054088BF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881be69ec2ce323476bc6d67987855b4ab4416b15f651697faac10508c055cd4
Instruction ID: f6c9a3d9682107b63cc1ee6ddd6df975cd65090018e5a5f72214deed1632525f
Opcode Fuzzy Hash: 881be69ec2ce323476bc6d67987855b4ab4416b15f651697faac10508c055cd4
Instruction Fuzzy Hash: 6D4128316001199FDF05DF69D948AAF7BA7FF84712F24846AE80297398CB38DD52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06E35E6A Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db122db60314eb1e7e73c9b9d03dba0b606712383d1782ff14e151980536e6d3
Instruction ID: f8c1be1fcc8c0369da5b453f72eed3c6c7c0f80ed1eaa7175d6a73ec3cd215aa
Opcode Fuzzy Hash: db122db60314eb1e7e73c9b9d03dba0b606712383d1782ff14e151980536e6d3
Instruction Fuzzy Hash: BD417C75E0420A9FCB44CF99D8419EEBFB6FF89310F24A46AE505BB354D7709A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06E37EC4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbc76a02a13a3ab2941973586ca39f8cbd304b42fe66c8d5eae7b3e2ba279f4
Instruction ID: 9dee41982e69af39a0b426394283723b765b7eaa2f9e7c4f72566a0b1985634b
Opcode Fuzzy Hash: 8cbc76a02a13a3ab2941973586ca39f8cbd304b42fe66c8d5eae7b3e2ba279f4
Instruction Fuzzy Hash: 0F3159B1900308AFCB50DFA9D848ADEBFF9EB49310F10846AE919A7351D774A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06E33E80 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147893128dad728908ac08d837fadb189eb5c2c6fa0913adfb1f7ad0855a66f0
Instruction ID: 00f19678a0aced1bf7ed6ef0eee999f7d4d93f7a17de57b59ebd35216459298e
Opcode Fuzzy Hash: 147893128dad728908ac08d837fadb189eb5c2c6fa0913adfb1f7ad0855a66f0
Instruction Fuzzy Hash: E03147B0E1535ADFDB44CFA9C584AEEFBB2BB88300F24D56AC419A7214D7349A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06E3EA67 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11dbe4707ef40bda9ae49a25a73486f93ee8c33082aa28232a87ea88002a788
Instruction ID: 6ac3c9f7eb99e8a6c23a80fc1021d4b6a9aa29993bd71db767b0444d1f1fdcd8
Opcode Fuzzy Hash: a11dbe4707ef40bda9ae49a25a73486f93ee8c33082aa28232a87ea88002a788
Instruction Fuzzy Hash: C641BD74D05328CFDBA4CB98C589AECBBB5BB49311F146096E40AAB255C730AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05408140 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5136e9bc8aa4edfd64074f0f4c520eb64f04482a01e1aaeb1acacdc35bb4618
Instruction ID: 4b42bb553051aed88bc7016b28298ce4d78b9fb89e8c537a1007a93df9cc4431
Opcode Fuzzy Hash: f5136e9bc8aa4edfd64074f0f4c520eb64f04482a01e1aaeb1acacdc35bb4618
Instruction Fuzzy Hash: 0E31AB31A00258DFCF15DFA8D948AEE7BB1FF88312F2450AAE9016B391E6719D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 06E30047 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91454b7d500e1981b56a782994d9cea7681d645c8a58555844518e58762473ac
Instruction ID: 4c2ed5ebb847f5b14662f29a999d7f1c0231720de4446ac9e0ece20c7965a49d
Opcode Fuzzy Hash: 91454b7d500e1981b56a782994d9cea7681d645c8a58555844518e58762473ac
Instruction Fuzzy Hash: 47312430D00335CFD7818F28C8483BABBA2FF41309F5995E6D4988B186D7368946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06E3ACA0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f014708c885e3f1105c16e53b7ad012c4d919a8879f4041b97ffd6d9627ccc
Instruction ID: 0a12e05f6a1b2b7307e4a17ef96923462618fae2ecce9c682683a87ce2dc6d84
Opcode Fuzzy Hash: a1f014708c885e3f1105c16e53b7ad012c4d919a8879f4041b97ffd6d9627ccc
Instruction Fuzzy Hash: F831C330B45324CFE3548B1CC85DB657BA2AF8570EF9980BAE4994F296DB769881CB04

Uniqueness

Uniqueness Score: -1.00%

Function 06E37E37 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb99be7edb5be32bb85256d07f37a476017c83108280eed89f9c7269a20fedbc
Instruction ID: db6b8289f6ef7952a5f19e6d77086cfe8ab582abeb236ff7a24a010266e4c4cb
Opcode Fuzzy Hash: fb99be7edb5be32bb85256d07f37a476017c83108280eed89f9c7269a20fedbc
Instruction Fuzzy Hash: 7431CFB2C043848FCB10DFAAC8587CABFF4EF69310F15809AD858A7211D774A805CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2052265865.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b3d000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4399ea1c231bd562043b02d588bf000c7dc947b16e04555dc5b95cee80ca1b9
Instruction ID: b8205d00d818ed9f747c2f4525da0172980bad444e72ebebe8e235c1efe54ebd
Opcode Fuzzy Hash: b4399ea1c231bd562043b02d588bf000c7dc947b16e04555dc5b95cee80ca1b9
Instruction Fuzzy Hash: 2B213771600240DFDB05DF14E9C0F26BFA5FBA8318F30C5A9E9090B256C33AD816DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2052548205.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b4d000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525b8037c429af99d0d523ed0639f46748744081c805112a581d991134484c33
Instruction ID: c3476bc7b9195a8175f0a3fcd3ae0b1706f871d0249ee9923b91751f25440c27
Opcode Fuzzy Hash: 525b8037c429af99d0d523ed0639f46748744081c805112a581d991134484c33
Instruction Fuzzy Hash: A9210771604204EFDB05DF14D5C0F26BBE5FB84314F20C6ADE9494B356C3BAD906EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2052548205.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b4d000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb037e002bcdd81699db290420c5b6263794be83ff631047af738dc8b157aa46
Instruction ID: 3019bb8f5e572b56c2fa4d7dee93dbd8375d6e6ef9be1457cefc49c3edf0ed68
Opcode Fuzzy Hash: eb037e002bcdd81699db290420c5b6263794be83ff631047af738dc8b157aa46
Instruction Fuzzy Hash: CE21F271604204DFCB14DF24D9D4B26BFA5FB88314F20C5ADD90A4B396C33AD907EA61

Uniqueness

Uniqueness Score: -1.00%

Function 06E37CC4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367989792b238f9d42f9ba59b07109a592a07287f276dd1e825c1512f4218f11
Instruction ID: 0833168ae1092b905e4e2861294c4e2350f4216807a0aa50eee93d63572b2b74
Opcode Fuzzy Hash: 367989792b238f9d42f9ba59b07109a592a07287f276dd1e825c1512f4218f11
Instruction Fuzzy Hash: FE31DFB0C013189FDB60DF9AC588B9EBBF4AB08314F24846AE404BB340C7B59885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E3827E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17caf511ddc9fc5abf023e324b7db386eef9b92a83a1c849822104ddace01fce
Instruction ID: c89413b505a06bb67f5198eb7aa5c7059e0bdbbdacfb8fc454e2debb054c5b23
Opcode Fuzzy Hash: 17caf511ddc9fc5abf023e324b7db386eef9b92a83a1c849822104ddace01fce
Instruction Fuzzy Hash: 1521E0B1C01318DFDB60DF9AC588B9EBFF4AB48314F24805AE404BB340C7759885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0540D9B8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9970255ebf424efcea7e710729653bc2e454edc4b264120092f43a7569ce343c
Instruction ID: b9f5776001be0ecc6118a93a409fa06d55419321485118251904d5ba95081505
Opcode Fuzzy Hash: 9970255ebf424efcea7e710729653bc2e454edc4b264120092f43a7569ce343c
Instruction Fuzzy Hash: 2E11B671E0C2248FCB04CAA8D9516FFB765FB51221F29A177D4A6CB2D1C338D94AC751

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2052548205.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b4d000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6a1f496babe06820b68e078bc0ed13f04cd103ea4080c7aeaa2b9a234fd8c6
Instruction ID: ce800401acfd3ebaec450fbcb2d4525e133772eaf4aa14fd3d700e1110987cbe
Opcode Fuzzy Hash: 4d6a1f496babe06820b68e078bc0ed13f04cd103ea4080c7aeaa2b9a234fd8c6
Instruction Fuzzy Hash: 292192755083809FCB02CF14D994B11BFB1FB46314F28C5DAD8498F2A7C33A990ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E1A1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9991737f3808a5d7ede20d1cfa8174ff46bf2ee0ad9116b90694aa10e79f4337
Instruction ID: 2a41f1624c96ad6d716ded39ed1bb9b0a9395b50888491edfd66288c7ce81005
Opcode Fuzzy Hash: 9991737f3808a5d7ede20d1cfa8174ff46bf2ee0ad9116b90694aa10e79f4337
Instruction Fuzzy Hash: 6021E9B4D05259CFCB84CFA9C1859EEBBF5AB49300F20A096D809A7711D730AE41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E35C18 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d6b65f89cba78da3073161214b6bf765b24cd143dab324cd12b6574a4d12d0
Instruction ID: 8016aacca6b71b030f0d91194b789dcd6f646f14c2d98b759d2c524b14e1f740
Opcode Fuzzy Hash: 51d6b65f89cba78da3073161214b6bf765b24cd143dab324cd12b6574a4d12d0
Instruction Fuzzy Hash: BC214EB4A10908DFC744DF5AE485999BFF1EF8C310F5280E5E8889B265EB31E9A5CB05

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E290 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacddb3c38038e1dfb227778f03cc1319170ac2b8d83c5b514d3a4bdfdd2cc63
Instruction ID: 0aa2042a13e7c6105b5dd025e221add1f6c4ecabf81b2e86beadfb00a38873b1
Opcode Fuzzy Hash: aacddb3c38038e1dfb227778f03cc1319170ac2b8d83c5b514d3a4bdfdd2cc63
Instruction Fuzzy Hash: 0B114670D48219DFCB48CFA8C6455EEBBF5FF89310F01A5AAD409A7222D3709A42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06E380C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad9699d6de23ecbbf9c5d2a636ec598beee5ddac5816d443063284a4555ddca
Instruction ID: fd0f22930d7233ea10314cae93635753428d832e73c7c7124db9beb9ad65d698
Opcode Fuzzy Hash: fad9699d6de23ecbbf9c5d2a636ec598beee5ddac5816d443063284a4555ddca
Instruction Fuzzy Hash: 391170B6F007154B8B54DA698C445BFBBFBEBC8260B254529E829D7340EF309906C764

Uniqueness

Uniqueness Score: -1.00%

Function 06E3EB79 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d609568ac02d1a221311ee6145559f31d4767686d7231b801143ea3dadf32e6e
Instruction ID: 31c40ec573fef0ae11546ab18c9ee80eb0b7f219918e7af7fa31f62c2feb79a7
Opcode Fuzzy Hash: d609568ac02d1a221311ee6145559f31d4767686d7231b801143ea3dadf32e6e
Instruction Fuzzy Hash: 3F219474D11268CFDBA4DFA8C588BDCBBB5BF48305F109096E40AA7355DB30AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06E37ED4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc94cb95832d5f9858ea2d783fa7f4bbff17ac130e05ed2ab160112b05acf17
Instruction ID: 8a40dc4990f3d457a052587062314a751f55a303ca3985fb1b776d63cedc5df2
Opcode Fuzzy Hash: 2cc94cb95832d5f9858ea2d783fa7f4bbff17ac130e05ed2ab160112b05acf17
Instruction Fuzzy Hash: FE2114B58043499FDB20CF9AC988ADEBFF4FB48310F108419E919A7351D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2052265865.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b3d000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: fe8489c16c95392db396c2971ba0640592fa3eaae5bdae97d28b970c3d6e6155
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 2911D376504280DFCB16CF14D5C4B16BFB1FBA8314F34C6A9D9490B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2052548205.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b4d000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 5b9aa17b6c27ae2dd181818cea6a9fd8ef703097adb7b72b7afa231697c19ee2
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 8F11BB75504280DFCB02CF10C5C4B15BBA1FB84314F24C6A9D8494B296C37AD80ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 06E3EAAB Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9de968d63db2a517640bb4c5064fc0f845c7ca11126c4155658f071912c244
Instruction ID: 575ed30fd42378f581f7e52f5626b6a22ae8472ecb6ce466fb88b30ad462cd33
Opcode Fuzzy Hash: cd9de968d63db2a517640bb4c5064fc0f845c7ca11126c4155658f071912c244
Instruction Fuzzy Hash: 55110770908328CFDB55CF94C5869ECBBB6BB4D311F242196D81AAB355C731AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E8B4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e2b63ed77e768941555d6f2d734c37bbefce14fbdc1303402b1b347564c7b1
Instruction ID: c48e3f9c059d9ad0d9d39b2df4a791dfe5a18dfb85477ffec4d017f506a2ce40
Opcode Fuzzy Hash: 62e2b63ed77e768941555d6f2d734c37bbefce14fbdc1303402b1b347564c7b1
Instruction Fuzzy Hash: AC11D474E08328CFDBA4CB94C5899ECBBB6BB4D311F646196D40ABB255C730AD85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0540DAF8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6060387864bdde2d2eefff7cfc3c7bba8dc5660467f5331cd759328eeaa89ff
Instruction ID: 7960d513f0add702af7896557a4a4697ba4e51825e9171f8905465ee57bcc314
Opcode Fuzzy Hash: f6060387864bdde2d2eefff7cfc3c7bba8dc5660467f5331cd759328eeaa89ff
Instruction Fuzzy Hash: F711E534F102149BC704BFE8D919BEEBBB1FB88711F508476E516D7384DB7459058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2052265865.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b3d000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91d4c3c9f436cdad184a1b3ba7ee48c66b8f0b52b74cb1057568b7bfdb92d5e
Instruction ID: 7fed00eaea4107d3fda4b3ca85e123418f8e8c68e06a654b185e4bbc44d9545f
Opcode Fuzzy Hash: b91d4c3c9f436cdad184a1b3ba7ee48c66b8f0b52b74cb1057568b7bfdb92d5e
Instruction Fuzzy Hash: C501F231004340DAE7218B29DDC4B67BFDCEF46360F28C9AAED190A286D6399C41CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 06E3F578 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2239f11ee898ebdec355480e28758b2cd4b1dc18d0f0b5867205933b00de30
Instruction ID: c3e8b85d208beb743fa8493d52b9cc880ea4974eeadaf7d48ef5e6ad871ddf25
Opcode Fuzzy Hash: 6e2239f11ee898ebdec355480e28758b2cd4b1dc18d0f0b5867205933b00de30
Instruction Fuzzy Hash: 1AF06930D19218EFDB44CF55D5489EEBBB9AF99305B00E1A5A4095B212DB30AE00DB80

Uniqueness

Uniqueness Score: -1.00%

Function 06E3D9DF Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fcd0b6fc39ee393962e74b425fbafee0e7afd5b6fdc4513066cdcb2140d190
Instruction ID: c63a6fdc8c54ca5a3313ae79b8f6ac477d084b179b7b0b089992fcf81aca4c55
Opcode Fuzzy Hash: 50fcd0b6fc39ee393962e74b425fbafee0e7afd5b6fdc4513066cdcb2140d190
Instruction Fuzzy Hash: AE01C474E08329CFDB40CFA5CC54AADBBB5BF49300F10A42AD416AB355D770A901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0540CA08 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908d19bcece24f032dd7c292abf56005bffd89a38fd3bb83a81f79b24f844232
Instruction ID: aa5ab3a2968cc389763316d5d87a21b77c91c242867f63b24fb28ded2e359896
Opcode Fuzzy Hash: 908d19bcece24f032dd7c292abf56005bffd89a38fd3bb83a81f79b24f844232
Instruction Fuzzy Hash: CEF046362046049BC709AB69FC9088FFF6AEFC8320B1089B7EC454B356DF346C0983A4

Uniqueness

Uniqueness Score: -1.00%

Function 06E3863C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9ac3c627965d9692e028ec8694ed077bd812d474a1fba3640641a069431686
Instruction ID: 4b59cab7139f2376f3e6b004165eba8a868173e5a6f7994d61fc89731e2fe16c
Opcode Fuzzy Hash: 0d9ac3c627965d9692e028ec8694ed077bd812d474a1fba3640641a069431686
Instruction Fuzzy Hash: CC011AB1C20329DFDB54CF5AC8083AE7AF5AF44364F25D265E824AA290D7744A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06E33C8A Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ace8b428cee9612e8cb963ffe3587b39370c0b2d6228745fb2bfbf015bc663
Instruction ID: 96aae920bcba3ff9d0bdb7f3e84ca909ebb72740dddd6f025bd950afc7edff77
Opcode Fuzzy Hash: 50ace8b428cee9612e8cb963ffe3587b39370c0b2d6228745fb2bfbf015bc663
Instruction Fuzzy Hash: 0701C474E00208AFDB05DFA9C589A99BFF1AF48300F16C0A9E808AB361DA34E940CF40

Uniqueness

Uniqueness Score: -1.00%

Function 054066E0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10cb68c25611c3d772901872b7ebeac761244b0308c4b0583aeec16e75cd7309
Instruction ID: ccaa7fef884f840bbffcbe58e021e0ff58b26714bc16a00df1fbf3d54c86387c
Opcode Fuzzy Hash: 10cb68c25611c3d772901872b7ebeac761244b0308c4b0583aeec16e75cd7309
Instruction Fuzzy Hash: 96F0FF6240E3C48FCB028BBCA8145EA3F70DB03224B4B15EBD696CB0D3D2698824C392

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2052265865.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b3d000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960a38dd2a6afc49e50c2d63400f4ad052c39f67e581089de40772aeccfefb25
Instruction ID: 96918731d760fa2fe07ba12bf40176f88af3d99563776f5450faedb08af4ae0b
Opcode Fuzzy Hash: 960a38dd2a6afc49e50c2d63400f4ad052c39f67e581089de40772aeccfefb25
Instruction Fuzzy Hash: 3AF06271405344DAE7218F16DC88B66FFD8EF55734F28C55AED484A286C2799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 06E396C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0f30c145b504591af25541749b6196223a7ea14e09aaf774993e2afa24ed02
Instruction ID: 26eda25ac33a198022de2178f0855dd1f520f2f6e428e7c179985cfff87af79c
Opcode Fuzzy Hash: ac0f30c145b504591af25541749b6196223a7ea14e09aaf774993e2afa24ed02
Instruction Fuzzy Hash: BFF0B4B3A00208AFDF84CF98D945AAE7BEADB44214F1991AAE408D7350E631DD50C744

Uniqueness

Uniqueness Score: -1.00%

Function 06E386D8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351770fe5572077d9461abf0fdf0b66aa3bbc753e57b228bbcc14075043ab34e
Instruction ID: 318cdcb5a7c4205caf0a9da19d9adb8e1ab95c6f52deef5d1f7446fbbd84af17
Opcode Fuzzy Hash: 351770fe5572077d9461abf0fdf0b66aa3bbc753e57b228bbcc14075043ab34e
Instruction Fuzzy Hash: 41F082B6B042545F9304CBA99C94D6BBBE9EFD966032680B6E508D7355D9308C05C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 06E38648 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d3e8c70ac5babe13cea50e96446146e80f893f0ef72a77ef06089ba669adf6
Instruction ID: f3ca3cefebf85071686b7c3c85f354e583fe015bc37cf9987d8ee0fbe27d010f
Opcode Fuzzy Hash: e7d3e8c70ac5babe13cea50e96446146e80f893f0ef72a77ef06089ba669adf6
Instruction Fuzzy Hash: 1101E8B0C20329DFDB54CF6AC8087AEBAF5AF48354F208625E824AA290D7744A40CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 06E33C98 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0943ce06590b9fd7a60f9d0f540ac3e22fc5e1c2de0429a86761e96d3fcb8870
Instruction ID: 82fc0e07eb5a19553c9692a235a05846ffe4d6ea102ad6586c7b5e4b93b6fa7e
Opcode Fuzzy Hash: 0943ce06590b9fd7a60f9d0f540ac3e22fc5e1c2de0429a86761e96d3fcb8870
Instruction Fuzzy Hash: FA01AF74E00208AFCB04DFA9C589A9DBFF1AF48300F15C1A8A808AB361DA31EA40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06E386E8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0076da8b65462a9b2be4ecc81e2c23dc726100ae88df8687bc10197c8b34b124
Instruction ID: 37b0f8209bcc3ef09de20ced807a79a89aab9497f51d9cdf20499e3825f0995c
Opcode Fuzzy Hash: 0076da8b65462a9b2be4ecc81e2c23dc726100ae88df8687bc10197c8b34b124
Instruction Fuzzy Hash: 1DE06D727001286F9304DAAEDC84C6BBBEDFBCCA70361807AF508C7310DA319C01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E84C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7684b27fa3debfef652dcc2eae932faca0dd2f6836f332a8b1f500b6e5726463
Instruction ID: 057cfb18b7bb07c5432452fb4efbe9af54bab9a4c6d9639e9ed72782d1d0824b
Opcode Fuzzy Hash: 7684b27fa3debfef652dcc2eae932faca0dd2f6836f332a8b1f500b6e5726463
Instruction Fuzzy Hash: 8BF0EC75908364CFDB91DB54E58A9EC7BB9BB0E310F146582D409AB256D730BC84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06E3D8C4 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e60bf3399fe9c45194b0dafe4b9d15ac6151958fb379a9fdf430751a90696b
Instruction ID: cac79baf7af1a212f4eb636c569c85de628b33cda0b22bc14a33c0efc89ba58e
Opcode Fuzzy Hash: e0e60bf3399fe9c45194b0dafe4b9d15ac6151958fb379a9fdf430751a90696b
Instruction Fuzzy Hash: 52F09274E1B328DFEB84CFA5D9486EDBBFABF4D300B106469A409A7250D770A941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0540CA74 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ab0f2b1cac0b85bea9f852f5d142f2b9133904426eaf6b1b62988a8560427f
Instruction ID: 5d156be7d1479f5f98f667426ce4a90542d74eb0004b029946c1c54af0accee2
Opcode Fuzzy Hash: 78ab0f2b1cac0b85bea9f852f5d142f2b9133904426eaf6b1b62988a8560427f
Instruction Fuzzy Hash: E5F0E9727082508FC7069B68BCD05ADBF65EF9430070486BBD5814B266DB78990AD750

Uniqueness

Uniqueness Score: -1.00%

Function 0540CA18 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1075b1f08371e97e042669c07a882ba3b957f11f1c56f706e3867515b8230505
Instruction ID: 789dd89c3e64d68bf78bc7def48e1d3a6ce54bb594fefce2090ee07ebbaf7ac7
Opcode Fuzzy Hash: 1075b1f08371e97e042669c07a882ba3b957f11f1c56f706e3867515b8230505
Instruction Fuzzy Hash: 19F0A73530060457C709AA29FC8489FFF9EEFC4320B10857AE9494B355CF74AD099294

Uniqueness

Uniqueness Score: -1.00%

Function 06E3EC3F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50b6848cfe16c63ec7f89af5b1f21b9fd2b4270b83c602117fae470562c87f8
Instruction ID: 355ddf7a81d4315e44314cd3745d7f4bfb3e2e1d8ade4e0de5956d4ff898f3b0
Opcode Fuzzy Hash: e50b6848cfe16c63ec7f89af5b1f21b9fd2b4270b83c602117fae470562c87f8
Instruction Fuzzy Hash: 42F0F934D05324CFDB54CF51D18A8EC7BB9BB4D301F116095E40AA7215CB30AC44CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05406698 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8617c9019a203d04b5d87b0aa00ad35e6b31ad89937f98fd51b2f816c0d2c876
Instruction ID: 0b5fb377e3c9bae976e71fa8ec4dc22dce3454813cf55c5dbc2edf3a314f36d8
Opcode Fuzzy Hash: 8617c9019a203d04b5d87b0aa00ad35e6b31ad89937f98fd51b2f816c0d2c876
Instruction Fuzzy Hash: D5E06D32304524CA8604EB59FC804F6B3B9EB8966A32880A6E40E9B624D333D892C780

Uniqueness

Uniqueness Score: -1.00%

Function 06E3D389 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023736b852917ba13a59dea3579b122fefb839dff523a7aa080948ef92d5fdf0
Instruction ID: 1ba224830ec45268f88302497484fd8afea727a8929e1c9856a3560b89644c2b
Opcode Fuzzy Hash: 023736b852917ba13a59dea3579b122fefb839dff523a7aa080948ef92d5fdf0
Instruction Fuzzy Hash: B2E01234A49328DEDF94DE55ED486F87779EF8A305F107565D00D93211DB305949CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E250 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5100e1c66d58386b1124519f8d0bee2c3b3411bf75d25e4faf01c6f2a362ec99
Instruction ID: 00418061d805dc53463660d3c2c229050a5b42c788883432602ba50c792f1861
Opcode Fuzzy Hash: 5100e1c66d58386b1124519f8d0bee2c3b3411bf75d25e4faf01c6f2a362ec99
Instruction Fuzzy Hash: 8CE0DF30549380DFC71A9B74C0052983F71AB8B315B2450DED0899B2A3CA376D83CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06E3D00F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086e4c84a62a283b37763fe9f2ef47daf4e967f8d4f4372aeeec9e7941088daf
Instruction ID: 917a56ed95832b6b2f654d9e5956c0c074daaa3ff0c773fa2d574bbfadf94bd0
Opcode Fuzzy Hash: 086e4c84a62a283b37763fe9f2ef47daf4e967f8d4f4372aeeec9e7941088daf
Instruction Fuzzy Hash: 47E0D831949214AFCB408B64ED49AE87B79EF46214F0151E5E40D97226DB30594ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E95F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153bcd6635953686a6fafb189f923b02eaf446031aa48b7d8bc686f71a20408f
Instruction ID: 2376c442584b638afcd4c9f041e8975769cc9ef6912ac959e37bf1c4a7fc0131
Opcode Fuzzy Hash: 153bcd6635953686a6fafb189f923b02eaf446031aa48b7d8bc686f71a20408f
Instruction Fuzzy Hash: D3E04F30C0D325CFEB44CF92C8185FABF7AAB8E340F14E092A40A66155DB302A44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0540E718 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d41cfbfdc5ab5407fec2ccfacbdbcd7904c15d9af984165ad07fff334e098b
Instruction ID: 0c95d5488fd24b4b686aee814407d8753c0cedbaa910d218354ad2d77449be6f
Opcode Fuzzy Hash: e3d41cfbfdc5ab5407fec2ccfacbdbcd7904c15d9af984165ad07fff334e098b
Instruction Fuzzy Hash: 2AE0DF6260C3448FC7155B2884647A23F79BF85A00F2608EAC8118B2E7EB3A9831CF56

Uniqueness

Uniqueness Score: -1.00%

Function 06E32CAC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca0049e81287e2ff69daa297a6352b67e3bd600fafdd0dd45c3a76bc5cc5fc6
Instruction ID: febaa4819cc7583522b21173dd0eccd4a66e43d69630cb6bf9fd145f72f482e9
Opcode Fuzzy Hash: 3ca0049e81287e2ff69daa297a6352b67e3bd600fafdd0dd45c3a76bc5cc5fc6
Instruction Fuzzy Hash: 81E04670925355CFC758DBB1C04A9987F72FF48301B202099E5439F274CB35EA82CE84

Uniqueness

Uniqueness Score: -1.00%

Function 06E3E260 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29453ec1613523f2ea8966bff8d23661c583295589e9a9edd0d2a5a82a3b059
Instruction ID: e8475dc240b45900df28c090e45b219f6530c866cb1674f76dddc16d634a9783
Opcode Fuzzy Hash: a29453ec1613523f2ea8966bff8d23661c583295589e9a9edd0d2a5a82a3b059
Instruction Fuzzy Hash: 7BD05E70C16308DFCB14DFA4E54969DBF75FB4A316F5041E9E84823341CB326A54DB85

Uniqueness

Uniqueness Score: -1.00%

Function 06E32C34 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d100a49534b3c9fb88dd7e725f9c180feb8bc6e54af88108d2b4076e8b1d734f
Instruction ID: e6dd6a9c04aec615aa9335b1ffdf9c0f547ce054bd292fcaf2e9e9d490b2f292
Opcode Fuzzy Hash: d100a49534b3c9fb88dd7e725f9c180feb8bc6e54af88108d2b4076e8b1d734f
Instruction Fuzzy Hash: 08E08C30911314CFCB54DFB1C449689BF70FF48340B1010A9E816CF268CB36AA82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06E30460 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c13ee7bab204d443b8b66e352805aa7df2d359686f4cd74d7ee71a414225193
Instruction ID: db9b78ba86c23a27f8c29d2b7d60e544b2420d2a81729e011344246176b80002
Opcode Fuzzy Hash: 0c13ee7bab204d443b8b66e352805aa7df2d359686f4cd74d7ee71a414225193
Instruction Fuzzy Hash: 90D0A7F3C152049FC750CFF8DA0D7B63F50975A317F5B14AA940893291EA31C541C705

Uniqueness

Uniqueness Score: -1.00%

Function 06E30470 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f937b0324b222689ad80ae2c899193fbe5b018e14e0c70355d5bceeeb889e5
Instruction ID: 07e2a10735e9c3863e290a349252ea085358f31784edc80b684cb46584611f4d
Opcode Fuzzy Hash: c5f937b0324b222689ad80ae2c899193fbe5b018e14e0c70355d5bceeeb889e5
Instruction Fuzzy Hash: DEC012714112189BC310DEFC9409A667FA8D70A216F044465A80883100DA729550C665

Uniqueness

Uniqueness Score: -1.00%

Function 06E30ADD Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6beb0fd5c133ed432f16cecc281a701a730020173a6cc4f9032fece26fd506
Instruction ID: b77e3c642776f41067b699ee2d3e773319c1e4f5419e71c8297a9559c13890ed
Opcode Fuzzy Hash: be6beb0fd5c133ed432f16cecc281a701a730020173a6cc4f9032fece26fd506
Instruction Fuzzy Hash: A4D0123090511D8FCB94DF64D980E8CBBBAEF48200F10E695D01997124DB705A89CF44

Uniqueness

Uniqueness Score: -1.00%

Function 06E396A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6af8ed59054b9c9ec40f64c43d9ab26042248bddecf1962be316a34df64cab
Instruction ID: 017d524cb2c78140378b829ac0a6992437a7b40664ffa39f0e3d9266b781951d
Opcode Fuzzy Hash: ff6af8ed59054b9c9ec40f64c43d9ab26042248bddecf1962be316a34df64cab
Instruction Fuzzy Hash: 8FC09BF7400307A5D5905564CDD1B4956665775704F547455E108DD280D4116664E21D

Uniqueness

Uniqueness Score: -1.00%

Function 06E3CF20 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1dc97cef1d311eceef7e2da66897dcc82ae1228e57292d9f55e0482ca8c9f2
Instruction ID: 47cfcb6d25248f7d2bd5167c383fae8afa242271c7fcc54edb5c2378bad8955c
Opcode Fuzzy Hash: 4b1dc97cef1d311eceef7e2da66897dcc82ae1228e57292d9f55e0482ca8c9f2
Instruction Fuzzy Hash: 77C02B30027B04CFD3103BA4F40D32E3FA8670C307F504012F04D128128F71B060C65A

Uniqueness

Uniqueness Score: -1.00%

Function 06E311EC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b64f6c5a25ed8df0ac53221ba6313751a25399f098d16544c5ff835e050819b
Instruction ID: 89f576168f15a242dabb657466ae90ad867fddd453b9dcb066e84a58b95e3a26
Opcode Fuzzy Hash: 9b64f6c5a25ed8df0ac53221ba6313751a25399f098d16544c5ff835e050819b
Instruction Fuzzy Hash: F7C09B3E044111DF8781E754C9C8DA9BFBAFF55300744DCD6A15449034C621D42DF716

Uniqueness

Uniqueness Score: -1.00%

Function 06E37E7C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065091586.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180f464e80e7d2f2db66078997a5a15371a2cc7951b0f101afca07227c2e6cf8
Instruction ID: d87debb60dafe392b44ec349c839754da542dc3806d7ee2e5c08ad657b1d8388
Opcode Fuzzy Hash: 180f464e80e7d2f2db66078997a5a15371a2cc7951b0f101afca07227c2e6cf8
Instruction Fuzzy Hash: C7B0127B1AA711E6D68426654EC8D6AAC15FFA2B00B80EC9A730540094D960FC78D15F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0540BE38 Relevance: 8.0, Strings: 6, Instructions: 491COMMON

Download Yara Rule

Strings

4']q, xrefs: 0540BEAE
4']q, xrefs: 0540BEDE
4|bq, xrefs: 0540C043
$]q, xrefs: 0540BF00
4|bq, xrefs: 0540C028
4']q, xrefs: 0540BE53

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4|bq$4|bq$$]q
API String ID: 0-3260684265
Opcode ID: 90f7c07852900e4b81c24f2f65e4f292197d370def3df93b6f09754beb8ec35a
Instruction ID: 092e47d9e7e6ec6a711ed022e76118ef1793914de74f14d343dac602b941b74e
Opcode Fuzzy Hash: 90f7c07852900e4b81c24f2f65e4f292197d370def3df93b6f09754beb8ec35a
Instruction Fuzzy Hash: AEF1CE31704215CFC719DF29C4D4ABEBBA7BF85600B2995BAE406CB3A1CA35DC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05408B68 Relevance: 6.7, Strings: 5, Instructions: 453COMMON

Download Yara Rule

Strings

Haq, xrefs: 05409080
(o]q, xrefs: 05409009
,aq, xrefs: 05408DA7
,aq, xrefs: 05408D97
(o]q, xrefs: 05409013

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq$Haq
API String ID: 0-2157538030
Opcode ID: 98a3f723e05924cb97f902dcbe365f4144ec1135a73bf426eb141ba0fdba21b0
Instruction ID: bc02b9f35afa5809ecd5ba7d0b10e55cf3d52519fa76763b137a464b8c41b9f0
Opcode Fuzzy Hash: 98a3f723e05924cb97f902dcbe365f4144ec1135a73bf426eb141ba0fdba21b0
Instruction Fuzzy Hash: 18026F74B04515CFC718CF69C5889AEB7B2BF84710B2591AAE806DB3B6DB35EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05404820 Relevance: 10.1, Strings: 8, Instructions: 79COMMON

Download Yara Rule

Strings

4']q, xrefs: 054048CF
4']q, xrefs: 05404843
4']q, xrefs: 05404938
4']q, xrefs: 054048F2
4']q, xrefs: 05404866
4']q, xrefs: 054048AC
4']q, xrefs: 05404889
4']q, xrefs: 05404915

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-692194742
Opcode ID: f83d662de2d92a7408e100f21458ecfaeecd0359a14ceb76fdc8aad8dc3c990b
Instruction ID: 7e6f61c2542aea71f8e2d08cf4b20cc75206358ef3bed5206afe39d009a15e67
Opcode Fuzzy Hash: f83d662de2d92a7408e100f21458ecfaeecd0359a14ceb76fdc8aad8dc3c990b
Instruction Fuzzy Hash: F9313D30A0510A8FCF0CEFA9E991ADE7BF5FF41704B1045A9D055AF265DB346A09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05404830 Relevance: 10.1, Strings: 8, Instructions: 78COMMON

Download Yara Rule

Strings

4']q, xrefs: 054048CF
4']q, xrefs: 05404843
4']q, xrefs: 05404938
4']q, xrefs: 054048F2
4']q, xrefs: 05404866
4']q, xrefs: 054048AC
4']q, xrefs: 05404889
4']q, xrefs: 05404915

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-692194742
Opcode ID: 08fb68e193ed6c595356aa2d7f154c2605b83c66bc13bafbc15d288ad30eed49
Instruction ID: 4aea012e564ad784a2e8e5e4b53394266d46b18b730ffd24077f30e1fb2976dd
Opcode Fuzzy Hash: 08fb68e193ed6c595356aa2d7f154c2605b83c66bc13bafbc15d288ad30eed49
Instruction Fuzzy Hash: 6F31AE30A0010A9FCF0CEFA9E991ADE77F5FF44A04F1045A9D0556B265DF356E098B91

Uniqueness

Uniqueness Score: -1.00%

Function 0540E100 Relevance: 9.0, Strings: 7, Instructions: 255COMMON

Download Yara Rule

Strings

$]q, xrefs: 0540E4EA
$]q, xrefs: 0540E4FA
LR]q, xrefs: 0540E3DA
LR]q, xrefs: 0540E3E8
$]q, xrefs: 0540E20F
LR]q, xrefs: 0540E4A7
LR]q, xrefs: 0540E4B5

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$LR]q$LR]q$$]q$$]q$$]q
API String ID: 0-686011864
Opcode ID: 5fc843f41da2b0ce274d535bc7a9d8926e52f4a02d8657bab949b7cbab73fb55
Instruction ID: 634ccc9eccd7bf43cde72438f1a52fcb44399b805f7121b3186b9c64bb6fbf8c
Opcode Fuzzy Hash: 5fc843f41da2b0ce274d535bc7a9d8926e52f4a02d8657bab949b7cbab73fb55
Instruction Fuzzy Hash: CAB12A70E00118CFCB14DF9CD984AEDBBB6BF48300F259966E416AB395D734E8A2CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0540E0F0 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

$]q, xrefs: 0540E4EA
LR]q, xrefs: 0540E3DA
$]q, xrefs: 0540E20F
LR]q, xrefs: 0540E4A7

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 7cf2953d5ba8812c275c1588c381d6127ede4d9e061006a2d07cf3304d8527c0
Instruction ID: eed33b1ee3a5338c1c911830fa6cc0687eaed76045370b00d42526946430bafa
Opcode Fuzzy Hash: 7cf2953d5ba8812c275c1588c381d6127ede4d9e061006a2d07cf3304d8527c0
Instruction Fuzzy Hash: 04A10B70E04118CFCB14CF9CC980AEDBBB6BF48300F259966E416AB395D734E8A2CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0540E4B7 Relevance: 5.2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

$]q, xrefs: 0540E4EA
LR]q, xrefs: 0540E3DA
$]q, xrefs: 0540E20F
LR]q, xrefs: 0540E4A7

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 5b13eff507b3d6ff89a35f6aa05f3ba6c319829f48ec49510df8f5307760a508
Instruction ID: f750e183be926009404d93522d90f43cecef7ce7d3fcb5e0f0daf0ac843536a1
Opcode Fuzzy Hash: 5b13eff507b3d6ff89a35f6aa05f3ba6c319829f48ec49510df8f5307760a508
Instruction Fuzzy Hash: 5B910A70E00118CFCB14CF98D980AEDBBB6FF48310F259966E416AB395D734E8A2CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0540E328 Relevance: 5.2, Strings: 4, Instructions: 203COMMON

Download Yara Rule

Strings

$]q, xrefs: 0540E4EA
LR]q, xrefs: 0540E3DA
$]q, xrefs: 0540E20F
LR]q, xrefs: 0540E4A7

Memory Dump Source

Source File: 00000009.00000002.2064036410.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5400000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: b684a6a799b193e35b57803bd587915af55e01fcb60cbe3b187a07c95684dfd6
Instruction ID: e6d3dc7f62bce03492163a104c0ee0487e0fbcd5598be187ff1c8497a5d896d6
Opcode Fuzzy Hash: b684a6a799b193e35b57803bd587915af55e01fcb60cbe3b187a07c95684dfd6
Instruction Fuzzy Hash: 3A91FA70E04118CFCB14CF98C684AEDBBB6BF48310F259966E416AB395D734E8A2CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: yHoBWWkdpyxFI.exePID: 5016, Parent PID: 2764COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	7

Executed Functions

Function 02E3C5CB Relevance: 2.7, Instructions: 2724COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadbb7d833c6d5a5f2805b1a41858d20f630b0dbbe8954ea51b3dbfc97c1e7b8
Instruction ID: e66e75a23c70745bf980402ab122ae1fb5857bad357dd54201bc0160752661f0
Opcode Fuzzy Hash: eadbb7d833c6d5a5f2805b1a41858d20f630b0dbbe8954ea51b3dbfc97c1e7b8
Instruction Fuzzy Hash: FC53D831C10B1A8ACB51EF68C8946A9F7B1FF99300F11D79AE45877121FB70AAD5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E3DBD8 Relevance: 2.3, Instructions: 2311COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a595a2bafa2a22810bb648c6beba3215cd6448f9c0d3b35cdeba768d6eac4e
Instruction ID: 201d11a20ac17d81fc83ae85e796e7cfb0d772102e679b9243b701424288bc98
Opcode Fuzzy Hash: 72a595a2bafa2a22810bb648c6beba3215cd6448f9c0d3b35cdeba768d6eac4e
Instruction Fuzzy Hash: EC333E31D107198ECB11EF68C8946ADF7B1FF99300F15D79AE458A7221EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E3C5CF Relevance: 1.1, Instructions: 1094COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2571d1a0453c933fb9fe1a4d2e4424eb41962976537ee1379608cf768e5240
Instruction ID: 373834965a9490d4e67a5de7c613c46c5c47e01ea8cf5cac6d7e4fde440a6dce
Opcode Fuzzy Hash: 5d2571d1a0453c933fb9fe1a4d2e4424eb41962976537ee1379608cf768e5240
Instruction Fuzzy Hash: 7FC2C631C10B1A8ACB51EF68C8546A9F7B1FF99300F11D79AE4587B121FB70AAD5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E341C8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddc7476bab98da8d97b43c77c1b2141b09f0306e7c9660febf22f468cbab9e2
Instruction ID: 115b32c05751411b40658eb5ac684d859d0e642cfbeab920598fac7fe5813435
Opcode Fuzzy Hash: 1ddc7476bab98da8d97b43c77c1b2141b09f0306e7c9660febf22f468cbab9e2
Instruction Fuzzy Hash: C7B15D71E40209DFDF11CFA9D8897ADBBF2BF88319F14D129E419A7294EB349845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E34A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d29ba0eebd10ae219cbade4f7a434aacf20f8ee888c43e3408ff98cc2b742c6
Instruction ID: 98cd9f761f06542307e861b30b01b244721746fa0e702d492778b0aa9e18154e
Opcode Fuzzy Hash: 7d29ba0eebd10ae219cbade4f7a434aacf20f8ee888c43e3408ff98cc2b742c6
Instruction Fuzzy Hash: B5B17E70E402098FDF11CFA9C8997EDBBF2AF88319F14D529D415E7294EB349885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E33E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749ed0b1b19cd9d2fe0df716928d6a8e0ffbd663a8a0071b59350f19dd944c4a
Instruction ID: 2eac8e12f5ac9bcfd06d164f776219308b50f0c74f8db897b89116b7c7ff284c
Opcode Fuzzy Hash: 749ed0b1b19cd9d2fe0df716928d6a8e0ffbd663a8a0071b59350f19dd944c4a
Instruction Fuzzy Hash: D9915970E406098FDF11CFA9C9897DEBBF2AF88309F14D129E415A7294EB349846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069FE938 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3249381408.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_69f0000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a58d3474e655db23efe1992105bc027e1e1765d70dc08535bd8fe13644a05b
Instruction ID: c82ef411b7d12c13ed14ad38ff60b2d104adaedf035a545a7a7b4982613856a4
Opcode Fuzzy Hash: 46a58d3474e655db23efe1992105bc027e1e1765d70dc08535bd8fe13644a05b
Instruction Fuzzy Hash: A3413331D143998FCB04DFB9D8006AEBFF5AF89210F15856BD504A7651DB389885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06B4D804 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B4D922

Memory Dump Source

Source File: 0000000D.00000002.3250611684.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b40000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ab91213ba3dc3064b6d33fabf9763ea687852826f65b5da17825982432cea6c7
Instruction ID: 889479903bda67cfe067c6e5bca3197995db6bf4c9ee1646f1aaebecf562ba83
Opcode Fuzzy Hash: ab91213ba3dc3064b6d33fabf9763ea687852826f65b5da17825982432cea6c7
Instruction Fuzzy Hash: FA51CFB1D003499FDB14DF99C884ADEBFB5FF48310F24856AE819AB210D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06B4D810 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B4D922

Memory Dump Source

Source File: 0000000D.00000002.3250611684.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b40000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a20fdf922fa10286aa635ae6c7e4d012785b8fa5a27eceb17b1a7a6d64f9af63
Instruction ID: 6a03f8c8c9abd837243649bb1ab973c2ab3cb37adb278cf0dda5953ad8484e09
Opcode Fuzzy Hash: a20fdf922fa10286aa635ae6c7e4d012785b8fa5a27eceb17b1a7a6d64f9af63
Instruction Fuzzy Hash: 4041AFB1D103099FDB14DF9AC884ADEBBB5FF48310F24856AE819AB210D775A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06B4CD6C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06B4FE91

Memory Dump Source

Source File: 0000000D.00000002.3250611684.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b40000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 016dbaf7a5cc4715fa3c9012ffb387324130846e6d0740e956db1ced9fe7e032
Instruction ID: dc1e9f904390d5aebc223831b9cef140482dd6cf5e062426e44f7c919122c5cd
Opcode Fuzzy Hash: 016dbaf7a5cc4715fa3c9012ffb387324130846e6d0740e956db1ced9fe7e032
Instruction Fuzzy Hash: 19414DB5950309CFDB54DF99C488AAABBF9FF88314F24C499D519A7321D334A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 069FE528 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,069FE98A), ref: 069FEA77

Memory Dump Source

Source File: 0000000D.00000002.3249381408.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_69f0000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3d57f197418795df60d7351df507604041d63c3dd39ad13eb5100fd9a9d0124d
Instruction ID: 3d19a1394de15d73b7f4bcc659a599f8a656a732c17746cfc37c89f21b974aa4
Opcode Fuzzy Hash: 3d57f197418795df60d7351df507604041d63c3dd39ad13eb5100fd9a9d0124d
Instruction Fuzzy Hash: 861133B1C006599BCB10DF9AC444B9EFBF4FF08320F11852AE918A7250D378A954CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 069FEA08 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,069FE98A), ref: 069FEA77

Memory Dump Source

Source File: 0000000D.00000002.3249381408.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_69f0000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 74ca36a4642071c87ea38a31cedae86dbce973180acf896996a0a929e67d8bc2
Instruction ID: b9c09cb9fe27b83ace8f37f15a795fcaf3cf67c5d0d3a255e7e187c5813e05cf
Opcode Fuzzy Hash: 74ca36a4642071c87ea38a31cedae86dbce973180acf896996a0a929e67d8bc2
Instruction Fuzzy Hash: 241112B1C0065A9BCB10CF9AC544BDEFBF4BF08320F15852AD528B7250D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E37D88 Relevance: 1.4, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 02E37E1C

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: efb8f5f61fc33a86651c4a0b5138c762df7ccf0fbae9b33bdea2d9e83fbdb8d6
Instruction ID: ed10ccddb1822914c3ce90793083bba203d105c54a6a15959d5146d95130ea56
Opcode Fuzzy Hash: efb8f5f61fc33a86651c4a0b5138c762df7ccf0fbae9b33bdea2d9e83fbdb8d6
Instruction Fuzzy Hash: ED314170E502099FEB15DFA5C4497AEB7F1EF46605F209429E805EB250EB749C42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02E37D98 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02E37E1C

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: e3ead8cf63ed927d924cfa88a475b8eee1b2aa1e301ed08111520d6e67ea059b
Instruction ID: 3ef31061d5dcbe66fed217cfe85dfa458e020cf431ca7dee4bd70f5dc43e7846
Opcode Fuzzy Hash: e3ead8cf63ed927d924cfa88a475b8eee1b2aa1e301ed08111520d6e67ea059b
Instruction Fuzzy Hash: BC316E70E50219DBDB15CFA9C4497AEF7B1FF86305F108529E806EB240EB70AC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02E30838 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Ko, xrefs: 02E30898

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: d76204f509d8c4175c294e9dfd4a23d639b7ff2b0326919fee32220ae095edea
Instruction ID: c6114a38857328541d3ceac1f4ac3ec033f4b8265b15b0094e6766028d511896
Opcode Fuzzy Hash: d76204f509d8c4175c294e9dfd4a23d639b7ff2b0326919fee32220ae095edea
Instruction Fuzzy Hash: 5D11CE30A843148BEF265AB9D44876E76A5EF8221EF14D979D002CB281DB79D886CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02E30848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Ko, xrefs: 02E30898

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 2253bd18aae59b1e27865070d95a7365b76bb4b7819e4e379455757784791962
Instruction ID: dfba58ac3ca87399ea923133023646007cf20bb6aa9643ee07a9f91bc502a406
Opcode Fuzzy Hash: 2253bd18aae59b1e27865070d95a7365b76bb4b7819e4e379455757784791962
Instruction Fuzzy Hash: BB11E030B802048BDF6A9A7AD44C76E7299EF8131AF10D939D006CF294DB74DC86CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02E386D8 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83c81b1f7358ed349d695f852b5bb9dc7e1d92e8a5cbed6b1e6e6baa57a1588
Instruction ID: 2472408ce0e2b553f29d1fd9584d4f0d0c52cc7d4a4f863f56041162ffc3aec2
Opcode Fuzzy Hash: a83c81b1f7358ed349d695f852b5bb9dc7e1d92e8a5cbed6b1e6e6baa57a1588
Instruction Fuzzy Hash: F822A0707102128FDB2AAB3CE49AA2C77A6FB85309B548939E416CB354CF35EC47D791

Uniqueness

Uniqueness Score: -1.00%

Function 02E38728 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff9813891d39e4161ac594785e2ee97d8973cb4da046fff8a5d41d92d159306
Instruction ID: c6e46ddafc9a8dcb94ba3e65ea95bd776cde52f22d231b891f4f71e0484d1d80
Opcode Fuzzy Hash: 3ff9813891d39e4161ac594785e2ee97d8973cb4da046fff8a5d41d92d159306
Instruction Fuzzy Hash: 70128F707102168BDF2AAB3CE48A62C76A7FB85309B648939E416CB354CF35EC47D791

Uniqueness

Uniqueness Score: -1.00%

Function 02E38738 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d35bed83675f4fdd7571ae2df55856df94732c68996e78f27d0c8dab19106e7
Instruction ID: 948e17c87e7f71f4ede4c070ab9c2e2d4053ff2c9be81a75f4757e6e91f5cab4
Opcode Fuzzy Hash: 8d35bed83675f4fdd7571ae2df55856df94732c68996e78f27d0c8dab19106e7
Instruction Fuzzy Hash: B5128F707102168BDF29AB3CE48AA2C76A7FB85309B648939E416CB354CF35EC47D791

Uniqueness

Uniqueness Score: -1.00%

Function 02E341BC Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24005fa05fefa5532142f54a4b20bb596e45ede8caee0ae1de01f9eb4d6d7e9
Instruction ID: 87887d20f217b9441ac101962fa860e8b51437d1d32d0f6c8a3f97af8ab9003b
Opcode Fuzzy Hash: a24005fa05fefa5532142f54a4b20bb596e45ede8caee0ae1de01f9eb4d6d7e9
Instruction Fuzzy Hash: 76B15D71E40209DFDF11CFA9D88979DBBF1BF88319F14D129E819A7294EB349845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E34A8C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f9a8b6e6ac6c2de46ec3e8ea56fc104ba69fabe4ee3c70d566c87a31ba3bdb
Instruction ID: fec96d388c2cb6918610256363e5d129a5d88002d2870012f4364a597416f9bc
Opcode Fuzzy Hash: c5f9a8b6e6ac6c2de46ec3e8ea56fc104ba69fabe4ee3c70d566c87a31ba3bdb
Instruction Fuzzy Hash: F7B17B70E40209CFDB11CFA8C8997DDBBF1AF89319F14D129E819A7294EB349885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E3A252 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d214c7c420d30e43f33f32c633bdeb3104687136223d72f6636d50dcc66cc419
Instruction ID: 83c01da283600174aefc5ad999bf7aa0f096a3abaa7381d9f24e8db6972203d2
Opcode Fuzzy Hash: d214c7c420d30e43f33f32c633bdeb3104687136223d72f6636d50dcc66cc419
Instruction Fuzzy Hash: D6A16E34B002049FCB15DF68D599AADBBB2FF89315F248465E80AEB364DB35DD82CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02E33E74 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2051c3c2ec4aee1adc63f4cb436309a295af6fb23b10890a28f909361fa383
Instruction ID: dc786578b014a1899932d002a18397877509e4ff7f50c391632a01c261cc35ba
Opcode Fuzzy Hash: 8e2051c3c2ec4aee1adc63f4cb436309a295af6fb23b10890a28f909361fa383
Instruction Fuzzy Hash: 3EA16B70E406099FDB11CFA9C9897DEBBF2AF88309F149129E415A7294EB349846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E3A6B8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6860af0d7d2293768315cc1a1f6d072f642a2ea9bbc24a89bbca682cf003bb1a
Instruction ID: 2d78f2668f182c0568aa3148a05c83fcf7ff3bc81a1d4994376706e0f87cd133
Opcode Fuzzy Hash: 6860af0d7d2293768315cc1a1f6d072f642a2ea9bbc24a89bbca682cf003bb1a
Instruction Fuzzy Hash: 67818B71A002058FDB14CF69E888B9DBBB6FF88315F14C16AE909AB395DB70D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E3A500 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8d12042277b19892e94454a7325df5204960c33e1513b2708f16ea757ed327
Instruction ID: 3b103944a36687589d8208fa6db60b193dfcea0d78f0c1c040c238775fe65a7a
Opcode Fuzzy Hash: 3c8d12042277b19892e94454a7325df5204960c33e1513b2708f16ea757ed327
Instruction Fuzzy Hash: 7B41E531B4020A9FDF26DA68D49476E7766FB85319F20883AD459DB380D735DC86CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02E36CDF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cad9cea5551990b66c0ee60e4f3ababe7f50a38ba056672d4bf7642fb52f91
Instruction ID: eed24517674eb6eb93010f0459ee4ac99004edfe9bf36b50267e07d2c2b9c9cf
Opcode Fuzzy Hash: b4cad9cea5551990b66c0ee60e4f3ababe7f50a38ba056672d4bf7642fb52f91
Instruction Fuzzy Hash: F4515670D002189FDB15DFAAC888BADBBF5BF49308F548029E819BB350C774A844CF99

Uniqueness

Uniqueness Score: -1.00%

Function 02E36CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b9e75521eb930f228927c92e47ea106b88b8223e90a9f9d3ed42199a006db6
Instruction ID: 93a20e4fe7593e047aa5cbbd1f872088372cf520ea2218d68c39d17be3a5f221
Opcode Fuzzy Hash: 79b9e75521eb930f228927c92e47ea106b88b8223e90a9f9d3ed42199a006db6
Instruction Fuzzy Hash: E3513570D002189FDB15DFAAC888B9DBBF5BF49309F149429E819BB390D774A844CF99

Uniqueness

Uniqueness Score: -1.00%

Function 02E36F6B Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286861ec3fb28778ad81348b7d898a2d2d0cd14250c151b4f71a417ba6f82882
Instruction ID: 2430223285855c172be0662fd17db3f574aff3591ba5b32aca6862e2256c6b32
Opcode Fuzzy Hash: 286861ec3fb28778ad81348b7d898a2d2d0cd14250c151b4f71a417ba6f82882
Instruction Fuzzy Hash: FB415774690214CFDB15EB69C498AADBBF6AF48705F209468E402EB3A5CB75AC00CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02E3112A Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ed1b1b9cf124797c39ae5aff626ee61f943b030792d52c7ce1ca11d691390e
Instruction ID: c55d3b2478b3ddd71ea9b63c8e0015bed6b362bc8738a0c120ef6668295f5e44
Opcode Fuzzy Hash: 34ed1b1b9cf124797c39ae5aff626ee61f943b030792d52c7ce1ca11d691390e
Instruction Fuzzy Hash: 2E511B306129628FCB0AEF2EF9C09543F75FB5B3043049B69D1456B62EEB60794EDB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E31138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4feb88e90efc755014882b46f73734a45c1309b2f3e280db5a77059c9af95aa0
Instruction ID: 4e80e9b81b8444606b7e3018d4088cd42e88cbbc14b4cf0ee424bf77e44e64f0
Opcode Fuzzy Hash: 4feb88e90efc755014882b46f73734a45c1309b2f3e280db5a77059c9af95aa0
Instruction Fuzzy Hash: 7651EA306129628FCB0AFF2EF9C09553F65FB5B3043049B68D1056B62EEB60794DDB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E326DC Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0da59ab79b242fac5d8bdc89a33c4d370069560085a6b43d68005cffc533ec6
Instruction ID: a609515ae5c2964354ab385e4ff38d461df5d4635ffada60ccbfffe8e3a021a5
Opcode Fuzzy Hash: e0da59ab79b242fac5d8bdc89a33c4d370069560085a6b43d68005cffc533ec6
Instruction Fuzzy Hash: 2441EFB0D00249DFDB10CFA9C484AEEBFB5FF48304F148429E809AB254DB75A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E326E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a66388f496d9ce0e4ad75cde40baa16bcc842b631f2129cf979a8c945b080f
Instruction ID: 807ac6e944e690caeaeb12b53828ff1a7c1fb3433f6ec0b9b5900304000de440
Opcode Fuzzy Hash: 95a66388f496d9ce0e4ad75cde40baa16bcc842b631f2129cf979a8c945b080f
Instruction Fuzzy Hash: 0E41ECB0D00349DFDB14DFA9C584ADEBFB5FF48314F24842AE809AB254DB75A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E350A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20312343724d98d7d22c4eb709da74b4e5d8c30d5956a01e50f2bf05a2302c0f
Instruction ID: 932f67bcca7f27e6c3dbfb118461f8975b38454b3a768385c858fe6645d84e07
Opcode Fuzzy Hash: 20312343724d98d7d22c4eb709da74b4e5d8c30d5956a01e50f2bf05a2302c0f
Instruction Fuzzy Hash: 14317C30A40615CFDB1AEB34C9586AD77F6AF4D30AF50456CD505AB3A4DF36AC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E35099 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c284631679cc522e432f4181d69467f095333f9c434897e55f94ad657fb4365
Instruction ID: 9cf1849a1aba96076330383e7a0424c63b4955ea8e397727d5b57a7a66d331aa
Opcode Fuzzy Hash: 2c284631679cc522e432f4181d69467f095333f9c434897e55f94ad657fb4365
Instruction Fuzzy Hash: BF318E30B40A11CFDB16EB34C5586AD77F2AF4D34AF5045ACD905AB3A5DB36AC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E3A070 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d66bc4f8f3ece7c964729293a4c434dc50c855dde6e7c0427da2640fdf0456
Instruction ID: 4539d43f74f4229b7783e4760de5af89831bd33614301e056dcb6176c2572f0f
Opcode Fuzzy Hash: f6d66bc4f8f3ece7c964729293a4c434dc50c855dde6e7c0427da2640fdf0456
Instruction Fuzzy Hash: 1731E671E0021A9BDF05CF65D895A9EF7B2FF89304F10C62AE845EB340DB719886CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02E3A080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8073b63f3a53a977f1e4483ebdb8f38c653f1ff23f44cb96f09696f4c9db495
Instruction ID: 4665ebb1fa7824d7231099f1cb5f589e446fbffebf9f508b62e523e87a121822
Opcode Fuzzy Hash: c8073b63f3a53a977f1e4483ebdb8f38c653f1ff23f44cb96f09696f4c9db495
Instruction Fuzzy Hash: 0F21A871E002099BDF05CF69D85569EF7B2FF89304F10C629E845EB350DB719882CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E316A0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011c2f10ddedf45b205ecc31665a98a7230e7607ef84b07007a86c0d3f6b7a61
Instruction ID: 2b21fc2fd6b9bedc6c5049669722ef4c20f3a7382979ce9daf0c909bb9cb0eca
Opcode Fuzzy Hash: 011c2f10ddedf45b205ecc31665a98a7230e7607ef84b07007a86c0d3f6b7a61
Instruction Fuzzy Hash: 562108345801114FDF27EB39F88CB5A3B65EB46309F049A79D40ECB25AE738E846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E31380 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1957792fe6f78f5963ab0533db8bcd1c18344199af0b8c85d79f2a4ca8cc5157
Instruction ID: aeff99b2c652455f5761aa7a36c40b8ccb6b01f3325e60d8632e73d80cddec7f
Opcode Fuzzy Hash: 1957792fe6f78f5963ab0533db8bcd1c18344199af0b8c85d79f2a4ca8cc5157
Instruction Fuzzy Hash: 8921D230AC02018BDF366679F08D32E36A5E74236AF55582DE00ECF681DB29C8D4C792

Uniqueness

Uniqueness Score: -1.00%

Function 02E34F88 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0280c7cfc38c92f9825c957e58aa67a897da37fe9d811d3cbc7d9cbe86cb924
Instruction ID: 4f56d6db5bb9e36e52e26bd9db26eca5776117821f2f42a04d05616c76607eb1
Opcode Fuzzy Hash: e0280c7cfc38c92f9825c957e58aa67a897da37fe9d811d3cbc7d9cbe86cb924
Instruction Fuzzy Hash: 5B212734A40204CFDB15EF79C558BAD7BF2AF8D246B1184A8E506EB3A4DB369D01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E39F70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3786fc7e6ef4ad68fa3ef4fb28ee3b125ccd77a85d5cf029cf137de50c312168
Instruction ID: a0f529e7839cc0c19091bd5a09bcc29025c60b5a27a5bbfa6976352b37fb1920
Opcode Fuzzy Hash: 3786fc7e6ef4ad68fa3ef4fb28ee3b125ccd77a85d5cf029cf137de50c312168
Instruction Fuzzy Hash: 6321A130E402058FDB19CFA5C454AAEB7B2AF89304F20C52AE816EB390DB709846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3233030237.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_11bd000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84194d595258c9919a74db0beb2ca77c7a46d1b5ce7ec5574aa56fe2faff0ca0
Instruction ID: 834fc06c3e7395b7105b50ad5efd394092cc99ebfd1f4fc987db9cc47b6300bc
Opcode Fuzzy Hash: 84194d595258c9919a74db0beb2ca77c7a46d1b5ce7ec5574aa56fe2faff0ca0
Instruction Fuzzy Hash: 532122715042049FCF1DDF68E9C0B26BB65FB84318F20C5ADE9490B252C73AD446CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02E31888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0355723889b4fb8f1c244a0a032edd7254cfa54214db65e8b6962466b17641
Instruction ID: 1e3376332048a8fa0256544b79c0f2262ac3479515aacac2711d074ba259a2e3
Opcode Fuzzy Hash: 1c0355723889b4fb8f1c244a0a032edd7254cfa54214db65e8b6962466b17641
Instruction Fuzzy Hash: 71213630B80255CFDB15EB68C5187AE77F6AB4934AF10446CD10AEF2A4EB369D00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E39F80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d481db05ac5662afa75967772bf61bc42355d3ed541359ea0a07636a6ead5aa
Instruction ID: ce6aab22212260eaec163fb76b8217e368174f77fd117147deb670b153cc931e
Opcode Fuzzy Hash: 7d481db05ac5662afa75967772bf61bc42355d3ed541359ea0a07636a6ead5aa
Instruction Fuzzy Hash: 99215331E002159BDF19CFA5C454AEEF7B2AF89304F10C52AE816F7390DBB49946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02E316B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b43fcd114a3b960917bee1c47f478f45c421766dae7993fce71066b1843acf4
Instruction ID: 39d46974e2017ae6825f32bdbf58fa489d11d6d409b3b3e2a9d2fafd3e6cb11f
Opcode Fuzzy Hash: 5b43fcd114a3b960917bee1c47f478f45c421766dae7993fce71066b1843acf4
Instruction Fuzzy Hash: 292166346805114FDF16EB69F88CB5A3759EB45309F149B39D00ECB259EB34E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E31879 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccd67e3ff971f3ea5d541549d56029afd9973f1a9b1b513b063d15bc70cc8d1
Instruction ID: ec020230819335a6d7643c436a0d80c7f3313c05b08c7340926068749517d484
Opcode Fuzzy Hash: bccd67e3ff971f3ea5d541549d56029afd9973f1a9b1b513b063d15bc70cc8d1
Instruction Fuzzy Hash: ED214830B80255CFEB15EB64C5587AD77F6AB4934AF20846CD10AFB2A0DB369D04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02E34F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079e60faf1f514bba03f24eee78d194e7aaa73e036202f59d132b33448223913
Instruction ID: 11e897ad50cd686c37a8427e937234c5b8e54002bce3408647354d37e889b235
Opcode Fuzzy Hash: 079e60faf1f514bba03f24eee78d194e7aaa73e036202f59d132b33448223913
Instruction Fuzzy Hash: 57211634A40205CFDB18EB79C558BAD7BF2AB8D245F114468E506EB3A4DB32AD40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E3A4F2 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a47f81b54759f94fcbd3b3e0043b03305c74c30fe376bec3ff611e56849e06
Instruction ID: 2c815a81594b0d7a87bce70ca1bc61ef6e7ce8a9d87adbdda06a1cb54f90e351
Opcode Fuzzy Hash: 47a47f81b54759f94fcbd3b3e0043b03305c74c30fe376bec3ff611e56849e06
Instruction Fuzzy Hash: 6A11BE32B0421A9FCB15DEB8D8843AEB766FB86214F118479C419DB381D734E889C782

Uniqueness

Uniqueness Score: -1.00%

Function 02E317C3 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5facb14e376b7aafc11efb02559e712e6cd3b37025fea9c96df6b210d456a086
Instruction ID: aa5684a2102624c2d173ce84338f28e346afd4e2572f0ca99c12bbdacfd418ec
Opcode Fuzzy Hash: 5facb14e376b7aafc11efb02559e712e6cd3b37025fea9c96df6b210d456a086
Instruction Fuzzy Hash: 08115C36F802118FCF11ABB6A84C26F3BE5EB49265F14882AD50DD7341E735C842CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02E3148B Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a0d0227e60f05656aec4d0cf0667dbc7b47df4165d90204c51d0fcefba5037
Instruction ID: 09cfb0fb2dbba974780d5c1a30b3a956cd7134ff086296693c2ad59ab83565ec
Opcode Fuzzy Hash: 68a0d0227e60f05656aec4d0cf0667dbc7b47df4165d90204c51d0fcefba5037
Instruction Fuzzy Hash: B0110A31A412549FCF23EFB994442AD7BF6EF48226B14A0BDE409EB201D732D842CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E31498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138bb191d1b840381f690a9d1ebe082528cca865cb0ade874d7c40fae931fb54
Instruction ID: dca6f22424ab051902093f91ff1d3c0a15475825a52747cfd014ae25f3fe8aae
Opcode Fuzzy Hash: 138bb191d1b840381f690a9d1ebe082528cca865cb0ade874d7c40fae931fb54
Instruction Fuzzy Hash: 22018431A412149FCF22EFB9845829D7BF6EF48226B14A47DE80AEB300E735D841CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011BD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3233030237.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_11bd000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 00518cd18b10f5368d0fe20b33f1707e5d4c0042978c43efbd34a91ccf9fd509
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 6511DD75504284CFDB1ACF64D9C4B15BFA2FB84318F24C6A9D8494B256C33AD44ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 02E3A6AA Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5e7d9bb6f2ac5b2121b59df6d57cd08e9c2609d4a7df688fa549baff1e2d26
Instruction ID: 0a0cc8ec699e226cebb75c4176e5581c1f24676adf4dbbbe10844bae879b885c
Opcode Fuzzy Hash: 3c5e7d9bb6f2ac5b2121b59df6d57cd08e9c2609d4a7df688fa549baff1e2d26
Instruction Fuzzy Hash: 9C11E530A002008FCB05DFB4E98468ABBB6FF85315F54C175C8485F2AAD774D94ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E38F10 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4421f6145aaeb011cd4f6226796443c4755417f5c11a46aa7b0b224f8327ba32
Instruction ID: 806e29a7662f5c43a27b4db54bc6f099e37fa83f6eebdfd69da9f6addf66f943
Opcode Fuzzy Hash: 4421f6145aaeb011cd4f6226796443c4755417f5c11a46aa7b0b224f8327ba32
Instruction Fuzzy Hash: DA012C34904259DFCF06EBB8F991A9C7FB5EF41304B1042BAC0089B269DB356E0ECB52

Uniqueness

Uniqueness Score: -1.00%

Function 02E31524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f98d6c6cf8cbc6a28045c04f4981eb6fcdac6b4ad576cb92317348c867a0944
Instruction ID: 2f64d952cae32886240469f33a98fe9de844fbbb10ca000443d38303dd2e92b1
Opcode Fuzzy Hash: 0f98d6c6cf8cbc6a28045c04f4981eb6fcdac6b4ad576cb92317348c867a0944
Instruction Fuzzy Hash: 0CF02B33A84150DFCB238BA884991AC7B61EE98227718A0EFD80ADF211D735D402CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02E37EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5720cbf3b9dcc3585535432f3d63df8d347b289756d3f6c75a347e475cc02ae
Instruction ID: b79dc4cdbd8e36d19e99ba3b0e19766f1a6064e4f64dc8f296499cfaf02bab42
Opcode Fuzzy Hash: f5720cbf3b9dcc3585535432f3d63df8d347b289756d3f6c75a347e475cc02ae
Instruction Fuzzy Hash: C8F03735B40114CFCB14DB65D598B6D77B2EF88316F5044A8E5069B3A0CB30AD46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02E38F20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025910ad81ee05205ed8f7d222e3741ed2c11d0bc4d740be0c70bced7fabc94b
Instruction ID: e6db00ed61cb4c3291217ede75e0e452b20769a43b6bdb9c39a8c9518de6cf03
Opcode Fuzzy Hash: 025910ad81ee05205ed8f7d222e3741ed2c11d0bc4d740be0c70bced7fabc94b
Instruction Fuzzy Hash: E7F0EC34950219DFCF09FFB9F985A9D7BB9EF40304F505679C0099B268EB316E098B91

Uniqueness

Uniqueness Score: -1.00%

Function 02E36C03 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3234637545.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_yHoBWWkdpyxFI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed7e1768fdfbb94c78eca417f161a37f37c8e3b3478415246df87029d28795d
Instruction ID: 96c2e6642adc7630bc29bdadd79102ddb913aeacdc23b5c7ba195410fab7bc68
Opcode Fuzzy Hash: fed7e1768fdfbb94c78eca417f161a37f37c8e3b3478415246df87029d28795d
Instruction Fuzzy Hash: ADD05E327045108F8204AB2CD08445DB7E6AFC9611322816AD159C7760DA21AC018784

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06B42E03 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 06B42E86
GetCurrentThread.KERNEL32 ref: 06B42EC3
GetCurrentProcess.KERNEL32 ref: 06B42F00
GetCurrentThreadId.KERNEL32 ref: 06B42F59

Memory Dump Source

Source File: 0000000D.00000002.3250611684.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b40000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 642414917dc0e1b903b4aafdff724fa6d830dae0e3108c50a08d3822ebee66c8
Instruction ID: 7268912a49cd207000a0b8ad6d0d628f7bc85979b979f139072ae03328db93b5
Opcode Fuzzy Hash: 642414917dc0e1b903b4aafdff724fa6d830dae0e3108c50a08d3822ebee66c8
Instruction Fuzzy Hash: 485146B0D01309CFDB58DFAAD588BAEBBF1FF48304F208459E119A7260D7749984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 06B42E08 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 06B42E86
GetCurrentThread.KERNEL32 ref: 06B42EC3
GetCurrentProcess.KERNEL32 ref: 06B42F00
GetCurrentThreadId.KERNEL32 ref: 06B42F59

Memory Dump Source

Source File: 0000000D.00000002.3250611684.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b40000_yHoBWWkdpyxFI.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8725a274e842ff3b131fd9132d2315f5deda99e6da41be313c4dee25c9a11ef0
Instruction ID: 5d457b7854f581a16ad23341263f99e85460c689166f27582c29f9ec6068f39a
Opcode Fuzzy Hash: 8725a274e842ff3b131fd9132d2315f5deda99e6da41be313c4dee25c9a11ef0
Instruction Fuzzy Hash: A65145B09003098FDB54DFAAD548BAEBBF5EF48314F208459E119A7260D7749984CB65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO No. 2430800015.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO No. 2430800015.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yHoBWWkdpyxFI.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1nsl5gzm.ezb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfjnjfoc.ai5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_klxnq02u.dkd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrnlb3zv.nnh.psm1

C:\Users\user\AppData\Local\Temp\tmp5967.tmp

C:\Users\user\AppData\Local\Temp\tmp69E2.tmp

C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe

C:\Users\user\AppData\Roaming\yHoBWWkdpyxFI.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
PO No. 2430800015.exe

Function 07F013B1 Relevance: 4.0, Strings: 3, Instructions: 202
COMMON

Function 07F013C0 Relevance: 4.0, Strings: 3, Instructions: 201
COMMON

Function 07F03471 Relevance: 1.6, Strings: 1, Instructions: 395
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre