Edit tour

Windows Analysis Report
2AylrL13DwoqmCT.exe

Overview

General Information

Sample name:	2AylrL13DwoqmCT.exe
Analysis ID:	1436307
MD5:	64e6319165840f7649a1f54abd3f226a
SHA1:	6254572c76b925282d6fc5f6d04b610eeb9c2ebf
SHA256:	d6e7c231b0aeee159700e68b79eb19d932e851a64a4a82ad1a1c72efc2faa72b
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses FTP

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

2AylrL13DwoqmCT.exe (PID: 6900 cmdline: "C:\Users\user\Desktop\2AylrL13DwoqmCT.exe" MD5: 64E6319165840F7649A1F54ABD3F226A)

powershell.exe (PID: 5452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3008 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5756 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

KrzbVJsCi.exe (PID: 5816 cmdline: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe MD5: 64E6319165840F7649A1F54ABD3F226A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.jeepcommerce.rs", "Username": "w133y@jeepcommerce.rs", "Password": "Q6]7rLSD*gU2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1254083563.0000000005520000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34703:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34775:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x347ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34891:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x348fb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3496d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x318f7:$s2: GetPrivateProfileString 0x30fd4:$s3: get_OSFullName 0x32638:$s5: remove_Key 0x3279b:$s5: remove_Key 0x336f3:$s6: FtpWebRequest 0x346e5:$s7: logins 0x34c57:$s7: logins 0x3795c:$s7: logins 0x37a1a:$s7: logins 0x3936d:$s7: logins 0x385b4:$s9: 1.85 (Hash, version 2, native byte-order)
00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.1252121361.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.1252121361.000000000305E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 2AylrL13DwoqmCT.exe PID: 6900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2AylrL13DwoqmCT.exe PID: 6900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 2AylrL13DwoqmCT.exe PID: 6900	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: KrzbVJsCi.exe PID: 5816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.KrzbVJsCi.exe.2e57480.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.KrzbVJsCi.exe.5520000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.KrzbVJsCi.exe.5520000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.KrzbVJsCi.exe.2e135e4.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.KrzbVJsCi.exe.2e46808.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d67474.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.KrzbVJsCi.exe.2e57480.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d563cc.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.KrzbVJsCi.exe.2e46808.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32903:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32975:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x329ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32afb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2faf7:$s2: GetPrivateProfileString 0x2f1d4:$s3: get_OSFullName 0x30838:$s5: remove_Key 0x3099b:$s5: remove_Key 0x318f3:$s6: FtpWebRequest 0x328e5:$s7: logins 0x32e57:$s7: logins 0x35b5c:$s7: logins 0x35c1a:$s7: logins 0x3756d:$s7: logins 0x367b4:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32903:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32975:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x329ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32afb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2faf7:$s2: GetPrivateProfileString 0x2f1d4:$s3: get_OSFullName 0x30838:$s5: remove_Key 0x3099b:$s5: remove_Key 0x318f3:$s6: FtpWebRequest 0x328e5:$s7: logins 0x32e57:$s7: logins 0x35b5c:$s7: logins 0x35c1a:$s7: logins 0x3756d:$s7: logins 0x367b4:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32903:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32975:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x329ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32afb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2faf7:$s2: GetPrivateProfileString 0x2f1d4:$s3: get_OSFullName 0x30838:$s5: remove_Key 0x3099b:$s5: remove_Key 0x318f3:$s6: FtpWebRequest 0x328e5:$s7: logins 0x32e57:$s7: logins 0x35b5c:$s7: logins 0x35c1a:$s7: logins 0x3756d:$s7: logins 0x367b4:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34703:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34775:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x347ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34891:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x348fb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3496d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x318f7:$s2: GetPrivateProfileString 0x30fd4:$s3: get_OSFullName 0x32638:$s5: remove_Key 0x3279b:$s5: remove_Key 0x336f3:$s6: FtpWebRequest 0x346e5:$s7: logins 0x34c57:$s7: logins 0x3795c:$s7: logins 0x37a1a:$s7: logins 0x3936d:$s7: logins 0x385b4:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34703:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34775:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x347ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34891:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x348fb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3496d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x318f7:$s2: GetPrivateProfileString 0x30fd4:$s3: get_OSFullName 0x32638:$s5: remove_Key 0x3279b:$s5: remove_Key 0x336f3:$s6: FtpWebRequest 0x346e5:$s7: logins 0x34c57:$s7: logins 0x3795c:$s7: logins 0x37a1a:$s7: logins 0x3936d:$s7: logins 0x385b4:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34703:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x70523:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34775:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x70595:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x347ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x7061f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34891:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x706b1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x348fb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x7071b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3496d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x7078d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70823:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x708b3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x318f7:$s2: GetPrivateProfileString 0x6d717:$s2: GetPrivateProfileString 0x30fd4:$s3: get_OSFullName 0x6cdf4:$s3: get_OSFullName 0x32638:$s5: remove_Key 0x3279b:$s5: remove_Key 0x6e458:$s5: remove_Key 0x6e5bb:$s5: remove_Key 0x336f3:$s6: FtpWebRequest 0x6f513:$s6: FtpWebRequest 0x346e5:$s7: logins 0x34c57:$s7: logins 0x3795c:$s7: logins 0x37a1a:$s7: logins 0x3936d:$s7: logins 0x70505:$s7: logins 0x70a77:$s7: logins 0x7377c:$s7: logins 0x7383a:$s7: logins 0x7518d:$s7: logins 0x385b4:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.KrzbVJsCi.exe.309b62c.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.KrzbVJsCi.exe.3099614.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.KrzbVJsCi.exe.30985fc.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x56c98:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x56d24:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x56dc8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x56e74:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x56ef8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x56f84:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x57034:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x570e0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x45bf0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x45c7c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x45d20:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x45dcc:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x45e50:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x45edc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x45f8c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46038:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x89f54:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x89fe0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8a084:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8a130:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8a1b4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8a240:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8a2f0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8a39c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 49 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2AylrL13DwoqmCT.exe", ParentImage: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe, ParentProcessId: 6900, ParentProcessName: 2AylrL13DwoqmCT.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe", ProcessId: 5452, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\2AylrL13DwoqmCT.exe", ParentImage: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe, ParentProcessId: 6900, ParentProcessName: 2AylrL13DwoqmCT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp", ProcessId: 5756, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2AylrL13DwoqmCT.exe", ParentImage: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe, ParentProcessId: 6900, ParentProcessName: 2AylrL13DwoqmCT.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe", ProcessId: 5452, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\2AylrL13DwoqmCT.exe", ParentImage: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe, ParentProcessId: 6900, ParentProcessName: 2AylrL13DwoqmCT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp", ProcessId: 5756, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2AylrL13DwoqmCT.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe

Avira: detection malicious, Label: HEUR/AGEN.1305452

Found malware configuration

Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.jeepcommerce.rs", "Username": "w133y@jeepcommerce.rs", "Password": "Q6]7rLSD*gU2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Virustotal: Detection: 59%			Perma Link

Multi AV Scanner detection for submitted file

Source: 2AylrL13DwoqmCT.exe	Virustotal: Detection: 59%			Perma Link
Source: 2AylrL13DwoqmCT.exe	ReversingLabs: Detection: 60%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 2AylrL13DwoqmCT.exe

Joe Sandbox ML: detected

Source: 2AylrL13DwoqmCT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2AylrL13DwoqmCT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 195.252.110.253 195.252.110.253

Source: Joe Sandbox View

ASN Name: BEOTEL-AShttpwwwbeotelnetRS BEOTEL-AShttpwwwbeotelnetRS

Source: unknown

DNS query: name: ip-api.com

Source: unknown

FTP traffic detected: 195.252.110.253:21 -> 192.168.2.7:49700 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 09:07. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 09:07. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 09:07. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 09:07. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ftp.jeepcommerce.rs

Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, 2AylrL13DwoqmCT.exe, 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, 2AylrL13DwoqmCT.exe, 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, 2AylrL13DwoqmCT.exe, 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, NmHr1WHWKO.cs	.Net Code: _5X3Zzx6JgyO
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, NmHr1WHWKO.cs	.Net Code: _5X3Zzx6JgyO
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, NmHr1WHWKO.cs	.Net Code: _5X3Zzx6JgyO

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_014EEFC4	0_2_014EEFC4
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF77B8	0_2_05DF77B8
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF77A8	0_2_05DF77A8
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF93F0	0_2_05DF93F0
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF93E0	0_2_05DF93E0
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF7380	0_2_05DF7380
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF7373	0_2_05DF7373
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF8FB8	0_2_05DF8FB8
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF8FAB	0_2_05DF8FAB
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF9828	0_2_05DF9828
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF0BC0	0_2_05DF0BC0
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_05DF0BB0	0_2_05DF0BB0
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_062A8E58	0_2_062A8E58
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_062AD4E0	0_2_062AD4E0
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_062A0878	0_2_062A0878
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_062A58B0	0_2_062A58B0
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_062AA981	0_2_062AA981
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_062A6C30	0_2_062A6C30
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_062A2400	0_2_062A2400
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_062A1D20	0_2_062A1D20
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_08E869E0	0_2_08E869E0
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_08E8D518	0_2_08E8D518
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_08E80680	0_2_08E80680
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_08E81298	0_2_08E81298
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_08E8F650	0_2_08E8F650
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_08E8A418	0_2_08E8A418
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_08E809C8	0_2_08E809C8
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Code function: 0_2_08E8C728	0_2_08E8C728
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Code function: 6_2_02BDEFC4	6_2_02BDEFC4

Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs 2AylrL13DwoqmCT.exe
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3669838888.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 2AylrL13DwoqmCT.exe
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3669838888.0000000004167000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 2AylrL13DwoqmCT.exe
Source: 2AylrL13DwoqmCT.exe, 00000000.00000000.1189496438.0000000000A0C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDVSq.exe8 vs 2AylrL13DwoqmCT.exe
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename90cf818a-462d-43ad-9b06-442ae93cc408.exe4 vs 2AylrL13DwoqmCT.exe
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3657402579.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 2AylrL13DwoqmCT.exe
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename90cf818a-462d-43ad-9b06-442ae93cc408.exe4 vs 2AylrL13DwoqmCT.exe
Source: 2AylrL13DwoqmCT.exe	Binary or memory string: OriginalFilenameDVSq.exe8 vs 2AylrL13DwoqmCT.exe

Source: 2AylrL13DwoqmCT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 2AylrL13DwoqmCT.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KrzbVJsCi.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, ISZbPXDvPz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, ISZbPXDvPz.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, YpS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, YpS.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, KlaSVIS0ixltNPkyhS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, KV2B7X8Z1o6fKyhy02.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, KV2B7X8Z1o6fKyhy02.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, KV2B7X8Z1o6fKyhy02.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/9@2/2

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

File created: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Mutant created: \Sessions\1\BaseNamedObjects\mRueOZbwPnpldIORqebpaDEhn
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp

Jump to behavior

Source: 2AylrL13DwoqmCT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2AylrL13DwoqmCT.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2AylrL13DwoqmCT.exe	Virustotal: Detection: 59%
Source: 2AylrL13DwoqmCT.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

File read: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe "C:\Users\user\Desktop\2AylrL13DwoqmCT.exe"
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe C:\Users\user\AppData\Roaming\KrzbVJsCi.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 2AylrL13DwoqmCT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 2AylrL13DwoqmCT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 6.2.KrzbVJsCi.exe.2e57480.1.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 6.2.KrzbVJsCi.exe.5520000.9.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, KV2B7X8Z1o6fKyhy02.cs

.Net Code: FpMVkX0oWv System.Reflection.Assembly.Load(byte[])

Source: 2AylrL13DwoqmCT.exe	Static PE information: section name: .text entropy: 7.975099194385122
Source: KrzbVJsCi.exe.0.dr	Static PE information: section name: .text entropy: 7.975099194385122

Source: 6.2.KrzbVJsCi.exe.2e57480.1.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, cgiECCzxjFhWtfUWsx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aix0ZQqQ2A', 'RhN02G6g6O', 'qDa0EU0oFx', 'H9P0YynSRC', 'QgX0sthGiE', 'jsY0074L3y', 'UEj0PG3MXs'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, j32Z8eBlHNeoNY1wp3.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bbDojKxar3', 'ykgownG2JI', 'htbozaXFR8', 'N5AUbbvNib', 'AbWU4DvxEC', 'BSFUoKl9lg', 'x1bUUfLKsf', 'xw31Xi4eI9fu5J8IU4k'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, KV2B7X8Z1o6fKyhy02.cs	High entropy of concatenated method names: 'pclUMS6Hxc', 'mb6UpM6AIi', 'LrgUaip1gi', 'eurUBA3fgn', 'kuwU9oxfHR', 'MiuUlk3Ksh', 'PLOUXlK5EN', 'endU8IF89O', 'dPyUgMMiwN', 'sutUOtQYkL'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, F23ZBO4bPTbFsYojED5.cs	High entropy of concatenated method names: 'fWH0tulCeC', 'DEx0RgtGW7', 'VBF0kWgeWm', 'zSb0NFI4V2', 'Vdr0vhRTPo', 'piD0FJ3Rtd', 'OS70doBdmG', 'SpL0SU3D7c', 'fBt0KryL3G', 'AHK0JYmelv'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, gkr2vS3VAweL2pqg1O.cs	High entropy of concatenated method names: 'wHcY6CyZmT', 'gTjYwcrOtr', 'qlIsb3jcdH', 'dQOs4gGUZM', 'HHsYfEXkto', 'FiKYhtAFa7', 'wDbY7pi2xD', 'jgfYWeD9ow', 'kwMYCyXvhk', 'alAYrgJNho'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, Qh2qfjj6p4RCYat27j.cs	High entropy of concatenated method names: 'YGZsekDPZA', 'ORNsmV0A18', 'ddgsLAPaT7', 'cLWsxkSkxf', 'nuUsWRWTDA', 'kZysckgtac', 'Next', 'Next', 'Next', 'NextBytes'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, oh3xttoD6pxO5MkmB2.cs	High entropy of concatenated method names: 'dcFkGmWhZ', 'gXJNL36ik', 'Ao8FCnAQh', 'ooMdcxpTc', 'clHKPfSl2', 'WGfJGWujO', 'Fnv76FVGwmMavFEkvM', 'AJWZ41qsgK6dhs1iEV', 'F2ZsshstA', 'X86PfATDy'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, KlaSVIS0ixltNPkyhS.cs	High entropy of concatenated method names: 'QqYaW3pw4U', 'tY8aCyKujs', 'o05araQY2y', 'tiIa1vogFB', 'bHRauYND21', 'eb0a3MN41V', 'U89aqMK6MC', 'F5qa6J2bXu', 'rDDajUgiRZ', 'ADCawFd3v7'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, zfQ0q26yIi94kDYsAg.cs	High entropy of concatenated method names: 'bALsp7gkUn', 'LO7saMg46q', 'zmrsB1R8F2', 'kc0s9ixIKc', 'dP2sl8wvx3', 'j7ssXJmfEv', 'Fsrs8gf2dK', 'Nmrsg0QkJa', 'ORysOTWdU5', 'tgJsyIIi9b'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, G6RyO84UyL1Dup5NFBb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K2PPWCxG6K', 'JptPCW0et8', 'Yu0PrTbL16', 'J9LP191Pw2', 'FuyPuMxR43', 'xO6P3qlD3P', 'XIvPqoZKjB'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, X37ECbJdXblq73DUeq.cs	High entropy of concatenated method names: 'r6m9vK9vZu', 'Bx09dwi8tu', 'SerBLTI0bW', 'WRDBxwZAxW', 'sUEBc8KR4f', 'NoLB5vFWYj', 'F2mBDfpmcN', 'FumBnXwuth', 'GRtBIrGdMC', 'H70BTIDbvN'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, PPIROl4oH3vaJoMkGQS.cs	High entropy of concatenated method names: 'TSZPtH9Xu9', 'MgGPRk4nsi', 'n5iPk7vjGi', 'x1kbSCM2COSvpojGgS5', 'Dse1ZXMCkXM7CVQQMOs', 'KPel2BMt3Wys35JyB8X', 'dfklv2MgK10X4qLRK3o', 'nvaLNUMw55NTfe91d3r', 'jQuZucM3SSx5ruUjJKA'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, GfKFgJa9v75DSJSlfo.cs	High entropy of concatenated method names: 'Dispose', 'UmH4jpPqrD', 'oflomwbDFp', 'PTwJJGsbmW', 'lkf4wQ0q2y', 'Mi94z4kDYs', 'ProcessDialogKey', 'vg7obh2qfj', 'Wp4o4RCYat', 'o7jooeAtBI'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, vDDDNp7TFjfAvOnxcL.cs	High entropy of concatenated method names: 'DHaZSSInQ7', 'NMyZKBsiEw', 'pFTZeEXGQa', 'ltmZmWWBOB', 'KVPZxCC0TW', 'SK2ZcFFWu1', 'kywZDFKbZS', 'ErBZn7Ix0o', 'kLGZTcLhoy', 'cSEZfJaYsv'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, W6g8h6e7tYR17jgKE1.cs	High entropy of concatenated method names: 'jU7lMx5MHe', 'nUllauXOxy', 'G5El9Y15Nt', 't2XlXeYwvj', 'Ybwl8k8MCw', 'iTI9uwMpNi', 'oTi93e4yJC', 'iHb9qjoi01', 'nZw96afgst', 'FKZ9jeADgU'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, qv9BRi1MoyBa0f8v1a.cs	High entropy of concatenated method names: 'ibvYOAWZaB', 'lFrYyLRjij', 'ToString', 'S2kYpribxJ', 'UGbYagAnhd', 'B4NYBVwDdZ', 'lr8Y9LEH7d', 'z0iYl26rI9', 'UeQYXmrqrR', 'BCBY8S8xS6'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, z641QkWfOUKw8fFaph.cs	High entropy of concatenated method names: 'kt32TOceRh', 'Src2hxgULA', 'eAh2WsCeEh', 'RTX2Cepcvi', 'kvY2m3Gno7', 'GkW2LhLe1L', 'wDP2xQn5xW', 'UKj2chMHSy', 'SxD25QSuPX', 'D7A2DgklPJ'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, tLAoC9IvMlWfvf9x8n.cs	High entropy of concatenated method names: 'emFXtn8Evh', 'RTHXRTDbqF', 'JODXkJo9N0', 'CxDXNy7oo5', 'miGXvogjD0', 'HwiXFvBfLO', 'NwuXdV1U8S', 'b4YXS8Mc7J', 'Sw9XK2Nc1q', 'dYXXJDKKjb'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, FAtBIfwcTLYyoirreW.cs	High entropy of concatenated method names: 'OkO04ikKPP', 'Ulx0U6WguU', 'i2P0VeJCuK', 'HOp0pYl8EB', 'Joc0apY2EV', 'cRh094yVoK', 'n410lnafFD', 'wROsqBZNnO', 'u1ts6HWK2q', 'kcEsj1B0wn'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, mfcsEMVoU8nCM8FYxr.cs	High entropy of concatenated method names: 'rf54XlaSVI', 'rix48ltNPk', 'j6j4OM3Wg1', 'fKM4ybj37E', 'VDU42eq66g', 'kh64E7tYR1', 'wH34XSA97wPWcWFAvp', 'wJlvqqSOPVkqeJ4fLi', 'khl44q9NqA', 'QIH4Usbjeb'
Source: 6.2.KrzbVJsCi.exe.415c3a0.6.raw.unpack, fNMfXlK6jM3Wg1pKMb.cs	High entropy of concatenated method names: 'Q7UBNpBYbh', 'Ed8BFYvCgl', 'u5HBSCiZ5J', 'a6kBKoKhul', 'hNaB2wLUSb', 'y2kBEh7fIS', 'qGvBYycx6c', 'fv1Bs6JBr0', 'DtnB0TKCXs', 't0pBPI5Qpt'
Source: 6.2.KrzbVJsCi.exe.5520000.9.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

File created: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 2AylrL13DwoqmCT.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KrzbVJsCi.exe PID: 5816, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, 2AylrL13DwoqmCT.exe, 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLLESELECT * FROM WIN32_COMPUTERSYSTEM

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Memory allocated: 6280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Memory allocated: 74C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Memory allocated: 84C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Memory allocated: 6280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Memory allocated: 6280000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599754	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598424	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598202	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597764	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597320	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595558	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Window / User API: threadDelayed 2124	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Window / User API: threadDelayed 7726	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6366	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1992	Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -599754s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -599640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -599421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598424s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -597764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -597320s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -597202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595558s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe TID: 6856	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1000	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe TID: 4544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599754	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598424	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598202	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597764	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597320	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595558	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: 2AylrL13DwoqmCT.exe, 00000000.00000002.3671821385.00000000056D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Code function: 0_2_08E82410 CheckRemoteDebuggerPresent,

0_2_08E82410

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe"
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe"			Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe"			Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp"			Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Queries volume information: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Queries volume information: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2AylrL13DwoqmCT.exe PID: 6900, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e57480.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.5520000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.5520000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e135e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e46808.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e57480.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e46808.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.309b62c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.3099614.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.30985fc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1254083563.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1252121361.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1252121361.000000000305E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\2AylrL13DwoqmCT.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2AylrL13DwoqmCT.exe PID: 6900, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.8dc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.407e958.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.4042b38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2AylrL13DwoqmCT.exe PID: 6900, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e57480.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.5520000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.5520000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e135e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e46808.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e57480.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.2e46808.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.309b62c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.3099614.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KrzbVJsCi.exe.30985fc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d563cc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d67474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2AylrL13DwoqmCT.exe.2d23110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1254083563.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1252121361.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1252121361.000000000305E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	23 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	1 Obfuscated Files or Information	Security Account Manager	521 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2AylrL13DwoqmCT.exe	60%	Virustotal		Browse
2AylrL13DwoqmCT.exe	61%	ReversingLabs	Win32.Trojan.SnakeKeyLogger
2AylrL13DwoqmCT.exe	100%	Avira	HEUR/AGEN.1305452
2AylrL13DwoqmCT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	100%	Avira	HEUR/AGEN.1305452
C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	61%	ReversingLabs	Win32.Trojan.SnakeKeyLogger
C:\Users\user\AppData\Roaming\KrzbVJsCi.exe	60%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ftp.jeepcommerce.rs	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftp.jeepcommerce.rs	195.252.110.253	true	true	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	2AylrL13DwoqmCT.exe, 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, 2AylrL13DwoqmCT.exe, 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	2AylrL13DwoqmCT.exe, 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
195.252.110.253	ftp.jeepcommerce.rs	Serbia		6700	BEOTEL-AShttpwwwbeotelnetRS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436307
Start date and time:	2024-05-04 10:06:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2AylrL13DwoqmCT.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 198 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:07:00	API Interceptor	6561426x Sleep call for process: 2AylrL13DwoqmCT.exe modified
10:07:03	Task Scheduler	Run new task: KrzbVJsCi path: C:\Users\user\AppData\Roaming\KrzbVJsCi.exe
10:07:04	API Interceptor	13x Sleep call for process: powershell.exe modified
10:07:05	API Interceptor	1x Sleep call for process: KrzbVJsCi.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	43643456.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Sipari#U015f.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	ip-api.com/json
	nXaujG6G1F.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	NFs_98776.msi	Get hash	malicious	VMdetect	Browse	ip-api.com/json/
195.252.110.253	x4WR1Me6BUaPR7j.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	37#U0e2d.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ooMNej81u4XDt83.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Purchase Order1.exe	Get hash	malicious	AgentTesla	Browse
	6000507958.exe	Get hash	malicious	FormBook, GuLoader	Browse
	lGaZ58sYpVmY9rn.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe	Get hash	malicious	FormBook, GuLoader	Browse
	179XakWwrt2H1Xx.exe	Get hash	malicious	AgentTesla	Browse
	REMITTANCE ADVICE IF01200022823418 Match 2024.exe	Get hash	malicious	AgentTesla	Browse
	POTWIERDZENIE_TRANSAKCJI_20240418145856.exe	Get hash	malicious	GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	43643456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Sipari#U015f.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	208.95.112.1
	nXaujG6G1F.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	NFs_98776.msi	Get hash	malicious	VMdetect	Browse	208.95.112.1
ftp.jeepcommerce.rs	x4WR1Me6BUaPR7j.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	37#U0e2d.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	ooMNej81u4XDt83.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	Purchase Order1.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253
	lGaZ58sYpVmY9rn.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	179XakWwrt2H1Xx.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253
	REMITTANCE ADVICE IF01200022823418 Match 2024.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253
	Invptapayment19032024.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	43643456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Sipari#U015f.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	208.95.112.1
	nXaujG6G1F.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	NFs_98776.msi	Get hash	malicious	VMdetect	Browse	208.95.112.1
BEOTEL-AShttpwwwbeotelnetRS	x4WR1Me6BUaPR7j.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	37#U0e2d.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	ooMNej81u4XDt83.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	Purchase Order1.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253
	6000507958.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.252.110.253
	lGaZ58sYpVmY9rn.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.252.110.253
	179XakWwrt2H1Xx.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253
	REMITTANCE ADVICE IF01200022823418 Match 2024.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253
	POTWIERDZENIE_TRANSAKCJI_20240418145856.exe	Get hash	malicious	GuLoader	Browse	195.252.110.253

Process:	C:\Users\user\AppData\Roaming\KrzbVJsCi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380111671822685
Encrypted:	false
SSDEEP:	48:wWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//ZM0N1Ryus:wLHxvCZfIfSKRHmOugroPs
MD5:	A6CB1EC705D71A125C1DC029711D86D1
SHA1:	8E1943AA5F9D5481ED55DF5FFF87765412BA2D00
SHA-256:	EB8D755EE316C383B0B9D2A4C94AF3DD431189B3567A1DA40673DFC4A7592C79
SHA-512:	8CB955A492972798FCC747F0FFCC0A49A93AA9AE76BFA2A3FF206982B03339992CF9C160E92C52641902667E10FBD95999D5D8DE6906289B0580202C84001314
Malicious:	false
Reputation:	low
Preview:	@...e.................................X..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04yv3fqf.v3j.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1w5iscqo.xmj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5l2m33in.lap.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqbg4zb1.vqo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp

Download File

Process:	C:\Users\user\Desktop\2AylrL13DwoqmCT.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1603
Entropy (8bit):	5.127756174104479
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtpxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTfv
MD5:	70852FA3788F7BEF8A629522FA2826DD
SHA1:	6F0B31D36B9C5F28207439AF4EC18F7933D1F7F4
SHA-256:	681597132C03CEAE946691EA98B24B906109433D7B81362ED36200010BC39E79
SHA-512:	BB03817B80CE01789EAE8802D0ED71016BA2CD1689CB185B846B45DA3B1E33D1999C1BAAE0D429D9F6493FEDCF5BAF1BAEE3828B8467E0BBEC66CEF882C8DC57
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\KrzbVJsCi.exe

Download File

Process:	C:\Users\user\Desktop\2AylrL13DwoqmCT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	706560
Entropy (8bit):	7.956653044118368
Encrypted:	false
SSDEEP:	12288:F3/T3/fVrTtK3/eKGYt+rTNTCRRAuBE2MW62TzaAzvHgC8M/lJXry43/o3/:FrXVrTtKWUiNUylCaADf/w
MD5:	64E6319165840F7649A1F54ABD3F226A
SHA1:	6254572C76B925282D6FC5F6D04B610EEB9C2EBF
SHA-256:	D6E7C231B0AEEE159700E68B79EB19D932E851A64A4A82AD1A1C72EFC2FAA72B
SHA-512:	E01139A68C72571F37FA302F66232D2957F223D8C90D97EA8D9FC42EC69F11763D00AB1FD07A58624F49B763C07EF66D05ADC7497815344D58D02F6D5A7231A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 60%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a3f..............0......8........... ........@.. ....................... ............@.................................l...O........,........................................................................... ............... ..H............text....... ...................... ..`.rsrc....,.......0..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\KrzbVJsCi.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\2AylrL13DwoqmCT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.956653044118368
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	2AylrL13DwoqmCT.exe
File size:	706'560 bytes
MD5:	64e6319165840f7649a1f54abd3f226a
SHA1:	6254572c76b925282d6fc5f6d04b610eeb9c2ebf
SHA256:	d6e7c231b0aeee159700e68b79eb19d932e851a64a4a82ad1a1c72efc2faa72b
SHA512:	e01139a68c72571f37fa302f66232d2957f223d8c90d97ea8d9fc42ec69f11763d00ab1fd07a58624f49b763c07ef66d05adc7497815344d58d02f6d5a7231a3
SSDEEP:	12288:F3/T3/fVrTtK3/eKGYt+rTNTCRRAuBE2MW62TzaAzvHgC8M/lJXry43/o3/:FrXVrTtKWUiNUylCaADf/w
TLSH:	73E4228573F84B2DD00F93F5142ACE4243F639966864E9597F8A88DA5DFEF5B0B0020B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a3f..............0......8........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	0773f1fcfccc6113

Static PE Info

General

Entrypoint:	0x4aa4be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66336112 [Thu May 2 09:46:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
aaa
inc edi
aaa
dec eax
xor eax, 42000000h
xor eax, 4E343531h
xor eax, 32414939h
dec ecx
aaa
aaa
inc ebp
xor al, 56h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaa46c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x2ce4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa84e4	0xa8800	5e91b8cb02257ef304d898ea76491485	False	0.9610693504265578	data	7.975099194385122	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x2ce4	0x3000	632beab92483815240617853001b913e	False	0.8715006510416666	data	7.429818229594035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x800	d65664eabbf1c34da54e98038dc1aab7	False	0.01611328125	data	0.03037337037012526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xac100	0x26cd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9980871841336958
RT_GROUP_ICON	0xae7e0	0x14	data	1.05
RT_VERSION	0xae804	0x2e0	data	0.44565217391304346
RT_MANIFEST	0xaeaf4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:07:05.748845100 CEST	49699	80	192.168.2.7	208.95.112.1
May 4, 2024 10:07:05.908523083 CEST	80	49699	208.95.112.1	192.168.2.7
May 4, 2024 10:07:05.908626080 CEST	49699	80	192.168.2.7	208.95.112.1
May 4, 2024 10:07:05.909607887 CEST	49699	80	192.168.2.7	208.95.112.1
May 4, 2024 10:07:06.071086884 CEST	80	49699	208.95.112.1	192.168.2.7
May 4, 2024 10:07:06.136487007 CEST	49699	80	192.168.2.7	208.95.112.1
May 4, 2024 10:07:07.869769096 CEST	49700	21	192.168.2.7	195.252.110.253
May 4, 2024 10:07:08.199057102 CEST	21	49700	195.252.110.253	192.168.2.7
May 4, 2024 10:07:08.199167013 CEST	49700	21	192.168.2.7	195.252.110.253
May 4, 2024 10:07:08.204736948 CEST	49700	21	192.168.2.7	195.252.110.253
May 4, 2024 10:07:08.529671907 CEST	21	49700	195.252.110.253	192.168.2.7
May 4, 2024 10:07:08.529911995 CEST	49700	21	192.168.2.7	195.252.110.253
May 4, 2024 10:07:08.533653975 CEST	21	49700	195.252.110.253	192.168.2.7
May 4, 2024 10:07:08.533714056 CEST	49700	21	192.168.2.7	195.252.110.253
May 4, 2024 10:07:08.534681082 CEST	21	49700	195.252.110.253	192.168.2.7
May 4, 2024 10:07:08.538162947 CEST	49700	21	192.168.2.7	195.252.110.253
May 4, 2024 10:07:37.273715019 CEST	80	49699	208.95.112.1	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:07:05.581926107 CEST	51643	53	192.168.2.7	1.1.1.1
May 4, 2024 10:07:05.743257046 CEST	53	51643	1.1.1.1	192.168.2.7
May 4, 2024 10:07:07.197041035 CEST	60190	53	192.168.2.7	1.1.1.1
May 4, 2024 10:07:07.868992090 CEST	53	60190	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2024 10:07:05.581926107 CEST	192.168.2.7	1.1.1.1	0x11b0	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
May 4, 2024 10:07:07.197041035 CEST	192.168.2.7	1.1.1.1	0xef83	Standard query (0)	ftp.jeepcommerce.rs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 4, 2024 10:07:05.743257046 CEST	1.1.1.1	192.168.2.7	0x11b0	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
May 4, 2024 10:07:07.868992090 CEST	1.1.1.1	192.168.2.7	0xef83	No error (0)	ftp.jeepcommerce.rs		195.252.110.253	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	208.95.112.1	80	6900	C:\Users\user\Desktop\2AylrL13DwoqmCT.exe

Timestamp	Bytes transferred	Direction	Data
May 4, 2024 10:07:05.909607887 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 4, 2024 10:07:06.071086884 CEST	174	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:07:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 4, 2024 10:07:08.529671907 CEST	21	49700	195.252.110.253	192.168.2.7	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 09:07. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 09:07. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 09:07. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 09:07. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
May 4, 2024 10:07:08.533653975 CEST	21	49700	195.252.110.253	192.168.2.7	220 Logout.

Target ID:	0
Start time:	10:07:00
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\2AylrL13DwoqmCT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2AylrL13DwoqmCT.exe"
Imagebase:	0x960000
File size:	706'560 bytes
MD5 hash:	64E6319165840F7649A1F54ABD3F226A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.3674919885.0000000008DC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3669838888.0000000004042000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.3665392340.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:07:01
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KrzbVJsCi.exe"
Imagebase:	0x370000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:07:01
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:07:01
Start date:	04/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrzbVJsCi" /XML "C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:07:01
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:07:04
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Roaming\KrzbVJsCi.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\KrzbVJsCi.exe
Imagebase:	0x940000
File size:	706'560 bytes
MD5 hash:	64E6319165840F7649A1F54ABD3F226A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1254083563.0000000005520000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1252121361.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1252121361.000000000305E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs Detection: 60%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:07:05
Start date:	04/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff75da10000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.3%
Total number of Nodes:	180
Total number of Limit Nodes:	19

Executed Functions

Function 08E8D518 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 08E8DC47
$q, xrefs: 08E8DBFA
$q, xrefs: 08E8DC17
$q, xrefs: 08E8DBEE
$q, xrefs: 08E8DC23
$q, xrefs: 08E8DC3B

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 2c1141e6c0cab7ff321234393dac66d58cfec27e6a67bb5c5464f664e5f70e17
Instruction ID: 4e2aed37ddb506d74c6e7faa02b9a544bf4e24fffda54949ffa35d082d180694
Opcode Fuzzy Hash: 2c1141e6c0cab7ff321234393dac66d58cfec27e6a67bb5c5464f664e5f70e17
Instruction Fuzzy Hash: 27322E31E10719CFCB14EF65D89069DF7B2FF89301F6496AAD409AB254EB70E985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 062AA981 Relevance: 2.8, Strings: 2, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 062AAA97
$q, xrefs: 062AAA7E

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: c0676aca6e0d2a57ef7fb1b8b78f86ce0ec6434ba27afc9e97ff564719444f29
Instruction ID: 42ba127b20fbb571e03c874731812478a720ca1af4f89191a62b358c9e24970e
Opcode Fuzzy Hash: c0676aca6e0d2a57ef7fb1b8b78f86ce0ec6434ba27afc9e97ff564719444f29
Instruction Fuzzy Hash: B5B1B334B143088FDB58AB75985467E7BB7BFC8301B15842EE897D7289CE788C06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08E869E0 Relevance: 2.8, Instructions: 2833COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ec0c9c6097b36126600093bbf69275886e64c58787bb633dc56848216b2dde
Instruction ID: e970a574bf5bc3c0918df646031bafe99075c7324444998f2d6539cf88ca8189
Opcode Fuzzy Hash: 53ec0c9c6097b36126600093bbf69275886e64c58787bb633dc56848216b2dde
Instruction Fuzzy Hash: 9653D631C10B1ACADB51EF68C8805A9F7B1EF99300F15D79AE45C7B121EB70AAD5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 08E8F650 Relevance: 1.8, Strings: 1, Instructions: 600
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 08E8FD43

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 69bc6bae5e55c1829480223db342a31df0d9f6cec8bb32c485967872cd494582
Instruction ID: 5789b26bb2bba42a833cd7543398b8a8b4608bc7e4b464da444efd7c43b0eb78
Opcode Fuzzy Hash: 69bc6bae5e55c1829480223db342a31df0d9f6cec8bb32c485967872cd494582
Instruction Fuzzy Hash: 6822AE32E40205DFDF24EBA4C4806AEBBB2FF85315F24956AD85DAB354DA35DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 062A8E58 Relevance: 1.8, Strings: 1, Instructions: 579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 062A90B8

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: ebae013b3fbddb6b49e6e97ed33d058be444511c048b08c3acb04979979edef4
Instruction ID: 665f614f3f12cf265c73c9cefd25f9fee0d9174f5c84d4c4044a55016055fa56
Opcode Fuzzy Hash: ebae013b3fbddb6b49e6e97ed33d058be444511c048b08c3acb04979979edef4
Instruction Fuzzy Hash: 5922A030F202058FDB64DB69C494BADBBF2EF89310F248569D806DB391DA75DC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08E82410 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 08E82487

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 9e9334ae7cc4a6ce742e970194369526b84f4cdd2cd1481e05945c9e078711a3
Instruction ID: 9f714c9d23c5f6a851ada565115a7daf12dd3d551702dc0019a01f197b16c985
Opcode Fuzzy Hash: 9e9334ae7cc4a6ce742e970194369526b84f4cdd2cd1481e05945c9e078711a3
Instruction Fuzzy Hash: 272128B2C00259CFDB10DF9AD445BEEBBF4AF49310F14841AE859A3350D778A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 08E8C728 Relevance: 1.0, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41250ff6ae09bbfb5ffab42c06208c72941c8fac2654e0735453b7441bc46c7a
Instruction ID: ebc7d4640da25928f4e835ce251f45f067dd7f90f3ff62e1bb92a8ddd045383f
Opcode Fuzzy Hash: 41250ff6ae09bbfb5ffab42c06208c72941c8fac2654e0735453b7441bc46c7a
Instruction Fuzzy Hash: E7A24635A00204CFDB64EB68C584B9DBBF2EB46319F6494A9D40DAB351DB35EC86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 062A0878 Relevance: .8, Instructions: 813COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5ff9e4b2fa82905c93d19fc6ec03b4026c038ee31f0e15e97d5ae613937f45
Instruction ID: 011f0a7d3bff5e4ade19c5171ca5909d75c8d8c30044c3592919c7702d541ef1
Opcode Fuzzy Hash: 7d5ff9e4b2fa82905c93d19fc6ec03b4026c038ee31f0e15e97d5ae613937f45
Instruction Fuzzy Hash: 63628A34E103058FDB64DB68D594BADBBF2EB88318F148569D809EB391DB75EC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 062A58B0 Relevance: .6, Instructions: 580COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29394eb3aa8178c25b642394137ea5f67c83573aba68a9f23d6f080d0dcfe4c
Instruction ID: 7656f00499a793ee5516de4537b77ad74cbd2d2853592b18e83fa13972fa3427
Opcode Fuzzy Hash: e29394eb3aa8178c25b642394137ea5f67c83573aba68a9f23d6f080d0dcfe4c
Instruction Fuzzy Hash: 7B223E70E2030A8FEB64CB68D5907AEB7B2FB49310F248529E845EB395DB75DC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 062AD4E0 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 677ace99df9ee2b2bed7a87c1b4e72e29e074ed314dceb2001a477cbbe522f84
Instruction ID: 983552e8581b3a86be46cdcacdddc57eb5f9d1ebcedde1b156728f331d8636cc
Opcode Fuzzy Hash: 677ace99df9ee2b2bed7a87c1b4e72e29e074ed314dceb2001a477cbbe522f84
Instruction Fuzzy Hash: F0F15934E2030A8FDB54DFA5C944B9DBBF2BF48304F148569E809AB665DBB0E945CF80

Uniqueness

Uniqueness Score: -1.00%

Function 08E81298 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d5cec1bb64942577b592686a47d371e30bb37ed69703c2ed953077bc25a10a
Instruction ID: c212a3b6576e51213362e088753225d02c44cd66756f2738b6936a28d1950a0c
Opcode Fuzzy Hash: 83d5cec1bb64942577b592686a47d371e30bb37ed69703c2ed953077bc25a10a
Instruction Fuzzy Hash: 39B15C71E00309CFDB24DFA9D8817ADBBF2AF48315F149529D81DEB294EB749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 08E80680 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f29f6b64efbac91e499b9a0d339273f5dfc0413c91796f38b27cd924b56b1c
Instruction ID: a34fdca31eba6706891cdcbd8b4c59bdb3078860dd0c0c6af1d1a04a07530f42
Opcode Fuzzy Hash: 80f29f6b64efbac91e499b9a0d339273f5dfc0413c91796f38b27cd924b56b1c
Instruction Fuzzy Hash: 09918E71E00609CFDF24EFA9C98179DBBF2AF88315F149129D80DA7294DB749886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 014EAE48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 014EB09E

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 72b779caf0c6a809a422d873085543ce4cab656802911ebe49143bb37d2ca2de
Instruction ID: 316ffc317cf5218c84b002a7fd483dab6bd2646cff9c830d6cabc180073fa328
Opcode Fuzzy Hash: 72b779caf0c6a809a422d873085543ce4cab656802911ebe49143bb37d2ca2de
Instruction Fuzzy Hash: CF7137B0A00B058FD724DF2AD45975ABBF1FF88201F10892EE586D7B60DB35E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062AAE1B Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03178b9440a28ea70327a08d8a23a70baf5e99d1baa13a29d4a68d9738540f50
Instruction ID: 971f24182606d15c2f043ed9e3306477481158b80d25f35590d43f1bb5f8c6c5
Opcode Fuzzy Hash: 03178b9440a28ea70327a08d8a23a70baf5e99d1baa13a29d4a68d9738540f50
Instruction Fuzzy Hash: 0B415271D143868FCB10CF79D8446EEBBF1AF89310F0986AED844E7241DB789846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014E4508 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014E59E9

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eed91ef79d9aa379e4ca9f545967ec075a9d282aa5d4b0574838849ba7053fc5
Instruction ID: ce18245a576bf4e8b90478b0db87973fc1d1ef68c26f66198e17460f7ba28c93
Opcode Fuzzy Hash: eed91ef79d9aa379e4ca9f545967ec075a9d282aa5d4b0574838849ba7053fc5
Instruction Fuzzy Hash: 0841F3B1C0071DCBEB24DFA9C884B8EBBF5BF48304F20806AD408AB250DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014E592D Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014E59E9

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b40fd4d3dc8d18e87923766df5d94687e8caa1e2b6ddc86c5d339872976ed967
Instruction ID: abd1d4d62e8e4021ecfb0f30ad94bb24235fc9290a143a2f92e47fe8a16460d0
Opcode Fuzzy Hash: b40fd4d3dc8d18e87923766df5d94687e8caa1e2b6ddc86c5d339872976ed967
Instruction Fuzzy Hash: 3C41D5B5C00719CFEB24DFA9C889B9EBBF1BF49304F24816AD408AB251DB756946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08E835E8 Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 08E83661

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 214ff961942a28639c88ebb67d2983070e5ab0865bb05aa90249401a18dc4535
Instruction ID: c4f0206227f0f362415d89fb5ad387b8512ddecbc4a5a0a53e1e8fc0167e720c
Opcode Fuzzy Hash: 214ff961942a28639c88ebb67d2983070e5ab0865bb05aa90249401a18dc4535
Instruction Fuzzy Hash: 7B3126B29002098FDB10DFAAC845BEEFBF5EB88324F14852AD469A7350D774A905CF60

Uniqueness

Uniqueness Score: -1.00%

Function 08E82408 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 08E82487

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3979f62ae9888b6212d986ea99b0aaaea418b018d59baa1b2a862dc09edcd224
Instruction ID: fc3a89b88897af4c9b252004ce99a1696ded75daa651e5cd70aae9db6aac0983
Opcode Fuzzy Hash: 3979f62ae9888b6212d986ea99b0aaaea418b018d59baa1b2a862dc09edcd224
Instruction Fuzzy Hash: DE2148B2C00259CFDB10DFAAD485BEEBBF4AF48311F14846AE859A3351C7389945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 014ED07C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014ED6EE,?,?,?,?,?), ref: 014ED7AF

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 62b84659a9b293809d5430338c7f82363eef0aae0100caf6d59db4366afac8b1
Instruction ID: 9900241b3f76d34d847a6191347774019341dcda084d9ba5af5d20b7c233a110
Opcode Fuzzy Hash: 62b84659a9b293809d5430338c7f82363eef0aae0100caf6d59db4366afac8b1
Instruction Fuzzy Hash: F521E4B5D003489FDB10CF9AD985ADEBBF9EB48310F14841AE914A7350D375A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 014ED720 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014ED6EE,?,?,?,?,?), ref: 014ED7AF

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9191980c18f2b17957c521364011b1d8269bda81e6e238c8718c3d359e88e08
Instruction ID: 92093d9bf0fd74fda1d0f8ad9dd580e28cadf052d68e67018f515b412ef86470
Opcode Fuzzy Hash: a9191980c18f2b17957c521364011b1d8269bda81e6e238c8718c3d359e88e08
Instruction Fuzzy Hash: BA21E3B5D002489FDB10CFAAD985ADEFFF9EB48310F14841AE954A7350D375A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08E835F0 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 08E83661

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: f57872ad3966c6785646be459a34b3ade2967eca1c6653936e38538896822482
Instruction ID: e2e245f45d5560699327b1f2c9cb96da28b67b7f6e8fc74904ba34120bbb4c3b
Opcode Fuzzy Hash: f57872ad3966c6785646be459a34b3ade2967eca1c6653936e38538896822482
Instruction Fuzzy Hash: D721E5B1D002098FDB14DF9AC845BAEFBF5EB88320F14842AD469A3350D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014EA228 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,014EB119,00000800,00000000,00000000), ref: 014EB72A

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d44940424a9c9539891b957303e97c42235b4cbb85bbdca73e4e2bdb400505ed
Instruction ID: 05fcf7087db581918b78c79c93491bf4d937e454ceff60bf1f743c30e1317ea7
Opcode Fuzzy Hash: d44940424a9c9539891b957303e97c42235b4cbb85bbdca73e4e2bdb400505ed
Instruction Fuzzy Hash: 751114B6D003098FDB20CFAAC448B9EFBF4EB48310F14842AE919A7710C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014EB6BA Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,014EB119,00000800,00000000,00000000), ref: 014EB72A

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a838a2fac894d0991d4c838999531f4a7cf14d5f4fa73c1c13c456f79e5aeb2d
Instruction ID: 5cfe72c889627794cb55e8044690690fd601ca582071df6c57b63758c8e3b86d
Opcode Fuzzy Hash: a838a2fac894d0991d4c838999531f4a7cf14d5f4fa73c1c13c456f79e5aeb2d
Instruction Fuzzy Hash: 191112B6C003499FDB20CFAAD448ADEFFF8EB48310F14842AE959A7610C775A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 062AAF00 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 062AAF67

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3a099606ae3e78969a1ce28ad0f24bbad3af99ae98927c7d7509b53c9b48a9a7
Instruction ID: 205faabf87dc8803c6acd8b3e32aa8e4133d70a1fed7c6bb49ebfdb55c2a7e00
Opcode Fuzzy Hash: 3a099606ae3e78969a1ce28ad0f24bbad3af99ae98927c7d7509b53c9b48a9a7
Instruction Fuzzy Hash: 3D1123B1C0025A9BCB20DF9AC445BDEFBF4EF48320F15812AD818A7240D779A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014EB038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 014EB09E

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bccb6bb6459341ab74bb5558bd91b29796a0c1e88f3881f5a480dfac53e60b63
Instruction ID: ca73f77770dd62b5687cd94e986199b37c924d280c8f44a32000aef161345657
Opcode Fuzzy Hash: bccb6bb6459341ab74bb5558bd91b29796a0c1e88f3881f5a480dfac53e60b63
Instruction Fuzzy Hash: FC11E3B6C003498FDB20DF9AC444BDEFBF4EB88324F14841AD969A7210D375A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062AE1D9 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,062AD807), ref: 062AE23D

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 8719ecb6c19334ad169cb273bebd9b92ba8c83aca837385b77e67da3b16604df
Instruction ID: 5fcdde8c5f836246729806a52315c7eac413a09583eb612ce61bcf19da0d82b2
Opcode Fuzzy Hash: 8719ecb6c19334ad169cb273bebd9b92ba8c83aca837385b77e67da3b16604df
Instruction Fuzzy Hash: 3511F2B5C007499FCB20DF9AD945BCEFBF8EB48314F10842AE869A3610D379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 062ABF8C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,062AD807), ref: 062AE23D

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 92f5989b32c61f5d41ec0649962445633dec7739875003000433f66e8875e1b4
Instruction ID: f0911081e5ae6b8088e60fbd29b7d41f752e1765dbd8fd35bf1dac50ec9ba6cf
Opcode Fuzzy Hash: 92f5989b32c61f5d41ec0649962445633dec7739875003000433f66e8875e1b4
Instruction Fuzzy Hash: 931122B1C107498FCB20DF9AD445BDEFBF4EB48310F10842AE858A3200D3B8A541CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05DF38E8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Teq, xrefs: 05DF3A5E

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: b8b2d77247aaa0fb09f6992ede0e1bdb59648beb68f36dc94be5f49fcc491853
Instruction ID: fd67a32f09400eb222c791ff8522a4fb54e4c5a9964d7da3e8a225d261ffd503
Opcode Fuzzy Hash: b8b2d77247aaa0fb09f6992ede0e1bdb59648beb68f36dc94be5f49fcc491853
Instruction Fuzzy Hash: 9131E774E043089BDB18DFAAC9447EEBBF6BF89300F15942AD519AB354DB709846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DF38D9 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

Teq, xrefs: 05DF3A5E

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 83a257a24aead13385ae51c3b9ea239d1dc079629a61de54ffe19ae82e8e268c
Instruction ID: 6a718fceec1b7e2b88aa0cc4504ae267a5be7e193836f2f383622ffe52c64714
Opcode Fuzzy Hash: 83a257a24aead13385ae51c3b9ea239d1dc079629a61de54ffe19ae82e8e268c
Instruction Fuzzy Hash: EA21F6B0D043488BDB18DFAAC8446EEFBF6BF88300F05C42AD519AB254EB745846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DF3978 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Teq, xrefs: 05DF3992

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: c93be05f2a11fb35c3054dfb9044ef7dfa54503bebb94726b793413bdb3af916
Instruction ID: 2043306460703bbe655fb65a0843039085da33cef2d77c7db5643b67bd4d6e20
Opcode Fuzzy Hash: c93be05f2a11fb35c3054dfb9044ef7dfa54503bebb94726b793413bdb3af916
Instruction Fuzzy Hash: 45119075E00209CFCB08DFE8D9819ADFBB1FB48311F10812AE918AB265C7326946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05DF5246 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

@, xrefs: 05DF525B

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d7f3a9f2c49b5cbc16574ad464ac9d1ea389a9d66d1f65e29ac8bf2fcfd80755
Instruction ID: 5d195a6b352fbd0e9a61cf4cccae32289f5ca07ae81414af5e2ec427154e5b06
Opcode Fuzzy Hash: d7f3a9f2c49b5cbc16574ad464ac9d1ea389a9d66d1f65e29ac8bf2fcfd80755
Instruction Fuzzy Hash: EBE0867090C204DFD705CB21C8565E9BFBDEB9B301B10E459E95A96101DB7445068B40

Uniqueness

Uniqueness Score: -1.00%

Function 05DF3B08 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685eb6be0bccf4c03ac4693ba9d77b04cda402f5bb33ccfb0a9fda227e7e46b3
Instruction ID: fd01dcf65d1445077d5dfe0bfb60b664e1034be92abb7866068030ddcc182022
Opcode Fuzzy Hash: 685eb6be0bccf4c03ac4693ba9d77b04cda402f5bb33ccfb0a9fda227e7e46b3
Instruction Fuzzy Hash: 3CB16F74E0521ACFDB14DFA4C880AEDBBBAFF89300F119A16D549AB345DB30A946CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DF3B18 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb982122327f04990c91443b37b0c5117306e20429c94fe910c655e2ca4c16d
Instruction ID: 1239d89f8b364aaf5150d9cbc43337ca2e62add625339a5315f0068eb5bb96dc
Opcode Fuzzy Hash: 8fb982122327f04990c91443b37b0c5117306e20429c94fe910c655e2ca4c16d
Instruction Fuzzy Hash: 6CA13E74E15219CFDB14DFA4C880AEDFBBAFF89300F119A16E549AB345DB30A946CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DFA96D Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0eddcbd88964a75b9185d64c50f95b781a49047bd840c0b4c5002bd2f8511a
Instruction ID: 94fe3398e75c31f29dd8bf04c41ccad66a7dfcfc1b2f8c4040910dede0296a45
Opcode Fuzzy Hash: 1f0eddcbd88964a75b9185d64c50f95b781a49047bd840c0b4c5002bd2f8511a
Instruction Fuzzy Hash: 69613E39819308CFCB14CFA0D9547ECBBB9FB0A306F15616AD54EA7252DB349989CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05DF07B4 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54808efaed71ac83cd88e16c4e332eae71bc172c5df1a15359239792a26e1516
Instruction ID: 1360e12266cc273f65ece4fec3145793143282f2c7ab662d6385cb1f30752212
Opcode Fuzzy Hash: 54808efaed71ac83cd88e16c4e332eae71bc172c5df1a15359239792a26e1516
Instruction Fuzzy Hash: 6E61E775E04218CFDB51DFA8D894BDDBBB2FB49304F14809AD909AB342D731AA46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0ED0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5373a2b95424b9b5682693513dd896c68298ca86d3c691d653c5346929aa5c
Instruction ID: 2bd28f3e65b6047f62ecd34253f75a48e339dcff82ffe0f8bf799983aa349d23
Opcode Fuzzy Hash: de5373a2b95424b9b5682693513dd896c68298ca86d3c691d653c5346929aa5c
Instruction Fuzzy Hash: F351D374E04219EFDB04CFA8D9849ADBBF2BF49310F15852AE916EB351D731A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0EC2 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139da2bdd0e2b257c5c27a3b0d326cbad6f0085f90db02ecce0d86a4981489e1
Instruction ID: 63eeb66b5ccfe7df3013d4897e020d8d9397a1c20535ce83c28e82643f01d999
Opcode Fuzzy Hash: 139da2bdd0e2b257c5c27a3b0d326cbad6f0085f90db02ecce0d86a4981489e1
Instruction Fuzzy Hash: F451F378E04249DFDB00CFA8D9849ADBBF2BF49310F15842AE95AEB351E7309942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DF521A Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c265d24791c23b44cabcf88187fd0b49f8e6e4a2c9e6dc9b0c7955603b338a
Instruction ID: 6599ac0a186f4dc40f1875157c5674e9a4af7c4180355f4796e153287da32388
Opcode Fuzzy Hash: 24c265d24791c23b44cabcf88187fd0b49f8e6e4a2c9e6dc9b0c7955603b338a
Instruction Fuzzy Hash: 5C517034D19209DFDB04CF98E8819ADFBBAFF49301B16D256E6469B345DB30E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD6A0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914dbbaf59d7508f5ed88793d3808b59252ea46a0a5278ee2d63627ba7cfa13a
Instruction ID: e751f840cbca37144209f530f3958f6eb28513e9e087710320f0a4697cbeb27b
Opcode Fuzzy Hash: 914dbbaf59d7508f5ed88793d3808b59252ea46a0a5278ee2d63627ba7cfa13a
Instruction Fuzzy Hash: 80416F75D19208DFDB04EFA5E8456EDBBB7FF8A301F05A026D50AA7260EB308946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBA0C Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfa50e22399f773df36fe9b2e86fcb92ca55a49000993ee3c6a65c00b1d90f6
Instruction ID: 2c4604f6f4efdaefb8e948f42a0ab8b15b576750dd3516f6b73b9f083f246132
Opcode Fuzzy Hash: cbfa50e22399f773df36fe9b2e86fcb92ca55a49000993ee3c6a65c00b1d90f6
Instruction Fuzzy Hash: E5416D74E14208DFEB04CFA5D895BADBBBAFB49301F149027E90AAB394DF705901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB142 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a595a9b04217a2af5b8fad4aadcd47539cee6dd1d4981ffa67f16789b14481ca
Instruction ID: 4106fdd18b5f82f92854c624d84ba42aa2b4b01a6c3657c5e7165ee2602b1340
Opcode Fuzzy Hash: a595a9b04217a2af5b8fad4aadcd47539cee6dd1d4981ffa67f16789b14481ca
Instruction Fuzzy Hash: BB319274D5E108DBEB04CFA4E8446FDBBBAEB0A301F16B117E55AA3252DB349941CB14

Uniqueness

Uniqueness Score: -1.00%

Function 05DFEE5D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2df8ec2343261158c010a37bcf35e0086fd799c9c1896d55e6fd70a05cdb84
Instruction ID: a81a0aea2f703bd0a4eee24499bdb53ae68e17e75f30341197df5c44983048a7
Opcode Fuzzy Hash: 8f2df8ec2343261158c010a37bcf35e0086fd799c9c1896d55e6fd70a05cdb84
Instruction Fuzzy Hash: 5F41F2B0D003499FDB24DFA9C880ADEBFB5FF48314F14842AE819AB260DB759946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD6D8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a738ab85cfb6e0b4efdccd9e88511929a72016f2227ded878755d9a2d501f3
Instruction ID: ce82f36916db512a0cc68aecbc0e493e1aba487d9d7f8817aab9072a1310bb55
Opcode Fuzzy Hash: 75a738ab85cfb6e0b4efdccd9e88511929a72016f2227ded878755d9a2d501f3
Instruction Fuzzy Hash: 63310A74D15208DFDB04EFA6D8446EDBBBBFF89300F15A02AD51AA7250DB305946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05DFEE68 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e8a0d5642a733f79de1e78d9a48b4d0fb9643c652569f8e319cf3ac57e43c3
Instruction ID: 423599ffd5c89481d3a7cad6ada405d64919c2746d41485fbb70e9356318cfa7
Opcode Fuzzy Hash: e1e8a0d5642a733f79de1e78d9a48b4d0fb9643c652569f8e319cf3ac57e43c3
Instruction Fuzzy Hash: 9741E1B0D003499FDB14DFA9C884A9EBBB5FF48310F54842AE919AB260DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE100 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f7be518144bf7e4798779ff15d906cdcd479ebb47722a513aa4d0a58c55d50
Instruction ID: 96439c3cb462258978d02c02afe5e8e08aea832e65a68d27d74308814eae683b
Opcode Fuzzy Hash: 09f7be518144bf7e4798779ff15d906cdcd479ebb47722a513aa4d0a58c55d50
Instruction Fuzzy Hash: CE21F430A412428BFF751725E44E77D3B2AFB06311F150D27E90ACF3A0DA69D992C752

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB338 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0b74dd6076475b02ae44c916d2b3c65a25056b43a04f3451108a81d533b050
Instruction ID: a7fa3144f525c0e2df5ea1d40fa8641f9978ba0c91472f82e21b84eac95d3f6c
Opcode Fuzzy Hash: 5b0b74dd6076475b02ae44c916d2b3c65a25056b43a04f3451108a81d533b050
Instruction Fuzzy Hash: 1221DE75D49208DFDB04CFA6E9406FCBFFAAB8A201F11A067D509A3251DF304A05CB24

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB378 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ead6da2343212356b992836ec2389a78bcbc626a53c71e90b8dd789a4d2c730
Instruction ID: 2a8b2f492d64a6ec99679b43dbc0b11f1d3c894cf155ab851f923c2f87ff3142
Opcode Fuzzy Hash: 4ead6da2343212356b992836ec2389a78bcbc626a53c71e90b8dd789a4d2c730
Instruction Fuzzy Hash: 65218375D58108DBEB04CFA5D9056FDBBFAEB8E211F15B017E546B3244DF3089018B55

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6DA6 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf22bbd02d277f36085b562c9e7bc06605398011dea91469a40329a3cffcec7
Instruction ID: 74459c1eeb55f14580198d319ae786c0c8b20bb2805e8397d2c62c90b7e0f0fa
Opcode Fuzzy Hash: 1bf22bbd02d277f36085b562c9e7bc06605398011dea91469a40329a3cffcec7
Instruction Fuzzy Hash: F9316B78D0421ACFDB10DFA8D880BADBBF6FB45305F01A5A6E509AB355DB30A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DF9D44 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071ede713ee1cebb98ffc773270daa850d42f36c32e5197a7f4f50d8dc81fb9d
Instruction ID: 8403edeca984bd6a3c5a055a825c657054812fd1dae35e5deeeb9c97fad4004d
Opcode Fuzzy Hash: 071ede713ee1cebb98ffc773270daa850d42f36c32e5197a7f4f50d8dc81fb9d
Instruction Fuzzy Hash: A73104B0D01248DFDB14CFA9D595BDDBBF5AF48314F24801AE409A7360DB759946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DF9C50 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc043a0b4c5fdfbc61caa40e2f70797053182f37ffb63d8a5ba19a0d9fa913ed
Instruction ID: 9ce49e226399bac1951a8d9789a568bb548132e88a9ba9e49bc349aeab563efb
Opcode Fuzzy Hash: bc043a0b4c5fdfbc61caa40e2f70797053182f37ffb63d8a5ba19a0d9fa913ed
Instruction Fuzzy Hash: 0A312774E142099FCB04CFA9D995AEDBBF5FF49310F11902AE915AB350DB349941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3661936611.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70b13847afeecb2ed829bf2091d46fe6fb80d53353214206449c84725e26348
Instruction ID: b8a6b8a0507768d758e7b5879ddfb95647258bcb4aa543c7e22de073325d9009
Opcode Fuzzy Hash: e70b13847afeecb2ed829bf2091d46fe6fb80d53353214206449c84725e26348
Instruction Fuzzy Hash: A8212871504340DFDB15DF54D9C0B2ABFA5FB84318F60C5A9D8850F29AC336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010DD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3661936611.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b968ba9ddb8e10a7e51dcf36cbad49a5283b7e447c721d692f7e3361a55979d
Instruction ID: 24218d601407ebd84a5390f6d6db9e049cd2353166fa3e242234328035e6d86b
Opcode Fuzzy Hash: 1b968ba9ddb8e10a7e51dcf36cbad49a5283b7e447c721d692f7e3361a55979d
Instruction Fuzzy Hash: 8821F171604304DFDB15DF94D9C0B6ABBA5FB88324F20C1A9E9490B296C736E456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0821 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ade439377be6f705056121c184a140db7d117490144ffa986124b799553ba90
Instruction ID: b071e4f0bd4f9bb3ac4dc98295f332c0f2a5351b552c58f7807f5a78cb7be563
Opcode Fuzzy Hash: 9ade439377be6f705056121c184a140db7d117490144ffa986124b799553ba90
Instruction Fuzzy Hash: E431C974E042198FDB60DFA8D894BADB7B2FB49314F1481AAD949EB342E7309985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB53F Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36399bb7159c070f5493c2d135ffc0ba0e0deed13e7f38e254d6b41bdc485689
Instruction ID: 1f3c3be9254cad9841e077ddbbe374e2c11cb0bcdbfbbf9b98247902a83f7f1e
Opcode Fuzzy Hash: 36399bb7159c070f5493c2d135ffc0ba0e0deed13e7f38e254d6b41bdc485689
Instruction Fuzzy Hash: 2A21217490D288DFDB09CFA4D946BA9BF74AF0A301F0602CBD1488B362C734A909CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC2DD Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b410f1adbda680febe36b301f0844a4527a2b44b9623f222b440c4fad95a9253
Instruction ID: 95e91d03c5ed46a0d70b421e7394ca347dbbc0f8a52eada650de9098865e8bbd
Opcode Fuzzy Hash: b410f1adbda680febe36b301f0844a4527a2b44b9623f222b440c4fad95a9253
Instruction Fuzzy Hash: BB31B474E10308DBDF14DFA4D8946ADBBB6FF8A201F609029D51A6B395CB305C42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE2D8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6448e2d43ded3c918b4866a94142751b9ca39fe0f64ccd90a40b230bcbefb841
Instruction ID: 4bd36c011399b01ff879aa513b3d8f70a84d90850b4bc598b7aaf2571ab8bd70
Opcode Fuzzy Hash: 6448e2d43ded3c918b4866a94142751b9ca39fe0f64ccd90a40b230bcbefb841
Instruction Fuzzy Hash: 1321F8319003408FDB61E738E888B6D3BAAFF4131AF114562E105CB269DA75DC5ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 05DF1FD4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8460aaa614cdb6d9121efb4a28df3251a8cbe32f7e7ad4f6569037872900621
Instruction ID: ca77d5fd8d31a348023c7e4953f43e13395c92e585f3d6d84454ac81ff72935c
Opcode Fuzzy Hash: e8460aaa614cdb6d9121efb4a28df3251a8cbe32f7e7ad4f6569037872900621
Instruction Fuzzy Hash: B031E0B0D01248DFDB24DFA9C594B9DBBF5EF48314F20802AE909AB364DB75A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3663176490.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90d1c138ffa86a717af3071bd2d63730a7daed9a80cf4ddbc9cb29fc7666b8e
Instruction ID: 3b1bba1f5f51cb17e5c11e2bf2e08cefaf2473dfe4fd12873f746e0d9820b6f4
Opcode Fuzzy Hash: e90d1c138ffa86a717af3071bd2d63730a7daed9a80cf4ddbc9cb29fc7666b8e
Instruction Fuzzy Hash: 31210071604300DFDB15DF54D988B16BFE1EB84314F28C5ADE88A0B286C336D807CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3663176490.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f9603e0538a161168814b66a5689d0d92225023076504fb2dcb0eccd270495
Instruction ID: b4c8f050fb22cb3d8b3f4522f5feea8b1e5dd02f29e35bafc15b7172971891cc
Opcode Fuzzy Hash: f7f9603e0538a161168814b66a5689d0d92225023076504fb2dcb0eccd270495
Instruction Fuzzy Hash: 5921F575A04200EFDB15DF95D9C8B15BBE5FB94324F20C5ADD8894F292C336D446CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE4B0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d1c4bfe3552ce5104acaa6e8dc9ccb135213c2eaff44481238f831bad62d4d
Instruction ID: 2bfe103585fc8c854268a89242b098442cf74eefad1aadeb9d481d61ba11ea2d
Opcode Fuzzy Hash: 77d1c4bfe3552ce5104acaa6e8dc9ccb135213c2eaff44481238f831bad62d4d
Instruction Fuzzy Hash: 33214C71B042048FDB64EF78D9587AD7BF6FB49205F1104AAD602EB3A1EB359D41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DF9C60 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8fcff69d05202eae248cce2a26f3e472e5485140597b55d4b25e6b7afad98b
Instruction ID: 35d415981c4cd1804f839f534290a09f1cee9d53f103c7f80dbcffd6068a3a1c
Opcode Fuzzy Hash: 6d8fcff69d05202eae248cce2a26f3e472e5485140597b55d4b25e6b7afad98b
Instruction Fuzzy Hash: D531E574E142099FCB04DFA9D894AEDBBF5FF49310F11902AE915AB350DB34A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBA70 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e253b924a9173f6cdb40ff6411622f7a62f4dbd4c29f19a909b0834143f3ec
Instruction ID: 29c4c7207ee48b24d4f669e782390b8298f3b643f00d30a9d2bc83ae5c3ac57f
Opcode Fuzzy Hash: c4e253b924a9173f6cdb40ff6411622f7a62f4dbd4c29f19a909b0834143f3ec
Instruction Fuzzy Hash: F631B574E15308DFEB00DFA4E899BADBBBAFB49301F105016E90AAB794CB706941CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB078 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1e05c12f4762de920b93e35144d879eefcb7df06b3329ff061585d6d76258c
Instruction ID: 701a9a286f9cf8fee23bfc75a0aa277ac10073d64ad4c4b1a03aad0053bdc268
Opcode Fuzzy Hash: 5a1e05c12f4762de920b93e35144d879eefcb7df06b3329ff061585d6d76258c
Instruction Fuzzy Hash: 0C21BE74D09289CBEB10CFAAC8443EDBFF6AF4B310F1491ABC568A7291EB344542CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE4C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f775baaddaaa7544834c05dd5067a250d657c3d9b5195802b26bfac3ff32ce99
Instruction ID: 043e0a7ebfba9fb9314ade27500610b1b3e5c827611da6c44545c91cdb9a84ec
Opcode Fuzzy Hash: f775baaddaaa7544834c05dd5067a250d657c3d9b5195802b26bfac3ff32ce99
Instruction Fuzzy Hash: E9212A70B042148FDB64EB68C9587AE7BFAFB89205F110469D506EB3A1EF359D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB1EC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070345ad5c15b6f6b35f257fe6faa5174bbdfd4f671e18c42d51e0e2254fdd6d
Instruction ID: 541c5c699378d8ffe6e4766a5954b79d8b24b5a2bbc66853efd48034a2478175
Opcode Fuzzy Hash: 070345ad5c15b6f6b35f257fe6faa5174bbdfd4f671e18c42d51e0e2254fdd6d
Instruction Fuzzy Hash: 5711B074D1E108CBEB00CFA5E8441FDBBBAEB4E301F12B117D54AA2245DB349545CB14

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB0B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5f339c40ab0daaeb36b814e53e510cfe2480c8afdb71d31216fc15ceb6f140
Instruction ID: 1a13511b69890c62b1adbe8cd097419500fab8722a4cdd439ad482e906f0016c
Opcode Fuzzy Hash: 5c5f339c40ab0daaeb36b814e53e510cfe2480c8afdb71d31216fc15ceb6f140
Instruction Fuzzy Hash: 99216DB4D19608CBEB04CFA6C8053EEBBFAAF8A300F05E027C519A6255EB3485018B50

Uniqueness

Uniqueness Score: -1.00%

Function 05DF4A85 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61195109bf40f1ec848a674d3eb5b8b39c73e89d6b10f91d68d367882c3377db
Instruction ID: 82dfdf02884ee0285730069a8349720ed90d069b9c5cc5dfe3118e093ac0b539
Opcode Fuzzy Hash: 61195109bf40f1ec848a674d3eb5b8b39c73e89d6b10f91d68d367882c3377db
Instruction Fuzzy Hash: 0431B434A15219CFDB24CF54C984FA9BBB6FB49301F5151AAD90AA7351DB30AD81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB388 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c8d1ed689dc5cd69121c5a067411528aac7d3602702cce0c25e8ff450cc20e
Instruction ID: 741184df067b5d9584158db9224a03cfe3d4072b0f46972b11786bd133dbea04
Opcode Fuzzy Hash: 63c8d1ed689dc5cd69121c5a067411528aac7d3602702cce0c25e8ff450cc20e
Instruction Fuzzy Hash: 61112975E59208DBDB04CFA5E9445EDBBFAEB8E211F05B027E54AB3240DF3059058B25

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE2E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ea0ff8defa22eebfb9b47387a507d05f1447ca13c3d32c765a1348ebbab2ca
Instruction ID: 8c3b3e6e699d78544213941c723b47fe4427214213d4f25349a46c19201bf517
Opcode Fuzzy Hash: 81ea0ff8defa22eebfb9b47387a507d05f1447ca13c3d32c765a1348ebbab2ca
Instruction Fuzzy Hash: 5A21BB35A003508FDF60E728F988B6D3BAAFB4571AF114521E105CB368DA75EC55C792

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAE00 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03801329e664d2c07b7b56420d669800d60cb1a3f0dc5216ed36981f305a3fe
Instruction ID: 1b279695e1fc0b26462616549a80f9dbe14ef98fabd80c5a8d8653753e05adb4
Opcode Fuzzy Hash: e03801329e664d2c07b7b56420d669800d60cb1a3f0dc5216ed36981f305a3fe
Instruction Fuzzy Hash: CE11A039A29218DBCB14DEA5E8056FDBB7EFB4B301F016427D64EA3200DA3095058794

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD940 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856981aff9a0b0a509c32c3c073ad36ec09886c42dc58bbd98bf958fd834a09e
Instruction ID: a9ddaa74a5c8c7357d200fa6821e7a5e35a28b9e053ca6d74291b42ec91a61f3
Opcode Fuzzy Hash: 856981aff9a0b0a509c32c3c073ad36ec09886c42dc58bbd98bf958fd834a09e
Instruction Fuzzy Hash: 851101316082028BDF216BB49451BB93BA3FB82318F16497BC547CF285DE22CC468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0040 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e58beab661c1be7afffe90d675c37195e1a17f85c2582a5bcfce54c7ee57627
Instruction ID: ac7d444d9e54087fa9d3ce7ec8ffe0412c01b766403f0b2df99570e2d8117532
Opcode Fuzzy Hash: 6e58beab661c1be7afffe90d675c37195e1a17f85c2582a5bcfce54c7ee57627
Instruction Fuzzy Hash: 0011D636F002099FDB04DFA5D845AAEBBBAEFC5310B44856BE514EB250DB30A915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6D64 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884b0377a4b1c375979818b7f7f0ee4a55e1b8f79a1ad26e395156cfe2f57c03
Instruction ID: f99908fe9008bf6cf5aca873d9a9c581ff589ccf518796e23270dd956999c579
Opcode Fuzzy Hash: 884b0377a4b1c375979818b7f7f0ee4a55e1b8f79a1ad26e395156cfe2f57c03
Instruction Fuzzy Hash: 37213A34E0421ACFDB10DFA8D840BADBBB6FB45305F1195A6E509AB354DB70AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE238 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f892b1f6d3ab8733865a5e06e42332073d3aa53fa01281e9e86be139b5e9e689
Instruction ID: 371787f7d3b64950d607389aaf65809ce78407ef06a8ba3c7f32274cb71257a4
Opcode Fuzzy Hash: f892b1f6d3ab8733865a5e06e42332073d3aa53fa01281e9e86be139b5e9e689
Instruction Fuzzy Hash: 8211CE31A012529FCB61EFB888552EE7BFAEF8A210B15047BC505E7211E631C8428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6E82 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07e88f7b6270577b67961e32e4d40222867cb07cb29c1bbe56f9313999814ad
Instruction ID: 5a7d032d38307116d5a291a0649428e2b78b1dc2c47ddf863aa058e2aeb06831
Opcode Fuzzy Hash: f07e88f7b6270577b67961e32e4d40222867cb07cb29c1bbe56f9313999814ad
Instruction Fuzzy Hash: D7213938A14219CFDB20DFA8E944B9DBBB9FB09315F1195A6E509AB384DB30AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3663176490.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561e316a5ed77f6118ff7c5287531a15f3d0b79e0580107bfa2f1c7a8ae6a8d1
Instruction ID: 3fca60750a1f7d4ac2867bebf51ad3ae3d03f390c7e0ca58d2f02e8ffe7832f8
Opcode Fuzzy Hash: 561e316a5ed77f6118ff7c5287531a15f3d0b79e0580107bfa2f1c7a8ae6a8d1
Instruction Fuzzy Hash: 212192755093808FCB13CF64D994715BFB1EB46214F28C5DAD8898F2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD950 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1362c117507679d3badfa113211fbb18fa7fb306606c75fd3e7954ab47e15ef5
Instruction ID: e9c9247ecbc61713acff81d0ed8e8823b6f700296c644a5ba6ac1d7a90f925bc
Opcode Fuzzy Hash: 1362c117507679d3badfa113211fbb18fa7fb306606c75fd3e7954ab47e15ef5
Instruction Fuzzy Hash: 331191317042068BDF64BAA9C444B793697FB81318F12453BD607CF354DE22DD4687D1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7DA8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898898cf6f397c999f22f1c4511b943d116ce391ec773a72dad6a37f7c49b432
Instruction ID: bc1310330299406c69a24cfedc50132ccb291ae305ef4233e7d13962148e9c92
Opcode Fuzzy Hash: 898898cf6f397c999f22f1c4511b943d116ce391ec773a72dad6a37f7c49b432
Instruction Fuzzy Hash: D2114C34B002068BDB289B799C14BFA76A7FB84760F16812BAA4697380EA309D4187D1

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC899 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5106abfbf30512fffc30c2e3fbfbaf353c23ccdd6226e8791cad55172d76323
Instruction ID: a45f1733fe8eabf75574b263448290fc28a314a0bebde2d24b62b5867620ef07
Opcode Fuzzy Hash: a5106abfbf30512fffc30c2e3fbfbaf353c23ccdd6226e8791cad55172d76323
Instruction Fuzzy Hash: 46213870D1920DDFCB04DFA4D4555AEBFB6EF4A201F20606AD50AA3341DB305A02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DF47F9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8251844d8050f3975aae547a85dfa882cc59a40af058398d4a6644868cfe12ff
Instruction ID: 74bbacf66bab218463988b7e1a25580642b2a67c787b674e2be5637f2490cfc3
Opcode Fuzzy Hash: 8251844d8050f3975aae547a85dfa882cc59a40af058398d4a6644868cfe12ff
Instruction Fuzzy Hash: 642115B1D056588BEB18CFABC94579EBFB7BFC9304F18C06AD408AB264DB7409458F90

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC638 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1830b2216e78eec96c13789092545250d9f51dd193b424b1c20d1117cadbf330
Instruction ID: 3ad17ea7892b92927bca3969615468dd9807d61f6bf1b778a177a87b155039e3
Opcode Fuzzy Hash: 1830b2216e78eec96c13789092545250d9f51dd193b424b1c20d1117cadbf330
Instruction Fuzzy Hash: D8112B75D1D21CDBCB04DFA4D4182FEBBBAEB4A201F01602AD616A32A1DB744E14CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE3F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd47d84079cfb7bce6b741f1f9f2bbb89ab69447ef6e07428039d71f74b84ce
Instruction ID: 78faee9ba3b6df81778302e4e465ded25a2b67c888318a4febbca8246fba1caa
Opcode Fuzzy Hash: 7cd47d84079cfb7bce6b741f1f9f2bbb89ab69447ef6e07428039d71f74b84ce
Instruction Fuzzy Hash: 2B1159B6F002509FCB01AFB898097AE3FFAEB88250F14457ADA09C3355EB30C901C790

Uniqueness

Uniqueness Score: -1.00%

Function 05DF51A0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ced214d116856368663e8f71d8c0fa6f1ef978cf06840b19cab1e20ed8c707
Instruction ID: 3a4aa4ab4de9ff492d45f69ccd174d99a2c9203a0f924a5241dec82805b0fe42
Opcode Fuzzy Hash: e0ced214d116856368663e8f71d8c0fa6f1ef978cf06840b19cab1e20ed8c707
Instruction Fuzzy Hash: 55219A70E19248DFDB08CF6AE9416ADBBF6BF89301F04D1AAE5059B350DB349901CB00

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBB21 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a832b34189d8a33cbbd11116f9a75bd58ea8c6c7daa6ff45faba42b996d6a173
Instruction ID: 520e6c2a00eb5747a117c996e6b277be78a45d0eee5a6f2fcff166e82bc2f843
Opcode Fuzzy Hash: a832b34189d8a33cbbd11116f9a75bd58ea8c6c7daa6ff45faba42b996d6a173
Instruction Fuzzy Hash: 2521B634E553089FEB04CFA0E899BADBBBAFB4A701F205016E909AB794CB705941CB05

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC2CD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652e3ac9ae1da6254f4a590da16f995c70a73ebc2b60e41ed38c74d369bcc7e5
Instruction ID: ab7a3bda8c6b0b00c0c5797d955fea22379aeeb6b4c2edc9670235f02e96b77f
Opcode Fuzzy Hash: 652e3ac9ae1da6254f4a590da16f995c70a73ebc2b60e41ed38c74d369bcc7e5
Instruction Fuzzy Hash: 19219F74E2521CCFCB14DFA4D9885ADBBBAFF4A300B51902AE90AA7354DB305D41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6C05 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccea4fdf7441a2a3436d0b18dd64b5ad1b8a46e0083df627a8071b07c5ba80f8
Instruction ID: 0b8c8a65f1b8f8ce3cb64b4014f94a92718596970295b545640b3b1ae835f665
Opcode Fuzzy Hash: ccea4fdf7441a2a3436d0b18dd64b5ad1b8a46e0083df627a8071b07c5ba80f8
Instruction Fuzzy Hash: EC219D34D04219CFCB20DFA8E844B9DBBB5FB45305F0195A6E509AB394CB30AD81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DF3A38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d756a5c6acee2c4ee1d02ee87ef929dd55ac866cc7ab4e9c266ea50cc710b9
Instruction ID: 382cf792d530d4d746554f640b9afbccab9252b9c065cf4ce997a7fe239ee236
Opcode Fuzzy Hash: 35d756a5c6acee2c4ee1d02ee87ef929dd55ac866cc7ab4e9c266ea50cc710b9
Instruction Fuzzy Hash: 30210378D08248CFCF14CFAAD8845ECBBF6BB49301F06A42AD949AB211D7309945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 010DD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3661936611.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: fd71011960e0c51519482612666ffcd8a5fb3d6527f87a0e1fd10f883b673911
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 5A11DF76504240DFCB16CF44D5C0B56BFB2FB84324F24C2A9D8490B297C33AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3661936611.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 421171922d3546c8ebe7e063047164fd0de5c246b74f2b4124a36db51bf36ff6
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 4C11B176504280DFCB16CF54D5C4B16BFB2FB84324F24C6A9D8490B69BC336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0100 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936644ee2d9e0f1c66ade1dcce2a0bb41b107a85582e7cc646e800881b3cf412
Instruction ID: dcaabe4a7bb3cb87f11c5dfa207e202497e799b7bc99b9950715c8fe4d5f363d
Opcode Fuzzy Hash: 936644ee2d9e0f1c66ade1dcce2a0bb41b107a85582e7cc646e800881b3cf412
Instruction Fuzzy Hash: AD2103B5C003499FCB20DF9AD884ACEBBF4FB48310F10841AE919A3210C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC8A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b116a03e93a42864f80ee75caa8809ea389eb79fee669db326361a892baabe
Instruction ID: 0a36c320e5e1c1ff02e17da6869df1cddc5a6bd67c4a969f3dc5a8d0da942d60
Opcode Fuzzy Hash: 05b116a03e93a42864f80ee75caa8809ea389eb79fee669db326361a892baabe
Instruction Fuzzy Hash: AB11E674D1520DDFCB44EFA4D9495AEBBBAFF4A301F20A16AD50AA3351EB305A01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3663176490.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 93e4bef80c547496cfa2731b24e51315127a4aca67b9d572dac2c17b6bc56391
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 0E11BB79504280DFCB06CF54C6C4B15BBA2FB84324F24C6AED8894B296C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0108 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfadc5b856b02cdb3744e88bf738ee9523279772afafb7f4ae990c58c736405
Instruction ID: 87dbf4abff0f1308ebd28188afc29657abeb9dc33c07b9b4de58226e42640e4d
Opcode Fuzzy Hash: bdfadc5b856b02cdb3744e88bf738ee9523279772afafb7f4ae990c58c736405
Instruction Fuzzy Hash: 7811E2B5C003499FCB20DF9AD884ADEBFF4FB48320F50841AE919A7210C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB0C8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82979dbe67312c86ef080a2928f3e68069ede057454e24d016764c8c70f64eb
Instruction ID: 75d7d1da56d197bbedaded5996f1debb7394b49b52aff444a2eb5b436999a802
Opcode Fuzzy Hash: e82979dbe67312c86ef080a2928f3e68069ede057454e24d016764c8c70f64eb
Instruction Fuzzy Hash: 4511FA74D19608DBEB04CFABC9443EEFBFAAF8A300F05E02BD519A6254DB7445068F54

Uniqueness

Uniqueness Score: -1.00%

Function 05DFE248 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fb6854382582fc9d6aa5829100e2e8d847e6e1a63b3dc8f4fccd816ef715da
Instruction ID: 0a8568111ad6ddc0b5fbd94fce3bdce03ac92e9fd2699841f04a09fb869324d8
Opcode Fuzzy Hash: 01fb6854382582fc9d6aa5829100e2e8d847e6e1a63b3dc8f4fccd816ef715da
Instruction Fuzzy Hash: 80018C31F002159FCF65EFB988442AEBBFAFF48210B12047BCA05E7301E635C9418BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0007 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5265787ce8c1eb9a399abb62624e2079d7c7fca29af6ec3b202dddf0277026
Instruction ID: 5c0287e887d3a42022eab5a55024cf4d740ade8a49febdadb6c2bac76c7116d8
Opcode Fuzzy Hash: 6e5265787ce8c1eb9a399abb62624e2079d7c7fca29af6ec3b202dddf0277026
Instruction Fuzzy Hash: 6D11A5766083859FC703DB65D8116953F7AEF86350B0981E3D444DF267E5348D098765

Uniqueness

Uniqueness Score: -1.00%

Function 05DF4808 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf33967a1ba5333bdc95e06ade19409dcef4b185337334966439264fe7ef83d
Instruction ID: 09f309b74833eba8b548b7155b5907757009bdf78958ff81cc32f22e888a91fc
Opcode Fuzzy Hash: 5cf33967a1ba5333bdc95e06ade19409dcef4b185337334966439264fe7ef83d
Instruction Fuzzy Hash: BF11C0B1D016189BEB18CFABC94579EFAF7BFC8300F04C16AD408A6264DB7409468F90

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC6E8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec8b5a532ad38221ccd513104ddd6ee0d02b1052dc0078874b98be9b01526a7
Instruction ID: 8d8e37f953aace47ea3687e43449accb10f0c55304269c04cb15993d1b991a06
Opcode Fuzzy Hash: 0ec8b5a532ad38221ccd513104ddd6ee0d02b1052dc0078874b98be9b01526a7
Instruction Fuzzy Hash: FF1118B4D1920DDFCB00CFA9D5452AEBFF5AB4A300F1094AAD959E3352EB344A02DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7D38 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d1a8e1a15884d996be23485bb20f82ece156d71142da52f3685aebae3d6094
Instruction ID: 4618773c4fcc9a809ced740ecd9a1be1ec68e8344e845b58d6ac6ccd08761d5d
Opcode Fuzzy Hash: 21d1a8e1a15884d996be23485bb20f82ece156d71142da52f3685aebae3d6094
Instruction Fuzzy Hash: 3C11CE75E042499FCB14DFA8D8007EDBBB2FB49311F1181ABD958D7380EB344A01DB81

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBBAD Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636d8a026feb974b96c4e5e6e12e7ce7c639b13bb713ca3efdef6920c3ec382e
Instruction ID: b2e22a73ce0f839e7611c23036a7afb1ef0955912ea4e66da187c39f20574f1d
Opcode Fuzzy Hash: 636d8a026feb974b96c4e5e6e12e7ce7c639b13bb713ca3efdef6920c3ec382e
Instruction Fuzzy Hash: 1811F534E50308AFEB00CFE0E895BADBBB6FB49701F105016F90AAB794CB705941CB04

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6B92 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d97c0f67c383a5484c9f8682c3faa8e527c4ae71f5f3047359f36e35875ad1
Instruction ID: 25f0ce5bcd46d12dbea1c1466b2ffa8ef701b361c961c9ce33fc4913c4d7292b
Opcode Fuzzy Hash: e7d97c0f67c383a5484c9f8682c3faa8e527c4ae71f5f3047359f36e35875ad1
Instruction Fuzzy Hash: D6113D34904219CFCB20DFA8D840B9CBBB5FB45315F1195A6E619AB384CB30AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6BAE Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162cf2a0e0c934df8025838259f49a5e248fb5c470fd2471632dabcf02f9b32a
Instruction ID: 54ef8d3e4a187d4a134636408a81c00909fc99fb48cad76939ee04f01b6f2b7b
Opcode Fuzzy Hash: 162cf2a0e0c934df8025838259f49a5e248fb5c470fd2471632dabcf02f9b32a
Instruction Fuzzy Hash: B1118E75D18208CFDB10DF64D985AADBFFAFF09306701A12AE6468B356DB30E841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DF55C9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830298654aa8d23818853dbeaf89d348b6770b45ca2445b6eafcdbd945c358aa
Instruction ID: 838803fc3be272512081ce45e31dff610b20f39d51e671d508047d202a811723
Opcode Fuzzy Hash: 830298654aa8d23818853dbeaf89d348b6770b45ca2445b6eafcdbd945c358aa
Instruction Fuzzy Hash: 7101D4B090C244DFCB04CF55E9409BCBFBEBF4A301F16A1A7D1564B212C7308A05DB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DF5641 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc14e26459da599757786a54c3ac573afdfe01e61c9273e71e89e5b4b217fbb
Instruction ID: 7059cf2129a3a18f74e2552b524a539598f0259d6f481a997baf0b825250abba
Opcode Fuzzy Hash: 1bc14e26459da599757786a54c3ac573afdfe01e61c9273e71e89e5b4b217fbb
Instruction Fuzzy Hash: 5D11AD38A08208EFCB10DBA8D685BACBFF6BB49200F1981D5A5599F352CA30CE01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DF51D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bc9ed96b910d02f7349b08ba922003443c2ac37ef77082928dddce48ed56be
Instruction ID: d5d9a207095426cb9aa653ae0d63ad65c488a2ecc1c37fc2a0eb7aeb617dccca
Opcode Fuzzy Hash: 71bc9ed96b910d02f7349b08ba922003443c2ac37ef77082928dddce48ed56be
Instruction Fuzzy Hash: DE113C70E15218DFCB08CF6AE9409ADBBFBBF89301F00D12AE509A7314DB309901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD228 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316f00720de7f6b778d238f790d79dd7b449e52ec8056d9005786fb2dd3f57c8
Instruction ID: ad698e53cb621c646443966984840ae5eab12b0d26c33dd28ee3ddadd850345a
Opcode Fuzzy Hash: 316f00720de7f6b778d238f790d79dd7b449e52ec8056d9005786fb2dd3f57c8
Instruction Fuzzy Hash: 3411F8B4D08249DFCB04DFA5C5856AEBFFAFB4A301F1094AAD459A3351DB348A02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAF40 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b3d0f0c4d3689dc9e10fc6e95bd80bf9555c8f9e208f6b76de91b24e130b3e
Instruction ID: 8be2e8f0b0a32cd68470313f196443258305087ebb16f811d6ca719dff3c8408
Opcode Fuzzy Hash: 85b3d0f0c4d3689dc9e10fc6e95bd80bf9555c8f9e208f6b76de91b24e130b3e
Instruction Fuzzy Hash: 2B01B5B4D18248EFC704EF75D4456AD7FBAFF4A201F5060A7E41D9B291DA348A05CB45

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBBFE Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43bc90c70e0fe682210eef942fa3061a6e5f0506d6d83ceab2410d9f381e80f
Instruction ID: 0e95bfa44d543ad9386fa540f562ba11df37edab807b6c401388e974ab027303
Opcode Fuzzy Hash: e43bc90c70e0fe682210eef942fa3061a6e5f0506d6d83ceab2410d9f381e80f
Instruction Fuzzy Hash: 6711AC34A503089FEB04CF94E896B9DBBBAFB49711F145116F90AAB7D4CF705941CB05

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC628 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b24e9400bf82e063ea11db09a9cfb7a8ad580a2b8a17e8e08e08bbbe81ad653
Instruction ID: 2026cd8383b85b372b8011c83fec30e36ab6fe70a7379a87433cda81067fc157
Opcode Fuzzy Hash: 6b24e9400bf82e063ea11db09a9cfb7a8ad580a2b8a17e8e08e08bbbe81ad653
Instruction Fuzzy Hash: 2301F23192D2489FCB048BA494193FE7BB9EB4A201F0564ABC245972B2DB754A19CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD238 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0251f08df3734f67c42dd458953005b077bd839df6f9de3195bf036e86a71bc
Instruction ID: 4994f15d268ddb6d2d1dafbfd56652ebdc58a9871f981b31348bb44161a4b871
Opcode Fuzzy Hash: b0251f08df3734f67c42dd458953005b077bd839df6f9de3195bf036e86a71bc
Instruction Fuzzy Hash: 6111F7B4D0820DDFCB44EFA9C5456AEBBFABB49300F10916AD919A3300EB309A01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6BD7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ae947a67034715e8a5c29eaba52658ba622165ccfa7cefbab9c369cb8d6046
Instruction ID: 675949185cb5141da96ac46a360a88101e168f388d355c55be68f23bbe2aaca1
Opcode Fuzzy Hash: 68ae947a67034715e8a5c29eaba52658ba622165ccfa7cefbab9c369cb8d6046
Instruction Fuzzy Hash: C1112874E10309CFCB14DFA4E6855ACBFBAFB89705B10512AE50A9F345DB30A842CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAAC3 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e483b9c87adb06d02722115d6d2915c99ddc0265a3a2f5aa9374ae5b9965dd11
Instruction ID: f1835a6f4b4d352bfbd78a38208b7ecaf089b4da03dfb84a2865becd4fd78310
Opcode Fuzzy Hash: e483b9c87adb06d02722115d6d2915c99ddc0265a3a2f5aa9374ae5b9965dd11
Instruction Fuzzy Hash: FF111078914218CFDB24DFA4D8887ACBBBAFB49305F11A06AD44AE7385DB305985CF11

Uniqueness

Uniqueness Score: -1.00%

Function 010DD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3661936611.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab81512678f4d3764ef68915f3829b6caf84a3a4e56e818a1160ffeabc10622
Instruction ID: 522a8338b6d2be1823c06e06739ee15dd054b13db4559e37ab87889ca8e526a9
Opcode Fuzzy Hash: eab81512678f4d3764ef68915f3829b6caf84a3a4e56e818a1160ffeabc10622
Instruction Fuzzy Hash: 69012B315043809AF7605E55CDC4B2ABFDCEF41225F08C5DAED890F2C2E2399841CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAA71 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1daf0eb22dc58e1dbddd15e9c9e354b94b8976f77e9541c75f546fc4c58326be
Instruction ID: 70ad08e43e1bc0b2df93078c997d03d0a2e9b53da5688102dd6fff34844f95ae
Opcode Fuzzy Hash: 1daf0eb22dc58e1dbddd15e9c9e354b94b8976f77e9541c75f546fc4c58326be
Instruction Fuzzy Hash: 19118B39C18349CFCB11CF74D8946ACBFBAFB4A215F11626AD04A9B396CB306885CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6CB7 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2bb03ac0ff66b5c7b3ffd6176756346f0c72855a3a26976e407316a6e122c7
Instruction ID: 0fb188b1b26cce058071d8ac7c20db4c2a3c870eebd594cdc61942c82b2357b6
Opcode Fuzzy Hash: 0a2bb03ac0ff66b5c7b3ffd6176756346f0c72855a3a26976e407316a6e122c7
Instruction Fuzzy Hash: 3B115134914259CFDB20DF68D845B9CBFB9FB05304F11929AE50AAB395CB70AD86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAE10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e38970a3053678c7126d87981e95b51ac84d8c807fe14071b2d16a316477dc
Instruction ID: ebc046aa3bf943ffd568b54f595046cb2221b3bac2bd58a236c715e738b5d3ec
Opcode Fuzzy Hash: c2e38970a3053678c7126d87981e95b51ac84d8c807fe14071b2d16a316477dc
Instruction Fuzzy Hash: 8CF06235E1921897CB048E65A8151FDBB7DEB8B301F01702AD64EB3241DA3099048754

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC6F8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20fa56b79ed38e02ce1fd952be526c93310229c4680f6d71e9ba535260737b1
Instruction ID: 1b56db78bce69d8f7efaa875aa7034c6ee17114c0f27f5a35e7141e783c9b8ac
Opcode Fuzzy Hash: b20fa56b79ed38e02ce1fd952be526c93310229c4680f6d71e9ba535260737b1
Instruction Fuzzy Hash: 7C0129B4D1920DDFCB00DFA9D5452AEBFF9BB49300F10906AD919E3351EB304A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DF5650 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612c0f26db49a98331f8ca404de040b0f605f53eea78b6bf6d7f88f546004bea
Instruction ID: 6b38b65d2288badc473275fbca524160d9f39684b676e36ac50cee302205d328
Opcode Fuzzy Hash: 612c0f26db49a98331f8ca404de040b0f605f53eea78b6bf6d7f88f546004bea
Instruction Fuzzy Hash: EC01FB74A09108EFDB04DFA8DA85AADBBFABF49300F19D095A5499B355DA31DE00DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DF55D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5fe8995fbb6fdf28c7139413817d59d2d4dd20d27825063b812eae09b3fb4f
Instruction ID: 6741b5de55faf620f9e4f64a6a0a670f267f467767b8ec921e5a15e2b9d16205
Opcode Fuzzy Hash: 3f5fe8995fbb6fdf28c7139413817d59d2d4dd20d27825063b812eae09b3fb4f
Instruction Fuzzy Hash: F4F0AF7090C208EBCB04CF56E9409BCBBFEBF4A300F05A2A6D55A5B212CB30DA45DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC2B2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb70eb81c57cb8dcfe541c0b3612916c09787a9661eaa5b5db9f43c0ab2f8b3b
Instruction ID: 685d2db293833628f193452eb33420db543b8a551b992a4fd088603a01186bb9
Opcode Fuzzy Hash: fb70eb81c57cb8dcfe541c0b3612916c09787a9661eaa5b5db9f43c0ab2f8b3b
Instruction Fuzzy Hash: D4017E78E2924C9FCB00CFE4D5944ADBBB6FB4A300B519016E915AB359DB309D01DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAF50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7495756a8ded3ec2e7bc6a8b6b4d84c0fedb192d09aaed4576224cd2890446e
Instruction ID: 39f25a2f1ed97221dd4821b84e0c00d5ecf258bfc6e3f3aa449dd74af2417397
Opcode Fuzzy Hash: d7495756a8ded3ec2e7bc6a8b6b4d84c0fedb192d09aaed4576224cd2890446e
Instruction Fuzzy Hash: 1FF044B0D14208FFCB04DFB5D4456BDBBB9FF4A200F40A0AAE50AA7290DE305A00CB45

Uniqueness

Uniqueness Score: -1.00%

Function 05DFCF68 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb8d972a5d0292140b2451a670246d55bd99aeddc9d729fe4a42d6339fb922f
Instruction ID: e3040abe74aac6c7670d5fd7ea4324791b46a560ba78acf46e69df96203de7ba
Opcode Fuzzy Hash: 0bb8d972a5d0292140b2451a670246d55bd99aeddc9d729fe4a42d6339fb922f
Instruction Fuzzy Hash: 4DF0DC75419288AFCB11CFB8D90A798BFF4EF0A215F1402DADA48C72A2D6305D02D742

Uniqueness

Uniqueness Score: -1.00%

Function 05DF3A17 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de363b35976966fa107576e52d805b54a77fa7fe9aaf568f291133412e9da01c
Instruction ID: fea3130d5453692223eb5684d0ade3949cc8a89c03bce26b3f749537f7d827b5
Opcode Fuzzy Hash: de363b35976966fa107576e52d805b54a77fa7fe9aaf568f291133412e9da01c
Instruction Fuzzy Hash: 7F01E479E00208DFCF01CFD8D985AEDBBB6FF49311F215556E645AB621C7329952CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD008 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6812663e7e75c3aca5f51515b010170887d7235582602533ebd2495c53369e9
Instruction ID: 02734558abae27621f2c8f2de7fe3e89e347966402ad00008a017ce8bbd6ccfe
Opcode Fuzzy Hash: a6812663e7e75c3aca5f51515b010170887d7235582602533ebd2495c53369e9
Instruction Fuzzy Hash: 9DF0C2319082889FCB11DFB8C80669DBFB2EF02214F6482DAC958573A2C6359A83DB45

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAFC0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2938b05ae3a182a96f0bd52d76548c94b85b28066bcebf5d5554f50aa77742
Instruction ID: 67905babfb46e7c61caf23699f52f9b2f5ead1fce27d1b7b4ef95a705ed9b2a0
Opcode Fuzzy Hash: 7d2938b05ae3a182a96f0bd52d76548c94b85b28066bcebf5d5554f50aa77742
Instruction Fuzzy Hash: 65017D74809388AFCB25DBB9C58175C3FB0AF03211F1001EBD8188F291D7358E06C781

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD179 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716fcdf56538985bf2c6468217af421e0e3dbf55a9fba1f1bcaceff42533893e
Instruction ID: 283dd35d2271360dd3a82208fa8b7ce80d503801b0e9517c7c7fb21d7ba59b26
Opcode Fuzzy Hash: 716fcdf56538985bf2c6468217af421e0e3dbf55a9fba1f1bcaceff42533893e
Instruction Fuzzy Hash: 8E01FF2244C2C45FCB27D7B899A26A83FB1AF43111B2902DFC9D88B1B3D525094BC742

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBA98 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e77c6e837d0b34f4944ba9ffd985b82bf20a6f8b6b7c482e711756433531b8
Instruction ID: 0c390292e1cd9724775a255667b49d50a9822460931003a45f5fe85ac08099f1
Opcode Fuzzy Hash: c4e77c6e837d0b34f4944ba9ffd985b82bf20a6f8b6b7c482e711756433531b8
Instruction Fuzzy Hash: 6801FB70E45208DFEB10CFA5D845BEDB7B6EF49300F119057E519B3341CA7099808F24

Uniqueness

Uniqueness Score: -1.00%

Function 010DD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3661936611.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1047077e08966884dc01b3a01ec359895f315c8a59d86d9c66149bb8d4355356
Instruction ID: 36d37cff5f0974318f263f6d01999ad64f4a3f7b8ee50fcfbeaaf0abbfab1cc4
Opcode Fuzzy Hash: 1047077e08966884dc01b3a01ec359895f315c8a59d86d9c66149bb8d4355356
Instruction Fuzzy Hash: 9EF062714043849EE7609E19C988B66FFD8EB91634F18C59AED484A2C6D2799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF3224 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f9319975758d7757f74efaf29b77c1b0e80f46bca4fe5ebb7aba5e64d020a9
Instruction ID: 97b02b741d07545d3f9f4a07696cc2e9f94e5167e9b7e0f764aaeeec2da80398
Opcode Fuzzy Hash: 38f9319975758d7757f74efaf29b77c1b0e80f46bca4fe5ebb7aba5e64d020a9
Instruction Fuzzy Hash: 4FF0AFB5A0D3198FCB65CF18CC907AC77BABB45201F0758AA824997266DB308A49CB02

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB9D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d35645554b18debca658b11e40c228ef12a03c1587df6311652b0b8ca6f727
Instruction ID: 6a445e8ba3f2c7398c34aa24cc575f99fa7da52af02686c52b22d6a7c07682d6
Opcode Fuzzy Hash: 89d35645554b18debca658b11e40c228ef12a03c1587df6311652b0b8ca6f727
Instruction Fuzzy Hash: 92F0BB71C0D288DFDB18CFA7D9512ADBF77AB86200F15909BC59897212D7704901C761

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAA1D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401a6a7018636a5e85a9e6af4914731741d86d45c74a5ea2ddb765219499ef08
Instruction ID: 96639bcb0b5f3a43deb5386bd0a79c3869f5e3b49f9c86a112658c78379b312f
Opcode Fuzzy Hash: 401a6a7018636a5e85a9e6af4914731741d86d45c74a5ea2ddb765219499ef08
Instruction Fuzzy Hash: F701FB39D14318CFDB10DFA4E9956ACBFBAFB49305F11652AD01A9B355CB306885CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05DF31BE Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be2c81a1a2a8901eaa3622345b12bd71d24488d58d6c51300c4feffe7a063b4
Instruction ID: b4316aec7e878b067beb848eb674b46a8ce01f8c462f69a338eb172ee0e04925
Opcode Fuzzy Hash: 1be2c81a1a2a8901eaa3622345b12bd71d24488d58d6c51300c4feffe7a063b4
Instruction Fuzzy Hash: 20F01D74A0D3298FCB60DF58D9907AC77BABB49301F1299DAD24997219CB305A88CF12

Uniqueness

Uniqueness Score: -1.00%

Function 05DFA945 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d9e1b88d0bb1f2a12513de137ff993af61a13e707651269498e2a520bbafb07
Instruction ID: 2a880e6b4325cb8e8995a907211a5443572a56887c6af0fa6fd283eaee4d9e2e
Opcode Fuzzy Hash: 6d9e1b88d0bb1f2a12513de137ff993af61a13e707651269498e2a520bbafb07
Instruction Fuzzy Hash: CCE0393882D208CBCB10CF50E9150F9BBBAF74B307F1A3453D54E92112DB309A45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB950 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cbedde274bceffd0ca53c4d4d5189a8d49d43c10db3261858a317e01a2860b
Instruction ID: eebbc2df2c2d3ce6c0e8552cab19f5ae7107c9c6837b4e1595d07234a9fa94b1
Opcode Fuzzy Hash: 01cbedde274bceffd0ca53c4d4d5189a8d49d43c10db3261858a317e01a2860b
Instruction Fuzzy Hash: 62F0E57188D288DBEB09DBA4D5812A83FB5AB42205F6551DBC58883252C6744D07C792

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6B53 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd4b0becf48b843151dd994197e6ff4a7fc3feb0d9aff1cddab5360a5894307
Instruction ID: 3c4f78a330656199d481c5637bf1cdb1cdad4020988cd50a465d0e3654bcd111
Opcode Fuzzy Hash: 3cd4b0becf48b843151dd994197e6ff4a7fc3feb0d9aff1cddab5360a5894307
Instruction Fuzzy Hash: 60F02734D18244EBDB24EBB5D8057A87B7EEB49302F01D92A871597395DE70C407CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBD78 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6096ee04141d50c2fea13a0c57bd73e62a2eb80891f90856e2ad8b7a48449da
Instruction ID: fa3e3821cfefd9e4f599108effe5e5e399e22e4da8cbd975d634dba7b07add77
Opcode Fuzzy Hash: e6096ee04141d50c2fea13a0c57bd73e62a2eb80891f90856e2ad8b7a48449da
Instruction Fuzzy Hash: 44F0E57580E388EBDB16DB75C9013A83F76AB13206F2941DFC94A47392C6394A45D782

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf2142797a0a8ddd0105081944386ec0a50430a234affea50fa79f5160cd5a4
Instruction ID: 455788e3b51a2f1ded706c0fe5e648bda2bba35ee3ed11b5abf10f9c2b33cc07
Opcode Fuzzy Hash: fcf2142797a0a8ddd0105081944386ec0a50430a234affea50fa79f5160cd5a4
Instruction Fuzzy Hash: D1F03A74D1120ADFEB50EFA4C50679EBBF4EB04201F61882B8554E6240E7B986428FC1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF3120 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6080235574d3278af7847df5c1660bcda742221b1fc63af2ad1e3d7ae263a367
Instruction ID: c5a2500548b8a0f1c2c59b8c50faa1c074f9d578115c8c9da24e4169ebca5758
Opcode Fuzzy Hash: 6080235574d3278af7847df5c1660bcda742221b1fc63af2ad1e3d7ae263a367
Instruction Fuzzy Hash: 4BF0A7B4A0D319CFCF55CF14CC905EC77BAFB49201F039966C10996125CB305949CB11

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD058 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ed2ef6d3124185a1ab66b23400ad51794d8ee8e05621a709633685f31ea568
Instruction ID: eda25a3917523ceb7f961ac71e8b611d8c1d313e3db4551dc1b8b5d46b5363d1
Opcode Fuzzy Hash: e9ed2ef6d3124185a1ab66b23400ad51794d8ee8e05621a709633685f31ea568
Instruction Fuzzy Hash: 5EE02035A4D1C85BC705D674D5023B83F7ADF03519F5411C7C99D432938D250D47C345

Uniqueness

Uniqueness Score: -1.00%

Function 05DF49B4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3120eb47501777bb902df38cd58f1f2126e6c16306f1e6f6c4eb265ace3ea8f4
Instruction ID: 0f662d455ab35a07d09ac51c41df1396b45adcd0048addf63a85444fc6fb1fe9
Opcode Fuzzy Hash: 3120eb47501777bb902df38cd58f1f2126e6c16306f1e6f6c4eb265ace3ea8f4
Instruction Fuzzy Hash: D0F0BD7490621ACFDB60CF24D980AA9BBB5AB19200F0120A6E91EA3751E630AA81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD8F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a201a29a253d3c25e78cf0fd472966ad4587305ccc4bd00499d17befa7d5f7
Instruction ID: 68b228243a769f45d7dcb109cf800af0066e01417170dec6e805c0db719f18de
Opcode Fuzzy Hash: 06a201a29a253d3c25e78cf0fd472966ad4587305ccc4bd00499d17befa7d5f7
Instruction Fuzzy Hash: 56F08C70D29388EFCB16DFB8C0512ACBFB2EF4A200F5084FAD44497210D6354A46DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6B60 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaea9b0b6b5b09ec311d02c7a4d04e1665b96f883eb523b661ba41076190d9c
Instruction ID: 098a13819a644eeae9aac69d7d34742de239da8a99b28fc0250a6669c83dd811
Opcode Fuzzy Hash: bfaea9b0b6b5b09ec311d02c7a4d04e1665b96f883eb523b661ba41076190d9c
Instruction Fuzzy Hash: 31F0E534D182089BDB24EBB5DC047A9BBBEAB49301F00D926820597284CE70D446CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05DF5310 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417ed1a3b8f68d8ad3476bf559eda705354031732777b12f8c9a449f8dd2a335
Instruction ID: 7a42e9dd9ade1d5c9270dfb36af2f7c1b606f30e68eadd7d25c0871e10ad8ba9
Opcode Fuzzy Hash: 417ed1a3b8f68d8ad3476bf559eda705354031732777b12f8c9a449f8dd2a335
Instruction Fuzzy Hash: 25F08234909244DFC751CF24E95596C7FF9BF4A201B056186E549CB153CB34D406CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05DF9FE8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7c70e4760973355c1a6115c3b1e9758192b7af6ea32fef6292cb6eecf14030
Instruction ID: 119477e5f15c96bf6cdd8f150c8dfeac381cc90e194e3a192efb5633134549fb
Opcode Fuzzy Hash: 4e7c70e4760973355c1a6115c3b1e9758192b7af6ea32fef6292cb6eecf14030
Instruction Fuzzy Hash: 26F03974D1420CABDF44DFA9D44179CBBF8EB49301F5080AA9818E7384EA385A42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB42F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5801ee4131789e587570754eeb22032b7719c50bf1ccabb5d5117cf4b65c56
Instruction ID: 6104a12eadb40181752b193d8145733ef3743be1180e6e18cd80b68b19c7455e
Opcode Fuzzy Hash: 8a5801ee4131789e587570754eeb22032b7719c50bf1ccabb5d5117cf4b65c56
Instruction Fuzzy Hash: CAE0E675D5910CDBDB00DFA4E9445FDBB79DB4B326B017417E14DA2500CA3045548B15

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB12A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed119ae8f497baba013fbf324542fd79c7028f4076b89a8af11a3f9cc9c055c
Instruction ID: 2fef26eea3e2178992d9cd9e880893b86f2d8a79b2debbbfcaef65b18f131097
Opcode Fuzzy Hash: 1ed119ae8f497baba013fbf324542fd79c7028f4076b89a8af11a3f9cc9c055c
Instruction Fuzzy Hash: 3EE09274D2E508CBEB04CF66D8041BDBBBAEB8F300F05B027D54AA2605DA3481128F19

Uniqueness

Uniqueness Score: -1.00%

Function 05DFAE6F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130d7f60792b3bd4a909586ae29a4b71e92cfaf09018ca6f202f1bf36a52da69
Instruction ID: 7c44f66a3c069b810a9131a105faaa0ccdcca004fa9c33fc57371be6fa269723
Opcode Fuzzy Hash: 130d7f60792b3bd4a909586ae29a4b71e92cfaf09018ca6f202f1bf36a52da69
Instruction Fuzzy Hash: D8E01A39E1921CCBCF10DFA8E8405ECBBB9FB4D315B015526E549A7200D63095098B55

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7D48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69925f215bcacfb85723b1b266bd2f3b35d8887bc1cca8a20586af319f85ec21
Instruction ID: 1636e850d23b68d1560ef258e00f76703185791005df66021e3f227b7198101e
Opcode Fuzzy Hash: 69925f215bcacfb85723b1b266bd2f3b35d8887bc1cca8a20586af319f85ec21
Instruction Fuzzy Hash: 0CF03978D1420CEBCF04EFA8D40569CBBB9FB49301F00C0AAE918A7340DA355A51DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB010 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ef9ce0675655ff3a1ebbc55ab6d34fa917fcac08148fd787a18b56f4904134
Instruction ID: d10c06a75ca26d195c07552d3a6c1bf86e23d4380ba5b019919d297494fd0238
Opcode Fuzzy Hash: f4ef9ce0675655ff3a1ebbc55ab6d34fa917fcac08148fd787a18b56f4904134
Instruction Fuzzy Hash: 29E026718093C4EFD719DAB5C5107683F36FB03106F1800DFC5188B252D9768D85E381

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC801 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c526dd5fc40338e266b6bc9675579ee96b01de0db70371975d8ecd22c4f3d772
Instruction ID: 0fb3a7def83407ea3034501d7d0d2e94afa95fda7f9357c7518221a91bb7986b
Opcode Fuzzy Hash: c526dd5fc40338e266b6bc9675579ee96b01de0db70371975d8ecd22c4f3d772
Instruction Fuzzy Hash: 69F06D35A09288AFCB05CFA4C5A56ACBFB4EF06205F1800CAD4868B361D6385E02DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB740 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653ad97d462e9530cae03adff76b1b47c6a6355a45a27594716d942b737107fe
Instruction ID: 02c7ff0751b88eb71c0ddeba917ab3a5eca08463f35f4fc232f857efe35f9620
Opcode Fuzzy Hash: 653ad97d462e9530cae03adff76b1b47c6a6355a45a27594716d942b737107fe
Instruction Fuzzy Hash: BBE0C270D4130ADFEB50EFB8D4052AEBBF4EB08200FA0886AC504E6240EBB986418FD1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF3765 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09f3cb03ea76045a324ab1529edc73b32c985f8fc225f4a4cf1eda2231b0d4a
Instruction ID: c8f8664367402879c7b81860261db95a45cfcf0f1027a2bcf8e25e8a4004cd51
Opcode Fuzzy Hash: b09f3cb03ea76045a324ab1529edc73b32c985f8fc225f4a4cf1eda2231b0d4a
Instruction Fuzzy Hash: F2E0D87460D7198FCF51DA24D8C465877BDB741205F1259BA834985119DB300A88CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBCFF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0751cd26697fe2d4356a9d028aa2d77db07ecaf5b0b4ac30a84e044d85faf9
Instruction ID: 275b455106e4852a8fc974760d66a2938a5897c24ae69ffc8dd18539bdc345a0
Opcode Fuzzy Hash: af0751cd26697fe2d4356a9d028aa2d77db07ecaf5b0b4ac30a84e044d85faf9
Instruction Fuzzy Hash: 2FE0DF75909288AFD720DBA4DE0575DBBF8AB46201F21109FD845C3340D6790E00CB42

Uniqueness

Uniqueness Score: -1.00%

Function 05DF9FF8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b69376113683934502d5ba4941562555f1df7c45622af472a021536920d327
Instruction ID: 09c705c90dfdd8fe316fe907eeb72223a8093e1fd9c90cb576f4c9f27a2d02e5
Opcode Fuzzy Hash: e4b69376113683934502d5ba4941562555f1df7c45622af472a021536920d327
Instruction Fuzzy Hash: 42E0E574E1520CABCB14EFA9D44139DBBF8EB85301F1081AAD918A7394DA345A41DB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DF4991 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8081681622a8768bdf83a56d9d6298d47eda2be708dfeba3bba1f55c7303dd7
Instruction ID: bb9a5e0e79fbeb7168f1cdddbd6508328da41ff7b1a3022af4a4ba76fb4ad551
Opcode Fuzzy Hash: b8081681622a8768bdf83a56d9d6298d47eda2be708dfeba3bba1f55c7303dd7
Instruction Fuzzy Hash: 0BE04F3161A204CFDB15CF64E850DA8B779FF5A303B0150E6E50A87262CB32D951CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD900 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a727340e145e3dc7cff6b6d4b2a4dc8903c3fe7525b4a17974491b08cb278e63
Instruction ID: fdbd8b73cca7cca942c3cd5397f4af2bb880e0cc39510b4a99fa1c10bbc3945e
Opcode Fuzzy Hash: a727340e145e3dc7cff6b6d4b2a4dc8903c3fe7525b4a17974491b08cb278e63
Instruction Fuzzy Hash: 1AE0EE70D0520CEFCB54EFA8D50469DBBB5BB48300F1081AA9918A2340EA399A91DF84

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB550 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d6026e9acc3a241cbdb24d19d11fd37aef93d7ddf909736415ddf0d572a4df
Instruction ID: a110caf5e281e5ec3abffe2d49f69629cefc775c6dab50cb43a400bf2f645c4f
Opcode Fuzzy Hash: 34d6026e9acc3a241cbdb24d19d11fd37aef93d7ddf909736415ddf0d572a4df
Instruction Fuzzy Hash: 16E0EC7091D20CEBDB04DFA4E9056BCBBBDA746302F5451AA950A12350CA345945D745

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBD88 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef459f8687e3090d964931efbceebd5394cb99616aee4c58d7b17c31343cbda
Instruction ID: e6df68911e6bad8892b95be5dc9c528273c40459c21e5482d4a7ca00cf705b76
Opcode Fuzzy Hash: 5ef459f8687e3090d964931efbceebd5394cb99616aee4c58d7b17c31343cbda
Instruction Fuzzy Hash: 42D01270809208EBDB14EFA5D9056AD7F7DAB42305F5041AEC50917390CB755945DB85

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6D04 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d013de09089741792934667611b0d47fb14389cce37c15642eeb899b0ba5fa
Instruction ID: 38df75c43a0aa23590c33af3b29f0e5aefc3478d430f2c3c0eca898f79a54df3
Opcode Fuzzy Hash: c8d013de09089741792934667611b0d47fb14389cce37c15642eeb899b0ba5fa
Instruction Fuzzy Hash: F2E01274911118DFDB54DF24EC94BAC7BBAFB94601F1092B6D44EAB344CA306D86CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05DFCF78 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f73c37b8974afa0485d0bf0feef9cd6299373b8ff455bda6b947e0b9d1b78b
Instruction ID: 34ca005027af50e21b1b72315dae4f4d376dbd37acb882dc7fa28c7a23ae47fc
Opcode Fuzzy Hash: 94f73c37b8974afa0485d0bf0feef9cd6299373b8ff455bda6b947e0b9d1b78b
Instruction Fuzzy Hash: 1DE0B674915208EFCB54DFB8D54565CBBF4AB09205F2041A9D909D7360EA309E54DB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC810 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788b4d4f9e411724774f7e0376da48a37b0843a318909269c306c851e0ba4373
Instruction ID: 5e05856b7cb3bfb92e542abcba75b164be021e371ebbeb3cc1f108c50bda1abb
Opcode Fuzzy Hash: 788b4d4f9e411724774f7e0376da48a37b0843a318909269c306c851e0ba4373
Instruction Fuzzy Hash: 1CE01234D08208EFCB04DFA9D1456ACBBB4AF49201F1080EAE90597360DA349E00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD820 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163847172c619e5135d1953634cea41f19aad1963829b630d0df4e0c906c680a
Instruction ID: 9905762d4f47ee1a1a6db010069b206009474ce2ee0de5ef65d66c94a2920b79
Opcode Fuzzy Hash: 163847172c619e5135d1953634cea41f19aad1963829b630d0df4e0c906c680a
Instruction Fuzzy Hash: F0E04F70809288AFCB15DFB8C1926ACBFB8EF06301F1448EFD485972A1CB345A86D702

Uniqueness

Uniqueness Score: -1.00%

Function 05DFCAF1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da069f0736919f2896515be346bb4463a5f087c110be75f898f8f72ac10d470
Instruction ID: 02502c7357bfd748d765adcff2775e5bef4be1e9b553f3f7398727c5712518b3
Opcode Fuzzy Hash: 2da069f0736919f2896515be346bb4463a5f087c110be75f898f8f72ac10d470
Instruction Fuzzy Hash: 9EE0863491D3C4DFC716DB74855166D7FB8AF03102F0404EEC481575A1C6781E06EB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD068 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a4ecc9f3e4aedfd2fc29456983006b1dcce1e2d2c5b2ab56fc60917d3487f7
Instruction ID: b8762750a69aaefdb1360a1e97b2347a88814fc378e6fa7435bd233b0ff7967c
Opcode Fuzzy Hash: 37a4ecc9f3e4aedfd2fc29456983006b1dcce1e2d2c5b2ab56fc60917d3487f7
Instruction Fuzzy Hash: BCD05E70C0920CEBCB04EFB8D9056BDBB7DAB41305FA041AAC90923380CA345E86D786

Uniqueness

Uniqueness Score: -1.00%

Function 05DF2F29 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c6e8a24cd70521c5aa78fa844600156a7cd1ef0161a0056b9220e634359563
Instruction ID: 9c2029cfd6841e4152244278283bd62be74ce39878b1edc1dabeb0055e22e0ba
Opcode Fuzzy Hash: 34c6e8a24cd70521c5aa78fa844600156a7cd1ef0161a0056b9220e634359563
Instruction Fuzzy Hash: 29D05B290393C8DBDF215FA2BC053647F283F43213F9510C3A149C64A1CE504D55C751

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB960 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee2c5094d48bc4f5f514e0a30b492ab17195892d67c6f490b3e2e134c375c83
Instruction ID: 5b144d3dc62c4a999b3cd500bfefe8b9419bcffd48f62797b22a5407ea00247e
Opcode Fuzzy Hash: cee2c5094d48bc4f5f514e0a30b492ab17195892d67c6f490b3e2e134c375c83
Instruction Fuzzy Hash: 16D05E3084920CEBDB04DFA8E9417ADBBBCEB42305F5041AAC90923340CA705E56DB95

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBA87 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42505351d9400c0a524f9d90e6cb443a9447bc733fce097e9144ad35d94117dd
Instruction ID: 2d76b23fbdfa2b2449dfddde461907860acc71395acc600bbf6e4012c3607182
Opcode Fuzzy Hash: 42505351d9400c0a524f9d90e6cb443a9447bc733fce097e9144ad35d94117dd
Instruction Fuzzy Hash: 5AD09E70E4A108CBEB00CFA9E8509FEB3BAAF4E200B11A017D555B3311D670D9008F24

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD188 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4529b6917805279e08537ecd50c7905906cb5fe7ac00957621d8c4b2909106b6
Instruction ID: 4510b952a93cd4d5cd13a4482180770799d6260510e276b9f6244066ad844809
Opcode Fuzzy Hash: 4529b6917805279e08537ecd50c7905906cb5fe7ac00957621d8c4b2909106b6
Instruction Fuzzy Hash: 55D01770D1524CAFCB44EFB8D54639CBBB8AB04201F2000EA890893240EA305A54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB088 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da807e94d8204f42b4498cde4ae16d75e06a8d7a82de99b5a0a5e487a95cc16
Instruction ID: 21ee7d3b26ff03b0b21cb3cf4e4d482753e5c8e7cdd199d06ce3ccc0933b8a32
Opcode Fuzzy Hash: 9da807e94d8204f42b4498cde4ae16d75e06a8d7a82de99b5a0a5e487a95cc16
Instruction Fuzzy Hash: 14D01774D1420CAFCB44EFB8D54639DBFB8AB04201F2040AA890893240EA305E84CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD830 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e5113463750636a06da781766131f6a9da01fbc95901710e65dbbf1e87f00c
Instruction ID: 916fcd001248d5d37c8becb26cd67d2acd0f009d487cd062e0f6554a7d393ae0
Opcode Fuzzy Hash: 46e5113463750636a06da781766131f6a9da01fbc95901710e65dbbf1e87f00c
Instruction Fuzzy Hash: 9DD01770D1420CAFCB44EFB8D5463ACBBB8AB05201F5000AA8908A3240EA305A84CB82

Uniqueness

Uniqueness Score: -1.00%

Function 05DFCB00 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae82aa4c529a898b522d0688ebf8c846a2362ff343a4bb72b6bcb1e3f3054bfd
Instruction ID: 42313acebc36eff6554486c7accf60aacc67966e44909cb732b8654307915725
Opcode Fuzzy Hash: ae82aa4c529a898b522d0688ebf8c846a2362ff343a4bb72b6bcb1e3f3054bfd
Instruction Fuzzy Hash: 52D05E34D1934CEBCB14EFB5910536CBFB8AB02202F5001FEC90426290DA754E54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB020 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475da8d51e83c47d993c3c0809f6b002f4ee619a4fe271292a7bfb68c3bcd58c
Instruction ID: bbd0c33cd3cd2cb75e6bc7f6576f16285161144a7e3f72e4041fdf57bb84b462
Opcode Fuzzy Hash: 475da8d51e83c47d993c3c0809f6b002f4ee619a4fe271292a7bfb68c3bcd58c
Instruction Fuzzy Hash: 54D0A930406308EBC728DAA9C000729772CAB02201F0000ED850802290CA328E80C780

Uniqueness

Uniqueness Score: -1.00%

Function 05DFBD10 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a773231e9a531a3fdd94d8fed6f9f0aa7f1ada7b6a31cdf06f08ff2668bc9f5
Instruction ID: 547fef2b254df18515714e54d8e6efee70d1e88d3fb7e505ba3cf243a81143a8
Opcode Fuzzy Hash: 3a773231e9a531a3fdd94d8fed6f9f0aa7f1ada7b6a31cdf06f08ff2668bc9f5
Instruction Fuzzy Hash: 3BD0C77590524CEFD710DFB9D60575DB7FCE705201F104095D909D3340DA755E40D751

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB5D8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da1ba8a4408b53acd78123729eb51ef4f99d8f3052ee0496212d0e968da0ed2
Instruction ID: fdb51a06d6389b2b54b95e5ef52761b20630224d3f5680fe91345845f2169e8a
Opcode Fuzzy Hash: 3da1ba8a4408b53acd78123729eb51ef4f99d8f3052ee0496212d0e968da0ed2
Instruction Fuzzy Hash: 67D012B051520CEBD714DFA5D516769FB7CE706602F411099A90993290DF751D00D795

Uniqueness

Uniqueness Score: -1.00%

Function 05DFD200 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2de8669fcc7185af62569e439d7ce7f72f1bb11aa03a69c29670a2e196b8b65
Instruction ID: 029b946acef8fcda2710413023511e0cdc3563fa005c9b820b53e7c9bba08fbc
Opcode Fuzzy Hash: d2de8669fcc7185af62569e439d7ce7f72f1bb11aa03a69c29670a2e196b8b65
Instruction Fuzzy Hash: 10C0127045524CBBCB24DAA9D501B6D777CE742211F4000AD9509532A0DE715D00D795

Uniqueness

Uniqueness Score: -1.00%

Function 05DFB9E0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc879c0920d99b33863e17faba14e77d0461c0bb70be9962a9ac5bcd51fdbca4
Instruction ID: e3e201180a3dabd268423e64669fc4e3d9b0e69ae10fae64fbe81ed5e3321b4c
Opcode Fuzzy Hash: cc879c0920d99b33863e17faba14e77d0461c0bb70be9962a9ac5bcd51fdbca4
Instruction Fuzzy Hash: 45C0807144A24CFFD714DFA9D50176DBB7CF702211F10019D961953251DE711E40D795

Uniqueness

Uniqueness Score: -1.00%

Function 05DF2F38 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771c9bf37327bab88c3f3f01fb6365fc8760d6ad44c1227562cb4ab95e65878e
Instruction ID: 13eb7767e91d8bd87a070a31257e64c84ae45e5a29714d95ad20195daba3cf2c
Opcode Fuzzy Hash: 771c9bf37327bab88c3f3f01fb6365fc8760d6ad44c1227562cb4ab95e65878e
Instruction Fuzzy Hash: A9C08C3002420C97DB246FA5F90E3243F6C7B41203F442011B20E404608FB04814CB66

Uniqueness

Uniqueness Score: -1.00%

Function 05DFABC7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba394f38abf4a04d8cdc08b45709bf65ea0e8aa8a43d0d7d7bae355e8e78ce4
Instruction ID: 5d0b5b8bc0a7b21a1b9db038d3e671fd437c4745dd0ea30c20299dee62586c0a
Opcode Fuzzy Hash: 3ba394f38abf4a04d8cdc08b45709bf65ea0e8aa8a43d0d7d7bae355e8e78ce4
Instruction Fuzzy Hash: D6C00230928309CFCB04DF50E9998BDBB7EEB4B202B21A115A55E6B2518F306904CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7302 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe6c08dab70100d25f08c3510916babfef654350edf39758301e9b757fb1099
Instruction ID: e7bdc576af46505fe6fbb6bd490463809b2fcd13b6068159fcf2d6f151fd96f9
Opcode Fuzzy Hash: 3fe6c08dab70100d25f08c3510916babfef654350edf39758301e9b757fb1099
Instruction Fuzzy Hash: C1C01278A1068ADBCB10DFF0C25159C3B7AEB453067109624A0068BA08CA34AA0ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 05DFC3D6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17ceb91891771eb10ab559381b0f475de2d0d364be5690814517ff8d6480613
Instruction ID: e77378cbd07938053b3677f20742f580a9864294ac6fe186801aabcf8ca98d7c
Opcode Fuzzy Hash: d17ceb91891771eb10ab559381b0f475de2d0d364be5690814517ff8d6480613
Instruction Fuzzy Hash: 9FB01234A3D10CCFC700CF94E864CEC773AFB4E2017109400E016231158B305C05CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 062A1D20 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$q, xrefs: 062A1E60
$q, xrefs: 062A1E91
$q, xrefs: 062A2211
$q, xrefs: 062A221D
$q, xrefs: 062A1E54
$q, xrefs: 062A22D2
$q, xrefs: 062A1E85
$q, xrefs: 062A22C6
$q, xrefs: 062A22B0
$q, xrefs: 062A22BC

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: 4a43e5a1c7d798e3a8c592073e10a2fa3955bc1a242e4fdad20580206f016d35
Instruction ID: 56b88d17a657a7ab29609d6c68c4c340017e4d4279c26bb6d6f65566cf3aa25b
Opcode Fuzzy Hash: 4a43e5a1c7d798e3a8c592073e10a2fa3955bc1a242e4fdad20580206f016d35
Instruction Fuzzy Hash: 26123830E11319CFDB64DF65D844A9DB7B2BF89301F2485A9D80AAB254DB719D82CF80

Uniqueness

Uniqueness Score: -1.00%

Function 062A2400 Relevance: 3.0, Strings: 2, Instructions: 471COMMON

Download Yara Rule

Strings

$q, xrefs: 062A273D
$q, xrefs: 062A2749

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 0e4d3431268fb3abba3e3572080a5cdbbf9f4924de0a293574493a827114d1e7
Instruction ID: 3996cfe9825feb8dd561ceaf33ee1734df921a557befc3ca0e77d508e13abfee
Opcode Fuzzy Hash: 0e4d3431268fb3abba3e3572080a5cdbbf9f4924de0a293574493a827114d1e7
Instruction Fuzzy Hash: 39028D30B11316CFDB54DB68D9507AEBBA2FF84310F288529D805AB354DA75EE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08E8A418 Relevance: 2.0, Instructions: 1977COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c7ac5dbaa0105d2c8c4c80dd2f5d00baee3d3a9d0b6f495f772fd7fafe0161
Instruction ID: 17a52d1a02a52a0b19887a079b285dba0bbc51c58bc066a33da5d0ef9c9b3429
Opcode Fuzzy Hash: 62c7ac5dbaa0105d2c8c4c80dd2f5d00baee3d3a9d0b6f495f772fd7fafe0161
Instruction Fuzzy Hash: 0723FA31D10A19CEDB11EB68C8846ADF7B1FF99300F15D79AE45CA7221EB70AAC5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 062A6C30 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3674259501.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62a0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda0399aab2538bfedf829af3426436ae3d75368c103ad8ee835ec3f4363eac9
Instruction ID: 200e8380cffb5d2c2cfd33ccb810fb13b9b15b910429af0b7a81c91321a26b9d
Opcode Fuzzy Hash: dda0399aab2538bfedf829af3426436ae3d75368c103ad8ee835ec3f4363eac9
Instruction Fuzzy Hash: 2A329F34B102058FDB54DF68D990BAEBBB2FB88310F148529E805EB355DB79EC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05DF77B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68335e4b8c04e00c44af4f0b034dd7dc8b51de7ba9f5522e4c268cede3e819f0
Instruction ID: 5c333488d257a9bd7ad768daf3ada922b98cad3b0dbbf8d5eb04fb35ce8931b0
Opcode Fuzzy Hash: 68335e4b8c04e00c44af4f0b034dd7dc8b51de7ba9f5522e4c268cede3e819f0
Instruction Fuzzy Hash: 7EE10474E042598FDB14DFA8C580AAEBBF2FF89304F24816AD554AB356D730AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DF93F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b76e7efcb9d9e28609c49c30cce33bc677c2d6a691fbb451fe70138cf1c9a1
Instruction ID: 11b9746ef631dd782dbd559d32f35ff0c3ee38d56890be3fd56dc287b293c00b
Opcode Fuzzy Hash: 01b76e7efcb9d9e28609c49c30cce33bc677c2d6a691fbb451fe70138cf1c9a1
Instruction Fuzzy Hash: AFE11774E042598FDB14DFA9C590AAEFBF2BF89304F24816AD514AB355D730AD42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7380 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9eaf633fb5904e0315d9e5f02da58c4ad8073a527b71f9aa41aebd67588347
Instruction ID: c122ef21613d57bddf8386e02130496b25ac1dbdf411404181714c911cf74fea
Opcode Fuzzy Hash: cc9eaf633fb5904e0315d9e5f02da58c4ad8073a527b71f9aa41aebd67588347
Instruction Fuzzy Hash: 6DE1D474E042598FDB14DFA9C580AAEBBF2FF89304F24816AD515AB355D730AD42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DF8FB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b8e4c6852a6b3bfcb0fe8b964b33b776a93587635dfbe743045ad49ea6cca3
Instruction ID: 2b52baabd4d821c2d4ac9e23d832a721c9301b002c5c1e4c4198a43645e44c0a
Opcode Fuzzy Hash: c5b8e4c6852a6b3bfcb0fe8b964b33b776a93587635dfbe743045ad49ea6cca3
Instruction Fuzzy Hash: A4E11774E042598FDB14DFA9C590AAEFBF2BF89304F24816AD514AB355D730AD42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DF9828 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbab83fdbc5fbec7900be601d953f501cf1f817fb3e8f284f8b8dd771cc0206
Instruction ID: 45e1e5dc00c1d7ebcb0b9922f094ac543f145864b3c23e889628cb7b9e4eb461
Opcode Fuzzy Hash: 6bbab83fdbc5fbec7900be601d953f501cf1f817fb3e8f284f8b8dd771cc0206
Instruction Fuzzy Hash: C0E11874E042598FDB14DFA8C590AAEFBF2BF89304F25816AD554AB355C730AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08E809C8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3675143831.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bee5015d2fa54a8b9b0980c5c91fd950e74b50e9e1b8413b3d73af873ccaf43
Instruction ID: 1b0835e715e5b18edad3cfc92e0c5ad09d7fa141f9d632b2c7d0f5883ae4c206
Opcode Fuzzy Hash: 7bee5015d2fa54a8b9b0980c5c91fd950e74b50e9e1b8413b3d73af873ccaf43
Instruction Fuzzy Hash: EAB18E71E00A09CFDB24DFA8C88579DBBF2BF48319F149529D81DAB294EB749845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 014EEFC4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3665084494.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d056ca79fe4e3bcbae564b2780148213986bb4c665f4dfad3ece6866d5f8e4fa
Instruction ID: fd2e79f7f54cd72ded2cdc34aece56d3ffeeb50e5ab0439c99494a7952934d19
Opcode Fuzzy Hash: d056ca79fe4e3bcbae564b2780148213986bb4c665f4dfad3ece6866d5f8e4fa
Instruction Fuzzy Hash: 82A18F32E10219CFCF05DFB5C48859EBBF2FF94301B15856AE905AB261DB71E95ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0BC0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db5f4270c4f00f5d27418e6f25f96cbc2cf392d6507ec9c88936b6130969094
Instruction ID: 0d4714869a584a58f86404cd35f2bb8704e9d16935dac55fbd5f473bd069a29f
Opcode Fuzzy Hash: 1db5f4270c4f00f5d27418e6f25f96cbc2cf392d6507ec9c88936b6130969094
Instruction Fuzzy Hash: 7451F4B4E052199FCB04DFAAD9849EEFBF6BF89300F15C126D509A7355DB30A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DF77A8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a17bb55102107ac8a143fc5b1378b38b1af4a40422f7f14add6b8c14d2651b7
Instruction ID: d64769caf5ccd8db0ab8b2c0250dd94180281cad3548739e72138e45ad278306
Opcode Fuzzy Hash: 7a17bb55102107ac8a143fc5b1378b38b1af4a40422f7f14add6b8c14d2651b7
Instruction Fuzzy Hash: 5F511974E042198BDB14CFA9C5806EEFBF2FF89205F24816AD518AB355D7309D41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF8FAB Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af50e80d6471f59e40e026ec3751f6c84f55cdd17c5a6c54b54cbee9ab314ae1
Instruction ID: 176e497372f7eedc0c7531c7397f5b8b838411d1b4c122be44647f3033725b50
Opcode Fuzzy Hash: af50e80d6471f59e40e026ec3751f6c84f55cdd17c5a6c54b54cbee9ab314ae1
Instruction Fuzzy Hash: DB512B70E002198FDB14CFA9C9906AEFBF2BF89304F24816AD518AB355D7319D42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF93E0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84ea2e5be3f80babe763cb0671f656de5ac53df5389f08c9a5060f0a14d49ec
Instruction ID: 9498964f1a3ac32f1fe1839c4c636ce206510348f41661b680318d55c2e958dc
Opcode Fuzzy Hash: e84ea2e5be3f80babe763cb0671f656de5ac53df5389f08c9a5060f0a14d49ec
Instruction Fuzzy Hash: 78510770E042198FDB14CFA9C5806AEFBF2BF89304F2481AAD518AB355D7319D42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7373 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0573e72551758f0deca8285e4026a74e68f88c3cc3cfec08a556e1733d7993c6
Instruction ID: c24fa4b5f9dbff63021e43a477d4e4925f8268f594ec30a8a53dfa563f14f1a3
Opcode Fuzzy Hash: 0573e72551758f0deca8285e4026a74e68f88c3cc3cfec08a556e1733d7993c6
Instruction Fuzzy Hash: EE510974E042198BDB15CFA9C980AAEFBF2FF89304F24816AD518AB355D7319D41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF0BB0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672463142.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5df0000_2AylrL13DwoqmCT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cdff9f5f1dea137147beb0ffb692cdf656b722f7a81c5f5b70e6fd9396f037e
Instruction ID: 333339813a61511a379f3f179586406cb3a3dfd5466d00b639949d25f6ead636
Opcode Fuzzy Hash: 0cdff9f5f1dea137147beb0ffb692cdf656b722f7a81c5f5b70e6fd9396f037e
Instruction Fuzzy Hash: C04105B5E016089FDB08DFAAD9846EEFBF2FF88300F14C02AD449A7355DB3099428B50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: KrzbVJsCi.exePID: 5816, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	53
Total number of Limit Nodes:	10

Executed Functions

Function 02BDD4D0 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02BDD55E
GetCurrentThread.KERNEL32 ref: 02BDD59B
GetCurrentProcess.KERNEL32 ref: 02BDD5D8
GetCurrentThreadId.KERNEL32 ref: 02BDD631

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bd76f1fa8446d9219ba60d1e747bcc6fd41805558c220d2db38435db41ed8133
Instruction ID: 73f03deeb0c8884bb1e82630e61d51d3763b8939cbe15b339005efab86e629f7
Opcode Fuzzy Hash: bd76f1fa8446d9219ba60d1e747bcc6fd41805558c220d2db38435db41ed8133
Instruction Fuzzy Hash: 395152B190034ACFDB14DFAAD548BDEBBF1AF48308F248499D009A7361DB346845CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02BDD4E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02BDD55E
GetCurrentThread.KERNEL32 ref: 02BDD59B
GetCurrentProcess.KERNEL32 ref: 02BDD5D8
GetCurrentThreadId.KERNEL32 ref: 02BDD631

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f85c5ae5a3c99b96e2abb6b0d541def07cfd366e71825916a002cbe5995a1ae1
Instruction ID: c090c605789dfa2c844cf42ad565e2252d3fbf1cab05978ec90dcaca4e75dcb3
Opcode Fuzzy Hash: f85c5ae5a3c99b96e2abb6b0d541def07cfd366e71825916a002cbe5995a1ae1
Instruction Fuzzy Hash: 1D5143B190024ACFDB14DFAAD548BDEBBF1EF88308F208499E419A7351DB34A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02BDAE48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BDB09E

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0bad041100c399486e593798278ee3f2d94fc4755f730ee7d4ed50c0c88b88e7
Instruction ID: 534a3159c3f1387921d97bd6cf39e05036989ea7a6402849d269a499b5aec2e1
Opcode Fuzzy Hash: 0bad041100c399486e593798278ee3f2d94fc4755f730ee7d4ed50c0c88b88e7
Instruction Fuzzy Hash: 977144B1A00B058FD728DF2AD45479ABBF1FF88304F00896DD49AD7A50E735E945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4508 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BD59E9

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 47ca6c73a0f47c476d6b37aad5fda92be74550ca5a132c71067f03a29ae2fcf1
Instruction ID: 7aa95cd06725240fdab4fb7481af4f52628a89dd87233fe67d9432c1b2d07b39
Opcode Fuzzy Hash: 47ca6c73a0f47c476d6b37aad5fda92be74550ca5a132c71067f03a29ae2fcf1
Instruction Fuzzy Hash: 0241D371C00729CBEB25DFA9C844BCDBBB5BF48304F60816AD419AB251DB75694ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 02BD592D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BD59E9

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8d1e6cb3cb7e45b881c0de82709abb326ff71b095ba23cb62ba9f1d23318d422
Instruction ID: 3ac8220c66056793d036236ea6e3b6abc562d32d79da3a75b6f8b8919e4b4f56
Opcode Fuzzy Hash: 8d1e6cb3cb7e45b881c0de82709abb326ff71b095ba23cb62ba9f1d23318d422
Instruction Fuzzy Hash: 9A41E271C00769CBEB24DFA9C884BCDFBB1BF49304F2081AAD419AB250DB75694ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 02BDD720 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BDD7AF

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f02de489148a443eb02edd007ed9002697aebc5b4303deb0350c3332f4a2ee8e
Instruction ID: 67737af1fed9f523d0cdc53457824eb5e38b5876b158c8334beb274d067508ec
Opcode Fuzzy Hash: f02de489148a443eb02edd007ed9002697aebc5b4303deb0350c3332f4a2ee8e
Instruction Fuzzy Hash: 1B21E3B6D002099FDB10CF9AD985BDEBBF5FB08310F14845AE954A7250D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02BDD728 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BDD7AF

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e3e41c8857958a909e6099dc601e878eb8c6692f578b98d324d3357f6fca6b34
Instruction ID: d078b0c94ff8a266f3271ce4920a96e9e979314e862c6f38d032905e6ceef7e3
Opcode Fuzzy Hash: e3e41c8857958a909e6099dc601e878eb8c6692f578b98d324d3357f6fca6b34
Instruction Fuzzy Hash: 8C21E4B5D002099FDB10CF9AD985ADEBBF5FB48310F14845AE954A3350D375A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BDA228 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BDB119,00000800,00000000,00000000), ref: 02BDB72A

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 06da7deb2ee27ba98e463f24c4ba17ab3bc321bbb4f2ad1d69dd1e39cdf60c9d
Instruction ID: 6e897aa0dde96cc2cc82cd70d7406c64e3ef2a0e72b2659b75b4d02a7840aa70
Opcode Fuzzy Hash: 06da7deb2ee27ba98e463f24c4ba17ab3bc321bbb4f2ad1d69dd1e39cdf60c9d
Instruction Fuzzy Hash: 9A1122B6D002098BCB20CF9AC444BDEFBF4EB48314F10846EE819A7200C375A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02BDB6BB Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BDB119,00000800,00000000,00000000), ref: 02BDB72A

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 365e3eb2e47222c0e243a4e339b38d1be882764eb2a1606c439d01e1db8ae5f2
Instruction ID: 9e0daed0fd340485d97bbe89404d586c40b95f89eb6e25c531b595c7e398315c
Opcode Fuzzy Hash: 365e3eb2e47222c0e243a4e339b38d1be882764eb2a1606c439d01e1db8ae5f2
Instruction Fuzzy Hash: 491142B6C003098FDB20CFAAC484BDEFBF4EB48314F10846AD818A7200C374A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BDB038 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BDB09E

Memory Dump Source

Source File: 00000006.00000002.1251559937.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bd0000_KrzbVJsCi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0a67981c0d76178178258b15a1a34fea678600986d1d5412216b5bb7122a31d2
Instruction ID: 7b2626291fa6b7ddb1c59dfc5f0eb54951f2934e7cdc0986ff82d0bf4f642893
Opcode Fuzzy Hash: 0a67981c0d76178178258b15a1a34fea678600986d1d5412216b5bb7122a31d2
Instruction Fuzzy Hash: BB1102B6C002498FCB20DF9AC444BDEFBF5EB88314F11845AD828A7610D375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011ED1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1251215396.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11ed000_KrzbVJsCi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc01cb472b6e0c5dea013a8621d6cb3c5572bdd2e3c1bead30f27259d667c4be
Instruction ID: 11b28995d5c2b018f27cb60e442c4f070d673f7ff64452dce925ffaeb7304562
Opcode Fuzzy Hash: fc01cb472b6e0c5dea013a8621d6cb3c5572bdd2e3c1bead30f27259d667c4be
Instruction Fuzzy Hash: EE21D376504641DFDF19DFD4E9C8B26BBA5FB88320F24C5A9E9090B246C336D416CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1251258651.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11fd000_KrzbVJsCi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13794409a39e38d5a081b674387dec987c849dea83603539986696ae49684c8d
Instruction ID: 7491c787da90909f6c42242d79ddcb8a9c79b2cf68bd7e4dc5ebed75206b259d
Opcode Fuzzy Hash: 13794409a39e38d5a081b674387dec987c849dea83603539986696ae49684c8d
Instruction Fuzzy Hash: C7212271604300DFDF19DF54E9C4B26BB61EB84314F20C6ADEA0A4B386C336D807CA62

Uniqueness

Uniqueness Score: -1.00%

Function 011FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1251258651.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11fd000_KrzbVJsCi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7a296ccc2161fb71be784f867b39864c46110953c7aee1e01cc223df27368d
Instruction ID: 235df789ae218eb38418105323c4d190912505553ea39b1d7ba9c4d60edca704
Opcode Fuzzy Hash: 2f7a296ccc2161fb71be784f867b39864c46110953c7aee1e01cc223df27368d
Instruction Fuzzy Hash: 13210779604300DFDF19DF94E9C4B26BB65FB84324F20C56DEA494B256C336D446CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1251258651.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11fd000_KrzbVJsCi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97a630965075ff6fd2852d8d0032f8c24943a70e4eaf36e7529cf5c194c12e1
Instruction ID: 8fdba49c0a5557d4b42ab9c2b201303bbd852304e64042943590de2d43968c35
Opcode Fuzzy Hash: e97a630965075ff6fd2852d8d0032f8c24943a70e4eaf36e7529cf5c194c12e1
Instruction Fuzzy Hash: B821AE755093808FCB07CF24D990B15BF71EB46214F28C5EED9498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 011ED1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1251215396.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11ed000_KrzbVJsCi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
Instruction ID: 693449163cf68a2eb364748041ecaad919082c29079bbcd0e554ca83650836af
Opcode Fuzzy Hash: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
Instruction Fuzzy Hash: 8621CD76504640CFCF0ACF94D9C4B16BFA2FB84320F24C1A9DC090A256C33AD426CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1251258651.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11fd000_KrzbVJsCi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: dd30b6fd3983e5965601338168f49421bd9e6f4e628ee86a2786c56f03c41fae
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: EA11BE79504240DFCB06CF54D5C0B25BB61FB84324F24C6AED9494B296C33AD40ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 011ED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1251215396.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11ed000_KrzbVJsCi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db7f629ff2b83775ce6c6661a9f069967b0cf83e8dba1fa5118b99e00492c5a
Instruction ID: e46b2e525707b11e397458a3d4b5e297dbba55390aee4e8fc502b197d3969735
Opcode Fuzzy Hash: 2db7f629ff2b83775ce6c6661a9f069967b0cf83e8dba1fa5118b99e00492c5a
Instruction Fuzzy Hash: 8801F731944F809AFB285BD5DCC8B26BFD8DF41229F08C51AED190A282D3399841CBB3

Uniqueness

Uniqueness Score: -1.00%

Function 011ED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1251215396.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11ed000_KrzbVJsCi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63007f6b0ff16339bae0d4ccd25dd7b867cbdc345ca40ff0563499a78f25e7f0
Instruction ID: 92cb12fd087324befba906d18b740ad56ce55f2415412910094eafdb0622bb68
Opcode Fuzzy Hash: 63007f6b0ff16339bae0d4ccd25dd7b867cbdc345ca40ff0563499a78f25e7f0
Instruction Fuzzy Hash: 02F0C2314447809EEB148F9ADC88B62FFE8EB41234F18C45AED080A286C3799840CBB2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2AylrL13DwoqmCT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KrzbVJsCi.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04yv3fqf.v3j.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1w5iscqo.xmj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5l2m33in.lap.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqbg4zb1.vqo.ps1

C:\Users\user\AppData\Local\Temp\tmpBBC2.tmp

C:\Users\user\AppData\Roaming\KrzbVJsCi.exe

C:\Users\user\AppData\Roaming\KrzbVJsCi.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
2AylrL13DwoqmCT.exe

Function 08E8D518 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Function 062AA981 Relevance: 2.8, Strings: 2, Instructions: 340
COMMON

Function 08E8F650 Relevance: 1.8, Strings: 1, Instructions: 600
COMMON

Function 062A8E58 Relevance: 1.8, Strings: 1, Instructions: 579
COMMON

Function 014EAE48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre