Play interactive tour

Edit tour

Windows Analysis Report V5Al4cc8RL

Overview

General Information

Sample Name:	V5Al4cc8RL (renamed file extension from none to exe)
Analysis ID:	552874
MD5:	5b8c247358c809a35edfc69ce74ea5c7
SHA1:	663b2a00733f4ab4af9e73c948a14aacaa3d4c6e
SHA256:	23c7ee11b32f31b5b6bb9c94af7250d3c8edaccb70ab9472d15a3a9ae2ee3b8d
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

V5Al4cc8RL.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\V5Al4cc8RL.exe" MD5: 5B8C247358C809A35EDFC69CE74EA5C7)

V5Al4cc8RL.exe (PID: 6512 cmdline: C:\Users\user\Desktop\V5Al4cc8RL.exe MD5: 5B8C247358C809A35EDFC69CE74EA5C7)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000000.255852649.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.255852649.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.255239710.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.255239710.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.254686523.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.254686523.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: V5Al4cc8RL.exe PID: 6220	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: V5Al4cc8RL.exe PID: 6220	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: V5Al4cc8RL.exe PID: 6512	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: V5Al4cc8RL.exe PID: 6512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.V5Al4cc8RL.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.V5Al4cc8RL.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.V5Al4cc8RL.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.V5Al4cc8RL.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.2b51724.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.0.V5Al4cc8RL.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.V5Al4cc8RL.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.2afb594.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.0.V5Al4cc8RL.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.V5Al4cc8RL.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.3af50f0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.3af50f0.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.V5Al4cc8RL.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.V5Al4cc8RL.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.3b2b110.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.3b2b110.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.V5Al4cc8RL.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.V5Al4cc8RL.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.3b2b110.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.3b2b110.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.3af50f0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.V5Al4cc8RL.exe.3af50f0.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.0.V5Al4cc8RL.exe.400000.12.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: V5Al4cc8RL.exe	Virustotal: Detection: 33%			Perma Link
Source: V5Al4cc8RL.exe	ReversingLabs: Detection: 41%

Machine Learning detection for sample

Show sources

Source: V5Al4cc8RL.exe

Joe Sandbox ML: detected

Source: 4.0.V5Al4cc8RL.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.V5Al4cc8RL.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.2.V5Al4cc8RL.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.V5Al4cc8RL.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.V5Al4cc8RL.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.V5Al4cc8RL.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8

Source: V5Al4cc8RL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: V5Al4cc8RL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Joe Sandbox View

IP Address: 77.88.21.158 77.88.21.158

Source: global traffic

TCP traffic: 192.168.2.5:49836 -> 77.88.21.158:587

Source: global traffic

TCP traffic: 192.168.2.5:49836 -> 77.88.21.158:587

Source: V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	String found in binary or memory: http://QBAAYx.com
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: V5Al4cc8RL.exe, 00000000.00000003.235602973.0000000005AD6000.00000004.00000001.sdmp	String found in binary or memory: http://en.wPTf
Source: V5Al4cc8RL.exe, 00000000.00000003.235089237.0000000005AF2000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikipedia
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://repository.certum.pl/ca4
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: V5Al4cc8RL.exe, 00000004.00000002.507040750.0000000002DAE000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.yandex.com
Source: V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://subca.ocs-
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://subca.ocsp-certum.com0.
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238151607.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238082880.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmljC1
Source: V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlu-hu-d
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlJ
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.243646078.0000000005ADC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF9D
Source: V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsd
Source: V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.261731654.0000000005AD0000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comasno
Source: V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomF
Source: V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd6D
Source: V5Al4cc8RL.exe, 00000000.00000003.247271696.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.261731654.0000000005AD0000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdia6D
Source: V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comituF
Source: V5Al4cc8RL.exe, 00000000.00000003.247271696.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: V5Al4cc8RL.exe, 00000000.00000003.237362893.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237445278.0000000005AD8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn2
Source: V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnFROM
Source: V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnJ
Source: V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237445278.0000000005AD8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnva
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238669999.0000000005ADB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: V5Al4cc8RL.exe, 00000000.00000003.238669999.0000000005ADB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: V5Al4cc8RL.exe, 00000000.00000003.235374791.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236344812.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236022823.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236658890.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236259831.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236566208.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236536316.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236788828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235613845.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237785650.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237422103.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236732771.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236508751.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235845119.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238068440.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237645057.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238438414.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237214547.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236975965.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235789156.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238478134.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238541470.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238649245.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236679295.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236075154.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236291815.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235985152.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236618636.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236897959.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235466855.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237931677.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236440918.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238140250.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235418141.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235725240.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235314851.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238736518.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237721608.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235521691.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236393828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235657356.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238766071.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235946333.0000000005AEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: V5Al4cc8RL.exe, 00000000.00000003.235374791.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236344812.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236022823.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236658890.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236259831.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236566208.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236536316.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236788828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235613845.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237785650.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237422103.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236732771.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236508751.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235845119.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238068440.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237645057.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238438414.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237214547.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236975965.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235789156.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238478134.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238541470.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238649245.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236679295.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236075154.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236291815.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235985152.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236618636.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236897959.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235466855.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237931677.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236440918.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238140250.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235418141.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235725240.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235314851.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238736518.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237721608.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235521691.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236393828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235657356.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238766071.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235946333.0000000005AEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: http://yandex.ocsp-responder.com03
Source: V5Al4cc8RL.exe, 00000004.00000002.506919005.0000000002D5B000.00000004.00000001.sdmp	String found in binary or memory: https://T2RlCNQDaV0Ojub.com
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: V5Al4cc8RL.exe, 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: smtp.yandex.com

Source: V5Al4cc8RL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_028C3A24	0_2_028C3A24
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_028CE8E0	0_2_028CE8E0
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_028CE8F0	0_2_028CE8F0
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_028CCF14	0_2_028CCF14
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_028C6C81	0_2_028C6C81
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D70958	4_2_00D70958
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D776C8	4_2_00D776C8
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D7BE68	4_2_00D7BE68
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D78888	4_2_00D78888
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D7E3A9	4_2_00D7E3A9
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D9B43C	4_2_00D9B43C
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D9DEC0	4_2_00D9DEC0
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D91FF0	4_2_00D91FF0
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D9AB70	4_2_00D9AB70
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D92768	4_2_00D92768
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F40C71	4_2_00F40C71
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F44DA0	4_2_00F44DA0
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F4C140	4_2_00F4C140
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F4B690	4_2_00F4B690
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F48320	4_2_00F48320
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F455E6	4_2_00F455E6
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F455E8	4_2_00F455E8
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F4BD28	4_2_00F4BD28
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F4DE60	4_2_00F4DE60
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00F4AB21	4_2_00F4AB21

Source: V5Al4cc8RL.exe	Binary or memory string: OriginalFilename vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamehnoksqXHWDvXLXQGJLwfmNUry.exe4 vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe, 00000000.00000002.256860396.0000000000762000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePolicyLev.exe< vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe, 00000000.00000002.262709097.00000000091A0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe, 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamehnoksqXHWDvXLXQGJLwfmNUry.exe4 vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe, 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe	Binary or memory string: OriginalFilename vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe, 00000004.00000002.498271939.0000000000682000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePolicyLev.exe< vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe, 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamehnoksqXHWDvXLXQGJLwfmNUry.exe4 vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe, 00000004.00000002.502687417.0000000000AF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs V5Al4cc8RL.exe
Source: V5Al4cc8RL.exe	Binary or memory string: OriginalFilenamePolicyLev.exe< vs V5Al4cc8RL.exe

Source: V5Al4cc8RL.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: V5Al4cc8RL.exe	Virustotal: Detection: 33%
Source: V5Al4cc8RL.exe	ReversingLabs: Detection: 41%

Source: V5Al4cc8RL.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\V5Al4cc8RL.exe "C:\Users\user\Desktop\V5Al4cc8RL.exe"
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process created: C:\Users\user\Desktop\V5Al4cc8RL.exe C:\Users\user\Desktop\V5Al4cc8RL.exe
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process created: C:\Users\user\Desktop\V5Al4cc8RL.exe C:\Users\user\Desktop\V5Al4cc8RL.exe	Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\V5Al4cc8RL.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: V5Al4cc8RL.exe, 00000000.00000003.245108131.0000000005AFC000.00000004.00000001.sdmp

Binary or memory string: of The Monotype Corporation.slnt

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: V5Al4cc8RL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: V5Al4cc8RL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: V5Al4cc8RL.exe, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.V5Al4cc8RL.exe.760000.0.unpack, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.V5Al4cc8RL.exe.760000.0.unpack, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.V5Al4cc8RL.exe.680000.13.unpack, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.V5Al4cc8RL.exe.680000.11.unpack, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.V5Al4cc8RL.exe.680000.2.unpack, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.V5Al4cc8RL.exe.680000.0.unpack, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.V5Al4cc8RL.exe.680000.5.unpack, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.V5Al4cc8RL.exe.680000.9.unpack, ContextForm/AutoMachine.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_00765123 push edi; retf	0_2_00765124
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_00765305 pushad ; retf	0_2_00765306
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_0076430A push esp; ret	0_2_00764311
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_007662B6 push ecx; iretd	0_2_007662B7
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_007642AB push esi; retf	0_2_007642C9
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 0_2_028CD0C0 push eax; retf	0_2_028CF731
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00685123 push edi; retf	4_2_00685124
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_0068430A push esp; ret	4_2_00684311
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00685305 pushad ; retf	4_2_00685306
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_006842AB push esi; retf	4_2_006842C9
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_006862B6 push ecx; iretd	4_2_006862B7
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Code function: 4_2_00D97A37 push edi; retn 0000h	4_2_00D97A39

Source: initial sample

Static PE information: section name: .text entropy: 7.56350374002

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.2b51724.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.2afb594.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: V5Al4cc8RL.exe PID: 6220, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: V5Al4cc8RL.exe, 00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: V5Al4cc8RL.exe, 00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 6224	Thread sleep time: -35259s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 6264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 7044	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 7060	Thread sleep count: 2706 > 30	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 7060	Thread sleep count: 7080 > 30	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 7044	Thread sleep count: 43 > 30	Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Window / User API: threadDelayed 2706			Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Window / User API: threadDelayed 7080			Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Thread delayed: delay time: 35259	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Code function: 4_2_00D7C8A8 LdrInitializeThunk,

4_2_00D7C8A8

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Memory written: C:\Users\user\Desktop\V5Al4cc8RL.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Process created: C:\Users\user\Desktop\V5Al4cc8RL.exe C:\Users\user\Desktop\V5Al4cc8RL.exe

Jump to behavior

Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Users\user\Desktop\V5Al4cc8RL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Users\user\Desktop\V5Al4cc8RL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.2.V5Al4cc8RL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.3af50f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.3b2b110.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.3b2b110.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.3af50f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.255852649.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.255239710.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254686523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: V5Al4cc8RL.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: V5Al4cc8RL.exe PID: 6512, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\V5Al4cc8RL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: V5Al4cc8RL.exe PID: 6512, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.2.V5Al4cc8RL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.3af50f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.3b2b110.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.V5Al4cc8RL.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.3b2b110.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.V5Al4cc8RL.exe.3af50f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.255852649.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.255239710.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254686523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: V5Al4cc8RL.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: V5Al4cc8RL.exe PID: 6512, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	Credentials in Registry1	Security Software Discovery211	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Virtualization/Sandbox Evasion131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing13	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
V5Al4cc8RL.exe	34%	Virustotal		Browse
V5Al4cc8RL.exe	41%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot
V5Al4cc8RL.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.V5Al4cc8RL.exe.400000.12.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.V5Al4cc8RL.exe.400000.8.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.2.V5Al4cc8RL.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.V5Al4cc8RL.exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.V5Al4cc8RL.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.V5Al4cc8RL.exe.400000.10.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnva	0%	Avira URL Cloud	safe
http://en.wPTf	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnJ	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnFROM	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n-u	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.comF9D	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsd	0%	URL Reputation	safe
https://T2RlCNQDaV0Ojub.com	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comasno	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://subca.ocs-	0%	Avira URL Cloud	safe
http://en.wikipedia	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe
http://www.fontbureau.comituF	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comcomF	0%	URL Reputation	safe
http://www.founder.com.cn/cn2	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.fontbureau.comdia6D	0%	Avira URL Cloud	safe
http://QBAAYx.com	0%	Avira URL Cloud	safe
http://www.fontbureau.comd6D	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.yandex.ru	77.88.21.158	true	false		high
smtp.yandex.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnva	V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237445278.0000000005AD8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.wPTf	V5Al4cc8RL.exe, 00000000.00000003.235602973.0000000005AD6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnJ	V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false		high
http://yandex.crl.certum.pl/ycasha2.crl0q	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://www.tiro.com	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnFROM	V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	V5Al4cc8RL.exe, 00000000.00000003.235374791.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236344812.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236022823.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236658890.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236259831.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236566208.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236536316.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236788828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235613845.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237785650.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237422103.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236732771.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236508751.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235845119.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238068440.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237645057.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238438414.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237214547.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236975965.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235789156.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238478134.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238541470.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238649245.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236679295.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236075154.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236291815.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235985152.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236618636.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236897959.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235466855.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237931677.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236440918.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238140250.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235418141.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235725240.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235314851.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238736518.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237721608.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235521691.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236393828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235657356.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238766071.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235946333.0000000005AEB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com0.	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/ca.cer09	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.htmlJ	V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp//	V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/n-u	V5Al4cc8RL.exe, 00000000.00000003.238669999.0000000005ADB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.come	V5Al4cc8RL.exe, 00000000.00000003.235374791.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236344812.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236022823.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236658890.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236259831.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236566208.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236536316.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236788828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235613845.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237785650.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237422103.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236732771.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236508751.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235845119.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238068440.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237645057.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238438414.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237214547.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236975965.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235789156.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238478134.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238541470.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238649245.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236679295.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236075154.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236291815.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235985152.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236618636.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236897959.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235466855.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237931677.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236440918.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238140250.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235418141.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235725240.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235314851.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238736518.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237721608.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235521691.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236393828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235657356.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238766071.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235946333.0000000005AEB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	V5Al4cc8RL.exe, 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.certum.pl/CPS0	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://www.fontbureau.comF9D	V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsd	V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/ycasha2.cer0	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238151607.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238082880.0000000005AD7000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	false		high
https://T2RlCNQDaV0Ojub.com	V5Al4cc8RL.exe, 00000004.00000002.506919005.0000000002D5B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comF	V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.243646078.0000000005ADC000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/ctnca.cer09	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://www.fontbureau.comasno	V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.261731654.0000000005AD0000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://subca.ocs-	V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	low
http://en.wikipedia	V5Al4cc8RL.exe, 00000000.00000003.235089237.0000000005AF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlu-hu-d	V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	false		high
https://www.certum.pl/CPS0	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/	V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://smtp.yandex.com	V5Al4cc8RL.exe, 00000004.00000002.507040750.0000000002DAE000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://yandex.ocsp-responder.com03	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comituF	V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	V5Al4cc8RL.exe, 00000000.00000003.237362893.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237445278.0000000005AD8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false		high
http://crls.yandex.net/certum/ycasha2.crl0-	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://www.fontbureau.comcomF	V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn2	V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238669999.0000000005ADB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	V5Al4cc8RL.exe, 00000000.00000003.247271696.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comdia6D	V5Al4cc8RL.exe, 00000000.00000003.247271696.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.261731654.0000000005AD0000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ca.crl0h	V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://QBAAYx.com	V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd6D	V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/ca4	V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmljC1	V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.88.21.158	smtp.yandex.ru	Russian Federation		13238	YANDEXRU	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	552874
Start date:	13.01.2022
Start time:	20:52:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	V5Al4cc8RL (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.9% (good quality ratio 1.1%) Quality average: 43.1% Quality standard deviation: 39.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 180 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:53:52	API Interceptor	664x Sleep call for process: V5Al4cc8RL.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
77.88.21.158	RFQ7534567.doc	Get hash	malicious	Browse
	MT106_11-Advance.Payment.exe	Get hash	malicious	Browse
	DHL Delivery Invoice AWB 2774038374.pdf.exe	Get hash	malicious	Browse
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse
	Enquiries #oPU46rkEAKUhyA4.pdf.exe	Get hash	malicious	Browse
	PUCHASE INQUIRIES.exe	Get hash	malicious	Browse
	JG4wxLFjVx.exe	Get hash	malicious	Browse
	VCoycS3b62.exe	Get hash	malicious	Browse
	zVd17VxIfi.exe	Get hash	malicious	Browse
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse
	8456754.doc	Get hash	malicious	Browse
	RFQ56767.doc	Get hash	malicious	Browse
	fHVTaKcT0C.exe	Get hash	malicious	Browse
	Payment 20211229.exe	Get hash	malicious	Browse
	Purchase_order_scan.exe	Get hash	malicious	Browse
	pNPpAW7x5N.exe	Get hash	malicious	Browse
	PKO_TRANS_DETAILS_20211216_0809521.exe	Get hash	malicious	Browse
	C9XFduEWGz.exe	Get hash	malicious	Browse
	G47wmLn8uy.exe	Get hash	malicious	Browse
	pago12_14299038859.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.yandex.ru	RFQ7534567.doc	Get hash	malicious	Browse	77.88.21.158
	MT106_11-Advance.Payment.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse	77.88.21.158
	Enquiries #oPU46rkEAKUhyA4.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	PUCHASE INQUIRIES.exe	Get hash	malicious	Browse	77.88.21.158
	64795.doc	Get hash	malicious	Browse	77.88.21.158
	JG4wxLFjVx.exe	Get hash	malicious	Browse	77.88.21.158
	VCoycS3b62.exe	Get hash	malicious	Browse	77.88.21.158
	zVd17VxIfi.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse	77.88.21.158
	8456754.doc	Get hash	malicious	Browse	77.88.21.158
	PURCHASE INQUIRIES.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ56767.doc	Get hash	malicious	Browse	77.88.21.158
	SO#_UPSDT_INVOICE.exe	Get hash	malicious	Browse	77.88.21.158
	fHVTaKcT0C.exe	Get hash	malicious	Browse	77.88.21.158
	PRODUCTS INQUIRIES.exe	Get hash	malicious	Browse	77.88.21.158
	Payment 20211229.exe	Get hash	malicious	Browse	77.88.21.158
	Purchase_order_scan.exe	Get hash	malicious	Browse	77.88.21.158

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YANDEXRU	RFQ7534567.doc	Get hash	malicious	Browse	77.88.21.158
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	77.88.21.37
	Halkbank_Ekstre_20210825_073604_628391.exe	Get hash	malicious	Browse	77.88.21.37
	MT106_11-Advance.Payment.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse	77.88.21.158
	4nmeEJrZJ9.exe	Get hash	malicious	Browse	5.255.255.5
	Enquiries #oPU46rkEAKUhyA4.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	PUCHASE INQUIRIES.exe	Get hash	malicious	Browse	77.88.21.158
	default.html	Get hash	malicious	Browse	77.88.21.119
	JG4wxLFjVx.exe	Get hash	malicious	Browse	77.88.21.158
	VCoycS3b62.exe	Get hash	malicious	Browse	77.88.21.158
	zVd17VxIfi.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse	77.88.21.158
	8456754.doc	Get hash	malicious	Browse	77.88.21.158
	DmpOiwahZV.exe	Get hash	malicious	Browse	77.88.55.50
	ZU9VbjUL19	Get hash	malicious	Browse	95.108.149.12
	VaB15i6xjQ.exe	Get hash	malicious	Browse	5.255.255.88
	RFQ56767.doc	Get hash	malicious	Browse	77.88.21.158
	TwUQy6g4z3.exe	Get hash	malicious	Browse	77.88.55.77

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\V5Al4cc8RL.exe.log Download File
Process:	C:\Users\user\Desktop\V5Al4cc8RL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5:	D918C6A765EDB90D2A227FE23A3FEC98
SHA1:	8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256:	AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512:	A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.553221581772884
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	V5Al4cc8RL.exe
File size:	583680
MD5:	5b8c247358c809a35edfc69ce74ea5c7
SHA1:	663b2a00733f4ab4af9e73c948a14aacaa3d4c6e
SHA256:	23c7ee11b32f31b5b6bb9c94af7250d3c8edaccb70ab9472d15a3a9ae2ee3b8d
SHA512:	5cdabc9c8ef9bf6dcc43432cebf9c3852d4ed5331202e11187cb5eb094875cd6d2e97ecfa8f44f1e9b9f91866c203f6c190aec4ec960abab05e6bbf14f196305
SSDEEP:	12288:aHOZsCJFrxBQqap0aYeznd7qdE3P/VVSohhJeDbZOOhkK1MVLm3avxd4:zZ7sfC9mnd7P98ey
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3..a..............0.............>.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x48fd3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61DFF633 [Thu Jan 13 09:51:47 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8fcf0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x90000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8dd44	0x8de00	False	0.806477147577	data	7.56350374002	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x90000	0x5e0	0x600	False	0.430338541667	data	4.17654103463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x900a0	0x354	data
RT_MANIFEST	0x903f4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Volcanologists R (C)
Assembly Version	1.4.0.0
InternalName	PolicyLev.exe
FileVersion	1.4.0.0
CompanyName	Volcanologists R
LegalTrademarks
Comments
ProductName	TheBottomHalf
ProductVersion	1.4.0.0
FileDescription	TheBottomHalf
OriginalFilename	PolicyLev.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 20:55:37.716947079 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:37.779475927 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:37.779623985 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.030756950 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.031210899 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.093826056 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.093868971 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.094228029 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.156843901 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.208772898 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.215018034 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.278708935 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.278752089 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.278778076 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.278799057 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.278851032 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.278882027 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.341253996 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.404108047 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.458822012 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.686903000 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.749757051 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.751410007 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.815258980 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.816240072 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.891427040 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.892287016 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:38.962730885 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:38.963748932 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:39.031382084 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:39.031868935 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:39.094799042 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:39.096743107 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:39.097032070 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:39.097867012 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:39.098064899 CET	49836	587	192.168.2.5	77.88.21.158
Jan 13, 2022 20:55:39.160569906 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:39.160602093 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:39.415364027 CET	587	49836	77.88.21.158	192.168.2.5
Jan 13, 2022 20:55:39.458869934 CET	49836	587	192.168.2.5	77.88.21.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 20:55:37.569441080 CET	59261	53	192.168.2.5	8.8.8.8
Jan 13, 2022 20:55:37.586563110 CET	53	59261	8.8.8.8	192.168.2.5
Jan 13, 2022 20:55:37.599062920 CET	57151	53	192.168.2.5	8.8.8.8
Jan 13, 2022 20:55:37.617896080 CET	53	57151	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2022 20:55:37.569441080 CET	192.168.2.5	8.8.8.8	0xbf6c	Standard query (0)	smtp.yandex.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:55:37.599062920 CET	192.168.2.5	8.8.8.8	0x8386	Standard query (0)	smtp.yandex.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2022 20:55:37.586563110 CET	8.8.8.8	192.168.2.5	0xbf6c	No error (0)	smtp.yandex.com	smtp.yandex.ru		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2022 20:55:37.586563110 CET	8.8.8.8	192.168.2.5	0xbf6c	No error (0)	smtp.yandex.ru		77.88.21.158	A (IP address)	IN (0x0001)
Jan 13, 2022 20:55:37.617896080 CET	8.8.8.8	192.168.2.5	0x8386	No error (0)	smtp.yandex.com	smtp.yandex.ru		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2022 20:55:37.617896080 CET	8.8.8.8	192.168.2.5	0x8386	No error (0)	smtp.yandex.ru		77.88.21.158	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 13, 2022 20:55:38.030756950 CET	587	49836	77.88.21.158	192.168.2.5	220 vla3-3dd1bd6927b2.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642103737-PXioOG3DVS-tbPOA4RV
Jan 13, 2022 20:55:38.031210899 CET	49836	587	192.168.2.5	77.88.21.158	EHLO 992547
Jan 13, 2022 20:55:38.093868971 CET	587	49836	77.88.21.158	192.168.2.5	250-vla3-3dd1bd6927b2.qloud-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 53477376 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES
Jan 13, 2022 20:55:38.094228029 CET	49836	587	192.168.2.5	77.88.21.158	STARTTLS
Jan 13, 2022 20:55:38.156843901 CET	587	49836	77.88.21.158	192.168.2.5	220 Go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: V5Al4cc8RL.exe PID: 6220 Parent PID: 3020

General

Start time:	20:53:43
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\V5Al4cc8RL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\V5Al4cc8RL.exe"
Imagebase:	0x760000
File size:	583680 bytes
MD5 hash:	5B8C247358C809A35EDFC69CE74EA5C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: V5Al4cc8RL.exe PID: 6512 Parent PID: 6220

General

Start time:	20:53:53
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\V5Al4cc8RL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\V5Al4cc8RL.exe
Imagebase:	0x680000
File size:	583680 bytes
MD5 hash:	5B8C247358C809A35EDFC69CE74EA5C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.255852649.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.255852649.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.255239710.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.255239710.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.254686523.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.254686523.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: V5Al4cc8RL.exe PID: 6220 Parent PID: 3020 V5Al4cc8RL.exeCOMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	129
Total number of Limit Nodes:	4

Executed Functions

Function 028C3A24, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6102b0fde42169e11ce608f2aa64c3bfdddf7f884289e20287762f66d50da84
Instruction ID: 750f2f1a8667e251e3511a2dafd3e8cdc6a5191b19c367d04a7bc3f501bbc8fc
Opcode Fuzzy Hash: c6102b0fde42169e11ce608f2aa64c3bfdddf7f884289e20287762f66d50da84
Instruction Fuzzy Hash: A1411D74E05209DFCB44CFA9C584AAEFBF6EF88304F24C4BA9418E7264E7349A45CB45

Uniqueness

Uniqueness Score: -1.00%

Function 028C6C81, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6324693d03bcc397bc7acca5a31bde4f34e3c31718860bf76c9d01f4c068690
Instruction ID: a12c1b8e58815639c19fa8291acbd5d1cbeadebc7134dfb464e6de4fff24be92
Opcode Fuzzy Hash: d6324693d03bcc397bc7acca5a31bde4f34e3c31718860bf76c9d01f4c068690
Instruction Fuzzy Hash: 60414B74E05249DFCB04CFA9C480A9EFBF2EF89304F24C5AAD418EB265E7349A05CB41

Uniqueness

Uniqueness Score: -1.00%

Function 089F19FC, Relevance: 2.7, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 089F2137
, xrefs: 089F213E

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 87db9eef7ede0e60b6c87e027b82f5530e40ef3d08c169c73d954cc2c6c70170
Instruction ID: 23166e660832184b08dfefa3e5fc8c2f1d50eed4ef2a6c2b571d036a4229f060
Opcode Fuzzy Hash: 87db9eef7ede0e60b6c87e027b82f5530e40ef3d08c169c73d954cc2c6c70170
Instruction Fuzzy Hash: 5E61D235A10701CFDB00EF29D485955B7F1FF89308B818AA9D8496F266EB74F995CB80

Uniqueness

Uniqueness Score: -1.00%

Function 028C9B10, Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028C9D56

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 84de0eb92fcd39056b31bb052a39d13ecdff1f29a3971da1f9b48f5edf5e940b
Instruction ID: c9e755b6829b1008112574f9407de11548a4d375d58a20ae7a99cbf6a718f92c
Opcode Fuzzy Hash: 84de0eb92fcd39056b31bb052a39d13ecdff1f29a3971da1f9b48f5edf5e940b
Instruction Fuzzy Hash: A7714578A00B159FD724DF69D1447AAB7F5BF88304F10896ED48ADBA40DB35E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 028C4154, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028C5A89

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b32c3fefcc605ca74741dc51dd46c73e82c2ddc57c04be393e7744f8dec5abde
Instruction ID: 0ade137b8ca512e81664e13da1cbeff9b2bad048739a9d9b765edbc0ec852ccd
Opcode Fuzzy Hash: b32c3fefcc605ca74741dc51dd46c73e82c2ddc57c04be393e7744f8dec5abde
Instruction Fuzzy Hash: 4641E3B4C00719CBDB24CFA9C884BDEBBB5BF48308F648569D408BB251D7B5A949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 028C59CD, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028C5A89

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bceb4e4dbf2b4172fa8b06fd6c5553d290e6b6b22d150508c3397548c8348116
Instruction ID: e64f600a165b130e651dd3efef1a91e556021e65f66a3bbddfe9d26eccd075bb
Opcode Fuzzy Hash: bceb4e4dbf2b4172fa8b06fd6c5553d290e6b6b22d150508c3397548c8348116
Instruction Fuzzy Hash: E94103B4C00718CFDB14CFA9C884BDEBBB5BF88308F64846AD409AB250D775694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 028CBB44, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028CBFFE,?,?,?,?,?), ref: 028CC0BF

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b1cc256e0ffeb123d6a7682d57bb4b2cc673a31f388aae35dd76ef62283c8387
Instruction ID: 1010054d41c60f722775f5c1d89aa9df19a86378388a5af0c1bc6a093ede57a6
Opcode Fuzzy Hash: b1cc256e0ffeb123d6a7682d57bb4b2cc673a31f388aae35dd76ef62283c8387
Instruction Fuzzy Hash: 0521E4B59002189FDB10CFA9D884ADEBBF8FB58324F14845AE918F7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028CC030, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028CBFFE,?,?,?,?,?), ref: 028CC0BF

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 537906be41c43b7447bdabe3619598c90ec15571378f4568280fc00dca17de0f
Instruction ID: 14b0b3f4165bbe9815f6158286caa635af50c205a30ea7ef7e543777265e017f
Opcode Fuzzy Hash: 537906be41c43b7447bdabe3619598c90ec15571378f4568280fc00dca17de0f
Instruction Fuzzy Hash: 432100B99002589FDB10CFA9D584AEEBBF4EF48324F14842AE958A3210C378A954CF60

Uniqueness

Uniqueness Score: -1.00%

Function 028C97D0, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028C9DD1,00000800,00000000,00000000), ref: 028C9FE2

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 22766b41df4a4b66d96050bb8a513f2b84a3f6ae8c70262744899b8d74cd41ec
Instruction ID: dff6481512f8f957330f44eed537b04680d4f554b27fad7b2135cccebebe6154
Opcode Fuzzy Hash: 22766b41df4a4b66d96050bb8a513f2b84a3f6ae8c70262744899b8d74cd41ec
Instruction Fuzzy Hash: CB1117B99003198FCB10CF9AC484BEEFBF4EB58314F14846EE415A7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028C9F71, Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028C9DD1,00000800,00000000,00000000), ref: 028C9FE2

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ec7f7eedfd29606b828fa47004f33b483cdf0254d9d2361f8e3d37908cb8d6d1
Instruction ID: 3f16bd2e58cd6fa501589c0c8853e0af59b1d466a55b4cc0e90ed9063d583d9a
Opcode Fuzzy Hash: ec7f7eedfd29606b828fa47004f33b483cdf0254d9d2361f8e3d37908cb8d6d1
Instruction Fuzzy Hash: E01117B99003598FCB10CF99D444BEEFBF4AB98314F14886ED455A7600C375A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028C9CF0, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028C9D56

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a1c40cf893910c95af4dd6c218f69afc84ae35ac18052dd3a5aee54c6e27076f
Instruction ID: 5f709a34100faf40cabd555b4576e3205f5167b8baca349646ccaa640a443d87
Opcode Fuzzy Hash: a1c40cf893910c95af4dd6c218f69afc84ae35ac18052dd3a5aee54c6e27076f
Instruction Fuzzy Hash: 9C11D2B9D006598FDB10CF9AD444BDEFBF4AF88324F14845AD529B7610C374A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 089F8C0C, Relevance: 1.3, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W, xrefs: 089F8C14

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: a98e1d75acab22e8f978526d21b9e9d56517128f0c98b4315907ef77b42dc0a0
Instruction ID: a1780e53cb24261e6509ab8f411a807adeb7850186bf281990ecd73dea5963ad
Opcode Fuzzy Hash: a98e1d75acab22e8f978526d21b9e9d56517128f0c98b4315907ef77b42dc0a0
Instruction Fuzzy Hash: CE3144B0D012489FDB58DFA9C994BDEBBB5AF48304F24802EE509BB680CB745945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 089F87D0, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fcedfb37d25ef1fe9e2d573c78f049032152dc399bbf13c2374b204c2ce345
Instruction ID: 57f689fb35132955b68fd8d52d9d552f41d7823424d2abb5121f65565ae2560f
Opcode Fuzzy Hash: 72fcedfb37d25ef1fe9e2d573c78f049032152dc399bbf13c2374b204c2ce345
Instruction Fuzzy Hash: 9DB17B70E002189FDB18DFA8C4986EEBBB6EF89304F248529E505FB394DF745946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089FD340, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4209453ef17a33582709b2ac1a4e83b012fbd2d6d87d2dbe774315d9e6b2ab1
Instruction ID: 68bb651dfd93c4aff0914d32b82fe6af761f85af7f0bfbf918e531fd3ea547f5
Opcode Fuzzy Hash: e4209453ef17a33582709b2ac1a4e83b012fbd2d6d87d2dbe774315d9e6b2ab1
Instruction Fuzzy Hash: 0CB11B34A00105CFCB04EFA8C594ADDB7F2EF49219F2588A8E505AB365DB35ED46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 089F01E0, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b12b29fb88679d0abe70296aa94b99f4ce6ac1b6eff373c465e3682433f8271
Instruction ID: b0d07691beadaf04e7990db42211addf303e5316997f7d4aa678459703787b64
Opcode Fuzzy Hash: 2b12b29fb88679d0abe70296aa94b99f4ce6ac1b6eff373c465e3682433f8271
Instruction Fuzzy Hash: AF916E38B007018BDB08EF69C49469977A2FF88304F55897DD90AAF396DF75E8458B50

Uniqueness

Uniqueness Score: -1.00%

Function 089FB030, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6c93d738ca5ea7e18063ff0dfe71e0f79f7e6e5fcee1b02512cd4385660cb3
Instruction ID: 140382cde524b69ae82f0bb22afcf38944ccc74cd82f9e9e4ea0f979113a2945
Opcode Fuzzy Hash: 4f6c93d738ca5ea7e18063ff0dfe71e0f79f7e6e5fcee1b02512cd4385660cb3
Instruction Fuzzy Hash: 0C81A435B10208DFCB08EFA4D8989EDBBB5FF89315F148569E502AB365DB70A945CF80

Uniqueness

Uniqueness Score: -1.00%

Function 089F7BB8, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5302eea93c6ff85ea1887db8c769e7b74a1a22f3b459746e563d98d0515d48e2
Instruction ID: c00a75c56e558fa7b0c1e6345fe7fcf628d9ce0d507196cbc5f33341f4f5526a
Opcode Fuzzy Hash: 5302eea93c6ff85ea1887db8c769e7b74a1a22f3b459746e563d98d0515d48e2
Instruction Fuzzy Hash: EA712B35A007059FCB24DFB9D884AAEB7F5FF48215B548A2EE95AD3701DB34E8458F40

Uniqueness

Uniqueness Score: -1.00%

Function 089F7B70, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a823553c79f503dd48f2b22d30c84d7f16de7eab8bdcacd4092748aa7462939
Instruction ID: 93aaf738d6a9adb67a20b8c8f5212e1321c4214b7e3da2c945d562554aea5a0f
Opcode Fuzzy Hash: 7a823553c79f503dd48f2b22d30c84d7f16de7eab8bdcacd4092748aa7462939
Instruction Fuzzy Hash: 9D513F79A007059FCB24DFB8D584AAEBBF5FF88211B40892EE95AD3745DB34E8058B50

Uniqueness

Uniqueness Score: -1.00%

Function 089FC8E4, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8e60dabb29af2cb2e1a945e93eea325cd553b93bf717a03d02bc511429eb82
Instruction ID: 95629a2001c595cf9a27e13a043c4191e6902318490e6c84ddc0920a1c1d5569
Opcode Fuzzy Hash: 2f8e60dabb29af2cb2e1a945e93eea325cd553b93bf717a03d02bc511429eb82
Instruction Fuzzy Hash: 0851D675B002058FCB05EBB8D8584BEBBFAEFC42257148979E519DB395EF309C068791

Uniqueness

Uniqueness Score: -1.00%

Function 089F6C58, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66d0fe2fb84e17a473794b6be9e99396757c446f9574a33f9143539ee9ed958
Instruction ID: 0d0356e6f9b39c39f35b0beb45c90d04986c83599394bf45603e8898bc5822bb
Opcode Fuzzy Hash: d66d0fe2fb84e17a473794b6be9e99396757c446f9574a33f9143539ee9ed958
Instruction Fuzzy Hash: 28518A35E002198FCF19EFA8D884ADDBBB6FF88305F148529E505AB350DB30A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 089F7BA8, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1d4554fe707942e18d9959a0d029c61f9099872167f0bed1e4bae2c9c946df
Instruction ID: d869537795cb8e6434a5f1a52ff8484d16ad4d64d1a40a483666307d25e61256
Opcode Fuzzy Hash: aa1d4554fe707942e18d9959a0d029c61f9099872167f0bed1e4bae2c9c946df
Instruction Fuzzy Hash: 74511C79A007059FCB24DFB8D984A9EBBF5FF48211B508A2EE85AD3745DB34E8058F50

Uniqueness

Uniqueness Score: -1.00%

Function 089F1104, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db990dd6a3ab35a288f3d01386f0c753fb8e2d9620a7edaf34dfe979e7f99b9
Instruction ID: 1197f8efd629e00ca6e7dffb15c5fd1f9974af061f1f91c2ba7b17a7e4c319da
Opcode Fuzzy Hash: 7db990dd6a3ab35a288f3d01386f0c753fb8e2d9620a7edaf34dfe979e7f99b9
Instruction Fuzzy Hash: D941E039701314CFC71AAB7488506FDB7BAEFC2212F45486ED2499B352CB35A942CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 089F4B38, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c79a255577e40480f8469203839e9aa0755d1a23a752c2dc3831d8b23e0d9d2
Instruction ID: ba31e74aefe55df01231937366357a6c4bcf546563838f9cad655c1b1c28888c
Opcode Fuzzy Hash: 4c79a255577e40480f8469203839e9aa0755d1a23a752c2dc3831d8b23e0d9d2
Instruction Fuzzy Hash: 70416F35D1070A9BDB00EFA9D8506DDB772FFD5304F614A2AE104BB251EB70B985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 089F1320, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959d290030496d7f565f5bdf85847b0b08e388a094a6220d17e0e729b034a568
Instruction ID: a0f4ce89d459f61fcf6ba9a990486e020f3e5e480cb4b81d5185bd722c04a05d
Opcode Fuzzy Hash: 959d290030496d7f565f5bdf85847b0b08e388a094a6220d17e0e729b034a568
Instruction Fuzzy Hash: 08411934A00604CFC719EF68D594ADDB7F2EF89309B60886DD50AAB761CB72AC05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 089FACF0, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd746cfa86e946846292e5234b70a2098a3e7cd5b8449215c9e9c8af8b719bc3
Instruction ID: e7dab64c8691ef9eac341bfe26f7e027a1669b5dcee109d0ced031f088fdff32
Opcode Fuzzy Hash: cd746cfa86e946846292e5234b70a2098a3e7cd5b8449215c9e9c8af8b719bc3
Instruction Fuzzy Hash: BB417E31920618DFCB04EFA8D944ADDBBB5FF49306F008529E905B7250EB30AA59CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089FDE58, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53d86c6cb4846977eacd26ebad55445123a8c4736e37b4dab32f67d197dc9f6
Instruction ID: 28414e7be42ee47d5047cbebeeaae69a789ad375555bf4aa966fbc652f51f215
Opcode Fuzzy Hash: d53d86c6cb4846977eacd26ebad55445123a8c4736e37b4dab32f67d197dc9f6
Instruction Fuzzy Hash: BA4125B4E15209EFCB08DFA9D984AEEBBB2FB88301F10982AD515B7214D7345A05CF51

Uniqueness

Uniqueness Score: -1.00%

Function 089F8C18, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a89f7a747e3c84ebfe4452cb690cba006a618b973fed855cfc262164cf7b9e3
Instruction ID: 9c21232260110452124dd2f403b31795f8af5b9e08fccf175eb28e32e4a6008a
Opcode Fuzzy Hash: 2a89f7a747e3c84ebfe4452cb690cba006a618b973fed855cfc262164cf7b9e3
Instruction Fuzzy Hash: CD4156B0D012489FDB14DFD9D984BDEBBB9AF48318F24842AE515B7640CB705945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 089F8678, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f4c0746d45c1f04fe84f4d475246f7730e209e04c0be004082f75fab498598
Instruction ID: 73e64ae165426829052371f7aef29c3ca81b6ec4891ddbea1a40035fd0b25995
Opcode Fuzzy Hash: e8f4c0746d45c1f04fe84f4d475246f7730e209e04c0be004082f75fab498598
Instruction Fuzzy Hash: 8B3181753006008FC748DB7DC898A5AB7EAEFC9624755897CE61ACB376DE30EC068B51

Uniqueness

Uniqueness Score: -1.00%

Function 089F19AC, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0bd5ea3730162044db5773e5564a3279f49bfa148882b00d5844adf1a0faad
Instruction ID: 38e52fd8ba98383bc43a8e077808fc94fbb2eb6b657f5e3a08fcaa95118f81ce
Opcode Fuzzy Hash: fc0bd5ea3730162044db5773e5564a3279f49bfa148882b00d5844adf1a0faad
Instruction Fuzzy Hash: FF31E135E00701CBDB08FF69D4847A6B376EF88205F58897ADD0A6F246DF34A481CB61

Uniqueness

Uniqueness Score: -1.00%

Function 089F3CB4, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822481cde71bac7015ce70ede5fff54aca5f6df2033e345071d6e2074a93f26e
Instruction ID: 33bbcebb1e48350f6027fcf10d7a088093c23958b1db70b6ce1d6b9831097c2b
Opcode Fuzzy Hash: 822481cde71bac7015ce70ede5fff54aca5f6df2033e345071d6e2074a93f26e
Instruction Fuzzy Hash: 9E312B39A20219DFCB08EF68D884DEDB7B5FF88715F5185A9E915AB321CB30A840CB50

Uniqueness

Uniqueness Score: -1.00%

Function 089F5EE8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121bb469f4e091c40edbf9da149f519f85c9b8b688090f997390d8537d08530c
Instruction ID: 4c7ebaab3d0a7ee614947cea4105c27b91a17c0a769027020e2b336a5fe3090a
Opcode Fuzzy Hash: 121bb469f4e091c40edbf9da149f519f85c9b8b688090f997390d8537d08530c
Instruction Fuzzy Hash: 252190397105008FDB18EB6CD404A5E77EAAF8862671644BEE605CB362EF31DC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089F1850, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f5aa8442717b8b9c3a0bf51bb3fe152149484b616493db002b6692bc08f146
Instruction ID: ac0267123776a008c71400e09f8b363809f2fe768301b0205e6a9fac6429cdfb
Opcode Fuzzy Hash: a5f5aa8442717b8b9c3a0bf51bb3fe152149484b616493db002b6692bc08f146
Instruction Fuzzy Hash: CF2156383501108BDB1DBB28D454B6E379AAF85B05F10406DE506CF7E6CEB5EC428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 089F19BC, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f718864412249e2b09ed02477ddcda69726ee0940dddb71935086afee38ce202
Instruction ID: 72011f80c534b52f591fe9683c645ca85b7a62062749c6c74cca4765fbef96f3
Opcode Fuzzy Hash: f718864412249e2b09ed02477ddcda69726ee0940dddb71935086afee38ce202
Instruction Fuzzy Hash: 4721AC3470A2605FC71A676484204BE7B69EF82601B0808BFF404DB353CB289C06D792

Uniqueness

Uniqueness Score: -1.00%

Function 089F5821, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de2587cd9cc027d2a60ed8048312065b5c59d5b28cd2b113f95d524666a680f
Instruction ID: 63e029efe8bb2cd0d2b8799294be9ffdd653dd7d2e3b6b849e6bd0d7bfc81a21
Opcode Fuzzy Hash: 7de2587cd9cc027d2a60ed8048312065b5c59d5b28cd2b113f95d524666a680f
Instruction Fuzzy Hash: 6C2124397505008FC758EF2DD498D297BE6EF8AB1532640AAE606CB376DB31EC02CB00

Uniqueness

Uniqueness Score: -1.00%

Function 089F5830, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f94a6e68006049898afe9ecec3b82de206fb457888d4279701ccb91d43a8e3b
Instruction ID: 31af119a55cf9de2c570403873a5db00de0095291686bab186c91e2450366bac
Opcode Fuzzy Hash: 0f94a6e68006049898afe9ecec3b82de206fb457888d4279701ccb91d43a8e3b
Instruction Fuzzy Hash: 1321C6397505108FC758EB2DD498D2977EAEF89A1572640AAE606CB376DB31EC02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010BD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257516423.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f55250cbe0e990b2161426715d2bdd159a90fbede59f0296506e0d5bfa6ec9b
Instruction ID: 34b04255892bf90756f7276fa34254dbeeb63747511a6cf523245557434ae745
Opcode Fuzzy Hash: 7f55250cbe0e990b2161426715d2bdd159a90fbede59f0296506e0d5bfa6ec9b
Instruction Fuzzy Hash: 7421F871504240DFDB15DF94D9C0FAAFFA5FB8431CF2489A9E8850B246C336E855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BD3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257516423.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f6bd73f1c4dab3bc6609142469582eaf8582709e58ef7af04356415165483a
Instruction ID: 995ca44712fc15078bd0c8b1938ba073dee54e54f304ed389cbf6430108559bb
Opcode Fuzzy Hash: b1f6bd73f1c4dab3bc6609142469582eaf8582709e58ef7af04356415165483a
Instruction Fuzzy Hash: 04212871500240DFDB05CF94D9C0BDAFBA5FB84328F24C9A9E8450B206C73AE85AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 089F1860, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485892d9f00e7adaed463597f23ed7c6204aa921e06496c3aab80cb08f4c03cd
Instruction ID: 786d4073ea6eb4f3892bed242c9f56d6a9accadb7c13764878d6a09f46007fc7
Opcode Fuzzy Hash: 485892d9f00e7adaed463597f23ed7c6204aa921e06496c3aab80cb08f4c03cd
Instruction Fuzzy Hash: CB2112383501118BDB1DBB28D468B6E379AAF85B05F10406DE506DF7E6CEB6EC418BD1

Uniqueness

Uniqueness Score: -1.00%

Function 089FA124, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bf9fa2a923ca16cc6bf511983b64e4e5f51c685bff9546e324a11576b4b57d
Instruction ID: 7358c9162049d29510c50f4fc1214cead03be8ccba624436a5ce87cdda5db6b3
Opcode Fuzzy Hash: 48bf9fa2a923ca16cc6bf511983b64e4e5f51c685bff9546e324a11576b4b57d
Instruction Fuzzy Hash: 5921B031A00209DBDB18EF65C4846EABBB5FF84325F50C839E9199B251DB35E954CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010CD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257538722.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892c8ddb574c3b8386251823cb64a6e9cc460109e64c8d6a487ee2ff2b203d5c
Instruction ID: 07339367c7fcba65bfb42837519e3566a4e4f33f07723739e92be8493173bdb3
Opcode Fuzzy Hash: 892c8ddb574c3b8386251823cb64a6e9cc460109e64c8d6a487ee2ff2b203d5c
Instruction Fuzzy Hash: 8E21D371504240DFDB15CF98D5C4B1EBBA5FB84654F34C9BDE88A4B246C336D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010CD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257538722.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8500f997f793247b9a311bf1da35ff88acfc9a850929b6ee5211fc7209375103
Instruction ID: 2c9d6dda1572fc3f8b07a8d463f6a0f1825c4757f4f26f71ed013949b5929f6d
Opcode Fuzzy Hash: 8500f997f793247b9a311bf1da35ff88acfc9a850929b6ee5211fc7209375103
Instruction Fuzzy Hash: 3B21D671504240DFDB01DF94D9C4B1EBBA6FB94724F24C9BDE8894B246C336D446CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 089FBC90, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf24f8e7fb00606d3c4afd381fe06c022e4c8db0e47240b5f82cc48929d5f208
Instruction ID: f9a4771f2b479b3e7ea0d26e32aec6b627376aad978533ede0eb5ed028e2c5f2
Opcode Fuzzy Hash: bf24f8e7fb00606d3c4afd381fe06c022e4c8db0e47240b5f82cc48929d5f208
Instruction Fuzzy Hash: 791190357106109FD704EB69D884AAE7BEAEF89225B14097DF106DB361DF31EC028790

Uniqueness

Uniqueness Score: -1.00%

Function 089FC9F8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297034b35852f28fd633ab1271bcd92b135e9182f4c1e7a36cb0353db14c3abf
Instruction ID: c17aee0619d85404c40ebc451c4600b2f63b04763b86203bb367efcdff0efa82
Opcode Fuzzy Hash: 297034b35852f28fd633ab1271bcd92b135e9182f4c1e7a36cb0353db14c3abf
Instruction Fuzzy Hash: 1D31F2B0C01218DFDB24EF99C588BDEBFF4AB48318F64846AE504BB291C7B55845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 089FA194, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82906300d585959337b7dcf3fed729d215858030e3c381aeeaaf3080a796eb0d
Instruction ID: 435a2ebed9f8da4a8488184a071b34e1a8e5eb511c4d31a73af84c97b8c40b20
Opcode Fuzzy Hash: 82906300d585959337b7dcf3fed729d215858030e3c381aeeaaf3080a796eb0d
Instruction Fuzzy Hash: 4921F2B5D013199FCB14DF99D884AEEBBF8EB48324F14842EE919A7701C374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 089FDD68, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fdfdfbe6d3bb5461b4a93ab0baf9f9a107e6b5287ecd7d118024d2a3ff116b
Instruction ID: 9f044328f9708e6571af367814ce14e6817f535313696ff912ccb8bbfae50c90
Opcode Fuzzy Hash: d4fdfdfbe6d3bb5461b4a93ab0baf9f9a107e6b5287ecd7d118024d2a3ff116b
Instruction Fuzzy Hash: 372129B4E04209EFCB08EFA9D5856AEFBB6FB88301F10C56AD905A7305DB345A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010CD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257538722.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80317062cddfdfd4d094948ada0ebf0a3cf54d75adbb160cec45c8cc4183ede2
Instruction ID: 1f64b447ecf97d7ce7784ea6f649b913e73abbb8feb44d07cbd4311b4fadefd2
Opcode Fuzzy Hash: 80317062cddfdfd4d094948ada0ebf0a3cf54d75adbb160cec45c8cc4183ede2
Instruction Fuzzy Hash: 042195755087809FCB03CF58D994715BFB1EB46314F28C5EAD8858F257C33A9856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 089F0890, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e8333429214661e5a2ced0afbd64127edd12e6363f2c4c20799b8500271de2
Instruction ID: 4f8a42ccf17ecf182d455fe5c9ade22a3bbe2e124297d6cdb33dc22d03ab1cc5
Opcode Fuzzy Hash: b6e8333429214661e5a2ced0afbd64127edd12e6363f2c4c20799b8500271de2
Instruction Fuzzy Hash: 72114C31A00F018BE738EE2AD451727B7F9BB45315F144E3DE196C7A42D735E8488B91

Uniqueness

Uniqueness Score: -1.00%

Function 089FBCA0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd6586c11fe815d417f23801d019eece55ccdfdba7558e9d3a6d29c452126e0
Instruction ID: 0eba02ccc17ec0b6f0186ba49809b037c0f1373934bbdebc8748d165e69bea4c
Opcode Fuzzy Hash: 9fd6586c11fe815d417f23801d019eece55ccdfdba7558e9d3a6d29c452126e0
Instruction Fuzzy Hash: B1118F357106109FC748EB69D888AAE77EAEF89225B10096EF506C7361DF30EC018790

Uniqueness

Uniqueness Score: -1.00%

Function 089F4E40, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50660bd924cfa2bcb1dcc3d643b97958549e47b1d8e29112942676d9822ce622
Instruction ID: 809d5440800abedd6bcc28f88f689d31b95e5f1cb0d0b69c7d491f8829fb9dd3
Opcode Fuzzy Hash: 50660bd924cfa2bcb1dcc3d643b97958549e47b1d8e29112942676d9822ce622
Instruction Fuzzy Hash: 39118431A006098BCB18EB79C4549EFB7B9AF84255F008E2ED74597355EB70D981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 089F681C, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52a9a4572d170f74100b3cf882f9c92d09c301e10179fb4c0cab5603773df88
Instruction ID: 13d45e7d6fae4aa7b987f862d89b205c3657fba84a7334035e2c606d3f362446
Opcode Fuzzy Hash: a52a9a4572d170f74100b3cf882f9c92d09c301e10179fb4c0cab5603773df88
Instruction Fuzzy Hash: 4B11E934714210AFC709ABA9D454AED7BAAFFC6604F5484AAF109DB7A1CF30AC05C751

Uniqueness

Uniqueness Score: -1.00%

Function 089F0880, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbf9e2f33d5db385ba1d1a267e687673a5d8bf0083faa1aa46ae82f2df15d2e
Instruction ID: c08d1a843a03191ab2d2d305ed62b1c936fca8d43ac6e1449ed896747bd1f6f8
Opcode Fuzzy Hash: dfbf9e2f33d5db385ba1d1a267e687673a5d8bf0083faa1aa46ae82f2df15d2e
Instruction Fuzzy Hash: B7119E31600F018BD338DE2AD841766B3F9BB81311F044A3DE196CBA02D739E8098B91

Uniqueness

Uniqueness Score: -1.00%

Function 089F6070, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1cc81e5aa5795ddc6446ab6608f77102ffde4fbd128f19e53c26042cdfa843
Instruction ID: e404371ba237f1af8764e91540e725f364c7d7a39777c9e11e9c4cfb6f5e6180
Opcode Fuzzy Hash: 5c1cc81e5aa5795ddc6446ab6608f77102ffde4fbd128f19e53c26042cdfa843
Instruction Fuzzy Hash: 11115E34710214CFDB18AF69C458AAE7BF6EF89705F10486DE50697361CF759C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089F1D10, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ff9d8949a6f4423421a45de366db5c9b5756aec4e40dbea9ee15d747d845fb
Instruction ID: 47b0c4e9cc4854ed60d45ca547146cff5683dc1ebc5c76012381fe1e67b19bfd
Opcode Fuzzy Hash: 78ff9d8949a6f4423421a45de366db5c9b5756aec4e40dbea9ee15d747d845fb
Instruction Fuzzy Hash: 9E21473A900B5687DB10AF29D880282B3A1EF95324F198A7ADD5D3F206EB717985C794

Uniqueness

Uniqueness Score: -1.00%

Function 089FE150, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb458ea0897e709053cf975c3f7d49b86ca2966232d4236406781b99cd09a7bf
Instruction ID: 1f741d5904802e636801e5253d7abccd412bcbc2a43d5fb51628e25b039c590e
Opcode Fuzzy Hash: cb458ea0897e709053cf975c3f7d49b86ca2966232d4236406781b99cd09a7bf
Instruction Fuzzy Hash: 65115131B002198B8B54EBF895145FE76BAEFC8255B10447EC714EB295EB318D52CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010BD3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257516423.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
Instruction ID: e6fcff151e26bc1bca8aaaca9a425e950fde7d68945c1b7d5056e9917306bee6
Opcode Fuzzy Hash: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
Instruction Fuzzy Hash: 0B11E172404280CFCB02CF44D5C4B96FFB1FB84324F24C6A9D8490B616C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010BD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257516423.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
Instruction ID: 7e7114b3bb0d8d5be42e61d8c192c3585a25dad7f8a3fa7958e946d1748f7286
Opcode Fuzzy Hash: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
Instruction Fuzzy Hash: 1F11D376504280CFCB12CF54D5C4B56FFB1FB84328F24C6A9D8454B656C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 089F4A51, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2386ee80c45fe2d9cc41873f709de075967ca7c1e89f39009b9392f08295a24c
Instruction ID: b11188d0197c7f37c89e3831e5d653b9c3ccbbe3594b49eaded418f8ef6a665a
Opcode Fuzzy Hash: 2386ee80c45fe2d9cc41873f709de075967ca7c1e89f39009b9392f08295a24c
Instruction Fuzzy Hash: 6C219D3AD00B5187DB01DF29D840281B361EF99324F198ABACD4D3F346EB717985C790

Uniqueness

Uniqueness Score: -1.00%

Function 089FFCC8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b605000b36fbf802c58a0ff65fdc0efa091753b79327ab4298851ba160cbaf73
Instruction ID: cf09c2ff96ae53ebc3eeb07364d682222c29533a71e9db8916f0eb9e20146c70
Opcode Fuzzy Hash: b605000b36fbf802c58a0ff65fdc0efa091753b79327ab4298851ba160cbaf73
Instruction Fuzzy Hash: D2116A78E15209DFCB08DFA9D94059DBFF2AF89311F2486AAD415A7355EB348A41CB10

Uniqueness

Uniqueness Score: -1.00%

Function 089FFC11, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f05f0511628d9c4ab86bc8dec214095761b566f4919cd54aec88efca98b5e2
Instruction ID: d2b8efb6be4d88137920a2e47fad13fa1b7d0b67f88e2f77158e7d929d829ec6
Opcode Fuzzy Hash: c5f05f0511628d9c4ab86bc8dec214095761b566f4919cd54aec88efca98b5e2
Instruction Fuzzy Hash: 7E116A74E05209DFCB08DFA5CD915AEBFB2FB89300F1485AAD818E3251EB304A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010CD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257538722.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97667016c062c97266623d2c50188c71d14a0f74471c64901586c743aa3c0651
Instruction ID: b7b27993302ceeded57f816ccce27f08bd1033587065f5ab3e64a70cfbedff33
Opcode Fuzzy Hash: 97667016c062c97266623d2c50188c71d14a0f74471c64901586c743aa3c0651
Instruction Fuzzy Hash: 0E11BE75504280DFCB42CF54C5C4B19BBA2FB84624F24C6ADD8494B696C33AD45ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 089FB530, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6d8318a7cd7b4043a770ba968da352f864037652fa74a36b3647414e45affe
Instruction ID: 9636e07a9a33df8e41d9bd738ed6cbbd28617b1c0fd3419a67d9561ace77b135
Opcode Fuzzy Hash: 8a6d8318a7cd7b4043a770ba968da352f864037652fa74a36b3647414e45affe
Instruction Fuzzy Hash: BA1189B5E0011A9F8B44DFADD9449AEFBF5FF88310B10816AE919E7315E7309911CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 089F5B0A, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f41b0e3df962d0df845cf12aaa0532a7e1ef26811ef43988536109de9febcf
Instruction ID: e74f3dbac33ae8004a31c9403644682afa92c00ade7183d119c2a5e1addae495
Opcode Fuzzy Hash: a0f41b0e3df962d0df845cf12aaa0532a7e1ef26811ef43988536109de9febcf
Instruction Fuzzy Hash: 7E118E75A006099FDB15DF68D880BAE7BF9FF88211F05843AEA24D7761DB34D911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 089FFCD8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b715c9ddb1b870306552e159145fdabcba35ad3d44fa34b5e5e8d95261fec8
Instruction ID: 1579d99cfa02115c0912f8bcc86a63250732a0024bb929c1d2ca8b2ec3c03897
Opcode Fuzzy Hash: 30b715c9ddb1b870306552e159145fdabcba35ad3d44fa34b5e5e8d95261fec8
Instruction Fuzzy Hash: 9D111878E15609DFCB48DFA9D54119EBBF6BB89300F20D5BAC509E7305EB309A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 089F5B18, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942096b1c058da2dcb2329ee530569aaaaa52a0c63472f2d329b29c5ff815354
Instruction ID: 077e30b85d9043250cb20a34741b164e427115d0ba6153dad56ca6986947a5fe
Opcode Fuzzy Hash: 942096b1c058da2dcb2329ee530569aaaaa52a0c63472f2d329b29c5ff815354
Instruction Fuzzy Hash: AA116175A002099FCB15EF69C884AAEBBF9FF88611F01443AEA24D7361DB34D911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 089FFC20, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb49c496b7bf435f632b43a9b5c5ba074bd422452f6db2c6d22838cf331fe5f
Instruction ID: 32d40df664ca69d798368a56d49011ebceff5eea76d7b73ebc9f9b62090f3172
Opcode Fuzzy Hash: 1bb49c496b7bf435f632b43a9b5c5ba074bd422452f6db2c6d22838cf331fe5f
Instruction Fuzzy Hash: 75117C70E04219DFCB48DFA9C9812AEBBF6FB88301F10C46AC918E3200DB304A41CF80

Uniqueness

Uniqueness Score: -1.00%

Function 089F860C, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc470c6c4af64c45c6b4d355d95ab164aa071d2a39e4ff6f6fb62f52a8939c7e
Instruction ID: bf383ef8e801074db9de79b8ad60749e26ffbf18c22cc9dc6feb9cab769b850e
Opcode Fuzzy Hash: cc470c6c4af64c45c6b4d355d95ab164aa071d2a39e4ff6f6fb62f52a8939c7e
Instruction Fuzzy Hash: 24018F343406205BC71CAB799894B7ABBDAABC4615F14487AF21EC7362CE25DC018790

Uniqueness

Uniqueness Score: -1.00%

Function 089FFDE0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782ea54416f5a02e7e93bd1713a34fd3feb112cbe33e19c67f8b5f13bce728d2
Instruction ID: 4b7566ad381ad811eaa272ab84110e88a74df00f2dc6541d246830cd6d74a3b0
Opcode Fuzzy Hash: 782ea54416f5a02e7e93bd1713a34fd3feb112cbe33e19c67f8b5f13bce728d2
Instruction Fuzzy Hash: 9E115B34E05109DFDB48EFA9D94499DBBB6FB88301F1089A9C118E3256EF708A41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 010BD651, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257516423.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a7c31db40d115f8a9921196852200c1dfce24a2c6c6e484dc13ca733737571
Instruction ID: b3f1858c1b453fd7f3581e8234f39625e54c17fa709db16153a59a7a8a91ab65
Opcode Fuzzy Hash: 54a7c31db40d115f8a9921196852200c1dfce24a2c6c6e484dc13ca733737571
Instruction Fuzzy Hash: 450184614047849BE7115A99C8C47EAFFD8EB5922CF18885AED886A242D3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 089FA020, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d075e790635433ae344746f121cf610c34b697baf5e710659a0f6b60217af3b4
Instruction ID: 1f0c1ac5497e85bb8f7ca5bd085f7390dd16c31286b6171f8f5584827240f963
Opcode Fuzzy Hash: d075e790635433ae344746f121cf610c34b697baf5e710659a0f6b60217af3b4
Instruction Fuzzy Hash: 3BF04F343511318B861CAA3AD45493E37DEAF85A5A309487DE60EC7262DF20DC028750

Uniqueness

Uniqueness Score: -1.00%

Function 089FBDC8, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166b08ef2002e4875c842987e782421e13d2620cec292282d4d0f2484615fe34
Instruction ID: a67575b05f8c1e219b86db0845785ca2f2545e7e8ef2924101e4f9c67640e0ce
Opcode Fuzzy Hash: 166b08ef2002e4875c842987e782421e13d2620cec292282d4d0f2484615fe34
Instruction Fuzzy Hash: 7EF0C831F041204FD7186E7AC458B66BFDDAF81766F094079FA49CB362DA65CC008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 089F9C36, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe775ef80adf13dd446937ade24d119624bb5bf34eb7e966a5f556af4b26c5b
Instruction ID: 5e50328137e64f316905b453029c2dba2ee60543c08ce041ee1dc4cd1df1325a
Opcode Fuzzy Hash: 0fe775ef80adf13dd446937ade24d119624bb5bf34eb7e966a5f556af4b26c5b
Instruction Fuzzy Hash: BF01D1383002504FC71CEB749894B7A7BD6ABC8605F18487EE25EC7362CA34D801C790

Uniqueness

Uniqueness Score: -1.00%

Function 089F3408, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7060015aca2af32298101c6075868800927030a90c3a217a1e492586f83f3eec
Instruction ID: f7113c756bb7f6c3da199894e5bb3d4b702f03f2c364e4012ff895098a201dcb
Opcode Fuzzy Hash: 7060015aca2af32298101c6075868800927030a90c3a217a1e492586f83f3eec
Instruction Fuzzy Hash: F5F0FC35300300C7C72EB635C44069673ADFFC421AB10093DD6498B786EF75E802C794

Uniqueness

Uniqueness Score: -1.00%

Function 089FEC38, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18712fac61d2d645cef11fb998fd0a9467731f346c0038ca915e9bec3d896f68
Instruction ID: 1275d102b5aa0c65e773bef5a6c53370f3263335d5e0a37cd741924bf1198e31
Opcode Fuzzy Hash: 18712fac61d2d645cef11fb998fd0a9467731f346c0038ca915e9bec3d896f68
Instruction Fuzzy Hash: B0F0B4B67042245F930886699C84CB76BE9EFC92603154166EA08CB311C9308C05C770

Uniqueness

Uniqueness Score: -1.00%

Function 089F31F0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5def334dc5ae61f144e6a78cd997adec517935531a801296a6cc27033d647709
Instruction ID: 216be75080a19f656e7192437aa246c0bfff3d607768872f98c3c112e992345e
Opcode Fuzzy Hash: 5def334dc5ae61f144e6a78cd997adec517935531a801296a6cc27033d647709
Instruction Fuzzy Hash: EDF0C83E3106008FC718EB29C84486A33A6FBC5615B2541BED116C7379CB35DC018780

Uniqueness

Uniqueness Score: -1.00%

Function 089F1AE4, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3650e96cefac816b76e79617d0432ba33c11fb0da98cc64eb03639b86ec5029
Instruction ID: 99062d7ae11486bd6e6687c8323f7fba783fff96a4de2216003e8e20195646d1
Opcode Fuzzy Hash: e3650e96cefac816b76e79617d0432ba33c11fb0da98cc64eb03639b86ec5029
Instruction Fuzzy Hash: 01F0E9353151218BC62DBA3B8484A7E33DD9FC46A7F08087DEA0AC3392DE28DC41E790

Uniqueness

Uniqueness Score: -1.00%

Function 089FEB9C, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712729282af443dfec586e016b8207e12d6a567f2ba8a16a6b8e3ee3d56b7caa
Instruction ID: d747cf0765a733f974efacab1195d921b79b251d13263c1f5fa51a350ef21987
Opcode Fuzzy Hash: 712729282af443dfec586e016b8207e12d6a567f2ba8a16a6b8e3ee3d56b7caa
Instruction Fuzzy Hash: BA012C71C00219DFEB14DFAAC8083AE7BB1FF44316F158629E915EE2A0D7744A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010BD650, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257516423.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b908e47e616e2c9be2b6f06542601fc790e95ade25ff023fc7f05bebcca30270
Instruction ID: 8b6fb05f74855bc49ffa1da0755296ffae4536e54dbb1a9e689330234db66afc
Opcode Fuzzy Hash: b908e47e616e2c9be2b6f06542601fc790e95ade25ff023fc7f05bebcca30270
Instruction Fuzzy Hash: 07F0C2714047849FEB118A49CCC4BA2FFD8EB55238F18C45AED486F382C3789844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 089F17D8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc1055cf69d1da6942844039a518bae4c2a98a5ff8a2bedbba7f0eb707fa6e4
Instruction ID: c874ed4bc14046f96fe9bb39d38b28140125030e2619aaf1614a583c22f68bef
Opcode Fuzzy Hash: 0bc1055cf69d1da6942844039a518bae4c2a98a5ff8a2bedbba7f0eb707fa6e4
Instruction Fuzzy Hash: 5FF04F34A10659CFCB08FBA8C4598DDBBB5FF85300F418599E6099B261EF71A944CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 089FEBA8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15358c330aac5dcbaf6563790608bc744c72097f0e99e29bc94b5d6ffb347bb1
Instruction ID: 75ebb358d1371ec0a5f190a831e40e1c426421f00ac98a8e26215df0122a7af6
Opcode Fuzzy Hash: 15358c330aac5dcbaf6563790608bc744c72097f0e99e29bc94b5d6ffb347bb1
Instruction Fuzzy Hash: F201EC70804219DFDB14DF5AC8087AE7BF5EF44355F108529E915AA1A1D7744A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089F2D10, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415a98354f481804678503669b410b367e1382afbbb7bb76b5bfc71221c3715a
Instruction ID: b105c5b1868ae04cfa1ddd1b704dd66ce8f7e3962ddbf292189fdf1a2f6bd757
Opcode Fuzzy Hash: 415a98354f481804678503669b410b367e1382afbbb7bb76b5bfc71221c3715a
Instruction Fuzzy Hash: 4E01B675D10609DFCB40EFACC54489DBBF4FF49210B1185AAE859EB321E770AA44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 089FEC48, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0dfccae392aceec77c288c55654e6f99576f2b48e4510975d1bf8e6dabd90b
Instruction ID: a25412bfefce108d080a84361bdb0d7eb121f7e7273769b2ed73e76909239f8b
Opcode Fuzzy Hash: fa0dfccae392aceec77c288c55654e6f99576f2b48e4510975d1bf8e6dabd90b
Instruction Fuzzy Hash: F1E03972B001246F5318DAAAD884CABBBEEEBCD664355813AF508CB310DA309C0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 089FD240, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a131ae484f285b3e05754ccb09f21bf36e539832059effc2932378b60dc0ebbf
Instruction ID: 932c0ec8196643e4163551bd3ee12c859c19733d6ab23013414c902e6643dadc
Opcode Fuzzy Hash: a131ae484f285b3e05754ccb09f21bf36e539832059effc2932378b60dc0ebbf
Instruction Fuzzy Hash: BD013CB4D0021ACFC708EFA8C4449AEBBF1EF48305F108469D918EB351DB799902CF90

Uniqueness

Uniqueness Score: -1.00%

Function 089FA3CC, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c582b9c39a951bba6aa1987af24d5b6c543406c7bf829b8fb5c2f019aa5fd7
Instruction ID: edd88d43378b785c4ef4a45c9e3cf597a2ed6b07c94b54a64053ae86f78b0b19
Opcode Fuzzy Hash: f4c582b9c39a951bba6aa1987af24d5b6c543406c7bf829b8fb5c2f019aa5fd7
Instruction Fuzzy Hash: A5E065343146648FC608976DD09497577D9AB5A215B1488AAE255D7371CA30DC008B50

Uniqueness

Uniqueness Score: -1.00%

Function 089FFBC0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c098ccdace97424e9b462df080994ce328880d04631516b6a82ab3d66a6da6
Instruction ID: 878922dc7e8ecee93b6e02dea82278f2ad4ec9aca5edfddb8905c195e8eabd63
Opcode Fuzzy Hash: 07c098ccdace97424e9b462df080994ce328880d04631516b6a82ab3d66a6da6
Instruction Fuzzy Hash: 09F0E2B0D092948FCB05CFA8D88498DBFB0FF06315B6046DAD8909B393D7396402CF52

Uniqueness

Uniqueness Score: -1.00%

Function 089F5A88, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcac6d104752512c94b428f9b8dfeb2e58d0bf92688a0aae8958e90d74ecbfb
Instruction ID: 7430de6d1c97aab2ba155bde0be1a981e86cfe456d4fa4e262e8a1490a02776e
Opcode Fuzzy Hash: ddcac6d104752512c94b428f9b8dfeb2e58d0bf92688a0aae8958e90d74ecbfb
Instruction Fuzzy Hash: 72E0E5310146458BC315EBB8C440B89BBA0FF03225F0447E9C8A04F192DB3991C6C752

Uniqueness

Uniqueness Score: -1.00%

Function 089F8218, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f5f1e60a19ae639c580d1cd34690b406ef0d3e1c57502f7efabe829ea425f0
Instruction ID: ae084b5f8eb8d4f0bdd941ae26a05729ec7a4633d6a0bfb30dbbd2275bb27422
Opcode Fuzzy Hash: 09f5f1e60a19ae639c580d1cd34690b406ef0d3e1c57502f7efabe829ea425f0
Instruction Fuzzy Hash: A5E01A383102069BEB54A6A9B465BB777ADD780296F00083AEA15EB289DF61E801C790

Uniqueness

Uniqueness Score: -1.00%

Function 089F57E0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560685d81108399309198b572de11eae246ccf9ead6ba6b7bd955c144c9bf92a
Instruction ID: 86905851fd8c8340c87ff3851aef4b54867d4577a9ffe4c9a76ba51b2d3a3390
Opcode Fuzzy Hash: 560685d81108399309198b572de11eae246ccf9ead6ba6b7bd955c144c9bf92a
Instruction Fuzzy Hash: 35E0C2367605114BCB2CA60EE80496E739FEFC8A22B1980BAE505CBB56CE25CC018391

Uniqueness

Uniqueness Score: -1.00%

Function 089F19DC, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f018da76a982833146c70d12f9bb0bcd80e8aa4aa508659ee9ac87ef7ed91778
Instruction ID: 06766dc8a71cf4886de06199eb93952877a11407d1298248343b30f61716da63
Opcode Fuzzy Hash: f018da76a982833146c70d12f9bb0bcd80e8aa4aa508659ee9ac87ef7ed91778
Instruction Fuzzy Hash: 50E0C2303106108FC718EB5CE48099AB3EEEF486393508D79F209C3361CB60FC048784

Uniqueness

Uniqueness Score: -1.00%

Function 089F6C00, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f26bd93bfd041d39871a48bd3f1941d45e800cbf0b77e2912768599a907d0d
Instruction ID: d6fe31aeb3e21f30d98da5e24f57bad993b17557f4dfb96313886e508db331ed
Opcode Fuzzy Hash: d3f26bd93bfd041d39871a48bd3f1941d45e800cbf0b77e2912768599a907d0d
Instruction Fuzzy Hash: 58E0DF30D502088FC354CBA4E845B9EBBB0FB02329F5487E9DD649B3A2C33A9943CB40

Uniqueness

Uniqueness Score: -1.00%

Function 089FFBD0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9840bd62ca0ecf560ec65b4560007cc3660ca346e20f3d68c798d8d3fceb0b
Instruction ID: 0c32bda45a4bc87cf56c57d5f49e384ceca6671df58ccd471b2fbcc410b1a316
Opcode Fuzzy Hash: bc9840bd62ca0ecf560ec65b4560007cc3660ca346e20f3d68c798d8d3fceb0b
Instruction Fuzzy Hash: 10E0C974D002189FCB44EFA8D445AADBBF4FB48305F5045AAD818D7351D7719941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 089F9BE8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efad611e86be612453c243f9f74165e491a2c455961b1e7d578ae6fce938c57
Instruction ID: 2d3131d768fb04b7eaa7aa529c810785c545dc8e73d40e01dac4f97104425773
Opcode Fuzzy Hash: 3efad611e86be612453c243f9f74165e491a2c455961b1e7d578ae6fce938c57
Instruction Fuzzy Hash: 27E08C70D45218AFC758EBB9E85139CBBF5FF81306F9082B9D468A2344D7394A42CF85

Uniqueness

Uniqueness Score: -1.00%

Function 089F5A98, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001aea494261fa81a16203c57a290a37e16d4337f87e664288247f0bbfe3db0b
Instruction ID: 4a802a121ac8a7650e49d0749ef7cd54e79894df88b1d981de9c7e212e308dfb
Opcode Fuzzy Hash: 001aea494261fa81a16203c57a290a37e16d4337f87e664288247f0bbfe3db0b
Instruction Fuzzy Hash: C3E046308212089FC708FFB8E84569DBBB9BB41202F4042BEC944A6200FB319698CB92

Uniqueness

Uniqueness Score: -1.00%

Function 089F4A07, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b78e42d6cc520265760da31a52a2da64a05b0c4aa443b40a564a3633609b60
Instruction ID: 2b63a6b3a310cf65d300a10eb63374816ed12158690abb8dee7ed5151134415a
Opcode Fuzzy Hash: 32b78e42d6cc520265760da31a52a2da64a05b0c4aa443b40a564a3633609b60
Instruction Fuzzy Hash: 8AE092315042804FD75AEBE8C4506DA7F71AF42219F0407EA84989B2C3D7360886CB86

Uniqueness

Uniqueness Score: -1.00%

Function 089FACA8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb9ea3f626cd36987d101d021ffe6ddd1c8df4b77e26528536d835aaec190be
Instruction ID: 6759d5c428419f563273d3d65793e674fcdc8b372b21734ece270e02c623fef8
Opcode Fuzzy Hash: 0bb9ea3f626cd36987d101d021ffe6ddd1c8df4b77e26528536d835aaec190be
Instruction Fuzzy Hash: 30E06D7190439CDFCB92AF34C8040997FF0AB02315B00C57AE858CA001E23481689B42

Uniqueness

Uniqueness Score: -1.00%

Function 089F6C10, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d433aa5d68dfc32a4c7deef60eac47d144db1edcea5b454d85e1e7f3a954268
Instruction ID: 4dfbe23628d81c5be2d4b82b7de37054375022fbc099b4869fa6fce0f27911b8
Opcode Fuzzy Hash: 2d433aa5d68dfc32a4c7deef60eac47d144db1edcea5b454d85e1e7f3a954268
Instruction Fuzzy Hash: 49E04630E002089FC744EFA8E888A9DBBB4FB48305F1081A9D81897320D7319940CF80

Uniqueness

Uniqueness Score: -1.00%

Function 089FFE98, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861b933cef425aba40c26760b99fa1964683bc0d5c25758c465d413a953a67f9
Instruction ID: e787c1dc93aae6360b80db96ac81802d94e0e5f37e3dd55332f58a5f50d2fd24
Opcode Fuzzy Hash: 861b933cef425aba40c26760b99fa1964683bc0d5c25758c465d413a953a67f9
Instruction Fuzzy Hash: 76E09A74D102089FC754DFA9D445A9CBBF4FB08715F4081EAD918D7351E7359950CF41

Uniqueness

Uniqueness Score: -1.00%

Function 089F6288, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3b0c148c8ee615e3c85ebab73254a9543acf46ebce3ec3ebf49c9e98479298
Instruction ID: b110456b6ba9acf052737e31ee7c791711289e69d2fccec6d383ca0d38c59a34
Opcode Fuzzy Hash: 1b3b0c148c8ee615e3c85ebab73254a9543acf46ebce3ec3ebf49c9e98479298
Instruction Fuzzy Hash: E8E04634E002089FCB04EFA8E484A9DBBB8FB49305F1081E9D80897320D7319940CF80

Uniqueness

Uniqueness Score: -1.00%

Function 089F5798, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d540734f89e4bb7e5f1586004493e70c196d702617415b919b3c775f4b83d82a
Instruction ID: b156274565930d86f63f29f11b261e119d0a72e552eed115c3687078f4c06280
Opcode Fuzzy Hash: d540734f89e4bb7e5f1586004493e70c196d702617415b919b3c775f4b83d82a
Instruction Fuzzy Hash: A1E04630D04218EFC704EFA8E458A9DBBF8FB49305F0081EAD80897365D7359A00CF51

Uniqueness

Uniqueness Score: -1.00%

Function 089F7488, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25201c7a088480cf6e5dddef7fa904bd36f209d7e75446cc9bd36d96deea9580
Instruction ID: eebbd7ac89cb99f88afcadd4b01b04b550b67a21a5ab76a9c3a25a180ead8bf3
Opcode Fuzzy Hash: 25201c7a088480cf6e5dddef7fa904bd36f209d7e75446cc9bd36d96deea9580
Instruction Fuzzy Hash: 42E0B634D01208AFC719EFE4A44569DBBB6FB44305F6081B9880493244E7365A41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 089FC580, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3184ba718371150ca33ea40cdbd18e5dc5de3579c161c23114f2b3b9216f9513
Instruction ID: 74e9aa4c434e975f4e0cb156afa90c13b2be75d92c06ed477e49b2f479fc44ad
Opcode Fuzzy Hash: 3184ba718371150ca33ea40cdbd18e5dc5de3579c161c23114f2b3b9216f9513
Instruction Fuzzy Hash: 53E08C70C05218AFC718EBB4A40029CBBF5BB45309F1082F9C41892340D7394A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 089FD1F8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193c0aa83f0d5665e0b8fc533c53aeb8d70958faa0741d2f03287775a05b1eea
Instruction ID: 1c2502384a8ecc1a1a0d00e724a272fc47eef298b5142be1d2214b7af6d0578d
Opcode Fuzzy Hash: 193c0aa83f0d5665e0b8fc533c53aeb8d70958faa0741d2f03287775a05b1eea
Instruction Fuzzy Hash: 83E0B670D05208DFCB14EFA4A44569DBBB9BB45305F5086B9D40897245D7369A45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 089F4A18, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135912dcb834ff8be7bdfcccad8b52c6711579c49e6c6ca26c01c6e550c9d24f
Instruction ID: dcec0c14892229ae2229f03a47d2aaa6f0171e0b52eb9b85c1c5cb29345ff209
Opcode Fuzzy Hash: 135912dcb834ff8be7bdfcccad8b52c6711579c49e6c6ca26c01c6e550c9d24f
Instruction Fuzzy Hash: B4E0EC34D112089FC754FFF8949569DBBB9AB84205F5005B98948D7241EB315A81CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 089F7B80, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64e22d568c924ac80e6870137707e22a05dad284846ad7e60224894ffb0cf98
Instruction ID: cb1e42aaf271afaa71ea963913ed580c7bbb4a720f4753a47813c5847ef496fb
Opcode Fuzzy Hash: c64e22d568c924ac80e6870137707e22a05dad284846ad7e60224894ffb0cf98
Instruction Fuzzy Hash: 9DC0803F71427413452D306F741057FA59F4ED1A33645403FAB0883345AC754C01C3E5

Uniqueness

Uniqueness Score: -1.00%

Function 089F9BF0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1618d4af762e00469d831c61d95a0207f63c4d06f918b1c151d2af697ac5b9a4
Instruction ID: f47772226af7a17613dc3a1465ab9df83521ab6ac2ea6b4d9e26647600ece743
Opcode Fuzzy Hash: 1618d4af762e00469d831c61d95a0207f63c4d06f918b1c151d2af697ac5b9a4
Instruction Fuzzy Hash: 77E08C70C052089FC758EBB8A40029CBBF5FB81305F1081B9C418A2344D7354A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 089FACB8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a291a3d41a2d9099221280d197ac3ad8dd1164ca50419bd1a73f0205f5e35263
Instruction ID: 08fa18cc02a34712cd224c6e3409da59037af0a9a2309e8ac0cb8b63644b5953
Opcode Fuzzy Hash: a291a3d41a2d9099221280d197ac3ad8dd1164ca50419bd1a73f0205f5e35263
Instruction Fuzzy Hash: 42E0E23181061CDFCB94FF79D94849A7BF8BB0525AF00C53AE95DDA101EA30D2A8DF90

Uniqueness

Uniqueness Score: -1.00%

Function 089FA470, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade0e43769c895c046765096867fc76361c16a9971c642ee54c7b6d9d18b3415
Instruction ID: 7e123cebd02e9a4401f7fd5a8dd261e74763da278ff048b58fd6f2fffeb14183
Opcode Fuzzy Hash: ade0e43769c895c046765096867fc76361c16a9971c642ee54c7b6d9d18b3415
Instruction Fuzzy Hash: 33C08016714A3D034C2E3259642417D61CD8FC6916F05007DD70E87783DD4C5D1303CE

Uniqueness

Uniqueness Score: -1.00%

Function 089FFD98, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e257f0c1905f135318dc5318f3227ab5f251b0f073deacd65dcca67242cc980
Instruction ID: 1681ebb3553b22446d279f8bd070f49c694d89ae835c59d94903847788a191d5
Opcode Fuzzy Hash: 5e257f0c1905f135318dc5318f3227ab5f251b0f073deacd65dcca67242cc980
Instruction Fuzzy Hash: 8CE0E270D0020CAFDB54EFE8E44569CBBF8FB04204F4081BA8918E7340EB355A41CF82

Uniqueness

Uniqueness Score: -1.00%

Function 089F3CC4, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0672e46883de0e5dfce93a2a88f4301623740b7ca8f4aa1327643c3d8a5fd8f8
Instruction ID: 88c0b84826e91b56a986a0ae2c6c2264d2716fdd82abd74bc4e4547394defaa0
Opcode Fuzzy Hash: 0672e46883de0e5dfce93a2a88f4301623740b7ca8f4aa1327643c3d8a5fd8f8
Instruction Fuzzy Hash: 90D05E315146088FC300BB6CD8498A577A4FF06218B414DA2E205A7221EB61F9148741

Uniqueness

Uniqueness Score: -1.00%

Function 089FBF08, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31887c3570862e04f5ec76f5a7665307804915a93e8c83d92d785a843617bf81
Instruction ID: 9b33806581f388302de1cfe85d1067303b2f4b61888cff7937fa824e6b57e8f4
Opcode Fuzzy Hash: 31887c3570862e04f5ec76f5a7665307804915a93e8c83d92d785a843617bf81
Instruction Fuzzy Hash: A0C012363101341B1608516E785D49D7ADED6C99A23050036F909C3300DE605D0246E5

Uniqueness

Uniqueness Score: -1.00%

Function 089FD700, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa495b7602ad90a9881e03228df193512f1e30e793de217cf707e985138ed92
Instruction ID: ea022a9f8651d2615cba41b9957befd9141c0af7808293ac0a8bd08b8afd6eec
Opcode Fuzzy Hash: 3aa495b7602ad90a9881e03228df193512f1e30e793de217cf707e985138ed92
Instruction Fuzzy Hash: D1D0673690111CBBDF029F84D844EDA7BA9FF05260F04806AFE185B251C6769961AB95

Uniqueness

Uniqueness Score: -1.00%

Function 089F81D8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2ac54601724dc976d081e2850050b3183d0aca907f70c7bd14a95093a50b84
Instruction ID: c8f520e323f703bb329946b33d8326f45e8f052256d5a714b04c21e41ab30258
Opcode Fuzzy Hash: cb2ac54601724dc976d081e2850050b3183d0aca907f70c7bd14a95093a50b84
Instruction Fuzzy Hash: DDD06774D21208AFDB94EFF8A44969DBFF8BB08205F5046B9D948D2244E7315A948B51

Uniqueness

Uniqueness Score: -1.00%

Function 089F5AD8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39749e5f9607aee74022ff1db0acb64bcada4d1aa01caa7451ceb75c68e6822c
Instruction ID: 412d8c0d6f43fb9cf6ca03bf5fb4f2dd24a5b1954a2f9ff056edb2c837fecd14
Opcode Fuzzy Hash: 39749e5f9607aee74022ff1db0acb64bcada4d1aa01caa7451ceb75c68e6822c
Instruction Fuzzy Hash: 7CD05E3650A248BFCB82AA50CC02F46BF39AB06348F24819AF6044E163C2B7C567D791

Uniqueness

Uniqueness Score: -1.00%

Function 089F3CD4, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34aaa0e7a42485afcbe54774f866974bd75f6ea792a961a3c0f4ef26f2c0ac2
Instruction ID: 8b98daa0fe863c44ed4cb533399b058e46bad44d763a15c133e3b2e42ca4d17d
Opcode Fuzzy Hash: c34aaa0e7a42485afcbe54774f866974bd75f6ea792a961a3c0f4ef26f2c0ac2
Instruction Fuzzy Hash: 5CD0C936646108BBCA81BA95C840A5BBB2ABB1A254F108855FB040D121C6B3D5669790

Uniqueness

Uniqueness Score: -1.00%

Function 089FB7A0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a0c3153a078e7f30ba7da4bb4619cd5440e848cddb3fea2f59c7e0f849b0b8
Instruction ID: 56b26df7244651d2bedbb96327f221c1b36ebe64f3fc4642cbd329f18a41e439
Opcode Fuzzy Hash: a9a0c3153a078e7f30ba7da4bb4619cd5440e848cddb3fea2f59c7e0f849b0b8
Instruction Fuzzy Hash: EAC012362001287B4A01AB85D800C86BBADAF89654305C066F60C8B121D626E522D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 089FE118, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453d21941b43a7973739ea5a16bb0d9a3f640074d690314216ffc08c511ebf0c
Instruction ID: 4dc1df4af409e23151ed2a0d662e9f58cda195093f66075e44fd48b95dd456bf
Opcode Fuzzy Hash: 453d21941b43a7973739ea5a16bb0d9a3f640074d690314216ffc08c511ebf0c
Instruction Fuzzy Hash: 5CD012BA80D2C29FDB0727208C40800BFB1EBA210D32A84D2C0808A133C209C81ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 089FC8C4, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fd860d688e1c3c1977a5279d10cabed39d69e5e71647e68f56f08b2735448b
Instruction ID: 081e9601a851635b0f10c0e182eadfa28b970f646afb015ba249200c067e1cf5
Opcode Fuzzy Hash: 06fd860d688e1c3c1977a5279d10cabed39d69e5e71647e68f56f08b2735448b
Instruction Fuzzy Hash: 97C04C79144118AB8649B7548944C59B6A5BB952057C18C61A24446131CA2598289712

Uniqueness

Uniqueness Score: -1.00%

Function 089FB502, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7942fe3cf54331fbb5ff2bf235c31b7170da76354afff408d0ec0c6e64033687
Instruction ID: d69a4734bd07045f92712bba6ec3fd077b7b6d21d662b81ca7a2d4d028c0c6e6
Opcode Fuzzy Hash: 7942fe3cf54331fbb5ff2bf235c31b7170da76354afff408d0ec0c6e64033687
Instruction Fuzzy Hash: 75B0922E2581C06EEB867760DC02BD96B92E7A1228F259921A19518611C239942AA72D

Uniqueness

Uniqueness Score: -1.00%

Function 089F12F0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa867ab2ff66a20d6c38a523faa49baf4fa7043fe3cb3b4acd912ef4b0cf1aa7
Instruction ID: 31dcafb3f16f1d12701f8e6e2f7c7e4abb174f73d99d4853cdce095157c2046e
Opcode Fuzzy Hash: fa867ab2ff66a20d6c38a523faa49baf4fa7043fe3cb3b4acd912ef4b0cf1aa7
Instruction Fuzzy Hash: 9FB012398889900FCE03A368A94F18C3F30C8C230174580C26044CEA42CD49C8438F53

Uniqueness

Uniqueness Score: -1.00%

Function 089F5EC0, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.262531513.00000000089F0000.00000040.00000001.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e3471efb0538d5c36f7ba573e650c01df604b4ec4def2bbfc3641387c72fee
Instruction ID: 43a623b2d46cb2f58dc57bf3a472fcf68e8c078ddd6d03c6135ddffd7d37a040
Opcode Fuzzy Hash: a3e3471efb0538d5c36f7ba573e650c01df604b4ec4def2bbfc3641387c72fee
Instruction Fuzzy Hash: 5FB09BB5A4D7808FCF83126044555043F706B53240B4E19C2D085CA1E3D51445048726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 028CE8F0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b46126d3c6bf0f2468230ba844ed3a14aa74f52fc2faf59e6b6793d6875c58
Instruction ID: a8167852a46eebd635b58b73153d6c283f159fab87e8e0a2997707ef16ca3af5
Opcode Fuzzy Hash: e6b46126d3c6bf0f2468230ba844ed3a14aa74f52fc2faf59e6b6793d6875c58
Instruction Fuzzy Hash: FC12B1F9C91746CBEB10DF65F9981893BA1B78532CBD04A08D2612EAD1D7BC117ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 028CCF14, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53498cfcb133a224f143082867d2e6b6d2bc789c7cd67e21dd8e0b5576e35cb
Instruction ID: 2145eb1b4468b4e4d779038096b57820d1939e67fccdcdf57c8e3a6c319cdc6d
Opcode Fuzzy Hash: a53498cfcb133a224f143082867d2e6b6d2bc789c7cd67e21dd8e0b5576e35cb
Instruction Fuzzy Hash: 44A16D3AE1021A8FCF15DFA5C8445DEBBB2FF85304B25856AE909EB220DB75E915CF40

Uniqueness

Uniqueness Score: -1.00%

Function 028CE8E0, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257703044.00000000028C0000.00000040.00000001.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090fa46208e8ab7bcef354ac753ff259f1b0e50a81dd901888eefc774da1bd5e
Instruction ID: 846bc88ad160a0850ea4cf3948251376cab8ffd237895a1aa464949b9dc8fd8e
Opcode Fuzzy Hash: 090fa46208e8ab7bcef354ac753ff259f1b0e50a81dd901888eefc774da1bd5e
Instruction Fuzzy Hash: 15C126B9C91746CBDB10DF65E8981893BA1BB8532CF914B09D2616F6D0DBBC107ACF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: V5Al4cc8RL.exe PID: 6512 Parent PID: 6220 V5Al4cc8RL.exeCOMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10%
Total number of Nodes:	30
Total number of Limit Nodes:	5

Executed Functions

Function 00F48320, Relevance: 2.3, APIs: 1, Instructions: 760
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F48AA8

Memory Dump Source

Source File: 00000004.00000002.504867185.0000000000F40000.00000040.00000010.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_V5Al4cc8RL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9a044bacca845f137f579af48076e226d1fd1285495612946ac0d22647ad54ec
Instruction ID: 65be9f57199af1fde3c811f1657b585d3040aa6a4924336bbc880e05cbff2b6c
Opcode Fuzzy Hash: 9a044bacca845f137f579af48076e226d1fd1285495612946ac0d22647ad54ec
Instruction Fuzzy Hash: 97620971E047198FCB24EFB8C85469DB7F1AF89340F1189A9D54AAB354EF309E85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00D7C8A8, Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00D7C8E9

Memory Dump Source

Source File: 00000004.00000002.504158861.0000000000D70000.00000040.00000010.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_V5Al4cc8RL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05fa20f619c851c839c92d28e76d0b7d4c8fe5a8962ff48134b1be8d8c33be56
Instruction ID: eb9a22fdf084845641b7e8fd684756b640212c3c1f34288441b51c55c6eae99b
Opcode Fuzzy Hash: 05fa20f619c851c839c92d28e76d0b7d4c8fe5a8962ff48134b1be8d8c33be56
Instruction Fuzzy Hash: 2A615030A14309DFDB14EFB4D9597AEBBF2AF44315F14882CE406A7254EF359845DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9B43C, Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979e70ad349809d5cf66ebf1159accb4aea81bebfe6f97e689a226652285daf2
Instruction ID: 8985474a5fa5200cd0909b5054c2182b6605543a72542dea252e9f56a155f835
Opcode Fuzzy Hash: 979e70ad349809d5cf66ebf1159accb4aea81bebfe6f97e689a226652285daf2
Instruction Fuzzy Hash: 0B42A670A00244CFEF24DBB8D5547ADBBA6EF86314F19C46AD00AAF286CB75DC45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AB70, Relevance: .7, Instructions: 667
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077e16dff1aee783a43df00e1ea468a6de2df39c18a52e97df76d070f768d486
Instruction ID: c837f4536abbd6e537358a196e86d161e96fe694cd5eaccf0988eda99c15759f
Opcode Fuzzy Hash: 077e16dff1aee783a43df00e1ea468a6de2df39c18a52e97df76d070f768d486
Instruction Fuzzy Hash: 9E328131B042058FDF14EBB8D95866E77F2AF89314F158829E506DB391EF35DC428BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D9DEC0, Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66eacd21631cfbce57aa787d44864ecf82cca05427518e54f8ac6c7abe08ff1f
Instruction ID: 6509c746225015b29badb9af7f67daab7832476ba1a5db483580fadb845fa8ec
Opcode Fuzzy Hash: 66eacd21631cfbce57aa787d44864ecf82cca05427518e54f8ac6c7abe08ff1f
Instruction Fuzzy Hash: 1112E631A01219DFEB20DBA4C49C76A7FF6EF6A300F1585F9D1869B261CB35C806DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D91FF0, Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967ddd69a459ad05b6db7b9e4aa32ffb00de7ce9c028d54eb2e4d8fed31d8a78
Instruction ID: f0eddfaa0ae800518b779d5bacf38f521518e27a63952b75992d10d373823c7b
Opcode Fuzzy Hash: 967ddd69a459ad05b6db7b9e4aa32ffb00de7ce9c028d54eb2e4d8fed31d8a78
Instruction Fuzzy Hash: BA126D70A002199FDB14DFA8C954BAEBBF6BF88304F148529E906EB355DB34DD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D92768, Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7c472886ba12f41bc6b868460c5183f1869d6f6dfc09d1d49cca189f527625
Instruction ID: 2df604e9406344de05c09dc4baf1d7e755f85606b5a123c0bbe139f3419f4612
Opcode Fuzzy Hash: 3d7c472886ba12f41bc6b868460c5183f1869d6f6dfc09d1d49cca189f527625
Instruction Fuzzy Hash: DED12971A00119EFCF14CFA8D984AADBBF2FF98304F198165E805AB265D730ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D7C898, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00D7C8E9

Strings

_, xrefs: 00D7C887

Memory Dump Source

Source File: 00000004.00000002.504158861.0000000000D70000.00000040.00000010.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_V5Al4cc8RL.jbxd

Similarity

API ID: InitializeThunk
String ID: _
API String ID: 2994545307-701932520
Opcode ID: 2279059a64c45695cd983871d2b5ae1b8018311cc2ff32e7604615937a379636
Instruction ID: dcba5adcfe3c85dda4bf747990d1735c4f83d3d187ae6736a66db8c09cb6ffd0
Opcode Fuzzy Hash: 2279059a64c45695cd983871d2b5ae1b8018311cc2ff32e7604615937a379636
Instruction Fuzzy Hash: 6C21D070A1028ADFCB14DFB8D458AADBFB1FF45314F14C56CE405AB291EB319846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A2B0, Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.504867185.0000000000F40000.00000040.00000010.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d9cd74350355062e42431686d9247923c6e3bb5ab0344b5d0a32bd45484c2b
Instruction ID: 2a9be782cf5a0e98e84f74e51c9c68de1aff61dec5462650e313e0361fa5f923
Opcode Fuzzy Hash: 17d9cd74350355062e42431686d9247923c6e3bb5ab0344b5d0a32bd45484c2b
Instruction Fuzzy Hash: 4C51B431B043459FCB00EFB4D888AAEBBB5FF85310F14896AE506DB255EF70D8058B62

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A310, Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F4A36F

Memory Dump Source

Source File: 00000004.00000002.504867185.0000000000F40000.00000040.00000010.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_V5Al4cc8RL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d5e731e29b6f78da0889b834193818c6eae9e188cba9853b7ced6b7cbbdf4f3d
Instruction ID: 4313cd27433c8d1ba46cbfd04ba34f252ed3c00c0cbb7642474316080b5b98c4
Opcode Fuzzy Hash: d5e731e29b6f78da0889b834193818c6eae9e188cba9853b7ced6b7cbbdf4f3d
Instruction Fuzzy Hash: 9C518371A002059FCB14FFB4D889AEEBBB5FF84314F148929E5069B255EF71E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7DFB8, Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.504158861.0000000000D70000.00000040.00000010.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec2e44e177b63dda378a067d18271d50a92c87c170c8248aa0f3fb940d1812f
Instruction ID: d04d7a5039b41ce0f5970e7a1b803493e11ffe494b11994f6a4aa9225458932c
Opcode Fuzzy Hash: cec2e44e177b63dda378a067d18271d50a92c87c170c8248aa0f3fb940d1812f
Instruction Fuzzy Hash: 3F412872D043558FCB15CFB9D8446EEBBF1EF89320F0985AAD408E7251EB749845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4B188, Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00F4B241

Memory Dump Source

Source File: 00000004.00000002.504867185.0000000000F40000.00000040.00000010.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_V5Al4cc8RL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ebede568c108cf7bcdb54fc98c06af35887e537513574d834606980f8ab4f4c0
Instruction ID: a6b629e59238d2ec2cd21dde1a8b79f44018e54e22714bb8776eeecadcf9283e
Opcode Fuzzy Hash: ebede568c108cf7bcdb54fc98c06af35887e537513574d834606980f8ab4f4c0
Instruction Fuzzy Hash: 6D31DFB1D002589FCB20CFDAD884ADEBFF5BF48314F14852AE819AB254D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F4AED0, Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00F4AF84

Memory Dump Source

Source File: 00000004.00000002.504867185.0000000000F40000.00000040.00000010.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_V5Al4cc8RL.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3a0675b0edd978dfae216308bc63ca504f8a8e7270740e94c8926a42023520d9
Instruction ID: 1bc2b421e616ea85c9a01d474df97b0bc18eceba788046588e28cc835e3d849b
Opcode Fuzzy Hash: 3a0675b0edd978dfae216308bc63ca504f8a8e7270740e94c8926a42023520d9
Instruction Fuzzy Hash: 9631F0B1D012498FDB10CF99C584A8EFFF5BF48314F28856AE809AB345C7759988CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00D92D50, Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc52bca71d7673261b224f12cf7e543656ed6cb7acb0c4f34cc21c5dec34fa5e
Instruction ID: d645e4c388a1d217eb71e82955aa3fd1445734b8484e04485d64a7a2f3ac4b26
Opcode Fuzzy Hash: fc52bca71d7673261b224f12cf7e543656ed6cb7acb0c4f34cc21c5dec34fa5e
Instruction Fuzzy Hash: B6124D30A002499FCF24DFA9D884AAEBBF2FF49314F148959E449EB261D731ED41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D932D8, Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf29bbc8886ec08f9ff9e325a0a16d12a8d71641d25d35b5db034c785065b0f
Instruction ID: d233059ada36896b837c629b6fe8809f607433ba0780f2ed92cee895b22805b4
Opcode Fuzzy Hash: aaf29bbc8886ec08f9ff9e325a0a16d12a8d71641d25d35b5db034c785065b0f
Instruction Fuzzy Hash: 77022970A00206DFCF14CF68C584AAEBBF2FF48354F298555E446AB2A5C730EE81DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00D95719, Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8af6ab533157c19db360fc86edbec8ab96050b15c1b21d93bcc4275a06e967
Instruction ID: 4f5c35a6872ef0e12d000fad3634ba07e0e2049a3d895747d9b815c516623064
Opcode Fuzzy Hash: 3d8af6ab533157c19db360fc86edbec8ab96050b15c1b21d93bcc4275a06e967
Instruction Fuzzy Hash: BFC10231F48105CFCB119F68E8981EDBBB2EF8A314F15497AC4099F695DB318869CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00D94C78, Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fb9e88a76caa13eecf9c17830cd4772cfc45bf7d37b5023a64266a5fcfcdcb
Instruction ID: e53a0885ef630906738e90725dcc9a0b174f36d87acd9aad84eb0ed1a4d38464
Opcode Fuzzy Hash: 61fb9e88a76caa13eecf9c17830cd4772cfc45bf7d37b5023a64266a5fcfcdcb
Instruction Fuzzy Hash: 6DD1EC75A002158FCB14CF69D588D9DBBF6FF88315B1A84A9E405AB362DB31EC42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D94B58, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4762bf98447db924d4ffb619164e6a3f47122ea0f898b26befda50887bee2c7
Instruction ID: bd26dbc1a4f88614d26a02fb2a804de5a3e008c83919bc305a1951c2c1d27651
Opcode Fuzzy Hash: e4762bf98447db924d4ffb619164e6a3f47122ea0f898b26befda50887bee2c7
Instruction Fuzzy Hash: FAD1F971A012158FCF14CFA9C988D9DBBF2FF89315B1A8195E415AB362DB34EC42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D9C0A8, Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8c9ef81b1dbaa328ce619f8b7aeee48b7b4a409cc2535dedc5353196a8f9d6
Instruction ID: 9858ae9503010122cd20449e524c7e40d8cf8a749ee5e785e3399bdeff5e50b3
Opcode Fuzzy Hash: ca8c9ef81b1dbaa328ce619f8b7aeee48b7b4a409cc2535dedc5353196a8f9d6
Instruction Fuzzy Hash: C0C1C031A14249DFCF15CFE8C884AEEBFB2FF89310F148166E805AB255D771A855CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D308, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50170998bf8b21b3857f1b16582c01697910b149ff5ebece2cab0afe4e161beb
Instruction ID: 7d76549577c9bd5d6d0b38efe74f21044ba78f5f1ae29156cdcf80f939351fa1
Opcode Fuzzy Hash: 50170998bf8b21b3857f1b16582c01697910b149ff5ebece2cab0afe4e161beb
Instruction Fuzzy Hash: 86A1DD30B002159FCF15EBA8C955BAE77A7EB89304F198829F506DF395CB71DC4287A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D92D48, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5bf77441e36e84f9f5fe8f59b44bd18b4ba7ee88ab0d12a4773cc0a3b71e88
Instruction ID: cfcf63851d801a712cba1a6187d6752df818657c7dc3586a7df28e1823b616bd
Opcode Fuzzy Hash: 3d5bf77441e36e84f9f5fe8f59b44bd18b4ba7ee88ab0d12a4773cc0a3b71e88
Instruction Fuzzy Hash: B4C14E30A002099FCF24DFA9C984AAEBBF6BF49314F148559E859EB361D730ED41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D9BD68, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637376faff958ef0dc0d8c571a9c5639fdf5d2193203d4823bb40dd42da12953
Instruction ID: 221b96c8a5f83e6ec26d936b54b1b32caa917451ba73231735eee5f934b81e7c
Opcode Fuzzy Hash: 637376faff958ef0dc0d8c571a9c5639fdf5d2193203d4823bb40dd42da12953
Instruction Fuzzy Hash: FEA18B307042018FCF15DF68D994AAD7BE5AF89310F1A44AAE946CB3B2DB75DC02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D91AC0, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd697572598eb90d22b3727f7797a11ae3692965c5d8b8e5805e7f5f87cf6c4
Instruction ID: 9bc703f67d5f6a648ce797f3fe56cf3552812cfb5f96c828e94ccb7c97b51f78
Opcode Fuzzy Hash: 8bd697572598eb90d22b3727f7797a11ae3692965c5d8b8e5805e7f5f87cf6c4
Instruction Fuzzy Hash: AB817D38A402079FCF14CFA9C484AAAB7B2FF89355B298169D416DB365D731EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9B108, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84baed1ecf4161c0a3c3bda6fe6d038d1c30fd5d7d08e52497ffe4aeb5e2af18
Instruction ID: a58b337cc86e936bdc45dc9243bda6df2dee5ca4de9dd877220874a4a117f74b
Opcode Fuzzy Hash: 84baed1ecf4161c0a3c3bda6fe6d038d1c30fd5d7d08e52497ffe4aeb5e2af18
Instruction Fuzzy Hash: 11715234B042048FDB44EBB9D96877E76E7AFC8714F168829D506DB394EF349C428B92

Uniqueness

Uniqueness Score: -1.00%

Function 00D93AC8, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca53397ddac79685e28173834361f454c39f7d71913c930dc173db0551e9437
Instruction ID: a9f7b1fe70e176574adf1bce686443c381ae492c56ddf3c4b5bd73e7efc6fef2
Opcode Fuzzy Hash: aca53397ddac79685e28173834361f454c39f7d71913c930dc173db0551e9437
Instruction Fuzzy Hash: 01516C313145119FCB14DF3DC888A6ABBE9FF4975871A44BAE44ACB362DB21DD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9CA80, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e27e8a059f03c811bc3cc4100473e928735936d1cec3798c8b9a62624296bb4
Instruction ID: ddbd9801f6ae9ec509727764efb2c16eda51e7701411c38086e19605f0b442f5
Opcode Fuzzy Hash: 7e27e8a059f03c811bc3cc4100473e928735936d1cec3798c8b9a62624296bb4
Instruction Fuzzy Hash: CC616D70E147498FDF15CFA6C5406AEBBF2AF49314F259219E809BB241D770AD85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D91830, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d026c313c4df4f938054deb1afec764e3d5217e08b39b2d88b5ac4b047cbe3
Instruction ID: 51e3d353b6662d9e703cdb2c42454e6c8cd75710665e833bfbf482851abb448e
Opcode Fuzzy Hash: 34d026c313c4df4f938054deb1afec764e3d5217e08b39b2d88b5ac4b047cbe3
Instruction Fuzzy Hash: B541D1347042069FDB15AB74C89477EB6E7AFC9304F188928E4568B389DF74CC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9CA71, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c01ff662a353b90ff4e2ab8717e98fc7034de230061e97240fe03ded36acbd
Instruction ID: 14257516608e873826e29b82620d41dbff916614239aa95d266fb52f66ac4bb9
Opcode Fuzzy Hash: 34c01ff662a353b90ff4e2ab8717e98fc7034de230061e97240fe03ded36acbd
Instruction Fuzzy Hash: 01516E70E147498FDF11CFA5C5406ADBBF2AF49314F259219E849AB241D770AD85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D9B3F4, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c812829a1078996b1ea127202b38a60c4def1af1dbad27d031725c54e03aeca
Instruction ID: 3dab21c96366404a40de734cc115b245ba8a6a2e937dc1166a82c3c5055209a1
Opcode Fuzzy Hash: 4c812829a1078996b1ea127202b38a60c4def1af1dbad27d031725c54e03aeca
Instruction Fuzzy Hash: 2E418034B002088FDF54EBB4D958B7E76E6EF88714F294429D902DB394DF349C429BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D9C263, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ef19e248999bad939b6b8633ea6ddcd9bf443b4c5759053db82a346a50414a
Instruction ID: bb20d37e039c0bf7322d5e72b1a18f4c22c3c4df68eb201355e689cb5613614b
Opcode Fuzzy Hash: 09ef19e248999bad939b6b8633ea6ddcd9bf443b4c5759053db82a346a50414a
Instruction Fuzzy Hash: ED41CD31A10249DFCF11CFE4C840AAEBFB2AF4A354F049156E815AB2A1D371ED54DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D916C8, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba7e13d02466bf3a9ef10325015454fe133c41f5eec2540694244e379737495
Instruction ID: 7b8d0fa7a12d0b9feb8b6350baea80695cd7e622ce67d124cda18fb9c1e9a24b
Opcode Fuzzy Hash: 2ba7e13d02466bf3a9ef10325015454fe133c41f5eec2540694244e379737495
Instruction Fuzzy Hash: 7041CD79604212CFDF158FA4D854BAA7BF6FF89300F098918E8069B390DB74CC11CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AEA8, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd579ecf4d2ca29d1d8198be65c657fab871b8fb055aaa5c4838f968d1e14c85
Instruction ID: c2e88eaa794fb85084df1e3edeb950f4ba1502a7d2307c50ad090409c8d2bca8
Opcode Fuzzy Hash: dd579ecf4d2ca29d1d8198be65c657fab871b8fb055aaa5c4838f968d1e14c85
Instruction Fuzzy Hash: 07419271B042058BDF64AF7CE98476E73A2EB86324F254839E50ADB290DB35DC4187A3

Uniqueness

Uniqueness Score: -1.00%

Function 00D95500, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8897291bde8549ce65f2aaf9bac91f21054c6a3150894ba956099e848dfc36
Instruction ID: c13ab996dfbb7073d0f59f0e4b78129537700aa9e493b1f2259b6edc4410836a
Opcode Fuzzy Hash: 8d8897291bde8549ce65f2aaf9bac91f21054c6a3150894ba956099e848dfc36
Instruction Fuzzy Hash: 1A41E2313046558FCB169F28E8146BA3BE7EF89310B054079F84ACB3A6DB75DD12CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D92618, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0746c737c8fe561e71326211440ecfc08a0a111620aa2667ba0848f0f52e24e3
Instruction ID: cb1ea8cd1be222ed2c1f61fbdc54b73b3eee6a2611d0bba276dd5a614489edea
Opcode Fuzzy Hash: 0746c737c8fe561e71326211440ecfc08a0a111620aa2667ba0848f0f52e24e3
Instruction Fuzzy Hash: 0941DF31A00248EFCF119FA4C804BBABBF6EF44314F09846AE816AB651D775DD55CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D938D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f736ae5720d66b9817d52f9c319745c7f49a233829eeeeffa021b926860eb8
Instruction ID: aa08efdd874f3bd0ed748a8fdaf610639bfaaf9f4def1d055f156ccda748f75e
Opcode Fuzzy Hash: 58f736ae5720d66b9817d52f9c319745c7f49a233829eeeeffa021b926860eb8
Instruction Fuzzy Hash: 144124756002559FCF149F69C888BAA7BB6FF89314F140069F956CB3A0CB71DE40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D94890, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9657ff104ec262bec41b9bfe6bfd205afbab6bb92cb1425e3ffa362376dc2267
Instruction ID: ad4a3a1733b4467720dae72f39c5f8566b38e5fbc3a80536b14f2fa3918b12f0
Opcode Fuzzy Hash: 9657ff104ec262bec41b9bfe6bfd205afbab6bb92cb1425e3ffa362376dc2267
Instruction Fuzzy Hash: 4C31A6303442159FDF258A68D894E7F7769EB81354B19486EE092CB397DB24CC828BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D953F8, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273da8afe696cfa53286b5a9aab5d9704e402bfd02b20ab917ba4a4ec35561b4
Instruction ID: 4228529d5975203a9d6910ae77de434d724e3a29bea90f85627d2c5c670d2331
Opcode Fuzzy Hash: 273da8afe696cfa53286b5a9aab5d9704e402bfd02b20ab917ba4a4ec35561b4
Instruction Fuzzy Hash: F831EF71A052199FCB11DFA8E884AAEBBB8FF88311F14407AE515D7252D3719D51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D949B0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ced25b9da1ac1aa806eaf22d8ddab577a3aa3dcd4b129ad45f6695402703ed
Instruction ID: b252f86dc55410931fe5fb2976d7f47222659047d0d895b54f474d0cde198327
Opcode Fuzzy Hash: f3ced25b9da1ac1aa806eaf22d8ddab577a3aa3dcd4b129ad45f6695402703ed
Instruction Fuzzy Hash: E131EF31B042049FCB049B74C818BAEBBF6EF8D214F098469E506EB381CF319C01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D93D09, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a998658d79962d5b326e3f06ba9c3fd8919ecd933b772cfb3afe484cffe05842
Instruction ID: f749e18634481ae82ab6d74bf4b8c8bf2664d0e43f238f2767878f9084a7e1c1
Opcode Fuzzy Hash: a998658d79962d5b326e3f06ba9c3fd8919ecd933b772cfb3afe484cffe05842
Instruction Fuzzy Hash: 622126303042055BDF252735C8A877E3AABDFC5715B184039E506CB394EF29CE02A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AB10, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3562606a781cd14bad30df0787c74b919baf507cd28e81b0aa76b6bdb131fd4
Instruction ID: 7fd01e69472cba6196a63ce8f89bde86588720d857da9728294d7c57f4cdaaec
Opcode Fuzzy Hash: b3562606a781cd14bad30df0787c74b919baf507cd28e81b0aa76b6bdb131fd4
Instruction Fuzzy Hash: 2E31B371E052458FCB01DBA8D984ADDBFF2EF95314F1580AAD404D7245E734DD06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D93D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77d5381af9aba7b96337bc7b38e3a0c9d46a61be845b882b1928916f617416c
Instruction ID: 79fd9cf6c0abb5bad3837a16bbcabe5ba17d8bc89e13f12800d6d448282300e3
Opcode Fuzzy Hash: f77d5381af9aba7b96337bc7b38e3a0c9d46a61be845b882b1928916f617416c
Instruction Fuzzy Hash: D221D4303082044BDF252635D4A877E3A9BDFC5718F288039E506CB398DF29CE42A3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D914F0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08432a0da8ce1b867ffc9c4e8407cc877aff56e8be70ea127af1568c1ae05d25
Instruction ID: 8e4bb25a60631693c2b14d1acd1ddf13b1aacc17a8201751e3cef5c3c795f8f5
Opcode Fuzzy Hash: 08432a0da8ce1b867ffc9c4e8407cc877aff56e8be70ea127af1568c1ae05d25
Instruction Fuzzy Hash: 16314C3560011A9FDF46AF65E844AAE7BB6FF88310F154429FD1AC7250CB35CD62DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D93C10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450f83409bfc38591f923b13ce64f09d622579254fd1ab3f5ae136214616949a
Instruction ID: 67a776e3fc2e9628e32d24953c275ffba00062fe24d09ad743e723ec3203d0d2
Opcode Fuzzy Hash: 450f83409bfc38591f923b13ce64f09d622579254fd1ab3f5ae136214616949a
Instruction Fuzzy Hash: 1F21D131304655DFDF10CF2A9884A6B7BEAEB85340F19442AE852D7355EB31CE41D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504782217.0000000000ECD000.00000040.00000001.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ecd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c4e147c398c25afc3b82090d2debf3114389556bde55a642d69bc5600cbb5e
Instruction ID: afbac15605f385c477fed7474f1a39f42cfbd2ff5de62e893e89901fd6ecb8f9
Opcode Fuzzy Hash: 73c4e147c398c25afc3b82090d2debf3114389556bde55a642d69bc5600cbb5e
Instruction Fuzzy Hash: 7C212171508240DFCB04DF50DAC0F6BBB65FB98328F20897CE9051A206C337E85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504782217.0000000000ECD000.00000040.00000001.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ecd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42769b59f013fd3c4350a867c13a8ce62635407d0053d7e446a1b558476ce37f
Instruction ID: 5f8010e1cfe0fabf05c4e7f86e42b043336497a8d746151aa97293bb8b6848e3
Opcode Fuzzy Hash: 42769b59f013fd3c4350a867c13a8ce62635407d0053d7e446a1b558476ce37f
Instruction Fuzzy Hash: 8D21F172508240DFCB01DF14DAC0F6ABB65FB98328F24897DE8055B246C337D856DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D919F0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16943af8b71419dfc8a866f528b10718c8d653cae742620d9bf09e7ef2bd3fb
Instruction ID: 120f39e76599951a94a20e9e0aab82faa105df10254c9fd7ed76cf494843cc62
Opcode Fuzzy Hash: b16943af8b71419dfc8a866f528b10718c8d653cae742620d9bf09e7ef2bd3fb
Instruction Fuzzy Hash: 0C21F3357026128BCB199B29D494A3EB3A6EF88755B188569E906CB350CF30DC4387E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FED01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.505004731.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fed000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8046023e11df6b4a210bd6d03c61550e921219520a2f9838c637f848cd8631a4
Instruction ID: 1fca83ea9c3d1d42d503aaefb02931bb3d18e67c9fd50b4ebb5ab78be719dd63
Opcode Fuzzy Hash: 8046023e11df6b4a210bd6d03c61550e921219520a2f9838c637f848cd8631a4
Instruction Fuzzy Hash: 29210771904280DFCB14CF14D9C4B16BB65FB84328F28C96DD94A4B64AC336D847DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D919E0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d19a39408bbeddeaddd1afc40eaaf8a4634b8a83e97b49149a31603d46876a3
Instruction ID: 395a76c2377a1b98d342b413709ee98f37f88397f5855976204ea43c1029728e
Opcode Fuzzy Hash: 3d19a39408bbeddeaddd1afc40eaaf8a4634b8a83e97b49149a31603d46876a3
Instruction Fuzzy Hash: 751106357426129BDB195629C894A7AB3E6EF887A1F194478E506DB350CF30DC4387E0

Uniqueness

Uniqueness Score: -1.00%

Function 00D92608, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b073d503562912293a91dd6a0af802f987eb5f9c4a5148521bb32249582b022d
Instruction ID: 375fa8fc31e732d9f6c05b9634b22f760b0d077085ec71892efc7c3f50696282
Opcode Fuzzy Hash: b073d503562912293a91dd6a0af802f987eb5f9c4a5148521bb32249582b022d
Instruction Fuzzy Hash: 00216D71900208EFDF20DF94D844BBABBFAEB48320F09842AE5199B651D775DD54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FED005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.505004731.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fed000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4b882096da5400b1ba032b83c735b3e7ba63c967932b97139edef28ac887de
Instruction ID: 1619a8c54961d16ed708ccd5630c477591c1c0096898d92ee175afdca20c069a
Opcode Fuzzy Hash: cf4b882096da5400b1ba032b83c735b3e7ba63c967932b97139edef28ac887de
Instruction Fuzzy Hash: CA2192755093C08FCB02CF20D994715BF71EB46324F28C5EAD8498F697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504782217.0000000000ECD000.00000040.00000001.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ecd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
Instruction ID: 758d49e470580b1faec3a9f98fa0b6b5a01f6ff9ca2eac6c8401f257b8c26f14
Opcode Fuzzy Hash: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
Instruction Fuzzy Hash: 9211AF76508280CFCB15CF10DAC4B16BF71FB94328F2486ADD8055B656C337D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504782217.0000000000ECD000.00000040.00000001.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ecd000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
Instruction ID: 03b0442b07078ee0335b5d471bf98cd68ac56a4d44d1063c06758b0e66ebbdf0
Opcode Fuzzy Hash: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
Instruction Fuzzy Hash: 6D11B176504280CFCB02CF10DAC4B16BF72FB94328F2486ADD8095B656C33BD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D95448, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9edaf844002b51306303e938eac5b4bd8a7f79d69c38d762808441eed80e8da
Instruction ID: c79cb57380e1b5902618f869c6fb7b62bd54c59eee249bc9f03f6eb5bfe4a28b
Opcode Fuzzy Hash: e9edaf844002b51306303e938eac5b4bd8a7f79d69c38d762808441eed80e8da
Instruction Fuzzy Hash: 8F116DB1E0521A9FDF11DFA8E8406BFBBF5BF48301F14446AE515E3241D3749A54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D954F1, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa50820184a49dc84ca026466ceaa8805ba010dbacf4085b960a710be48c68b5
Instruction ID: 2347bb5cfed29f7120cbf4367ce4ed99b02875fe761f3befccff2082ecd6c471
Opcode Fuzzy Hash: aa50820184a49dc84ca026466ceaa8805ba010dbacf4085b960a710be48c68b5
Instruction Fuzzy Hash: 3301F5713006018FCB56DF29F4906AA3BE3EF95320B0A8039E44ACB352DA71DC03C761

Uniqueness

Uniqueness Score: -1.00%

Function 00D9162A, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cbf334fd23c1eed5dbd3f8cccfa1cd1538842b5b6a810fd89c173f5d4cecd1
Instruction ID: af9e9eb7026615c68f6ee2e679a4e5fabe0a64279863fd04645a1174fde0973a
Opcode Fuzzy Hash: c0cbf334fd23c1eed5dbd3f8cccfa1cd1538842b5b6a810fd89c173f5d4cecd1
Instruction Fuzzy Hash: 5001B532B001156FDF119E689811BEF3BE6EBC8350F188029F516D7280CA75CC129BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AA78, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36c262fb5ed2df49d13e1e0c7739b0b4b63ffe8f203b800dfc1adcc6791ee88
Instruction ID: 7740f5e0a0ee6365e86955487ce06d9b21620395609aa15ca4337089f45d184c
Opcode Fuzzy Hash: f36c262fb5ed2df49d13e1e0c7739b0b4b63ffe8f203b800dfc1adcc6791ee88
Instruction Fuzzy Hash: D601D6A2D0D3944FC702977C58641DA3FB5CE46114B0904F7D085D7153E568490AC7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9323E, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a7042caf793e29b0d2daaff00391f3ae60737cf977ca6c72fe3cb5500f0d19
Instruction ID: e5e0231c07c387201949bcd3660d3ea67d55e53c76421e889bb3c693bf4702dd
Opcode Fuzzy Hash: 87a7042caf793e29b0d2daaff00391f3ae60737cf977ca6c72fe3cb5500f0d19
Instruction Fuzzy Hash: E0011D31A01644CFCB64DFA8E5809C9F7F1FF84328B508D19E4599B611D730BE09CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AAA8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e4b81a366d0eece04773f904fabdaa82551be5719514b9b6a10137717176a8
Instruction ID: 37167a9d1a3c6902193509228ce9a99e5c7648cf4c2fc9c12555ba2834cd78a3
Opcode Fuzzy Hash: 88e4b81a366d0eece04773f904fabdaa82551be5719514b9b6a10137717176a8
Instruction Fuzzy Hash: E9E01276E042299F4B40ABBD98055AE7FF9EA88211B110076E509E3204EA745A01DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D91D70, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a70785902c70d5fd949b4fb712232646c31d451071f428da91df224c9aecdc4
Instruction ID: fa26010a95d9e75930a7f55b52bf014b2785b3dd7f8fdd73e8e58b00463567a7
Opcode Fuzzy Hash: 4a70785902c70d5fd949b4fb712232646c31d451071f428da91df224c9aecdc4
Instruction Fuzzy Hash: B8D05E314982054BE545BBB4FD02FDA77DDD79010DF048C24E00A99629DABE9A4B8355

Uniqueness

Uniqueness Score: -1.00%

Function 00D91D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54080d42b7340ffe4cd905db45746bcad07f701f7a8d3a3213f62718e0e5ad6c
Instruction ID: 755b73577eaaadef66c9bc9be534003a1fe4080e5e3ea908af4c93f9a016f23e
Opcode Fuzzy Hash: 54080d42b7340ffe4cd905db45746bcad07f701f7a8d3a3213f62718e0e5ad6c
Instruction Fuzzy Hash: AEC012304582054BC548BBB4F841DA977AE968110C340CD25E00A4A22D9FB5590A8785

Uniqueness

Uniqueness Score: -1.00%

Function 00D9F7C0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.504241691.0000000000D90000.00000040.00000010.sdmp, Offset: 00D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d90000_V5Al4cc8RL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d20f69f42e100108061eb8774c81d89bb2ee308d5e2509842dfe43e54ec31b5
Instruction ID: 28c1c2bef11e2ce0333aa41ed267518fe8fa170ce90c59b16cd265ed3b9fd718
Opcode Fuzzy Hash: 2d20f69f42e100108061eb8774c81d89bb2ee308d5e2509842dfe43e54ec31b5
Instruction Fuzzy Hash: 38C0029180F7C02FEB634335D92A9923F64981325470A05DBE0928A463E58A084AC7AB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report V5Al4cc8RL

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 089F19FC, Relevance: 2.7, Strings: 2, Instructions: 151
COMMON

Function 028C9B10, Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Function 028C4154, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 028C59CD, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 028CBB44, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 028CC030, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 028C97D0, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 028C9F71, Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Function 028C9CF0, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 089F8C0C, Relevance: 1.3, Strings: 1, Instructions: 79
COMMON