Edit tour

Windows Analysis Report
rNNA.exe

Overview

General Information

Sample name:	rNNA.exe
Analysis ID:	1427030
MD5:	c71fea294e5bd3beb3f863db4d43a1cb
SHA1:	3a8d98955e1dee1ce2a1d95af5515b43f8744d43
SHA256:	6f786b8f8dd18709b9e4ad44e33cb1074d55aa2f0f3cd1fe3759e8795df0a3a9
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rNNA.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\rNNA.exe" MD5: C71FEA294E5BD3BEB3F863DB4D43A1CB)

powershell.exe (PID: 7236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7552 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7252 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rNNA.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\rNNA.exe" MD5: C71FEA294E5BD3BEB3F863DB4D43A1CB)

wZnyuP.exe (PID: 7444 cmdline: C:\Users\user\AppData\Roaming\wZnyuP.exe MD5: C71FEA294E5BD3BEB3F863DB4D43A1CB)

schtasks.exe (PID: 7692 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wZnyuP.exe (PID: 7748 cmdline: "C:\Users\user\AppData\Roaming\wZnyuP.exe" MD5: C71FEA294E5BD3BEB3F863DB4D43A1CB)

wZnyuP.exe (PID: 7756 cmdline: "C:\Users\user\AppData\Roaming\wZnyuP.exe" MD5: C71FEA294E5BD3BEB3F863DB4D43A1CB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pbjv.net", "Username": "m.muthu@pbjv.net", "Password": "muthu12345***"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2910329972.0000000003269000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2910473470.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2910473470.0000000002A89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2910329972.000000000323E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2910473470.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2910473470.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2910329972.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2910329972.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rNNA.exe PID: 6984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rNNA.exe PID: 6984	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rNNA.exe PID: 6984	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rNNA.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rNNA.exe PID: 7392	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wZnyuP.exe PID: 7444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wZnyuP.exe PID: 7756	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wZnyuP.exe PID: 7756	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rNNA.exe.41f0310.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rNNA.exe.41f0310.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rNNA.exe.41f0310.10.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31767:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31883:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3195f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a85:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rNNA.exe.41b58f0.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rNNA.exe.41b58f0.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rNNA.exe.41b58f0.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31767:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31883:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3195f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a85:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rNNA.exe.41f0310.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rNNA.exe.41f0310.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rNNA.exe.41f0310.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rNNA.exe.41f0310.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33567:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33683:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3375f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33885:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rNNA.exe.41b58f0.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rNNA.exe.41b58f0.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rNNA.exe.41b58f0.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rNNA.exe.41b58f0.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df15:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33567:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df87:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e011:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33683:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0a3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e10d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3375f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e17f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e215:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33885:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2a5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rNNA.exe", ParentImage: C:\Users\user\Desktop\rNNA.exe, ParentProcessId: 6984, ParentProcessName: rNNA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe", ProcessId: 7236, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\wZnyuP.exe, ParentImage: C:\Users\user\AppData\Roaming\wZnyuP.exe, ParentProcessId: 7444, ParentProcessName: wZnyuP.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp", ProcessId: 7692, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 203.175.171.5, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\rNNA.exe, Initiated: true, ProcessId: 7392, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rNNA.exe", ParentImage: C:\Users\user\Desktop\rNNA.exe, ParentProcessId: 6984, ParentProcessName: rNNA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp", ProcessId: 7252, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rNNA.exe", ParentImage: C:\Users\user\Desktop\rNNA.exe, ParentProcessId: 6984, ParentProcessName: rNNA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe", ProcessId: 7236, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rNNA.exe", ParentImage: C:\Users\user\Desktop\rNNA.exe, ParentProcessId: 6984, ParentProcessName: rNNA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp", ProcessId: 7252, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.rNNA.exe.41f0310.10.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pbjv.net", "Username": "m.muthu@pbjv.net", "Password": "muthu12345***"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wZnyuP.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: rNNA.exe

ReversingLabs: Detection: 42%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wZnyuP.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rNNA.exe

Joe Sandbox ML: detected

Source: rNNA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rNNA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.rNNA.exe.41f0310.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41b58f0.9.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 203.175.171.5:587

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 203.175.171.5:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mail.pbjv.net

Source: rNNA.exe, 00000006.00000002.2907319846.0000000001406000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: rNNA.exe, 00000006.00000002.2907319846.0000000001406000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rNNA.exe, 00000006.00000002.2907319846.0000000001376000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2907319846.0000000001406000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2920697212.0000000006219000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: rNNA.exe, 00000006.00000002.2919997760.0000000006BB2000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2907319846.0000000001406000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2920697212.00000000061F2000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.pbjv.net
Source: rNNA.exe, 00000006.00000002.2919997760.0000000006BB2000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2907319846.0000000001376000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2907319846.0000000001406000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2920697212.00000000061F2000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2920697212.0000000006219000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pbjv.net
Source: rNNA.exe, 00000000.00000002.1689121052.0000000003024000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 00000007.00000002.1718509352.0000000002774000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rNNA.exe, 00000000.00000002.1698474694.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.coms
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: rNNA.exe, 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: rNNA.exe, 00000006.00000002.2919997760.0000000006BB2000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2907319846.0000000001406000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2920697212.00000000061F2000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, lK61.cs

.Net Code: _1ksIYAzV

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rNNA.exe.41f0310.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rNNA.exe.41b58f0.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rNNA.exe.41b58f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: rNNA.exe, GPResults.cs	Large array initialization: : array initializer size 631432
Source: 0.2.rNNA.exe.7750000.12.raw.unpack, SQL.cs	Large array initialization: : array initializer size 13797

Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_02F1480C	0_2_02F1480C
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_02F1787F	0_2_02F1787F
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_07630040	0_2_07630040
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_076301E8	0_2_076301E8
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_07660720	0_2_07660720
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_076649C0	0_2_076649C0
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_076649B0	0_2_076649B0
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_07664988	0_2_07664988
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_092D4640	0_2_092D4640
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_092D6168	0_2_092D6168
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_092DC280	0_2_092DC280
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_094709F0	0_2_094709F0
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_09477348	0_2_09477348
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_09477358	0_2_09477358
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_094752E8	0_2_094752E8
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_0947570F	0_2_0947570F
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_09476F20	0_2_09476F20
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_09475720	0_2_09475720
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_0947AE30	0_2_0947AE30
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_09474EB0	0_2_09474EB0
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_014D41C8	6_2_014D41C8
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_014D9BF8	6_2_014D9BF8
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_014D4A98	6_2_014D4A98
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_014DCF48	6_2_014DCF48
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_014D3E80	6_2_014D3E80
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C2EF0	6_2_066C2EF0
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C56D8	6_2_066C56D8
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C3F48	6_2_066C3F48
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066CDD20	6_2_066CDD20
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C05B8	6_2_066C05B8
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C8B98	6_2_066C8B98
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C3648	6_2_066C3648
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C4FF8	6_2_066C4FF8
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066CBFD0	6_2_066CBFD0
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_014D9BF7	6_2_014D9BF7
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_00CB480C	7_2_00CB480C
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_00CB7880	7_2_00CB7880
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068B4640	7_2_068B4640
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068B4630	7_2_068B4630
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068BC513	7_2_068BC513
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068B6168	7_2_068B6168
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068D0720	7_2_068D0720
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068D49B0	7_2_068D49B0
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068D49C0	7_2_068D49C0
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D94EB0	7_2_06D94EB0
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D9570F	7_2_06D9570F
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D96F20	7_2_06D96F20
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D95720	7_2_06D95720
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D952E8	7_2_06D952E8
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D9A230	7_2_06D9A230
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D97358	7_2_06D97358
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D97348	7_2_06D97348
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_00EC4A98	12_2_00EC4A98
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_00EC9B38	12_2_00EC9B38
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_00EC3E80	12_2_00EC3E80
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_00ECCE80	12_2_00ECCE80
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_00ECC06F	12_2_00ECC06F
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_00EC41C8	12_2_00EC41C8
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_0581BD10	12_2_0581BD10
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_0581DD10	12_2_0581DD10
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_05818B8A	12_2_05818B8A
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_05819AE8	12_2_05819AE8
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_05814FF8	12_2_05814FF8
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_05813F48	12_2_05813F48
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_058156D8	12_2_058156D8
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_05812EF0	12_2_05812EF0
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_05813637	12_2_05813637
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 12_2_05810040	12_2_05810040

Source: rNNA.exe, 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename824a3756-845d-44e4-acb3-928574fce78b.exe4 vs rNNA.exe
Source: rNNA.exe, 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rNNA.exe
Source: rNNA.exe, 00000000.00000002.1689121052.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename824a3756-845d-44e4-acb3-928574fce78b.exe4 vs rNNA.exe
Source: rNNA.exe, 00000000.00000002.1700239729.0000000007750000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs rNNA.exe
Source: rNNA.exe, 00000000.00000002.1687177496.000000000145E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rNNA.exe
Source: rNNA.exe, 00000000.00000002.1689121052.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs rNNA.exe
Source: rNNA.exe, 00000000.00000000.1658556443.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemUJu.exe: vs rNNA.exe
Source: rNNA.exe, 00000000.00000002.1702673150.00000000096A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rNNA.exe
Source: rNNA.exe, 00000006.00000002.2907245460.00000000012F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rNNA.exe
Source: rNNA.exe	Binary or memory string: OriginalFilenamemUJu.exe: vs rNNA.exe

Source: rNNA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.rNNA.exe.41f0310.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rNNA.exe.41b58f0.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rNNA.exe.41b58f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: rNNA.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wZnyuP.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, B2q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, B2q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, JzkeW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, JzkeW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, JzkeW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, JzkeW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, mVrrG0SDJrG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rNNA.exe.41f0310.10.raw.unpack, mVrrG0SDJrG.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, oSJuv0s4i9E6iOJbFZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, oSJuv0s4i9E6iOJbFZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/11@1/1

Source: C:\Users\user\Desktop\rNNA.exe

File created: C:\Users\user\AppData\Roaming\wZnyuP.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03

Source: C:\Users\user\Desktop\rNNA.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp

Jump to behavior

Source: rNNA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rNNA.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\rNNA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rNNA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rNNA.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rNNA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rNNA.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\rNNA.exe

File read: C:\Users\user\Desktop\rNNA.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rNNA.exe "C:\Users\user\Desktop\rNNA.exe"
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Users\user\Desktop\rNNA.exe "C:\Users\user\Desktop\rNNA.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wZnyuP.exe C:\Users\user\AppData\Roaming\wZnyuP.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Users\user\AppData\Roaming\wZnyuP.exe "C:\Users\user\AppData\Roaming\wZnyuP.exe"
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Users\user\AppData\Roaming\wZnyuP.exe "C:\Users\user\AppData\Roaming\wZnyuP.exe"
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Users\user\Desktop\rNNA.exe "C:\Users\user\Desktop\rNNA.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Users\user\AppData\Roaming\wZnyuP.exe "C:\Users\user\AppData\Roaming\wZnyuP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Users\user\AppData\Roaming\wZnyuP.exe "C:\Users\user\AppData\Roaming\wZnyuP.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\rNNA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rNNA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\rNNA.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rNNA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rNNA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	.Net Code: AuSuv14xWT4hLXMXdi2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	.Net Code: AuSuv14xWT4hLXMXdi2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rNNA.exe.7750000.12.raw.unpack, SQL.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_0766FB3B push FFFFFF8Bh; retf	0_2_0766FB3F
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_0768223B push ebp; ret	0_2_07682248
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_092D5390 push 0C418B05h; ret	0_2_092D53A3
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_092DF64F push C0335005h; mov dword ptr [esp], eax	0_2_092DF663
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 0_2_092DF694 push C0335005h; mov dword ptr [esp], eax	0_2_092DF663
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066CDB5C push FFFFFFE8h; retf	6_2_066CDB61
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C235B push edx; iretd	6_2_066C2372
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C2350 push edx; iretd	6_2_066C235A
Source: C:\Users\user\Desktop\rNNA.exe	Code function: 6_2_066C8B8A push es; iretd	6_2_066C8B96
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068F0EE2 push es; ret	7_2_068F0EF0
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_068F223B push ebp; ret	7_2_068F2248
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06A03FA2 push es; ret	7_2_06A03FA8
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06A03F4A push es; iretd	7_2_06A03F50
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06A04096 push es; iretd	7_2_06A0409C
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06A0401D push es; retf	7_2_06A04024
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D9CF95 push FFFFFF8Bh; iretd	7_2_06D9CF97
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D99260 pushad ; retf	7_2_06D99261
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Code function: 7_2_06D9D874 push edx; ret	7_2_06D9D87B

Source: rNNA.exe	Static PE information: section name: .text entropy: 7.784489676422327
Source: wZnyuP.exe.0.dr	Static PE information: section name: .text entropy: 7.784489676422327

Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, TFU7OEOCenJdNgHXXR.cs	High entropy of concatenated method names: 'e9U10rpNqt', 'piV1pNc1sQ', 'slt1Zyg675', 'xdm18ncu9m', 'o1T1g96IUW', 'wO81PDMH4r', 'v701tgBc8C', 'XCg17KI5Eg', 'M0k1SAg51a', 'kwC1bIuOZk'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, oSJuv0s4i9E6iOJbFZ.cs	High entropy of concatenated method names: 'Vbd4GfC2D5', 'MSt49nHAPl', 'uPP43ncY1F', 'fxJ4v43vCp', 'IX04yZbN5p', 'D6g4MF5B7w', 'Qli4AajjSV', 'haF4JJ5rCp', 'wbV4BZXO67', 'zIX4Ip0UD9'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, CFkMRMnOrncPkNcVM7.cs	High entropy of concatenated method names: 'Dispose', 'b3LaBIfqsn', 'UaQmi8LfSS', 'kGRRRud94L', 'm15aIicPoW', 'AJTazuvGUx', 'ProcessDialogKey', 'moIm5ATcGM', 'GXema4WnDr', 'uR9mmQ4K7P'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, gLFgNTpDvFFQ0Quoh76.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WKp2GZFgEk', 'IQe29uIMdn', 'MQS23ZM0Le', 'lrf2v3uksq', 'MGo2yqJEij', 'Igl2MpBWkT', 'iG72A0i14t'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, J79WTJpmftIhoTV9FiW.cs	High entropy of concatenated method names: 'swud0dHfGW', 'PPwdpULMNF', 't6TdZo1syt', 'IdDd8VjWT4', 'wR6dgufVYF', 'DSidPLjU39', 'fG7dt0o6dV', 'LCVd7DOXwe', 't6RdSRBh4M', 'T2jdb7RV4M'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, Q8tcVrfcpwla0nUGDY.cs	High entropy of concatenated method names: 'ToString', 'hOFwLGxYBa', 'Db5wiX1siu', 's06wDjrxQ0', 'bcOwW7vwID', 'Y1DwFXKyRS', 'mjGwj3vJ3I', 'L3FwhmjRyP', 'lIowN8cuAe', 'k1Fwk8hGUP'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, ioAaKJeTMiDIDcxpTF.cs	High entropy of concatenated method names: 'H0ta1EA5SG', 'PIkaoPYFmR', 'JYGaq6AZ56', 'vD3aYKhk5v', 'jmmalCs5Kq', 'i4yawHdLao', 'NDvXDaMWjMAgtjFgE2', 'cyfoJ9Uc13e5YsK45W', 'zAmaa8CmGq', 'LEtaOhhqew'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, dCKYUrjXOXcIT9y3vI.cs	High entropy of concatenated method names: 'MmffT3XATF', 'bhcfiNdEPA', 'KUlfD2JnYL', 'L52fW5j5EV', 'iwpfGBMyDq', 'FY2fFiV4G7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, MrT2AfiN81blrM7ofh.cs	High entropy of concatenated method names: 'Fil68wRVKh', 'uV96PgsEAu', 'wGW67Fa14W', 'iLi6SF1QQU', 'R3D6lF5cYk', 'YyD6wFTLn3', 'r5s6cAOTPE', 'uT26fMxvgs', 'Axv6dcNtid', 'EWW62x0JWN'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, V3prQuAj3Ol4OExEGv.cs	High entropy of concatenated method names: 'VPKfngqLZD', 'ctvf4lSqmn', 't6Kf6sTWFR', 'eN6frFr9NH', 'DqvfsFFBEL', 'g7Of1PbsFF', 'nL5foJpBCl', 'ArufXnEolv', 'WFnfqPavWT', 'fMJfYK3LF9'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, ywb8dSUlRHcITytTBP.cs	High entropy of concatenated method names: 'v1Trghfk51', 'zWCrt9RyXT', 'qRn6DM2aH8', 'rF36WuVWFf', 'Yfi6FbSECt', 'j4d6jpQxwE', 'tLn6hNNvuC', 'duX6NaTxcD', 'eLs6kfqbPN', 'wQq6KvsqVR'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, L0scfAZViKfKXE4Hg6.cs	High entropy of concatenated method names: 'GoUsHUjcLE', 'l4Bs4ciWeA', 'A1lsrYmU5u', 'J6ls12hdkG', 'pH4soEeAmi', 'r6Vryqm8uA', 'MWhrMRmkfC', 'X3UrA9E4wb', 'adyrJkqPpD', 'BJ8rB91Q1I'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, JUWfI2zWuid0Q7O0ZT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FvCdVBYBY3', 'MMcdlKhE7Q', 'R7bdwcBg53', 'grDdcV5P3D', 'Iokdfwtdsv', 'vV0ddqQBBj', 'DiNd2bJVBk'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	High entropy of concatenated method names: 'qwxOHLyv85', 'xo4On4KijT', 'tGtO4MU2X3', 'UhqO64N7nm', 'e9FOrnTEMX', 'mdbOsDJZkN', 'ie2O1uJP7v', 'RAKOoD8Zdj', 'IiROXmk3Un', 'mu1Oqlj2iW'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, LaiKv15nLAvK9HiqXE.cs	High entropy of concatenated method names: 'KJodaK2pB4', 'OUgdOLHLjB', 'FcTdQEkgb6', 'GxDdnTyJVg', 'Uhdd4kL5ud', 'sKvdrq8S3n', 'sCpdsG6tT0', 'H82fAm2Mn1', 'OFOfJ69G0i', 'LQvfBe4xgp'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, UhXjfdrLjoQJACNZXp.cs	High entropy of concatenated method names: 'k8AV7MDF0Z', 'gIOVS8JeGK', 'mYtVT1H95B', 'StuViTsro7', 'grVVW8cgVJ', 'Tt2VFSFurG', 'M7AVhqmqlC', 'oCPVNN60k4', 'QoBVK4Aqu3', 'smoVL7l3c3'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, yfLSmUJL7Z9ql1Bg8U.cs	High entropy of concatenated method names: 'QTj1n7xIKB', 'npi16AYrGb', 'xAs1sceBq5', 'tUisIqWQAK', 'MgVszLQQd6', 'Q0D15V1Y1m', 'Dkd1a1vQGX', 'owu1mkSP8e', 'o081O2TZHc', 'yrZ1QecFU0'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, U3WXjgkIoYPtq8pCPP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uWXmBfuuuN', 'yxUmIZRFLx', 'Ms5mzKCgrU', 'n4BO5S4upY', 'q0oOakFsbK', 'YUMOmyKRPt', 'wonOOOvjan', 'ipKWIs4qRCkvW7cqTIw'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, jCHoQs4nofL44OacKx.cs	High entropy of concatenated method names: 'D9JZv46aD', 'rvC8A2YCm', 'iPMPwl4E6', 'tC1trdkLt', 'y67SMuhcv', 'MyJbUeo1v', 'WnpxdWkCYxRA8Cqd8F', 'tORjKHPvhoxhZEc91h', 'mref77Ptw', 'vVZ2ymoiE'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, NlMwpiGmyTNGuLogXe.cs	High entropy of concatenated method names: 'tOacqJh5GA', 'FVacYsgqrj', 'ToString', 'xlQcnZlWp7', 'eMdc4fbHbx', 'a3Zc6JGUdo', 'grYcrMfBZK', 'sOLcsRU0UH', 'o3vc1emvxq', 'v8JcoHUN0F'
Source: 0.2.rNNA.exe.96a0000.16.raw.unpack, RTRqeKChxrikX2k2eR.cs	High entropy of concatenated method names: 'GiNVSGKySP8VUaHonO9', 'zN47tQKTVDeCUjajadx', 'eSEsfXAcdM', 'qjLsdhHFta', 'sAJs27ejYo', 'BPuhBiKwWQiXDZXhk26', 'EII46jKvsnjp64ihgik'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, TFU7OEOCenJdNgHXXR.cs	High entropy of concatenated method names: 'e9U10rpNqt', 'piV1pNc1sQ', 'slt1Zyg675', 'xdm18ncu9m', 'o1T1g96IUW', 'wO81PDMH4r', 'v701tgBc8C', 'XCg17KI5Eg', 'M0k1SAg51a', 'kwC1bIuOZk'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, oSJuv0s4i9E6iOJbFZ.cs	High entropy of concatenated method names: 'Vbd4GfC2D5', 'MSt49nHAPl', 'uPP43ncY1F', 'fxJ4v43vCp', 'IX04yZbN5p', 'D6g4MF5B7w', 'Qli4AajjSV', 'haF4JJ5rCp', 'wbV4BZXO67', 'zIX4Ip0UD9'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, CFkMRMnOrncPkNcVM7.cs	High entropy of concatenated method names: 'Dispose', 'b3LaBIfqsn', 'UaQmi8LfSS', 'kGRRRud94L', 'm15aIicPoW', 'AJTazuvGUx', 'ProcessDialogKey', 'moIm5ATcGM', 'GXema4WnDr', 'uR9mmQ4K7P'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, gLFgNTpDvFFQ0Quoh76.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WKp2GZFgEk', 'IQe29uIMdn', 'MQS23ZM0Le', 'lrf2v3uksq', 'MGo2yqJEij', 'Igl2MpBWkT', 'iG72A0i14t'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, J79WTJpmftIhoTV9FiW.cs	High entropy of concatenated method names: 'swud0dHfGW', 'PPwdpULMNF', 't6TdZo1syt', 'IdDd8VjWT4', 'wR6dgufVYF', 'DSidPLjU39', 'fG7dt0o6dV', 'LCVd7DOXwe', 't6RdSRBh4M', 'T2jdb7RV4M'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, Q8tcVrfcpwla0nUGDY.cs	High entropy of concatenated method names: 'ToString', 'hOFwLGxYBa', 'Db5wiX1siu', 's06wDjrxQ0', 'bcOwW7vwID', 'Y1DwFXKyRS', 'mjGwj3vJ3I', 'L3FwhmjRyP', 'lIowN8cuAe', 'k1Fwk8hGUP'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, ioAaKJeTMiDIDcxpTF.cs	High entropy of concatenated method names: 'H0ta1EA5SG', 'PIkaoPYFmR', 'JYGaq6AZ56', 'vD3aYKhk5v', 'jmmalCs5Kq', 'i4yawHdLao', 'NDvXDaMWjMAgtjFgE2', 'cyfoJ9Uc13e5YsK45W', 'zAmaa8CmGq', 'LEtaOhhqew'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, dCKYUrjXOXcIT9y3vI.cs	High entropy of concatenated method names: 'MmffT3XATF', 'bhcfiNdEPA', 'KUlfD2JnYL', 'L52fW5j5EV', 'iwpfGBMyDq', 'FY2fFiV4G7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, MrT2AfiN81blrM7ofh.cs	High entropy of concatenated method names: 'Fil68wRVKh', 'uV96PgsEAu', 'wGW67Fa14W', 'iLi6SF1QQU', 'R3D6lF5cYk', 'YyD6wFTLn3', 'r5s6cAOTPE', 'uT26fMxvgs', 'Axv6dcNtid', 'EWW62x0JWN'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, V3prQuAj3Ol4OExEGv.cs	High entropy of concatenated method names: 'VPKfngqLZD', 'ctvf4lSqmn', 't6Kf6sTWFR', 'eN6frFr9NH', 'DqvfsFFBEL', 'g7Of1PbsFF', 'nL5foJpBCl', 'ArufXnEolv', 'WFnfqPavWT', 'fMJfYK3LF9'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, ywb8dSUlRHcITytTBP.cs	High entropy of concatenated method names: 'v1Trghfk51', 'zWCrt9RyXT', 'qRn6DM2aH8', 'rF36WuVWFf', 'Yfi6FbSECt', 'j4d6jpQxwE', 'tLn6hNNvuC', 'duX6NaTxcD', 'eLs6kfqbPN', 'wQq6KvsqVR'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, L0scfAZViKfKXE4Hg6.cs	High entropy of concatenated method names: 'GoUsHUjcLE', 'l4Bs4ciWeA', 'A1lsrYmU5u', 'J6ls12hdkG', 'pH4soEeAmi', 'r6Vryqm8uA', 'MWhrMRmkfC', 'X3UrA9E4wb', 'adyrJkqPpD', 'BJ8rB91Q1I'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, JUWfI2zWuid0Q7O0ZT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FvCdVBYBY3', 'MMcdlKhE7Q', 'R7bdwcBg53', 'grDdcV5P3D', 'Iokdfwtdsv', 'vV0ddqQBBj', 'DiNd2bJVBk'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, lw2l7RhtXX8UM9HjGF.cs	High entropy of concatenated method names: 'qwxOHLyv85', 'xo4On4KijT', 'tGtO4MU2X3', 'UhqO64N7nm', 'e9FOrnTEMX', 'mdbOsDJZkN', 'ie2O1uJP7v', 'RAKOoD8Zdj', 'IiROXmk3Un', 'mu1Oqlj2iW'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, LaiKv15nLAvK9HiqXE.cs	High entropy of concatenated method names: 'KJodaK2pB4', 'OUgdOLHLjB', 'FcTdQEkgb6', 'GxDdnTyJVg', 'Uhdd4kL5ud', 'sKvdrq8S3n', 'sCpdsG6tT0', 'H82fAm2Mn1', 'OFOfJ69G0i', 'LQvfBe4xgp'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, UhXjfdrLjoQJACNZXp.cs	High entropy of concatenated method names: 'k8AV7MDF0Z', 'gIOVS8JeGK', 'mYtVT1H95B', 'StuViTsro7', 'grVVW8cgVJ', 'Tt2VFSFurG', 'M7AVhqmqlC', 'oCPVNN60k4', 'QoBVK4Aqu3', 'smoVL7l3c3'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, yfLSmUJL7Z9ql1Bg8U.cs	High entropy of concatenated method names: 'QTj1n7xIKB', 'npi16AYrGb', 'xAs1sceBq5', 'tUisIqWQAK', 'MgVszLQQd6', 'Q0D15V1Y1m', 'Dkd1a1vQGX', 'owu1mkSP8e', 'o081O2TZHc', 'yrZ1QecFU0'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, U3WXjgkIoYPtq8pCPP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uWXmBfuuuN', 'yxUmIZRFLx', 'Ms5mzKCgrU', 'n4BO5S4upY', 'q0oOakFsbK', 'YUMOmyKRPt', 'wonOOOvjan', 'ipKWIs4qRCkvW7cqTIw'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, jCHoQs4nofL44OacKx.cs	High entropy of concatenated method names: 'D9JZv46aD', 'rvC8A2YCm', 'iPMPwl4E6', 'tC1trdkLt', 'y67SMuhcv', 'MyJbUeo1v', 'WnpxdWkCYxRA8Cqd8F', 'tORjKHPvhoxhZEc91h', 'mref77Ptw', 'vVZ2ymoiE'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, NlMwpiGmyTNGuLogXe.cs	High entropy of concatenated method names: 'tOacqJh5GA', 'FVacYsgqrj', 'ToString', 'xlQcnZlWp7', 'eMdc4fbHbx', 'a3Zc6JGUdo', 'grYcrMfBZK', 'sOLcsRU0UH', 'o3vc1emvxq', 'v8JcoHUN0F'
Source: 0.2.rNNA.exe.42b9690.11.raw.unpack, RTRqeKChxrikX2k2eR.cs	High entropy of concatenated method names: 'GiNVSGKySP8VUaHonO9', 'zN47tQKTVDeCUjajadx', 'eSEsfXAcdM', 'qjLsdhHFta', 'sAJs27ejYo', 'BPuhBiKwWQiXDZXhk26', 'EII46jKvsnjp64ihgik'

Source: C:\Users\user\Desktop\rNNA.exe

File created: C:\Users\user\AppData\Roaming\wZnyuP.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\rNNA.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: rNNA.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZnyuP.exe PID: 7444, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\rNNA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\rNNA.exe	Memory allocated: 15C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Memory allocated: 51F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Memory allocated: EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Memory allocated: 2A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Memory allocated: 4A10000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8510	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1063	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Window / User API: threadDelayed 3385	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Window / User API: threadDelayed 6474	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Window / User API: threadDelayed 1444
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Window / User API: threadDelayed 7222

Source: C:\Users\user\Desktop\rNNA.exe TID: 4364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7472	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7512	Thread sleep count: 3385 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -99796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -99687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -99578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -99468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -99357s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -99249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7512	Thread sleep count: 6474 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -99140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -99031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98479s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98130s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -96014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -95031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -94921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -94812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -94703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -94593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe TID: 7504	Thread sleep time: -94484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7840	Thread sleep count: 1444 > 30
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7840	Thread sleep count: 7222 > 30
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98796s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98686s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98577s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98467s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97482s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96937s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96718s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96499s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96171s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -96062s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -95842s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -95734s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -95624s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -95515s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -95406s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\rNNA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\rNNA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rNNA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 99796	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 99687	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 99578	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 99468	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 99357	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 99249	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 99140	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 99031	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98921	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98592	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98479	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98130	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97787	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97452	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96890	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96671	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96452	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96343	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96125	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 96014	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95906	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95796	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95687	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95577	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95468	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95359	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95250	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95140	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 95031	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 94921	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 94812	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 94703	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 94593	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Thread delayed: delay time: 94484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98796
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98686
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98577
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98467
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98140
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97921
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97703
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97482
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97265
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 97046
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96937
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96828
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96718
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96609
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96499
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96390
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96171
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 96062
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 95953
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 95842
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 95734
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 95624
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 95515
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 95406
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Thread delayed: delay time: 922337203685477

Source: rNNA.exe, 00000006.00000002.2907319846.0000000001406000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\rNNA.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe"
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rNNA.exe	Memory written: C:\Users\user\Desktop\rNNA.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Memory written: C:\Users\user\AppData\Roaming\wZnyuP.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Process created: C:\Users\user\Desktop\rNNA.exe "C:\Users\user\Desktop\rNNA.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Users\user\AppData\Roaming\wZnyuP.exe "C:\Users\user\AppData\Roaming\wZnyuP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Process created: C:\Users\user\AppData\Roaming\wZnyuP.exe "C:\Users\user\AppData\Roaming\wZnyuP.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Users\user\Desktop\rNNA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Users\user\Desktop\rNNA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Users\user\AppData\Roaming\wZnyuP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Users\user\AppData\Roaming\wZnyuP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\rNNA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rNNA.exe.41f0310.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41b58f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41f0310.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41b58f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2910329972.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2910473470.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2910473470.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2910329972.000000000323E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2910473470.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2910329972.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rNNA.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rNNA.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZnyuP.exe PID: 7756, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\rNNA.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\rNNA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\rNNA.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\wZnyuP.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.rNNA.exe.41f0310.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41b58f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41f0310.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41b58f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2910473470.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2910329972.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rNNA.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rNNA.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZnyuP.exe PID: 7756, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rNNA.exe.41f0310.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41b58f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41f0310.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNNA.exe.41b58f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2910329972.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2910473470.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2910473470.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2910329972.000000000323E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2910473470.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2910329972.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rNNA.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rNNA.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZnyuP.exe PID: 7756, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rNNA.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
rNNA.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wZnyuP.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wZnyuP.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
pbjv.net	203.175.171.5	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown
mail.pbjv.net	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	rNNA.exe, 00000006.00000002.2919997760.0000000006BB2000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2907319846.0000000001406000.00000004.00000020.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2920697212.00000000061F2000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2907874313.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.pbjv.net	rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/?	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.dyn.com/	rNNA.exe, 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp, rNNA.exe, 00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pbjv.net	rNNA.exe, 00000006.00000002.2910329972.0000000003246000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 0000000C.00000002.2910473470.0000000002A66000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/staff/dennis.htm	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/frere-user.html	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.coms	rNNA.exe, 00000000.00000002.1698474694.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rNNA.exe, 00000000.00000002.1689121052.0000000003024000.00000004.00000800.00020000.00000000.sdmp, wZnyuP.exe, 00000007.00000002.1718509352.0000000002774000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	rNNA.exe, 00000000.00000002.1698525882.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
203.175.171.5	pbjv.net	Singapore		24482	SGGS-AS-APSGGSSG	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427030
Start date and time:	2024-04-16 22:50:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rNNA.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/11@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 246 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: rNNA.exe

Simulations

Behavior and APIs

Time	Type	Description
21:50:59	Task Scheduler	Run new task: wZnyuP path: C:\Users\user\AppData\Roaming\wZnyuP.exe
22:50:58	API Interceptor	55x Sleep call for process: rNNA.exe modified
22:50:59	API Interceptor	14x Sleep call for process: powershell.exe modified
22:51:01	API Interceptor	44x Sleep call for process: wZnyuP.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://samartrace.co.ke/resu/repnu03/pDm2uA4djQME/transportforum@stanstedairport.com	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://r20.rs6.net/tn.jsp?f=001hdorddfRVpfBhjmCzZP_M9e3n-9HvwH5WndewdVBwOCaKywXuTP72YftDf8G7EZegNKDuHDStGd0F_YqHq-dwkMezptPaVTW7z3GmrsquDjOTUdJWUiPwtfYdeAV_V719niRmATzLmr1i2Q4VD5Hjq7GD9AIQnalZTS2xJ4NBmEjoOsyfi4JfmCXpI8wp394l5knVxHSX1M-okruwnPJWWbuauOcxTMO&c=&ch=#YmdyYWltZUBuZXhwb2ludC5jb20=	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://docs.google.com/forms/d/e/1FAIpQLScaqr8AS5UHJLhHgsk75Su6KzT5rrqw0atzmeeQYQGFlm3rfA/viewform?usp=sf_link	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?No5zl=ZGFuQHZpcnR1YWxpbnRlbGxpZ2VuY2VicmllZmluZy5jb20=	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://00f82de.blob.core.windows.net/00f82de/1.html?4SdhQu6964HfYs43wfnwuulljn913CWVGBFRQHRPAHNP32199OVKO12176b14#14/43-6964/913-32199-12176	Get hash	malicious	Phisher	Browse	192.229.211.108
	https://00f82de.blob.core.windows.net/00f82de/1.html?4SdhQu6964HfYs43wfnwuulljn913CWVGBFRQHRPAHNP32199OVKO12176b14#14/43-6964/913-32199-12176	Get hash	malicious	Phisher	Browse	192.229.211.108
	SecuriteInfo.com.Win32.PWSX-gen.12913.5952.exe	Get hash	malicious	PureLog Stealer	Browse	192.229.211.108
	http://asap911.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	KqWnIt1164.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	192.229.211.108
	DHL Shipping Documents_pdf.vbs	Get hash	malicious	AgentTesla	Browse	192.229.211.108

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SGGS-AS-APSGGSSG	wg2vKIF0SU.elf	Get hash	malicious	Gafgyt	Browse	103.14.247.45
	LF6B2XTwcV.elf	Get hash	malicious	Gafgyt, Mirai	Browse	103.14.247.32
	JzaLI8CCY4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	103.14.247.67
	cIUrcTpbFS.elf	Get hash	malicious	Gafgyt	Browse	103.14.247.79
	Wv63rJCTZB.elf	Get hash	malicious	Gafgyt, Mirai	Browse	103.14.247.67
	3FKykOcbPa.elf	Get hash	malicious	Mirai	Browse	103.14.247.74
	2tneBBzaBb.elf	Get hash	malicious	Mirai	Browse	103.14.247.18
	64Tgzu2FKh.exe	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	203.175.174.69
	zp.exe	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	203.175.174.69
	eua.ps1	Get hash	malicious	GuLoader	Browse	203.175.174.69

Process:	C:\Users\user\Desktop\rNNA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wZnyuP.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\wZnyuP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZLiUyus:fLHxvIIwLgZ2KRHWLOug4Xs
MD5:	3C929F86A4BCF6EA2EF05B32A5282873
SHA1:	B31ACF630E7F284B08F13E3A547C60DB3231D912
SHA-256:	1737438BA668B9A48ED2E86DE3FC8BF4B92F095346F3F42364AC37EC66495EC1
SHA-512:	1129658D9368A8D947C64ABE88D1DEF20FACFC1384A34F362493588A1E8B965F0813608B8A4CBAE128F21EADF23408831608D9E8BF7AEA4365EE762D94B718AB
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ezau15k.i1s.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5na5kd2y.dae.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdbwlku4.wyp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ja5cq2ml.oyx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp

Download File

Process:	C:\Users\user\Desktop\rNNA.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.107658884241085
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtakxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTlv
MD5:	9181834AB2429428FBE89F17A790AD42
SHA1:	D0DC3FD90A332B5265ED909FB89B5C5794DF9685
SHA-256:	092BEF66FE0E5CD74822BEC169BAAF18F942E344DB91F9B11213E85103875056
SHA-512:	D932CEF769C5C8A873A00389F147B17F7E6B7320A8704873DAC16F645BA7B1BFB60ACA0F04BA84BE6B9E541D5275989CAD2F688A58417A7E70A6E442C55A824C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZnyuP.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.107658884241085
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtakxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTlv
MD5:	9181834AB2429428FBE89F17A790AD42
SHA1:	D0DC3FD90A332B5265ED909FB89B5C5794DF9685
SHA-256:	092BEF66FE0E5CD74822BEC169BAAF18F942E344DB91F9B11213E85103875056
SHA-512:	D932CEF769C5C8A873A00389F147B17F7E6B7320A8704873DAC16F645BA7B1BFB60ACA0F04BA84BE6B9E541D5275989CAD2F688A58417A7E70A6E442C55A824C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\wZnyuP.exe

Download File

Process:	C:\Users\user\Desktop\rNNA.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	788480
Entropy (8bit):	7.776898369498585
Encrypted:	false
SSDEEP:	12288:a4h+TTJ1/EszZRDuH0z3NjVEejVWciWH4X62Fn6OfdcfelbF0w3:I8CtuH0rNjV9jpiWHZ2x6O+feZF0w3
MD5:	C71FEA294E5BD3BEB3F863DB4D43A1CB
SHA1:	3A8D98955E1DEE1CE2A1D95AF5515B43F8744D43
SHA-256:	6F786B8F8DD18709B9E4AD44E33CB1074D55AA2F0F3CD1FE3759E8795DF0A3A9
SHA-512:	54B3AC1D89777080978BA955D8C21D8E1C3A7D67CACFC1D2AD39F27DF11F97C1AB7794C964498F3A28CF10EE515A3AE86433B9C608836C2FC9CDDB8C2388345A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%.f................................. ........@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........W...............................................................0..A....... .........%.X...(.....Y... .........%.1...(.....2...(b........&...~(b....(......(.....s....(.....&.(.........0..........~Y..........E.......).......).......Z....~.........,... ..... ....Y..+....A..9Y+..r...p.....(....o....s...............O. ....Y..+.~........0...........~........."...........0...........(....rE..p~....o......t.......6(b........&*...0..........~2.....+B..E............

C:\Users\user\AppData\Roaming\wZnyuP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\rNNA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.776898369498585
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	rNNA.exe
File size:	788'480 bytes
MD5:	c71fea294e5bd3beb3f863db4d43a1cb
SHA1:	3a8d98955e1dee1ce2a1d95af5515b43f8744d43
SHA256:	6f786b8f8dd18709b9e4ad44e33cb1074d55aa2f0f3cd1fe3759e8795df0a3a9
SHA512:	54b3ac1d89777080978ba955d8c21d8e1c3a7d67cacfc1d2ad39f27df11f97c1ab7794c964498f3a28cf10ee515a3ae86433b9c608836c2fc9cddb8c2388345a
SSDEEP:	12288:a4h+TTJ1/EszZRDuH0z3NjVEejVWciWH4X62Fn6OfdcfelbF0w3:I8CtuH0rNjV9jpiWHZ2x6O+feZF0w3
TLSH:	46F4F16436ABBF2AD9BD47F2486198344BF5705FA975D24F0FCA24D61820FC24981F2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%.f................................. ........@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4c1d1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x661E25F3 [Tue Apr 16 07:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc1cc4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbfd24	0xbfe00	6cee77f404f7ac6ecc462fee1964053a	False	0.8812016490228013	data	7.784489676422327	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x600	0x600	a1552114be0c991d21b61e215c2d9022	False	0.421875	data	4.083960454946654	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	f46dfb1e05f08a8feac1612266f85f73	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc2090	0x31c	data			0.435929648241206
RT_MANIFEST	0xc23bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 22:51:01.854096889 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:02.199212074 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:02.199309111 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:02.966861963 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:02.968027115 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:03.313569069 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:03.313824892 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:03.661017895 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:03.691731930 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:03.735189915 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:04.045502901 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.045563936 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.045619011 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.045654058 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.045670033 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:04.045707941 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:04.047735929 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.063440084 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:04.083204031 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.083837986 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:04.408978939 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.424916029 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:04.435477972 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.435808897 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:04.770693064 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.772397041 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:04.783956051 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:04.784244061 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:05.118319035 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.119580984 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:05.133930922 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.142704010 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:05.470122099 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.470361948 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:05.498545885 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.498562098 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.498625994 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.498631001 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:05.498694897 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.498995066 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:05.500946999 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.502569914 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:05.815785885 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.816148043 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:05.850625992 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:05.862535000 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.172132015 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.172308922 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.210298061 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.210628986 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.517574072 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.518198013 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.518289089 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.518289089 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.518289089 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.558824062 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.559087038 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.863620043 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.863643885 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.863653898 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.879101038 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.912214994 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:06.912662029 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:06.928644896 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:07.260503054 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:07.260730982 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:07.619255066 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:07.619443893 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:07.968316078 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:07.969104052 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:07.969188929 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:07.969189882 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:07.969189882 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:51:08.317159891 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:08.317219019 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:08.317308903 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:08.340780973 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:51:08.381795883 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:52:40.866630077 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:52:41.212932110 CEST	587	49738	203.175.171.5	192.168.2.4
Apr 16, 2024 22:52:41.216686964 CEST	49738	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:52:43.757395029 CEST	49741	587	192.168.2.4	203.175.171.5
Apr 16, 2024 22:52:44.106854916 CEST	587	49741	203.175.171.5	192.168.2.4
Apr 16, 2024 22:52:44.111320019 CEST	49741	587	192.168.2.4	203.175.171.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 22:51:00.851244926 CEST	53614	53	192.168.2.4	1.1.1.1
Apr 16, 2024 22:51:01.845228910 CEST	53	53614	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 16, 2024 22:51:00.851244926 CEST	192.168.2.4	1.1.1.1	0xc362	Standard query (0)	mail.pbjv.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 16, 2024 22:50:51.561738968 CEST	1.1.1.1	192.168.2.4	0x4426	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 22:50:51.561738968 CEST	1.1.1.1	192.168.2.4	0x4426	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 16, 2024 22:51:01.845228910 CEST	1.1.1.1	192.168.2.4	0xc362	No error (0)	mail.pbjv.net	pbjv.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 22:51:01.845228910 CEST	1.1.1.1	192.168.2.4	0xc362	No error (0)	pbjv.net		203.175.171.5	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 16, 2024 22:51:02.966861963 CEST	587	49738	203.175.171.5	192.168.2.4	220-bh.pbjv.net ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 04:51:02 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 16, 2024 22:51:02.968027115 CEST	49738	587	192.168.2.4	203.175.171.5	EHLO 506407
Apr 16, 2024 22:51:03.313569069 CEST	587	49738	203.175.171.5	192.168.2.4	250-bh.pbjv.net Hello 506407 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 16, 2024 22:51:03.313824892 CEST	49738	587	192.168.2.4	203.175.171.5	STARTTLS
Apr 16, 2024 22:51:03.661017895 CEST	587	49738	203.175.171.5	192.168.2.4	220 TLS go ahead
Apr 16, 2024 22:51:04.435477972 CEST	587	49741	203.175.171.5	192.168.2.4	220-bh.pbjv.net ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 04:51:04 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 16, 2024 22:51:04.435808897 CEST	49741	587	192.168.2.4	203.175.171.5	EHLO 506407
Apr 16, 2024 22:51:04.783956051 CEST	587	49741	203.175.171.5	192.168.2.4	250-bh.pbjv.net Hello 506407 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 16, 2024 22:51:04.784244061 CEST	49741	587	192.168.2.4	203.175.171.5	STARTTLS
Apr 16, 2024 22:51:05.133930922 CEST	587	49741	203.175.171.5	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	22:50:56
Start date:	16/04/2024
Path:	C:\Users\user\Desktop\rNNA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rNNA.exe"
Imagebase:	0xbc0000
File size:	788'480 bytes
MD5 hash:	C71FEA294E5BD3BEB3F863DB4D43A1CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1693403396.000000000412E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:50:58
Start date:	16/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZnyuP.exe"
Imagebase:	0xdb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:50:58
Start date:	16/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:50:59
Start date:	16/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp"
Imagebase:	0xde0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:50:59
Start date:	16/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:50:59
Start date:	16/04/2024
Path:	C:\Users\user\Desktop\rNNA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rNNA.exe"
Imagebase:	0xdc0000
File size:	788'480 bytes
MD5 hash:	C71FEA294E5BD3BEB3F863DB4D43A1CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2910329972.0000000003269000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2910329972.000000000323E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2906608211.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2910329972.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2910329972.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	22:50:59
Start date:	16/04/2024
Path:	C:\Users\user\AppData\Roaming\wZnyuP.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wZnyuP.exe
Imagebase:	0x260000
File size:	788'480 bytes
MD5 hash:	C71FEA294E5BD3BEB3F863DB4D43A1CB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:51:00
Start date:	16/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:51:02
Start date:	16/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZnyuP" /XML "C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp"
Imagebase:	0xde0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:51:02
Start date:	16/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:51:02
Start date:	16/04/2024
Path:	C:\Users\user\AppData\Roaming\wZnyuP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\wZnyuP.exe"
Imagebase:	0x340000
File size:	788'480 bytes
MD5 hash:	C71FEA294E5BD3BEB3F863DB4D43A1CB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:51:02
Start date:	16/04/2024
Path:	C:\Users\user\AppData\Roaming\wZnyuP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wZnyuP.exe"
Imagebase:	0x5c0000
File size:	788'480 bytes
MD5 hash:	C71FEA294E5BD3BEB3F863DB4D43A1CB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2910473470.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2910473470.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2910473470.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2910473470.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	315
Total number of Limit Nodes:	14

Executed Functions

Function 07660720 Relevance: .9, Instructions: 927COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699858056.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7660000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70845d3faf3d2fed0accbb6578a4098cdf8a2286a9d828d09859a4c28ee28e9b
Instruction ID: ab3586ee2d2aa7c96e99ebe1ff206ce21a67b93af8a2e15bcb557efa4dba877a
Opcode Fuzzy Hash: 70845d3faf3d2fed0accbb6578a4098cdf8a2286a9d828d09859a4c28ee28e9b
Instruction Fuzzy Hash: 07A23B71E102598FDB15DF68C8586EDB7B2FF89300F1486A9D80AA7351EB70AE95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 092D4640 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702097796.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b64670d02b5f1d303dc67c5d6592a5ca01a6fc9400e74c0bbb33c5a5457bb3
Instruction ID: 69cd03d7257232c913e2aa1fa1cc0f05cb7e3d3b64e9a91891ab4f987ddca2a1
Opcode Fuzzy Hash: 54b64670d02b5f1d303dc67c5d6592a5ca01a6fc9400e74c0bbb33c5a5457bb3
Instruction Fuzzy Hash: 535227306116058FCB54EF68C688A5DB7F2FF88315F6585A8E44A9B7B5CB30ED46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 07630040 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699464736.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c000e2d217a0950859d4de7884d94f7b6c858e06dc1104990fe011e659e45d1c
Instruction ID: 11a59f2d49a3e8c4d422607b041471a3afe485f6316bf076d65639c88266cc31
Opcode Fuzzy Hash: c000e2d217a0950859d4de7884d94f7b6c858e06dc1104990fe011e659e45d1c
Instruction Fuzzy Hash: 5932FC71D0061A8FCB54DF68C8906EDF7B1FF89300F1486AAD459AB311EB70AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 076301E8 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699464736.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7630000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e435b3e87262316b67563c1894a3e4365f8dc91bff3946b4def63373885712e
Instruction ID: 2dda3e6fb46371aa3ee6ec0918c2aded4c2697028f9efe7e339ad8ee2f29b4c9
Opcode Fuzzy Hash: 5e435b3e87262316b67563c1894a3e4365f8dc91bff3946b4def63373885712e
Instruction Fuzzy Hash: 1B12B775D1071A8FCB15DF68C880AE9F7B1BF49300F15C6AAD959A7211EB70AAC5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02F1787F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2e702433051fc75f6ed14991314cccc1b07ce916c256613a2a59210fe9f777
Instruction ID: 2ea5fd80307cda1eca53b8d83a09f775b6bc09ea0cbf022d772b7b25715a7997
Opcode Fuzzy Hash: ae2e702433051fc75f6ed14991314cccc1b07ce916c256613a2a59210fe9f777
Instruction Fuzzy Hash: 203107352056148BD32ABB35CC507DBB7A3AFC9355F89886D825A4F354CE3AA486CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F1480C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210b6263a6857fee4386b52d336e19c4aba970db58d9802fdc778b445ecf7ba0
Instruction ID: 679b4e722c81b3d6e0e058fabef3ad248318dc75756da39dadacca2f971b08cc
Opcode Fuzzy Hash: 210b6263a6857fee4386b52d336e19c4aba970db58d9802fdc778b445ecf7ba0
Instruction Fuzzy Hash: 1F2163346017148BD32EBB358C546ABB3A7AFC9355F95887D825A0B354CF36A442DB90

Uniqueness

Uniqueness Score: -1.00%

Function 094709F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488d84784685b5ae197e486db839cf176aac1e8d04bbbf5f2e5d8ebe95d14101
Instruction ID: e475a815cac6f65ec95b93596f5426a7bfda80e445dc2d00a61e96527d1a8d87
Opcode Fuzzy Hash: 488d84784685b5ae197e486db839cf176aac1e8d04bbbf5f2e5d8ebe95d14101
Instruction Fuzzy Hash: 4C213072E0574C8BEB18CF6B98012EEFBF79FC9250F18C17BD418AA265DA7405418F65

Uniqueness

Uniqueness Score: -1.00%

Function 07794ACD Relevance: 14.0, Strings: 11, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 07794B95
XX^q, xrefs: 07794AF0
$^q, xrefs: 07794D70
fcq, xrefs: 07794C77
Te^q, xrefs: 07794B15
XX^q, xrefs: 07794B00
fcq, xrefs: 07794DDB
$^q, xrefs: 07794CCB
Te^q, xrefs: 07794B1F
fcq, xrefs: 07794DCB
$^q, xrefs: 07794CA1

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID: fcq$ fcq$ fcq$Te^q$Te^q$XX^q$XX^q$$^q$$^q$$^q$$^q
API String ID: 0-4077753186
Opcode ID: 1638cf34d21d24eb284f9ce0126bd15912b73e5af98cf1568ded4bcfad328172
Instruction ID: 0ae036d116899574fb0b370dd85f0e3647b62042028bb8f0a844d345def319ba
Opcode Fuzzy Hash: 1638cf34d21d24eb284f9ce0126bd15912b73e5af98cf1568ded4bcfad328172
Instruction Fuzzy Hash: ACA16CB5E15298DFDF18CB94E448AAEB7B2FB82340F158866E512AF294D7309C52CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07794AE6 Relevance: 12.8, Strings: 10, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 07794B95
XX^q, xrefs: 07794A73
XX^q, xrefs: 07794AF0
$^q, xrefs: 07794D70
fcq, xrefs: 07794C77
Te^q, xrefs: 07794B15
XX^q, xrefs: 07794AB8
$^q, xrefs: 07794CCB
fcq, xrefs: 07794DCB
$^q, xrefs: 07794CA1

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID: fcq$ fcq$Te^q$XX^q$XX^q$XX^q$$^q$$^q$$^q$$^q
API String ID: 0-3245395079
Opcode ID: 20e9163dd3b7d929d99243cad84876fad9d8ec75fa5bc3a33b40502162b50e69
Instruction ID: 0187e39aaaf8f0497504a32c780a7a7fc68bb3d9cb35e5c4a2877edf85a406b8
Opcode Fuzzy Hash: 20e9163dd3b7d929d99243cad84876fad9d8ec75fa5bc3a33b40502162b50e69
Instruction Fuzzy Hash: CDB1BDB5E16288CFDF19CB94E448AAEB7B2FF42381F154876D512AB295D7309843CB44

Uniqueness

Uniqueness Score: -1.00%

Function 02F1DBF8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02F1DC76
GetCurrentThread.KERNEL32 ref: 02F1DCB3
GetCurrentProcess.KERNEL32 ref: 02F1DCF0
GetCurrentThreadId.KERNEL32 ref: 02F1DD49

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 92b90a957ddd36961be1ad8cee46a321fb1762a522e7de63c51cd66ed8cf6cc1
Instruction ID: dc90c8be7a0db205ac766d5ef83c19f3d44e69d621be8b0c7e1e41bf3ee02ea4
Opcode Fuzzy Hash: 92b90a957ddd36961be1ad8cee46a321fb1762a522e7de63c51cd66ed8cf6cc1
Instruction Fuzzy Hash: 235155B09003098FDB18DFAAD649BDEBFF1EB88304F208459E519A7360DB749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0768C018 Relevance: 4.1, Strings: 3, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

04), xrefs: 0768C1C4
04), xrefs: 0768C1D4
PH^q, xrefs: 0768C275

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID: 04)$04)$PH^q
API String ID: 0-3584892208
Opcode ID: e51b762b980485ead780e1601cdaaf6ee2e1a6ce5aef843039179beea9a783f9
Instruction ID: b4cf0059dcde952cb65dadf292df4c199d9c7afc62e3bbcc2a2c9f9ceb5ca3a5
Opcode Fuzzy Hash: e51b762b980485ead780e1601cdaaf6ee2e1a6ce5aef843039179beea9a783f9
Instruction Fuzzy Hash: 0CB1AFB1A00216CFCB58EB78D854AA977F2FF89311F1542A9D4169B3A1CB35DC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07681540 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

$^q, xrefs: 07681553
Hbq, xrefs: 07681703

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID: Hbq$$^q
API String ID: 0-3942533163
Opcode ID: 2436903d3e6cae368913c80bb049726dfbcd52b83b88c2034e98ae2e9cd7143e
Instruction ID: a5f39a176fe3b9463e28c367982848e91a75d20122bad3a6e9fe137a24616cbf
Opcode Fuzzy Hash: 2436903d3e6cae368913c80bb049726dfbcd52b83b88c2034e98ae2e9cd7143e
Instruction Fuzzy Hash: E1517BB1A001198FDB48EF68C44466EBBE2FFC5350F14C66AD91A9F365DA30DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 09478044 Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09478286

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0af8cea97c54562ef683764cac41e483f7e61c09229ba55888d55ff8325fea7c
Instruction ID: 0d82ba6f42b152819a4331890e6a3098c876d40e13f7c770740174c50d12a80c
Opcode Fuzzy Hash: 0af8cea97c54562ef683764cac41e483f7e61c09229ba55888d55ff8325fea7c
Instruction Fuzzy Hash: F3A13871D007199FDB14CFA8C8857EEBBB2AF44314F1485AAE808A7350DB759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09478050 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09478286

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 58e41c57564f125001b3a659109cfcb752b596900f9f6e5afbbdc1ff53902284
Instruction ID: f21fefd7c0a84a33ad1c54459c25917d40da6e1699b64590a936c20648ee8037
Opcode Fuzzy Hash: 58e41c57564f125001b3a659109cfcb752b596900f9f6e5afbbdc1ff53902284
Instruction Fuzzy Hash: D9912871D0071D9FDB14CFA8C8857EEBBB2AF44314F1485AAE808A7350DB759985CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F1B960 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F1BBC6

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 67ec2fe9f03e748b23984810bf2c07252b29f98af467c3bd0abb33d8e992ee15
Instruction ID: d01955d7ecb01d10154d896024bd6535a3d13bf5e2f00148075007be2d7a7d5b
Opcode Fuzzy Hash: 67ec2fe9f03e748b23984810bf2c07252b29f98af467c3bd0abb33d8e992ee15
Instruction Fuzzy Hash: 3F813370A00B05CFD724DF6AD55079ABBF1FF88388F408A29D58ADBA50DB74E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02F1495C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02F15EF1

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 620519889430882eae5e159b78b8d3d07c8a7092bd11922e4de63ac726e2c22f
Instruction ID: 9b3790f914c78504e736e39f3b1199ad1b0238165214c3ea9b4e90b37c7bbf2d
Opcode Fuzzy Hash: 620519889430882eae5e159b78b8d3d07c8a7092bd11922e4de63ac726e2c22f
Instruction Fuzzy Hash: B341D1B0C00619CFDB24CFA9C884BDEBBB5BF89304F64806AD508AB255DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F15E36 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02F15EF1

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 45dca3dd22742bacef75f7f5a0117e830adac66e75cfe2be25016ee676b94b7d
Instruction ID: 13f385164b12b510bcced972dc8e1ee96f86261fa7a39c04c8a66bc6cabad24f
Opcode Fuzzy Hash: 45dca3dd22742bacef75f7f5a0117e830adac66e75cfe2be25016ee676b94b7d
Instruction Fuzzy Hash: B841F2B0C00619CFDB24CFA9C844BDEBBF5BF89304F64816AD508AB255DB755949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 09477DC4 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09477E58

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7013bbd5965ea2905c01de7f03e771b9b7cc99eff64858461799e65cf7dfeab5
Instruction ID: 8f75f90789e35ae4759bd9e0ed60bcf67619b9fa277691e1bb07d98a0dd40f85
Opcode Fuzzy Hash: 7013bbd5965ea2905c01de7f03e771b9b7cc99eff64858461799e65cf7dfeab5
Instruction Fuzzy Hash: 632125B1900359DFCB10CFA9C985BEEBBF1FF88314F50842AE958A7250D7789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 09477DC8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09477E58

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 770353e01f6c5f19371ca94d241ca3cb3dfdeb4ff02c5168fcc7af528030b431
Instruction ID: f491b4b47648aa31cbd65881202d09643a7aa6bdfc888720f00858eca3800111
Opcode Fuzzy Hash: 770353e01f6c5f19371ca94d241ca3cb3dfdeb4ff02c5168fcc7af528030b431
Instruction Fuzzy Hash: DF2124B1900359DFCB10CFA9C985BDEBBF5FF48310F10842AE958A7250D7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 09477C28 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09477CAE

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d6b140fd6749023d4bea083162faa4b6ad56369baad5beacf87ad475a4e4a768
Instruction ID: e28c515032b6da7e0ff7f02191270f72792056cb20b5e5763dd407f33a70c698
Opcode Fuzzy Hash: d6b140fd6749023d4bea083162faa4b6ad56369baad5beacf87ad475a4e4a768
Instruction Fuzzy Hash: 932148719003099FDB10CFAAC4857EEFFF0EB48324F54842AD459A7340C7789545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 09477EB0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09477F38

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9beabab37e742ba5d7c217a7dec6a0abd92f7db658897165ccbf3b8f98be2f56
Instruction ID: 3165660af31ea6b75767e2aa3bf67ad3b12e5d3bec4bc92f1902f08e4f54e558
Opcode Fuzzy Hash: 9beabab37e742ba5d7c217a7dec6a0abd92f7db658897165ccbf3b8f98be2f56
Instruction Fuzzy Hash: 362139B18003499FCB10CFA9C985ADEFBF1FF48310F50842AE558A7250D7349545CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F1B388 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F1BC41,00000800,00000000,00000000), ref: 02F1BE52

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 03b397b207bf4d8a8ec992dc4a54699e4ddfa81aeabaee54ed764041d3962666
Instruction ID: 590aa0bd92147c9f6eb8469c75c70bc2a9d933a5276e9c091c7de74428245233
Opcode Fuzzy Hash: 03b397b207bf4d8a8ec992dc4a54699e4ddfa81aeabaee54ed764041d3962666
Instruction Fuzzy Hash: 392147B6904348CFDB10CFAAC844ADEFFF4EB99324F04846AD659AB211C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09477C30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09477CAE

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 064f6e9fbac1828495288f74d89f2bf3f342190d31d017c54d3c0eebe564530f
Instruction ID: f2aa2412d9206a654d36ff700c02e2106a37509e0bbf9c5505df868a670ac87b
Opcode Fuzzy Hash: 064f6e9fbac1828495288f74d89f2bf3f342190d31d017c54d3c0eebe564530f
Instruction Fuzzy Hash: BC2139719003098FDB10DFAAC4857EEFBF4AB48314F10842AD459A7240D7789544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09477EB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09477F38

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d9b81c11f3a973f8a20d994999320fabc8ab881457c792ae414aec21d44e75ab
Instruction ID: 974738a17ce448085f578b11c50e586886c7a5e0e4b130d359b1ab2c579cf10e
Opcode Fuzzy Hash: d9b81c11f3a973f8a20d994999320fabc8ab881457c792ae414aec21d44e75ab
Instruction Fuzzy Hash: 162128B18003599FCB10DFAAC981ADEFBF5FF48310F50842AE558A7250D7349544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F1DE40 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F1DEC7

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 35774a983889d081793f4d0c349e581099ce4d1deb424280fcf138c32cfb6856
Instruction ID: 074a9f395064c76b74df6c10350d23b92486e705de3dd0048c1f2c54b5afbb9a
Opcode Fuzzy Hash: 35774a983889d081793f4d0c349e581099ce4d1deb424280fcf138c32cfb6856
Instruction Fuzzy Hash: C921E4B5900208DFDB10CF9AD984ADEBBF4EB48310F14845AE914A3310D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09477D03 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09477D76

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a99f296ad48bd290112064d7484a4bfe16a3ce89e85d33fa0728a4b944d2d1b1
Instruction ID: 80bb558b129e9fc2d71e7c1512be43894318600ade01bafdb5fa0bc3c1dbbfdd
Opcode Fuzzy Hash: a99f296ad48bd290112064d7484a4bfe16a3ce89e85d33fa0728a4b944d2d1b1
Instruction Fuzzy Hash: 1D1114719002499BCB10DFAAC845AEEBFF5EB88320F14882AE559A7250C7759544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F1B3A0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F1BC41,00000800,00000000,00000000), ref: 02F1BE52

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9b83c09a88e76c266ea0ae9cf053ecb9092ca3d500b76980c53f97cbb205f7d9
Instruction ID: f9b2c66aa27bd29df053f430c2efe761e1a95656f1ae4c09a0b82599eb802acc
Opcode Fuzzy Hash: 9b83c09a88e76c266ea0ae9cf053ecb9092ca3d500b76980c53f97cbb205f7d9
Instruction Fuzzy Hash: 071112B6D00308DFDB14CF9AC884ADEFBF4EB88314F50842AE619A7210C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F1BDE0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F1BC41,00000800,00000000,00000000), ref: 02F1BE52

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d049979b84c89a13d693daf984e8797c052b8265032145f4386f66d347fc3fcc
Instruction ID: bf934b80bbed5b9ce6b6b78b80acfeea600cd9e3842830c945c4b2dbec19c744
Opcode Fuzzy Hash: d049979b84c89a13d693daf984e8797c052b8265032145f4386f66d347fc3fcc
Instruction Fuzzy Hash: C511E4B6D00349DFDB10CF9AC944ADEFBF4EB48314F54842AE519A7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09477D08 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09477D76

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1e45c502f5576efaaa01a0f2b511f7338339ee8c5286b23abefd2b85454e47f4
Instruction ID: 256ab106ccfd1ae0efcad300cfc7aabb325435622a02fd041730105ff886bc76
Opcode Fuzzy Hash: 1e45c502f5576efaaa01a0f2b511f7338339ee8c5286b23abefd2b85454e47f4
Instruction Fuzzy Hash: CA1126719003499FCB10DFAAC845AEEFFF5EF88320F10842AE559A7250C775A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09477B78 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09477BE2

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 08156b6c87b7d3a242357b7ae03c673e985d1fcd12062ea6c72feebd8bfb8780
Instruction ID: 65a01d7783da310d9ea646e5d19536d2cbccaab584ebc8fa55a8654148c93703
Opcode Fuzzy Hash: 08156b6c87b7d3a242357b7ae03c673e985d1fcd12062ea6c72feebd8bfb8780
Instruction Fuzzy Hash: 521146B19002498FDB14DFAAC445BDEFBF4EB88324F20842AD419A7250C778A944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 09477B80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09477BE2

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ef6d78cdee7692a23886951bfef2fea94462b2478d1e08d8ce34315c4f8cd25f
Instruction ID: 442330d5732e52a66cbd3759192153ef097d535a6ea0150b1acb0be19e658fcd
Opcode Fuzzy Hash: ef6d78cdee7692a23886951bfef2fea94462b2478d1e08d8ce34315c4f8cd25f
Instruction Fuzzy Hash: 24113AB19003498FDB10DFAAC4457DEFBF4EB88324F20842AD459A7250CB75A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0947CFF8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0947D05D

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3901d93bb91c0ea74d4df146414bc7a8f147b1f8da0944a6198ae88f745cac5c
Instruction ID: 0e7140d714de1d4bb86dda83346d51eca000ed66d100446a4d413f9a1222dd22
Opcode Fuzzy Hash: 3901d93bb91c0ea74d4df146414bc7a8f147b1f8da0944a6198ae88f745cac5c
Instruction Fuzzy Hash: C1110FB58002489FDB10DF99D889BDEFBF8EB48324F10841AE458A7240C379A984CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F1BB60 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F1BBC6

Memory Dump Source

Source File: 00000000.00000002.1688837943.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_rNNA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e83a0e70666eea4e955fc6c9a14df0187f506fa3d803859f5c4f6c841b3c17b8
Instruction ID: 8583e6a6afbfcf8e6e7aa139ad6abd6a25f3e20421e6ee36ba6870d302f838ba
Opcode Fuzzy Hash: e83a0e70666eea4e955fc6c9a14df0187f506fa3d803859f5c4f6c841b3c17b8
Instruction Fuzzy Hash: 331110B5C00249CFCB10CF9AC844ADEFBF4AF88328F10842AD518B7610D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 094766CC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0947D05D

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: be5d56ee2b7cd19df07ba2208813e66e51c57e4df22b78114ce97749332abb0f
Instruction ID: abaebcef8c868ac3ff8d6bf619b58c6389942d65a7f0c619ed6b59b4b87b0782
Opcode Fuzzy Hash: be5d56ee2b7cd19df07ba2208813e66e51c57e4df22b78114ce97749332abb0f
Instruction Fuzzy Hash: 3A11E3B58003489FDB10DF99D885BDEFBF8EB48324F10845AE558A7240D375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0768CA60 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

04), xrefs: 0768D061

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID: 04)
API String ID: 0-3482799550
Opcode ID: d81a93977028d76f17c1906518f215e51d415b3f18c9ba252f455583d545c352
Instruction ID: 3ea82e2e145aa047e542df71803fd17183928bb54506d88e61a623328dd11119
Opcode Fuzzy Hash: d81a93977028d76f17c1906518f215e51d415b3f18c9ba252f455583d545c352
Instruction Fuzzy Hash: B45193703006069FCB55AF38D484A6AB7E6FF88310F108679D55A8B3A4DB71EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 077964D8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07796543

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 1d18d9e621bb312bc4aec0ff075b5bbe2322636e4725e1be94ddc096938681da
Instruction ID: 91425849039aeb0cc6d14bab66e8c1cf762a7cfe6289de627a87f5fcac438771
Opcode Fuzzy Hash: 1d18d9e621bb312bc4aec0ff075b5bbe2322636e4725e1be94ddc096938681da
Instruction Fuzzy Hash: F5114C71F0120A9BCB04EBB9A9105EEB7F6AB84650B50457AC509E7244EB32CE06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0779431C Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

!), xrefs: 0779431C

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID: !)
API String ID: 0-793381614
Opcode ID: 61f1e0fa3a2a838dd6f5f84621a58bdb8893f8c8c52b1feaaf8b2af9019fb548
Instruction ID: 1ad956e0a8d3059aa0f72def7a8d82844e06bdfeeb2a493178fdc2a9e7255909
Opcode Fuzzy Hash: 61f1e0fa3a2a838dd6f5f84621a58bdb8893f8c8c52b1feaaf8b2af9019fb548
Instruction Fuzzy Hash: EBC04C76065000EB8E01A7F4D95482ABA95FB55785B40C862A24585035C665D5289716

Uniqueness

Uniqueness Score: -1.00%

Function 07796088 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0988aab66b27342ce7e1b4331a2d88c38fc90b27a9a5c89caef3070957bb6e5
Instruction ID: 7a9e944aa0d53a6a273e169b4ff41c9082db112c39f10939e2f0d66fad17f75b
Opcode Fuzzy Hash: d0988aab66b27342ce7e1b4331a2d88c38fc90b27a9a5c89caef3070957bb6e5
Instruction Fuzzy Hash: E27126B26266559FCB068B34F800AF5FBA2EB422A1F0985BBD0584F163D7319951C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0779B160 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cd3dc0029b1f426b8de28059ec594335fba2987f776a1cb40ae534db0ace23
Instruction ID: 3bc3115c644fbc808fe8fc0b5ec51ec9c9e2c99599f0987b2c151b2d8947c63d
Opcode Fuzzy Hash: 99cd3dc0029b1f426b8de28059ec594335fba2987f776a1cb40ae534db0ace23
Instruction Fuzzy Hash: A25106F190A2998FCF00CBA9F8402EEBBF5EF86284F1485BBD165DB562D33599018B51

Uniqueness

Uniqueness Score: -1.00%

Function 0779DA28 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67babe8d6ae605f90d77c679f2308d84f37422de4a7daa441589fe1ada51ba54
Instruction ID: 53550c81ac28bad889381d9dd3d0643009d25b4776237c628a12d9e201ae23bb
Opcode Fuzzy Hash: 67babe8d6ae605f90d77c679f2308d84f37422de4a7daa441589fe1ada51ba54
Instruction Fuzzy Hash: 6441B0B4E012199FCF54CFA9D884AEEBBF1BB8A350F14842AD819F7344D7349945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0779B940 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c41ee9c7937a3186eee36b8c4f4f7aec8fd0d5a4875a64871c833ba598e7a9
Instruction ID: 6bb5da2c92a2efec383e27ca9a141354de4d81c2d5397fe62e66dd1fcb6b63ee
Opcode Fuzzy Hash: 11c41ee9c7937a3186eee36b8c4f4f7aec8fd0d5a4875a64871c833ba598e7a9
Instruction Fuzzy Hash: 7841A7F4A2621ADFCF00CFA9F4848EDBBF4FB4E290F419865E456A7225D7309910CB64

Uniqueness

Uniqueness Score: -1.00%

Function 077978F8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29e3380ca9a93e365586e2e7c63fa63838094f53b3840b477b82e05b5c00767
Instruction ID: 8fd39c10b0074064d4969af4e981ada8bddebcf88e1d464b996c537f37252192
Opcode Fuzzy Hash: b29e3380ca9a93e365586e2e7c63fa63838094f53b3840b477b82e05b5c00767
Instruction Fuzzy Hash: 013135B1A152569FCB05CF79D84467AFBB2FF82391F0AC9A6D4589F282D730DA00C791

Uniqueness

Uniqueness Score: -1.00%

Function 07794163 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41198b79c8451c07f8450c1df8d951091c15c9197187be80caca04223612aa80
Instruction ID: a0e8d6c03a94274303b7e7f6aaae9ca0e2efa3ecfbbd0f66fb2d98d515b96fe7
Opcode Fuzzy Hash: 41198b79c8451c07f8450c1df8d951091c15c9197187be80caca04223612aa80
Instruction Fuzzy Hash: 2E21CDB214F3D0AFDB039B38AC655E23F309F53294B1D45EBD0809E0A7C149964AC3A6

Uniqueness

Uniqueness Score: -1.00%

Function 0155D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687659541.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_155d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660f7d9bd910bf9577f9a06407b907227e07bb40c210d1afc42e2e5171e50e3c
Instruction ID: 8c9abab3ff7a02d073c72583493a732a87b2180f83948fdde9acd6fce72911eb
Opcode Fuzzy Hash: 660f7d9bd910bf9577f9a06407b907227e07bb40c210d1afc42e2e5171e50e3c
Instruction Fuzzy Hash: 49214872100200DFDB45DF48C9C0B6ABFB5FB84314F20C56ADD090F256C37AE446C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0155D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687659541.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_155d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20dd53f2c0e34d9f0506d84692bea7b636ccec41cb99a1d26625bb73aff72ddd
Instruction ID: c304843dd6d33cd94534c4bf45ae6f6a66d0361d7caf7b0a24586acae3c53a14
Opcode Fuzzy Hash: 20dd53f2c0e34d9f0506d84692bea7b636ccec41cb99a1d26625bb73aff72ddd
Instruction Fuzzy Hash: 71210072500240DFDB46DF98D9D0B2ABFB5FB88318F20C56AED094F256C336D456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0779AED0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e33516e6c3a0766f06b1e305fae2d5edc13fcb50d9aa7f28d95bd6c609fad5
Instruction ID: 3e73d6e2927f7e774fc55755bfbffc512d72187008f316783061f51d54478be2
Opcode Fuzzy Hash: c0e33516e6c3a0766f06b1e305fae2d5edc13fcb50d9aa7f28d95bd6c609fad5
Instruction Fuzzy Hash: E721D4F1A271298FCF148F68E80157BBBB6EB85290F12C637E812D7245F630C940C791

Uniqueness

Uniqueness Score: -1.00%

Function 0779FE58 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7bb37e40f856715b4cc2f3bfe34631deaceb8e381732aca901853c5f3bce89
Instruction ID: 5c3173022d2a7522226a34cc8cb776db586cb44f0e2f12b8419735451645e6ad
Opcode Fuzzy Hash: 6e7bb37e40f856715b4cc2f3bfe34631deaceb8e381732aca901853c5f3bce89
Instruction Fuzzy Hash: 3E2168F0B02209DFDF189B19E819B29B7A7EB85B90F60C975E105CF396DB318C418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0156D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687728639.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145d19e80d71c1517551abe3b4d20b63922094eb5085f6031c0b1c0546deb5b9
Instruction ID: 2257c8f6d95d891e8c87d4cfb78b89b2ff984b856fe69f6afc0c47818cbef238
Opcode Fuzzy Hash: 145d19e80d71c1517551abe3b4d20b63922094eb5085f6031c0b1c0546deb5b9
Instruction Fuzzy Hash: 4A212971604200DFDB05DF98D5C0B2ABBB9FB84324F24CD6DD9894F256C73AD446CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0156D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687728639.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadb88b7a46546f51fa2c30b8a7ae11e8c00ca268b0bd073ced7096dd9ef5612
Instruction ID: 6caca3536799c28fcb039ef882e840af8c00e27c52f36bef280c115220f368f3
Opcode Fuzzy Hash: aadb88b7a46546f51fa2c30b8a7ae11e8c00ca268b0bd073ced7096dd9ef5612
Instruction Fuzzy Hash: CF210375604200DFCB15DF58D584B2ABBB9FB84324F20C969D8894F256D33BD446CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 07796603 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a3753c43a5be071bbdaf8531aaa267964b9fbf364689f65bb70ea849672621
Instruction ID: 97b6eef17cbe3c83b6c50036e892711cfb69b2553de66fa9998ec9c1fdb6b11b
Opcode Fuzzy Hash: d2a3753c43a5be071bbdaf8531aaa267964b9fbf364689f65bb70ea849672621
Instruction Fuzzy Hash: 5B119DB1700644DFCB259B38E85887EBBB6EFC9660B64466DE41AC7391DE31DC068B50

Uniqueness

Uniqueness Score: -1.00%

Function 0779432F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c8f6b44ceaed16b1f4e05ef3f787d74c3e895cb640fa02801a2b79f1c0ea5c
Instruction ID: fc4d8ab759b733f61e16af84f181ec2562792827e955a6ea4ec575eaf30a6abe
Opcode Fuzzy Hash: a5c8f6b44ceaed16b1f4e05ef3f787d74c3e895cb640fa02801a2b79f1c0ea5c
Instruction Fuzzy Hash: 8C11E7F1A002469F8B11DBB99C544BFBAF7EFC52A07554A3DD419E7340EE3099018761

Uniqueness

Uniqueness Score: -1.00%

Function 0768CEE0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de0ee0064d6d71dde532ef357bf3f4b5b4629f5b4badd50dec591e88691d5ed
Instruction ID: ba6facb5bcd1be7d6465b65963b8d81a2b66f6a142c4360b5827111815698f8d
Opcode Fuzzy Hash: 7de0ee0064d6d71dde532ef357bf3f4b5b4629f5b4badd50dec591e88691d5ed
Instruction Fuzzy Hash: 3A117CB1302701DBC739AB39D41081673A6AF867353244BBDD06B4A7E0CB32D883CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0156D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687728639.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75532f5658f495a87278a2259dae882042a4d0007c7645b434101fd987f2228
Instruction ID: daeddb4c91ae5272e7d09efb087f4099957c6e46ffe3420d3e30601af3fc7e3a
Opcode Fuzzy Hash: d75532f5658f495a87278a2259dae882042a4d0007c7645b434101fd987f2228
Instruction Fuzzy Hash: 532183755093808FD703CF24D594715BF71FB46214F28C5DAD8898F267C33A980ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0779B870 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af531ff6ea88978a9cf6bf29f40ab570b783c8912acac6ca70926213e9351aa6
Instruction ID: 70c332743a4868702c8a77a2fbb8eca0850696c6cf63d9d6d2bbac3423c39b8f
Opcode Fuzzy Hash: af531ff6ea88978a9cf6bf29f40ab570b783c8912acac6ca70926213e9351aa6
Instruction Fuzzy Hash: 2621B7B4A00508DFDB04DF5AE284999BBF1FF8C750B6280E5D444AB329DB31DE25DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0155D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687659541.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_155d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1e7b30d0bdd9b0d624380f2053d478e44065ad468a92f53d1629da63c262d0b6
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2311CD72404240CFDB06CF44D5C4B5ABF72FB94224F24C2AADD090E656C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0155D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687659541.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_155d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 6804d45064e4a2331307ef565dd2953e0f249581afc8ae330e3292a5988715fd
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1E119D76504280CFDB16CF54D5C4B1ABF71FB84218F24C6AADD490F656C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0156D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687728639.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: dc066152cb4f0e85b0faa5ab5356ad220690b768c576affb0dfd782222e80a10
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F8118E75604240DFDB16CF54D5C4B19BF71FB84224F28CAA9D8494F656C33AD44ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 07680858 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b067a646cb053637471c8d1f5c59e6530fa8511b480b3f70cb542a880aa029
Instruction ID: 4f91d2938a6c1c62b8a68589a77aae081e9034c877ac50a30dd13cc8ffd7dfe1
Opcode Fuzzy Hash: 39b067a646cb053637471c8d1f5c59e6530fa8511b480b3f70cb542a880aa029
Instruction Fuzzy Hash: 6001F2F17047815BEB616679A05836FBBD6FBC0224F144A3DD04B8BB84CF61D84883D1

Uniqueness

Uniqueness Score: -1.00%

Function 077964A0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6edc57f92b94f75046426a9b840d3a4c999afb451ebe75679f76b98e5569d7
Instruction ID: b866efdf3a88e651c7efcf0eea953b15dc04c166bef3835918e4ebc9eb520b21
Opcode Fuzzy Hash: fd6edc57f92b94f75046426a9b840d3a4c999afb451ebe75679f76b98e5569d7
Instruction Fuzzy Hash: 2101B1B5D0A3859ECB02DB7898155DABFF0AF43251B0580BBC444EB112E3350A55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07798B40 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9002b384652466d5622f984b8cfcd1f1081a7dbc8a9943a22bed25a7537851bb
Instruction ID: 4a8ea8ad810ddb08bf6cbf24897bf2541b9bb8eed464846aba65d8e59420f788
Opcode Fuzzy Hash: 9002b384652466d5622f984b8cfcd1f1081a7dbc8a9943a22bed25a7537851bb
Instruction Fuzzy Hash: C401A7B4E44108ABDF40AFB8950A3AD7BE2E74B781F14C975D90AD7788EA344D508B92

Uniqueness

Uniqueness Score: -1.00%

Function 07794175 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ac43d96c1ede6ea69596ecc80a6aa3a7902cade56f2b2d8bc29e60c0b45f37
Instruction ID: dec715243d175d955841b4a2ee09356575bc642b95c5b0bfabb38cca12284788
Opcode Fuzzy Hash: c7ac43d96c1ede6ea69596ecc80a6aa3a7902cade56f2b2d8bc29e60c0b45f37
Instruction Fuzzy Hash: 63F0D1B228A3C09FEF034620AC22AA33F355B23281F2949D7E144DE193D0160A478722

Uniqueness

Uniqueness Score: -1.00%

Function 07797E40 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025ea621aaa07ce41351e4df86052e66e4b45604dd00c64300fddf88aed95bf9
Instruction ID: 99513a5b8a54dac125315f0c32e2bfb5f4ab7354e2d93d843695513cda975d9e
Opcode Fuzzy Hash: 025ea621aaa07ce41351e4df86052e66e4b45604dd00c64300fddf88aed95bf9
Instruction Fuzzy Hash: E001CCB0D0020EAFCB45EFE8D99069EBBB1FF84340F1086AAC515AB354EB305A05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0779433C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8787c38765a320a6eb7ed33456d86cbedf91c10a3cd6b822bfc7de3a0b100503
Instruction ID: c92c6d6b2bf846eb6fa8cc6ae7b8366403d5257345691f2b4143bbc46605710b
Opcode Fuzzy Hash: 8787c38765a320a6eb7ed33456d86cbedf91c10a3cd6b822bfc7de3a0b100503
Instruction Fuzzy Hash: 30F0B4B0B00216AB8F44EB7A4C5847FB9F7EFC9280B858939D806D7355EE309D054766

Uniqueness

Uniqueness Score: -1.00%

Function 07799498 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740e2de0d91448172697d0c551dde7c79afde498445d88cceeb408865375ebdd
Instruction ID: 77890b46cf84047110cb0f726bfed620de64a24deef2405498491d81732268d3
Opcode Fuzzy Hash: 740e2de0d91448172697d0c551dde7c79afde498445d88cceeb408865375ebdd
Instruction Fuzzy Hash: F3E0D8F07D032C6FFB1525856815B73318D97C9B90F000829E7059E2D4DDD3A8804B51

Uniqueness

Uniqueness Score: -1.00%

Function 077982D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c815033e59feabea1de826626d90f3f91952e4a3b4a9484333446be287e22d
Instruction ID: dae9982d61852679c3f440dd66bb423616fdf050ad85485c9e9a93844679e604
Opcode Fuzzy Hash: c0c815033e59feabea1de826626d90f3f91952e4a3b4a9484333446be287e22d
Instruction Fuzzy Hash: 71E0863131061457CB49F729E9548AEBB9FDFC57A1B148036E91987324CE749D4287D4

Uniqueness

Uniqueness Score: -1.00%

Function 077941A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614668608971350a30fa4b7a68e61f8370135a0b4160ef673febfed4fc24bf73
Instruction ID: c592a21c43669d1d226388eb5025b29720b59d594e4776e6cee092ce3ad7a87a
Opcode Fuzzy Hash: 614668608971350a30fa4b7a68e61f8370135a0b4160ef673febfed4fc24bf73
Instruction Fuzzy Hash: AFE0C2F47D030CEFEF14A654AC1AB23369EA7A1B81F300A25F3064E2C4D99289024A1A

Uniqueness

Uniqueness Score: -1.00%

Function 0768AF28 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabfb236a9b73451041b2933bd1af75677ea6b944197788cdd3e64498468f7ac
Instruction ID: af1523559fa313282567bb301818737859168caf59b6f575ffcfa69b1b6f9739
Opcode Fuzzy Hash: dabfb236a9b73451041b2933bd1af75677ea6b944197788cdd3e64498468f7ac
Instruction Fuzzy Hash: B3D09E323104149B8614965EE404C9A77EDDBCAA21311406AF209C7321DE619C0287A4

Uniqueness

Uniqueness Score: -1.00%

Function 0779C550 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d097c2aa2335429a5a437b4e672a22e1ba4df8f3ad1aa6e284d5732ce03f47c8
Instruction ID: e3652ee077f6d843c21e04dcf74bd677e5ad1427b54cca0ce46762745eb22a21
Opcode Fuzzy Hash: d097c2aa2335429a5a437b4e672a22e1ba4df8f3ad1aa6e284d5732ce03f47c8
Instruction Fuzzy Hash: F4D0A7F064B208F7DF01DBB4F50ABB977AC9703381F2054A4D40A231518B751B50D576

Uniqueness

Uniqueness Score: -1.00%

Function 0768D5B0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb27a109804d62dc3564ef05261444706d35ade658a923303d4e1bb8850574f
Instruction ID: a5792bd8ea49ccf013012378d8c7ae454a3c22802762e85dca5e7cda7d20f1ca
Opcode Fuzzy Hash: 6bb27a109804d62dc3564ef05261444706d35ade658a923303d4e1bb8850574f
Instruction Fuzzy Hash: 7CD0A930208FA043C319A2BEA4147DBBACA4F9A214F0484AFD18E83340CFA5288502EA

Uniqueness

Uniqueness Score: -1.00%

Function 077967D8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357665e77fdeeb8433102a1003489c1a4b8bdc9d4b10378438ca283334476b3e
Instruction ID: 27c16174f9c4bc4f34d0d991f1df07a36864da8342d8eb953d65a382b0c81aad
Opcode Fuzzy Hash: 357665e77fdeeb8433102a1003489c1a4b8bdc9d4b10378438ca283334476b3e
Instruction Fuzzy Hash: E3C08C32B04E25138A1CF6AA680009EB2CE9FC88A0B05C07AD00E93200DF51184602CE

Uniqueness

Uniqueness Score: -1.00%

Function 0768B1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ca291cafc6b640a43ec226c270af0aeb6e9629e327bea19eead7d048aa4802
Instruction ID: 98ccc6108d3e853080a5d5466f9017714d965ae6ad3e3b2b84978bcf2e8a3091
Opcode Fuzzy Hash: 45ca291cafc6b640a43ec226c270af0aeb6e9629e327bea19eead7d048aa4802
Instruction Fuzzy Hash: 30C08C32705A2803861CFAAA58000DEB2CE8FC9420B08C16FD10E83200EF61180602CE

Uniqueness

Uniqueness Score: -1.00%

Function 0768E8B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3521308546d6b172f44c42dd8c9e46cd386ac9c6835766694ff670f73b6832
Instruction ID: 286dcce05e8da38dda8e096dcd171289cd4ce2a15a3f6e50d636c65f60c73e2c
Opcode Fuzzy Hash: 7d3521308546d6b172f44c42dd8c9e46cd386ac9c6835766694ff670f73b6832
Instruction Fuzzy Hash: 3BC08C32704A2403860CF6EE580009EB2DE8FC9420B0482AFD10E83210DF6119020AEE

Uniqueness

Uniqueness Score: -1.00%

Function 07684251 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68bfc139613e5b0608ba5edd3f1520aa9b1b0e756f4d70eac1a4d3fd8d49e0d
Instruction ID: bd652e11f4c0ab9375f24be5955a5095dfadabef543010abc57d0bdba734729b
Opcode Fuzzy Hash: a68bfc139613e5b0608ba5edd3f1520aa9b1b0e756f4d70eac1a4d3fd8d49e0d
Instruction Fuzzy Hash: D4D067745245808FD745DB18C499A957B71FF0A704F0441AAE9869F367C775AC11DB01

Uniqueness

Uniqueness Score: -1.00%

Function 0779989C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533ad252743252ed80dd2b3567cfff30072e2218b356f58cb691eba538d67f48
Instruction ID: 0c0917fab74f4f1f62b1f4cac4d6279051ba88de817d9e11ee03f68ab2227e1d
Opcode Fuzzy Hash: 533ad252743252ed80dd2b3567cfff30072e2218b356f58cb691eba538d67f48
Instruction Fuzzy Hash: 7FB012A61F5100F26C01A3784A9493AE4B4EBB6740F40DC2933064021884A1C878D21F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 092DC280 Relevance: 12.2, Strings: 9, Instructions: 982COMMON

Download Yara Rule

Strings

Hbq, xrefs: 092DCB73
(bq, xrefs: 092DC44D
Hbq, xrefs: 092DC751
z., xrefs: 092DC868
Hbq, xrefs: 092DCB14
Hbq, xrefs: 092DC6F2
PH^q, xrefs: 092DC421
Hbq, xrefs: 092DCD32
Hbq, xrefs: 092DC910

Memory Dump Source

Source File: 00000000.00000002.1702097796.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d0000_rNNA.jbxd

Similarity

API ID:
String ID: (bq$Hbq$Hbq$Hbq$Hbq$Hbq$Hbq$PH^q$z.
API String ID: 0-2491262815
Opcode ID: 9a26685e8090ca7b6ca496f24f552139a95ca1ca7e4c520ee9802275f9be328b
Instruction ID: 25bf386d5c87ab391b474c867be7904a61328702a5b5dbadc5f4faf5fbcbd274
Opcode Fuzzy Hash: 9a26685e8090ca7b6ca496f24f552139a95ca1ca7e4c520ee9802275f9be328b
Instruction Fuzzy Hash: 46729C30B502058FCB58EF78C95466E7BAABFC9350B648569E44ADB3A4CF34DC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0947AE30 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0947B01B
PH^q, xrefs: 0947B0F3

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 50bcff01646029e3b7355ef806aa89bffce9703947fd4d4e826b2f90da927386
Instruction ID: 654af25838aba49ec29ad499a4e9be09119f74d7c1267d3b58ffb944d69213ce
Opcode Fuzzy Hash: 50bcff01646029e3b7355ef806aa89bffce9703947fd4d4e826b2f90da927386
Instruction Fuzzy Hash: 65D1BF34A006088FDB18DF69D598AE9B7F1FF8D305F2580A9E419AB361DB31AD44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 092D6168 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702097796.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99637bc9032bb3fd4047a8a38159859ebb2b040f008e8269d4a38d1fb4e6c3eb
Instruction ID: a1bd6d1045e6e11ca65bde82019c68cdfa940cfe2193184bbb31ef88c5512489
Opcode Fuzzy Hash: 99637bc9032bb3fd4047a8a38159859ebb2b040f008e8269d4a38d1fb4e6c3eb
Instruction Fuzzy Hash: 2BA18F70B402559FDB58ABBC846436F6AEBBFC8350F548529D04AEB398CE389C4387D5

Uniqueness

Uniqueness Score: -1.00%

Function 09477358 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7aecabfb7e4b5e28413ea313326642b17da2b44a9e28545ad5826016c33fdf
Instruction ID: fda872b0d8aaddfc8cdd2c282e616b8577856536a32d8af8d3d1626f365ed88f
Opcode Fuzzy Hash: 9c7aecabfb7e4b5e28413ea313326642b17da2b44a9e28545ad5826016c33fdf
Instruction Fuzzy Hash: 95E1FB74E002199FCB14DFA9C5909AEFBF2FF89304F24816AE415AB359D731A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 094752E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7551240289fc11988455c721b2d8f1a54acf20bab02c2969a52b33904d579f
Instruction ID: aff3db2e155e6088f14f71b04dc786caa080426d3330b0cf9cf3259afc91c0db
Opcode Fuzzy Hash: 2a7551240289fc11988455c721b2d8f1a54acf20bab02c2969a52b33904d579f
Instruction Fuzzy Hash: 5AE1FC74E042198FCB14DFA9C5909AEFBB2FF89304F24815AE419AB359D731AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 09476F20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e1b8b0a8942f5aefb7c882e50e87ca69519076bb1abc79526f9a7c71469cc7
Instruction ID: 8c650eee0efed8cf1937565059866bf5bfd65d4a8bd85df5cb37658bcec55696
Opcode Fuzzy Hash: 45e1b8b0a8942f5aefb7c882e50e87ca69519076bb1abc79526f9a7c71469cc7
Instruction Fuzzy Hash: C7E10C74E002198FCB14DFA9C5909AEFBF2FF89304F24816AE415AB35AD731A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09475720 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4903b0095a180a93818187f81e727e1168f24a6d84f3f060bd3fa9a0bba030a6
Instruction ID: fb6169dae8c37cef98b334b46d60ca55c65db3fb731b5313500247b40e34786d
Opcode Fuzzy Hash: 4903b0095a180a93818187f81e727e1168f24a6d84f3f060bd3fa9a0bba030a6
Instruction Fuzzy Hash: C0E1FD74E002198FDB14DF99C5909AEFBB2FF89304F24826AE415AB359D731AD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09474EB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a7f9fd020341e5cf175ae5a408198506f825b1f4a6bfb00fdff0da5cfefe88
Instruction ID: 2e15ab1be385c8785b7aa7ca3bb9dc679718c34ec872718eef9752611f8cbdfe
Opcode Fuzzy Hash: d4a7f9fd020341e5cf175ae5a408198506f825b1f4a6bfb00fdff0da5cfefe88
Instruction Fuzzy Hash: 0AE1FD74E002598FCB14DFA9C5909AEFBF2FF49304F24826AE415AB35AD731A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 076649B0 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699858056.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7660000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab758e25d55140fedd957ee1902c8dbd5341b1d9a3e4ce6b13ad09ef109c320
Instruction ID: 01abc25cdc20a07c589b514b6b02f9bbbe89a9466c86eb19434baa63ad404312
Opcode Fuzzy Hash: bab758e25d55140fedd957ee1902c8dbd5341b1d9a3e4ce6b13ad09ef109c320
Instruction Fuzzy Hash: D7E1373191071A8ACB01EBA4D964ADDF7B1FFD5300F50879AD50A3B225EB706AC9CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07664988 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699858056.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7660000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cf1eacb0b2fe93fdb1d8d1444513de3e2672c0fb7fe122ac7b32c019cb5640
Instruction ID: 74c19924911eb2d9d4b45d4e158d243b0fd63fa23536746ea612f4de26e1b289
Opcode Fuzzy Hash: 11cf1eacb0b2fe93fdb1d8d1444513de3e2672c0fb7fe122ac7b32c019cb5640
Instruction Fuzzy Hash: A3D1493091071A8ECB01EB64D9A4A9DF7B1FFD5300F50879AD50A3B225EB706AC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 076649C0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699858056.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7660000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060e75d46397ace7c298ae00f3bb001c4a7f4bc2fa64b173816a238e00d6a899
Instruction ID: bacf8dbc9ccfd7983b21c740c7e3211791bf48cffdd86e22147bccca92d7c8f3
Opcode Fuzzy Hash: 060e75d46397ace7c298ae00f3bb001c4a7f4bc2fa64b173816a238e00d6a899
Instruction Fuzzy Hash: 71D1083191071A8ACB01EBA4D9A4A9DF3B1FFD5300F50979AD50A3B225EB706AC9CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0947570F Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0263832ad3c9979623683f2cce11bf091876d9b018f2f4bc28905fc529ef6437
Instruction ID: e3e9dbfa81de7a5ce00992a8657133da201bef5d2e2949e1189c9b9e45929cc8
Opcode Fuzzy Hash: 0263832ad3c9979623683f2cce11bf091876d9b018f2f4bc28905fc529ef6437
Instruction Fuzzy Hash: E0510A74E002198FDB14DFA9C5905AEFBF2BF89304F24C16AE419AB356D7319942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09477348 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702392711.0000000009470000.00000040.00000800.00020000.00000000.sdmp, Offset: 09470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9470000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f141f568be2e7b58450e69fdc057282e42d2414a4eac95ab23748d2eaca08974
Instruction ID: 2871e52278810d2dc0e32b3562241b60bb6841fe2d4e7dacbf89794f578016b9
Opcode Fuzzy Hash: f141f568be2e7b58450e69fdc057282e42d2414a4eac95ab23748d2eaca08974
Instruction Fuzzy Hash: 8C510974E002198BCB14DFA9C5905AEFBF2FF89304F24C16AE418AB356D7319942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0768E5E8 Relevance: 16.4, Strings: 13, Instructions: 118COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0768E79F
4'^q, xrefs: 0768E713
4'^q, xrefs: 0768E5FB
4'^q, xrefs: 0768E6AA
4'^q, xrefs: 0768E759
4'^q, xrefs: 0768E61E
4'^q, xrefs: 0768E687
4'^q, xrefs: 0768E6CD
4'^q, xrefs: 0768E641
4'^q, xrefs: 0768E736
4'^q, xrefs: 0768E664
4'^q, xrefs: 0768E6F0
4'^q, xrefs: 0768E77C

Memory Dump Source

Source File: 00000000.00000002.1700142878.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7680000_rNNA.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-284850411
Opcode ID: f80ab34f1faec1fdeaaae90f8348b4088b45b27099b37461486bbe17d22488fb
Instruction ID: d50138a7abe3475808179e52a294e91f787858db4e72b3db289d617be67b0e2d
Opcode Fuzzy Hash: f80ab34f1faec1fdeaaae90f8348b4088b45b27099b37461486bbe17d22488fb
Instruction Fuzzy Hash: F651A931A4020F9FCF49EFA5E9609DDF7B2FF84704B108569D1496B278DF30698A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0779E250 Relevance: 6.3, Strings: 5, Instructions: 73COMMON

Download Yara Rule

Strings

"), xrefs: 0779E300
"), xrefs: 0779E30C
8bq, xrefs: 0779E2AD
8bq, xrefs: 0779E2E3
"), xrefs: 0779E31C

Memory Dump Source

Source File: 00000000.00000002.1700463541.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7790000_rNNA.jbxd

Similarity

API ID:
String ID: 8bq$8bq$")$")$")
API String ID: 0-4068889066
Opcode ID: 233ab43b70b6b031716f68f9c2e92f0c94f527f5db6d4221b5c09b83774fdbd9
Instruction ID: 6bfd599b9ee18f5b294ef221e29dd8457af5febbe2a8070a7cdda8da790f18ef
Opcode Fuzzy Hash: 233ab43b70b6b031716f68f9c2e92f0c94f527f5db6d4221b5c09b83774fdbd9
Instruction Fuzzy Hash: DB2105B1B11209DFDF54DAA8E804AAE77EAEBC5780F10413ED205E7380DAB18C00C7D6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rNNA.exePID: 7392, Parent PID: 6984COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	4

Executed Functions

Function 014D9BF8 Relevance: 2.8, Instructions: 2751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e47bb3970ecde521c4d6b457d5fb43fd6da011bd41fc838dd5b4031cd08ebdc
Instruction ID: be0c85b6ca08dadd7e43ff6ef00efea7fd48da8016d695ae81b82cc100de9cda
Opcode Fuzzy Hash: 4e47bb3970ecde521c4d6b457d5fb43fd6da011bd41fc838dd5b4031cd08ebdc
Instruction Fuzzy Hash: 8653F631D10B1A8ACB11EF68C894599F7B1FF99300F15D79AE458B7221EB70AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 014D9BF7 Relevance: 2.5, Instructions: 2462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f88f0bbc662deda656f87fe4f9b62ea50aa9e106723ce82684485e3e33f8ffe
Instruction ID: 0e74be3cf5fa0e6d3e04f43a17aeb841fdcdcd5a7152ac7a5f9a533aa9edc9e6
Opcode Fuzzy Hash: 0f88f0bbc662deda656f87fe4f9b62ea50aa9e106723ce82684485e3e33f8ffe
Instruction Fuzzy Hash: 9B43F731D10B1A8ACB11EF68C8945A9F7B1FF99300F15D79AE45877221EB70AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 014DCF48 Relevance: 2.2, Instructions: 2227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8edb448210eb1234ba61e3068bb465cd8895f0da64af12832aa9c06449b16d
Instruction ID: 64bfe11f11636ca800215bfe701793dda7d7fe9269d837ff86c1018a2ed4171d
Opcode Fuzzy Hash: 2f8edb448210eb1234ba61e3068bb465cd8895f0da64af12832aa9c06449b16d
Instruction Fuzzy Hash: 63330D31D107198EDB11EF68C8905AEF7B1FF99300F15C79AE459AB221EB70AAC5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 014D41C8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34628ab5456791fd8e3a50596de30dc71ee36718cfe6ebed246cf1e29d899ae
Instruction ID: 6fb2a5305be112cd5ecbdb7d7705624a9cf48b36100ed3ffb4cb160001d20f8c
Opcode Fuzzy Hash: a34628ab5456791fd8e3a50596de30dc71ee36718cfe6ebed246cf1e29d899ae
Instruction Fuzzy Hash: 1EB13070E002098FDF14CFADC9A57AEBBF2BF88314F18812AD515A7764EB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18c84cc14b7e21383b1ab5a3c19c99e963586095ddf6abbb611faeafd2fd1d2
Instruction ID: 25d467e642f3b700b383ee7ef1621261b3ed34d89e44805a9398d7b5a5d23e0b
Opcode Fuzzy Hash: d18c84cc14b7e21383b1ab5a3c19c99e963586095ddf6abbb611faeafd2fd1d2
Instruction Fuzzy Hash: C4B15270E002098FDF10CFA9D9957EEBBF2AF88714F18812AD455E7764EB749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014D3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e9fe78a8097a4a2d7ca393d9806eff3c4a71800f3ba552eb92c41322beb55d
Instruction ID: 0b831ebdab97802141b631c226648511339b592144c56c9be023ad4050424103
Opcode Fuzzy Hash: f1e9fe78a8097a4a2d7ca393d9806eff3c4a71800f3ba552eb92c41322beb55d
Instruction Fuzzy Hash: DF915EB0E002099FDF10CFA9C9A579EBBF2BF48314F18812AE415E7364EB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066CE337 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,066CE20A), ref: 066CE2F7

Strings

Te^q, xrefs: 066CE44A

Memory Dump Source

Source File: 00000006.00000002.2918946689.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66c0000_rNNA.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: Te^q
API String ID: 1890195054-671973202
Opcode ID: b3c91f5d2cd1ba5fc0d6b7e9979b08974b472ee6ac42c8b14dfc33234b5591f4
Instruction ID: 0dfe41efd70249acdc9736803148d0449800601ed1e54b4f42f479c6fff3b10f
Opcode Fuzzy Hash: b3c91f5d2cd1ba5fc0d6b7e9979b08974b472ee6ac42c8b14dfc33234b5591f4
Instruction Fuzzy Hash: D251AE71E106548FDF64DFA9C4847ADBBB2EF89320F24852AE408EB351C739AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D6ED7 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 014D6F93
LR^q, xrefs: 014D6F0E

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: fc7f13503308fb62040f5a4ea77e060e934536dcec2c48928defce34b98e03f8
Instruction ID: b4698ef44e0328e038d2f6d066a5b2340baac5adbd874b68e7910015631eab74
Opcode Fuzzy Hash: fc7f13503308fb62040f5a4ea77e060e934536dcec2c48928defce34b98e03f8
Instruction Fuzzy Hash: 8451BF70A002059FDF1ADF78C4647AEB7B2FF85304F20856AE405EB3A1EB719846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066CE257 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,066CE20A), ref: 066CE2F7

Memory Dump Source

Source File: 00000006.00000002.2918946689.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66c0000_rNNA.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2393384b49424eb6f2f0d4b85860b6af03db79f02b138cc4b7014916fb97d7f1
Instruction ID: 99bd218b76b25206700e1d8ab8c5905455560a659082bf5ca2f077327f173bcf
Opcode Fuzzy Hash: 2393384b49424eb6f2f0d4b85860b6af03db79f02b138cc4b7014916fb97d7f1
Instruction Fuzzy Hash: 4E2178B5C0069A9FCB10CFA9D5447EEBBB0EF48320F10856AD458A7311D3389941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066CCE5C Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,066CE20A), ref: 066CE2F7

Memory Dump Source

Source File: 00000006.00000002.2918946689.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66c0000_rNNA.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 006bbdc318d7dbe0b47ddd2d91aa0f9ae9d82179d9d288ac6bbdcf2afbc442c6
Instruction ID: 5608f7d0a6a562aa95b831189dcee5a9c1a27846729ac61d84edeba613437a26
Opcode Fuzzy Hash: 006bbdc318d7dbe0b47ddd2d91aa0f9ae9d82179d9d288ac6bbdcf2afbc442c6
Instruction Fuzzy Hash: 5E1114B1C0066A9BCB10DF9AC544BEEFBF4EB48320F10816AD918B7250D379A954CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 014DF3D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 014DF50B

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 3b82d94c0070ea234a35dee3e68b706005144f7cddb81bb350160c23c002b61e
Instruction ID: 2591d83c66e63f0efe5001c9346e6dbb2469a1075dbcc05077aec9b3eba7b7a2
Opcode Fuzzy Hash: 3b82d94c0070ea234a35dee3e68b706005144f7cddb81bb350160c23c002b61e
Instruction Fuzzy Hash: E331F0307002058FDF269B78D5646AF7BE6EF85200F24457AD006DB3A5EE35DC4ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014DF3CF Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

PH^q, xrefs: 014DF50B

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 6269bfbe104e9315ef9ba688c97e71b3ec332fc9c6770a4168fa4615900ed0e3
Instruction ID: bf18d0460e30fe8eea67f5c2efffeca232aab6fdf3c72873eb7818ad6e522d4e
Opcode Fuzzy Hash: 6269bfbe104e9315ef9ba688c97e71b3ec332fc9c6770a4168fa4615900ed0e3
Instruction Fuzzy Hash: 4931DE71B002018FDF269B78D5646AF7BE6EF84200F24457AD006DB3A5EE35DC4ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014D6F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR^q, xrefs: 014D6F93

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 0d08645702f92f9cbb6d5e1260a5c123f61e384b0b025e82b58d0dc112372bd9
Instruction ID: d88ec648de92de3b24ef4125d3e3d1ffda2397221abb8c8d02595849075efcf4
Opcode Fuzzy Hash: 0d08645702f92f9cbb6d5e1260a5c123f61e384b0b025e82b58d0dc112372bd9
Instruction Fuzzy Hash: 88319074E102098BDF16CFA9C46079EB7B5FF85305F10856AE905EB390EB719946CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014D6BA0 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

LR^q, xrefs: 014D6BD7

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: aade49114dfc33539b728cb725e9a67747c797ad3e9cecc70fad457c63136578
Instruction ID: 27ed871a03d79ef5c241e9ad0671d03ffec2ba5f2dd4f4c210b85ec37b1c0b6f
Opcode Fuzzy Hash: aade49114dfc33539b728cb725e9a67747c797ad3e9cecc70fad457c63136578
Instruction Fuzzy Hash: 2711C6306093805FC716EB79842059E7FB6EF8B714B1588AFD089CB3A6DA355845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014D7908 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f28899de4b3363fb2cc5f8cbad61eb8d3497150f512fd24a70f7cfd8aef911
Instruction ID: 8211e6791552674a2766f9fea3b152a3d005407fa883680fd1bdd5b4ee9eff93
Opcode Fuzzy Hash: c7f28899de4b3363fb2cc5f8cbad61eb8d3497150f512fd24a70f7cfd8aef911
Instruction Fuzzy Hash: B6128FB03002029FCF2A9B3CE55426D77A2FB89705B24497AD105CB369CF76DC8B9B91

Uniqueness

Uniqueness Score: -1.00%

Function 014D41BC Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae84ec710c2f07635674d1e296c6b1ebe7b95efbe1d2282b33dd4fe3c6ac03ae
Instruction ID: 3611f5c3f8765d688cfd5b552f6c61a6894296375f7ec8a83efa524d8c5e62a3
Opcode Fuzzy Hash: ae84ec710c2f07635674d1e296c6b1ebe7b95efbe1d2282b33dd4fe3c6ac03ae
Instruction Fuzzy Hash: B0B13F70E00209CFDF10CFADC99579EBBF1AF48314F18812AD555A7764EB749885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D9378 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf0251ae0d9b9beb869be634d81e01ea1d263663cb78e0145382355e2e07c79
Instruction ID: b33dec5e9084435a02c3e7a857e58793467eae4c531585377842242a39e058e6
Opcode Fuzzy Hash: 7bf0251ae0d9b9beb869be634d81e01ea1d263663cb78e0145382355e2e07c79
Instruction Fuzzy Hash: 6EA14E35A00204DFCF15DFA8D994AADBBB6EF88314F14856AE806D7365DB31EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D4A8C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac23d80d4890cd11e9e8113715aabd92e20ea06a8cda966bedbb50bb0cba776
Instruction ID: ad7e30e768762a384f8fca960b47d7af58f6b0a23f19015d54feb315fb79ca0e
Opcode Fuzzy Hash: 5ac23d80d4890cd11e9e8113715aabd92e20ea06a8cda966bedbb50bb0cba776
Instruction Fuzzy Hash: 17B14F70E002098FDF10CFA8D9957DEBBF1AF48714F28812AD459E7764EB749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D3E74 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845c152e593b23f90f1cbb6280b52425a5d0efa5cc45d4d875a42e60f69c9cd1
Instruction ID: 84b12ffc211ff3dc1e9bca110687a0585baeb67a99d572c12ac6d1f9cb5209c4
Opcode Fuzzy Hash: 845c152e593b23f90f1cbb6280b52425a5d0efa5cc45d4d875a42e60f69c9cd1
Instruction Fuzzy Hash: 74A14BB0E00209DFDF10CFA9D9A579EBBF1BF48314F18812AE459A7364DB349846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D9364 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91881b2685b0d315d5125a6098c3657660ee55a75e4069c6020f045a4e26ddfb
Instruction ID: dee41e385324b2118dc66b1989fb2b3f85646f23a815dfabf6896db9bf5ffb99
Opcode Fuzzy Hash: 91881b2685b0d315d5125a6098c3657660ee55a75e4069c6020f045a4e26ddfb
Instruction Fuzzy Hash: 64915F35A00204DFCF15DF68D994AADBBB6EF88314F14856AE906E7365DB31EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014D9898 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e10184475ea7288c924ed5d7408ec1a32e357cc8bfa8c24f1a854dfa174741
Instruction ID: d1648a71f4a46c5517d9f79c36f10199b259faa3f35206392b59cfa1dc2a8cae
Opcode Fuzzy Hash: a7e10184475ea7288c924ed5d7408ec1a32e357cc8bfa8c24f1a854dfa174741
Instruction Fuzzy Hash: 10716D71A002058FDF04CFA9D994B9ABBF5FF88314F14816AE909EB3A5DB709844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D4804 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2833ef0653f7d1fe4cc58c673bac109c40910c59717298be4242d95daf2a2525
Instruction ID: 9c6bda48bc7def8af828e2a7e62a264d79aa1c5e6e604f6593acaaeaed341063
Opcode Fuzzy Hash: 2833ef0653f7d1fe4cc58c673bac109c40910c59717298be4242d95daf2a2525
Instruction Fuzzy Hash: FB716BB0E00249CFDF10CFA9C99579EBBF1EF48314F18812AE419A7764EB349846CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014D4810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16868649e7793d82b670abfb46b46ecbe25cbc1b341381e311b2ffe319a980b
Instruction ID: 12ab75dfc031cb66eb597d681208ab30a2aec2dc8efd7e71cd40ace55d613e18
Opcode Fuzzy Hash: e16868649e7793d82b670abfb46b46ecbe25cbc1b341381e311b2ffe319a980b
Instruction Fuzzy Hash: 597160B0E00249CFDF10CFA9C99579EBBF2EF48314F18812AE419A7764EB349845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014D96E0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f820d8743166de61b8f6b521ed0c254ed22f0c4b28466963a7f61456da6124a2
Instruction ID: b26b13409de4e4eef6ead7e1686d85682cd6031543889874a588679fde22e2b9
Opcode Fuzzy Hash: f820d8743166de61b8f6b521ed0c254ed22f0c4b28466963a7f61456da6124a2
Instruction Fuzzy Hash: 0741A534B00206CBDF268E6DD4A177FB7A6EB85618F24482BD50AD7392D634DC458792

Uniqueness

Uniqueness Score: -1.00%

Function 014D6CDD Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1727c633efe137497d7aa9e470baa335ffc24863dd7cbe199521febd3624813
Instruction ID: 060afbd25314620b2bf1ce9c97723244ffdf0a2bcb7c993cec1e3c33786b815e
Opcode Fuzzy Hash: c1727c633efe137497d7aa9e470baa335ffc24863dd7cbe199521febd3624813
Instruction Fuzzy Hash: 1F512270D002188FDF18CFA9D894BAEBBB1FF48314F15812AE819AB365C774A841CF91

Uniqueness

Uniqueness Score: -1.00%

Function 014D6CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6787b9c42ff06211537be121324d1d42774ec0e4637b15352a12bd6f2bfa31e5
Instruction ID: 4b6906117222711322508c1161cc999d0761114ddb7ee9dec537d01c9e7f3b3d
Opcode Fuzzy Hash: 6787b9c42ff06211537be121324d1d42774ec0e4637b15352a12bd6f2bfa31e5
Instruction Fuzzy Hash: 92512170D002188FDF18CFA9C894B9EBBB1BF48314F15812AE819AB361DB74A841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014D1128 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27fac09196db47a90070163756bbdcf70d6e105d3cb03090055d0a999f7fab5
Instruction ID: 36ffc08a623305cdd5792b90709b9ae3b113f7ccb7cccabb4be85652419ae5ef
Opcode Fuzzy Hash: c27fac09196db47a90070163756bbdcf70d6e105d3cb03090055d0a999f7fab5
Instruction Fuzzy Hash: 9451EDB4206246CFC725DB7AFA90A597FB1F79630430951A9D0104B33ADB396DCBCB92

Uniqueness

Uniqueness Score: -1.00%

Function 014D1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6623d57d315f427fa54bcb7cd6c22467f33745d5700cff73bf12a9b74c66b9c1
Instruction ID: 1d23ce93c03f347f99037e9bbf72dfdb9e1b67ba2da467ca341a8db699990655
Opcode Fuzzy Hash: 6623d57d315f427fa54bcb7cd6c22467f33745d5700cff73bf12a9b74c66b9c1
Instruction Fuzzy Hash: 9851DBB1201246CFC725DB6EFA90A4C7BB1F79A30434591A9D0144B33ADB396DCBCB92

Uniqueness

Uniqueness Score: -1.00%

Function 014DF290 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab847ab12deb99475124173af4960b04c2aeb789f866a358c8bc319386358c4
Instruction ID: 9ab38dea32708ed4f7b2c45a5d7c789644339b108b5bbe9082ded2c0e8548a58
Opcode Fuzzy Hash: eab847ab12deb99475124173af4960b04c2aeb789f866a358c8bc319386358c4
Instruction Fuzzy Hash: D4314D35E102099BDF19CFA9D85469EB7F2BF89304F15852AE806E7350DF70AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D26DE Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3849778692725855ff4caf9ea16f702c286c10768f68fa4f109623158a5548
Instruction ID: 10b9a6e77480a2ff585a4c443ce6aeca7a6c5fdc7757a956034d90e96f12703b
Opcode Fuzzy Hash: ce3849778692725855ff4caf9ea16f702c286c10768f68fa4f109623158a5548
Instruction Fuzzy Hash: 82410FB4D00249DFDB10CFA9C594ADEBFB5FF48310F24802AE419AB264DB759949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014D26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489be2667809d4ae3f65908af670a86fd19f33d398c5a9ca120d8e414c66f179
Instruction ID: a7e97c244d91ab344a162d0b1db1b32473f156c3a95c9ab606d65211e870fe7d
Opcode Fuzzy Hash: 489be2667809d4ae3f65908af670a86fd19f33d398c5a9ca120d8e414c66f179
Instruction Fuzzy Hash: 7541EDB0D0024D9FDB10DFA9C594ADEBFB5FF48310F24802AE809AB264DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D50A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba2fb93822d66fc63744c7bfe0f5fb5bfb2b0cf7dd2b8357fbfc21b7e4bb018
Instruction ID: 9ecff004fda05b423fb80831ced89700aac07bf4dd6b3b5914ccec37fb0aeeaf
Opcode Fuzzy Hash: 2ba2fb93822d66fc63744c7bfe0f5fb5bfb2b0cf7dd2b8357fbfc21b7e4bb018
Instruction Fuzzy Hash: 03314074B002158FDF15EB79C6646AE77B2AF49644F2004AAD801AB3B5DF36DC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014DF28F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be0bc6c4190e79499f4842be1f500a4673b426dcade7a385930dc28c9a6fdc1
Instruction ID: 7744d5ed261f03ba9a126cbd191b8bccf5468ec0d507ffc94978c975d5230587
Opcode Fuzzy Hash: 3be0bc6c4190e79499f4842be1f500a4673b426dcade7a385930dc28c9a6fdc1
Instruction Fuzzy Hash: 34318075E002059BDF19CFA9D85469EB7F2BF89300F15851AE806E7350DF70AC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D5097 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6191cf63326b7974f51c1b5f5ea04e612247f91d886ab8ea46f578e6522a3f0
Instruction ID: aeca3d67373df92bc4027074578f8312a52bc13470d06d074f3895404b5ae67d
Opcode Fuzzy Hash: d6191cf63326b7974f51c1b5f5ea04e612247f91d886ab8ea46f578e6522a3f0
Instruction Fuzzy Hash: A4314F74B00215CFDF15EB79C6646AE77B2EF48244B2005AAD401AB3A5DF3ADC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D1488 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3296d7825f0be8b02f8b0b74b7c0addc74bd9ab776911a223722630f9ead2c
Instruction ID: 30af6eba1a40fb415cdbc2838b3deaddd37669114e7aa64cb4b26c3a5303f689
Opcode Fuzzy Hash: ad3296d7825f0be8b02f8b0b74b7c0addc74bd9ab776911a223722630f9ead2c
Instruction Fuzzy Hash: 5F219171A002118FDF229FBC94742AE7BE1EB55615F1404BBE805D7365D635C9818B91

Uniqueness

Uniqueness Score: -1.00%

Function 014D1382 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16ee76b75cfd2c78fd64925a94bff9580550a01901eb466fa9a932605a4b026
Instruction ID: e666a6e591d9e6dec84c66aa1918c1000955a54c7e16e456adec60f71b14de1a
Opcode Fuzzy Hash: f16ee76b75cfd2c78fd64925a94bff9580550a01901eb466fa9a932605a4b026
Instruction Fuzzy Hash: 0C21A1706052814FEF325B7C94A476E3B61EB43715F18086BE846CB3B6CA3889C9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014D169F Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d5ca8c650f9571dd5acb7ab47d4fb7b50c4443d80cbb9b8c3d49852f14a2a0
Instruction ID: 54c344fb7c9380939407141846651514216d6f6cc00dec994601dff4660824e6
Opcode Fuzzy Hash: a8d5ca8c650f9571dd5acb7ab47d4fb7b50c4443d80cbb9b8c3d49852f14a2a0
Instruction Fuzzy Hash: 0A21A3706001054FDF22DB3CE954B6A7765EB86704F054667E81ACB376E738DC8B8B92

Uniqueness

Uniqueness Score: -1.00%

Function 014D9150 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc29cf617ced0aa6a193f744906f1f52cad04834c1ad13d8e3a6925a0f8d8f69
Instruction ID: ae329ed366034f3c04cc04d611cdf2e9436d05a8788a5b3db6c3ca5228d5a28e
Opcode Fuzzy Hash: bc29cf617ced0aa6a193f744906f1f52cad04834c1ad13d8e3a6925a0f8d8f69
Instruction Fuzzy Hash: E131A571E00205DBDF09CFA8D4545EEF7B2AF85314F148A2EE815E7351DB709846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014D9260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db56d46c0d8f3a3fefb9c7dc99598f95643f6581c76b2d8c611202400648320
Instruction ID: bc7407788e37d606db8c1589706aab5a430b3c8db3ce1dc2ccca41492e447624
Opcode Fuzzy Hash: 7db56d46c0d8f3a3fefb9c7dc99598f95643f6581c76b2d8c611202400648320
Instruction Fuzzy Hash: 9F216271E0020A9BDF05CFA9D49469EFBB2FF89304F14C51AE905EB351DB709846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D925F Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8213d256cc02c17dee3daf8fecce3eff16a12142409f88c175df4aa55cfc341b
Instruction ID: 7af2c7e6705115a7e81251aac1d9ba332938984f2383ba5595939b91e9847c2c
Opcode Fuzzy Hash: 8213d256cc02c17dee3daf8fecce3eff16a12142409f88c175df4aa55cfc341b
Instruction Fuzzy Hash: 93217471E0020A9BDF05CFA9D59469EF7B2FF89304F14C51AE905EB355DB709846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0148D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908433442.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_148d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f0fce9a95e7f3303e38df54c2d5abf685b556cf497760dea620d916d2d07fd
Instruction ID: 5481db8710212dd5b5c25c172d06fe47133ee66f0782175b64fc12ad88997363
Opcode Fuzzy Hash: 50f0fce9a95e7f3303e38df54c2d5abf685b556cf497760dea620d916d2d07fd
Instruction Fuzzy Hash: 7D210AB1904204DFDB15EF58D9C0B1ABB65FB85318F24C56ED9094B3A6C336D447C661

Uniqueness

Uniqueness Score: -1.00%

Function 014D1878 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c0623cdebb6184098f93271492fd7b9252ae3af10bf7d0d41675d9ca4b36ba
Instruction ID: a7035143d81e1018c073cf0771c5fa3d441abbc28110b6cd25f0ec0c8c00a4df
Opcode Fuzzy Hash: 51c0623cdebb6184098f93271492fd7b9252ae3af10bf7d0d41675d9ca4b36ba
Instruction Fuzzy Hash: 2D217C30700245CFEF55EB78C6247AE77F1AF49644F2004AAD806EB3A1DB368D81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014D4F8A Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f628d04aca3d176b16b13e209d7cd69fde7088b04dd0eed20a6e6bc49f912188
Instruction ID: 7d74e16d603e51ad3f767283a28bbf00aea7da564d06cc84748b5e55c0b362e2
Opcode Fuzzy Hash: f628d04aca3d176b16b13e209d7cd69fde7088b04dd0eed20a6e6bc49f912188
Instruction Fuzzy Hash: 98214674700244CFDB55DB78D568AAE7BF1AF49204B2044A9E406EB3B5DB369D01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014D9160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6093f92fa3a534573ec4280dfba8bd958776ec4694f6b24e7cee657c21a19d2
Instruction ID: 3222cea596c39a26e440813614d882cd5e58da53911e1baede098bb33df943b2
Opcode Fuzzy Hash: d6093f92fa3a534573ec4280dfba8bd958776ec4694f6b24e7cee657c21a19d2
Instruction Fuzzy Hash: D0216231E0020ADBDF19CFA9D85469EF7B2AF89314F248A1BE815F7351DB709946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014D1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb1afa973d95c87c3a4a7d7e1c85e5d42d82dc316b5bddcb413d39d1066668d
Instruction ID: 99006e3a4c250e6b5736484af3948cd3ff60a057edc53402bae17a3aba220827
Opcode Fuzzy Hash: 2eb1afa973d95c87c3a4a7d7e1c85e5d42d82dc316b5bddcb413d39d1066668d
Instruction Fuzzy Hash: 0E213B30B002058FDF14EB68C5246AE77F2AF89644F2004AAD805EB365DF36DD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014D16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccdad9b8e463a3d1b175c22ea5ef150db1f5bf7fc5155abbcc935f11b328fd41
Instruction ID: 236b58327570ac14a175253d2561f37f8a38ac59498ef122b46599457e19359f
Opcode Fuzzy Hash: ccdad9b8e463a3d1b175c22ea5ef150db1f5bf7fc5155abbcc935f11b328fd41
Instruction Fuzzy Hash: BC215E306001054FDF22D76DE994B1E7765E786704F144A26D91ACB376EB38ECCA8B92

Uniqueness

Uniqueness Score: -1.00%

Function 014D4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c86b08278d79504d010a67d685a853987064d885ee9aea420be5a525ba5ce98
Instruction ID: 85482cd6ba5f68bc8615f5cc722a4905608b4b9e3bc85c8866e84f9dea6cb771
Opcode Fuzzy Hash: 6c86b08278d79504d010a67d685a853987064d885ee9aea420be5a525ba5ce98
Instruction Fuzzy Hash: D32116B0700204CFDB55DB79D568AAE77F6EB49204B2044A9E406EB3B5DF369D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0148D006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908433442.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_148d000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f125fc7aee546650803025952f395a272c44b9022182eb583d2993aa2df19d0f
Instruction ID: ee1775b4e7049a68a5075fcb43c167f1aefe9d5dbfacd2dd4a2f3326e06f75f2
Opcode Fuzzy Hash: f125fc7aee546650803025952f395a272c44b9022182eb583d2993aa2df19d0f
Instruction Fuzzy Hash: 5C215E7550A3C08FD703DB64C990715BF71AB46214F29C5EBD8898F2A3C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 014D0838 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e77cf8b5f7dd387acd498f6c61676caf159da467389a38dcfdb7d0450b8b82d
Instruction ID: efe958cf8850a93b655b41958e8515858d09ea2e3973eb41e675db89bcfd0620
Opcode Fuzzy Hash: 3e77cf8b5f7dd387acd498f6c61676caf159da467389a38dcfdb7d0450b8b82d
Instruction Fuzzy Hash: 4C119130A003044FEF225A7894253BF77A1EB82214F24497BF412DB372DA75CD869BD1

Uniqueness

Uniqueness Score: -1.00%

Function 014D0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c564cc62b6df6176aab0b151504755a87bbdedc663c1962af11138511b3dc077
Instruction ID: 4fe86f2886380c4d2bbe516661b8fc11d07a36da37ffcbdb449eee044fad4b36
Opcode Fuzzy Hash: c564cc62b6df6176aab0b151504755a87bbdedc663c1962af11138511b3dc077
Instruction Fuzzy Hash: 18118C30B002088FDF669A7DD46536E76A1EB85314F20493BF006DB372DA75DC868BD1

Uniqueness

Uniqueness Score: -1.00%

Function 014D17C2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b68f7dc09e43b92be458267bdeb7210a76848fb1e1813ab0ea7a2d8bc7e12d
Instruction ID: f4c3ed4d9660f1dc58476fff7fd9f07afea10cd4724da519852ef5ea46a51f28
Opcode Fuzzy Hash: 67b68f7dc09e43b92be458267bdeb7210a76848fb1e1813ab0ea7a2d8bc7e12d
Instruction Fuzzy Hash: 88110276B002469FCF519F79984865EBBE1EF49A54B10486AE909D3350EA35C9428B82

Uniqueness

Uniqueness Score: -1.00%

Function 014D1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7d0c5e32cfc114cc75d184b4aa605e5c72b68fb3cd4b682e5223636742e2c3
Instruction ID: d0acc1027c2a26f1bc52e7e5c93fb10bb61aee00e44dfd345aa0259d9de703e6
Opcode Fuzzy Hash: ec7d0c5e32cfc114cc75d184b4aa605e5c72b68fb3cd4b682e5223636742e2c3
Instruction Fuzzy Hash: 46018031A002158FCF21EFB988701AEBBF5EF58610F2404BFE805E7315E635D8418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 014D9897 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69de9f980577bf1344a8981088959aa1cf712db475ca78438b404943c6c4e477
Instruction ID: 5ede10800ba448197a758815cdadb721a4982ce691cb99ccb27576b1cd52da4f
Opcode Fuzzy Hash: 69de9f980577bf1344a8981088959aa1cf712db475ca78438b404943c6c4e477
Instruction Fuzzy Hash: 24019235A001058FDB04DFA9DA8478ABBA2FF94310F548565C9486F3A9D770D945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D80F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44043aa10b8d5fbbf6cb8ace01687df5edb518ad66b33825f35cb919fe153fec
Instruction ID: e4ea5a1a40e44762b3cb3e4d6e27b30eda83ba2d4bc1027a445a202d908d353d
Opcode Fuzzy Hash: 44043aa10b8d5fbbf6cb8ace01687df5edb518ad66b33825f35cb919fe153fec
Instruction Fuzzy Hash: 58014F7090124DEFCB05EFB9E9509DCBBB5EB80304F5085B9C4049B265EB356E8A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 014D1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56c05af8f7f934c9550af3c4f7e3ccbf91e8c77fc902fe6c81ad06c2494de77
Instruction ID: ef451d9b4fa15130f4c74745f7f4c3772e2d4997de6de46759d5a326e7ddd619
Opcode Fuzzy Hash: d56c05af8f7f934c9550af3c4f7e3ccbf91e8c77fc902fe6c81ad06c2494de77
Instruction Fuzzy Hash: 9FF02B37A04110CFDF228BA894B01ACBFA1EE75511B5C00EBDC06DB335D235D542C751

Uniqueness

Uniqueness Score: -1.00%

Function 014D7090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900c5b856f7242d74cfed188d6c8afcb2056492308f4c9876959021be75dcf28
Instruction ID: e6772a295b5f68a39da91d3e857fe8de9f7d97a4e6bba9c18fdaef52573da77c
Opcode Fuzzy Hash: 900c5b856f7242d74cfed188d6c8afcb2056492308f4c9876959021be75dcf28
Instruction Fuzzy Hash: 74F0C439B00208CFC714DB74D598A6D77B2EF89716F1440A9E5069B3A4CB35AD42CF41

Uniqueness

Uniqueness Score: -1.00%

Function 014D8100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2908902271.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14d0000_rNNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6987efa27015e9bea94881549d0c6ca1f28439d87495f4a1c7ce8de85c107e54
Instruction ID: c26e58dc8da4b9f37a1519bbd0f419256035643f94ab8adad95d7f4bea435e8b
Opcode Fuzzy Hash: 6987efa27015e9bea94881549d0c6ca1f28439d87495f4a1c7ce8de85c107e54
Instruction Fuzzy Hash: C9F0447090010DEFCB44EFA9F9409DDBBB5EB80304F504679C4049B265DF317E8A8B91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wZnyuP.exePID: 7444, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	163
Total number of Limit Nodes:	8

Executed Functions

Function 06A04ACD Relevance: 14.0, Strings: 11, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A04B95
$^q, xrefs: 06A04CA1
$^q, xrefs: 06A04D70
XX^q, xrefs: 06A04AF0
XX^q, xrefs: 06A04B00
$^q, xrefs: 06A04CCB
Te^q, xrefs: 06A04B1F
Te^q, xrefs: 06A04B15
fcq, xrefs: 06A04DCB
fcq, xrefs: 06A04DDB
fcq, xrefs: 06A04C77

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID: fcq$ fcq$ fcq$Te^q$Te^q$XX^q$XX^q$$^q$$^q$$^q$$^q
API String ID: 0-4077753186
Opcode ID: cc5ce70bee281e1aa7702801d5c394b9c0da7426217b983a600699eaff971b77
Instruction ID: 319f201aeb512821e98a71e92d2c22521b9567ddaf64e7d265643a3e677bef46
Opcode Fuzzy Hash: cc5ce70bee281e1aa7702801d5c394b9c0da7426217b983a600699eaff971b77
Instruction Fuzzy Hash: 2CA13B30E04218DFFB98EB94E544AADB7F2FB49301F258466D612AF2D5C730AC55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A04AE6 Relevance: 12.8, Strings: 10, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XX^q, xrefs: 06A04AB8
$^q, xrefs: 06A04B95
$^q, xrefs: 06A04CA1
$^q, xrefs: 06A04D70
XX^q, xrefs: 06A04AF0
$^q, xrefs: 06A04CCB
Te^q, xrefs: 06A04B15
XX^q, xrefs: 06A04A73
fcq, xrefs: 06A04DCB
fcq, xrefs: 06A04C77

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID: fcq$ fcq$Te^q$XX^q$XX^q$XX^q$$^q$$^q$$^q$$^q
API String ID: 0-3245395079
Opcode ID: b3c5841c526224f1a54c699408fdaa5b87d6b63898796e9c09bb1bd8b6900a8f
Instruction ID: 291817dbd0b01261e3e68880f5927dabc71a079fb731d94a489c7132e9fcac11
Opcode Fuzzy Hash: b3c5841c526224f1a54c699408fdaa5b87d6b63898796e9c09bb1bd8b6900a8f
Instruction Fuzzy Hash: 2DA15731E04208DFFB99EB94E448AACB7F2FB49301F258466D612AF2D5C7309C95CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00CBDBF8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CBDC76
GetCurrentThread.KERNEL32 ref: 00CBDCB3
GetCurrentProcess.KERNEL32 ref: 00CBDCF0
GetCurrentThreadId.KERNEL32 ref: 00CBDD49

Memory Dump Source

Source File: 00000007.00000002.1717777719.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_wZnyuP.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0910713473adebf1ed2f4e8dc1128e9710d1e3f0bbd0dc24d50218b9ad91c9e8
Instruction ID: 5ceb8494bebff95285c2b58f85b1af752d4d5a19b424f9c79bdc94507e98f107
Opcode Fuzzy Hash: 0910713473adebf1ed2f4e8dc1128e9710d1e3f0bbd0dc24d50218b9ad91c9e8
Instruction Fuzzy Hash: 4D5165B09003098FDB14DFAAD548BDEBBF1EF88314F20805AE059A7361D774A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 068F1540 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 068F1553
Hbq, xrefs: 068F1703

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID: Hbq$$^q
API String ID: 0-3942533163
Opcode ID: 8f3f6e649d0b1475e8c081c49a482c5a135dcaf309cbb0aada40b61667604023
Instruction ID: 346aad4b5de49cf4fe92e2b0c7e0fe05f666cb385249ba4a17410b9f606112bf
Opcode Fuzzy Hash: 8f3f6e649d0b1475e8c081c49a482c5a135dcaf309cbb0aada40b61667604023
Instruction Fuzzy Hash: 33519C71A00104CFCB44EF69C444AAEBBE6EFC9310F24C56AE649DB395DA35DC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D98044 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D98286

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7c9fb29b2743e3a2b38c35dec100521680d24c75f9f71d3770f6dc6e486f2a68
Instruction ID: b043816aaf77c27ba57d8ce9bd6bc5f4c78e209ecf74e57dca90cd350968583a
Opcode Fuzzy Hash: 7c9fb29b2743e3a2b38c35dec100521680d24c75f9f71d3770f6dc6e486f2a68
Instruction Fuzzy Hash: 14A16A71D002199FDF60CF68C8417DEBBB2BF46710F0489A9E818A7290DB749985DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D98050 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D98286

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d588f29a9eec0f988022bac61cf88b74bbf9bd233a968e2ef3045ef78c44271b
Instruction ID: 39b7664daa2ef151ea74cb45dd4f6218ccc0160a2ea2dbb1dba69bc456a9dc51
Opcode Fuzzy Hash: d588f29a9eec0f988022bac61cf88b74bbf9bd233a968e2ef3045ef78c44271b
Instruction Fuzzy Hash: 95915A71D002199FDF60CFA8C8417DDBBB2BF46710F0489A9E818B7250DB749985DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB960 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CBBBC6

Memory Dump Source

Source File: 00000007.00000002.1717777719.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_wZnyuP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 77af78b48ca8647aee922fec2fe34d49b9ec63fdeaf17bde593c7337811f8115
Instruction ID: 43f03c1e522ddbefda6714d9180010800b464cd693f424ad89c7b525491e396d
Opcode Fuzzy Hash: 77af78b48ca8647aee922fec2fe34d49b9ec63fdeaf17bde593c7337811f8115
Instruction Fuzzy Hash: 9C814570A00B458FDB24DF6AD45179ABBF1FF88304F10892ED096D7A50DBB5EA49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5E34 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB5EF1

Memory Dump Source

Source File: 00000007.00000002.1717777719.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_wZnyuP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 58d07fc750616e3464aae02ab4067b9f2d1c11215713ffcbab71989b10d6e13d
Instruction ID: 6eb2b831506e8019b85f38e54a01f5cfbb2c2d238f7fdea33848c8b8e6dd69bd
Opcode Fuzzy Hash: 58d07fc750616e3464aae02ab4067b9f2d1c11215713ffcbab71989b10d6e13d
Instruction Fuzzy Hash: 1E41E2B0C00659CEDB24DFA9C8447DDBBF6BF48304F2480AAE408AB255DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CB495C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB5EF1

Memory Dump Source

Source File: 00000007.00000002.1717777719.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_wZnyuP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ba269caede00af95e44ce36e0f0eb14c02015db96775683f254a1301663b9f52
Instruction ID: ff3595fdab7b4feeb4c8c8c9ad035ffefd456d54552350069c6c36be992f60d4
Opcode Fuzzy Hash: ba269caede00af95e44ce36e0f0eb14c02015db96775683f254a1301663b9f52
Instruction Fuzzy Hash: C241E4B0C00659CFDB24DF99C8447DDBBF5BF48304F248059E408AB255D7756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06D97DC2 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D97E58

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7fcf4ab8eabe7a63fe7386a18bce495916fb92fbc6685e973158f759cd8d447c
Instruction ID: d73bceeb1c2d7ea20607444afebdb995a6a0ee724b1048c2549df7ee19546cb8
Opcode Fuzzy Hash: 7fcf4ab8eabe7a63fe7386a18bce495916fb92fbc6685e973158f759cd8d447c
Instruction Fuzzy Hash: 7A2110B19002599FCF10DFA9C885BEEBBF5FF48320F10842AE958A7251D7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06D97DC8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D97E58

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7aee8704f2eedf5bb5550c2d345b287a83731e08a3c1cb8893380b9befbc24f0
Instruction ID: 73867f0d410ccc60e33fdd89f88933172d94dda0f451c13f9cdf3a268e4f42dd
Opcode Fuzzy Hash: 7aee8704f2eedf5bb5550c2d345b287a83731e08a3c1cb8893380b9befbc24f0
Instruction Fuzzy Hash: 912113B19002599FCF10CFA9C885BEEBBF5FF48310F10842AE958A7250D778A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06D97EB0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D97F38

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 140fc896149c5f42fa9c9d098a29c9f0418e4ee4b620c65d55c78d75be8ff6e3
Instruction ID: 71b038f4395df13c502d9e17ec37e98d56cfa17c3c38a89a472c5516639b1793
Opcode Fuzzy Hash: 140fc896149c5f42fa9c9d098a29c9f0418e4ee4b620c65d55c78d75be8ff6e3
Instruction Fuzzy Hash: 282127B1D002599FCB10CFA9C881AEEBBF5FF48314F10842AE558A7251C7359545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06D97C28 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D97CAE

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9da505d7294f008c60789cccd750c6763164688669c27b2bba033567dd782b5c
Instruction ID: 12810d266ab2172a617448c26522f2b9ab01307dfbf84a59f1fd841c8947264f
Opcode Fuzzy Hash: 9da505d7294f008c60789cccd750c6763164688669c27b2bba033567dd782b5c
Instruction Fuzzy Hash: C62148B1D002499FCB50DFAAC4857EEBBF4AF88324F14842ED459A7241C778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06D97EB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D97F38

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 25d2e0ad04fb2efeac2d523bc68024109a676bda9890ab4246d6ea19e7f00e5d
Instruction ID: fe1d4cd12d58c2d592192549b19f646963ffdda8f081b8018e63d4e9b481ff84
Opcode Fuzzy Hash: 25d2e0ad04fb2efeac2d523bc68024109a676bda9890ab4246d6ea19e7f00e5d
Instruction Fuzzy Hash: 9E2128B19002599FCB10DFAAC845AEEFBF5FF48314F10842AE558A7250C7359544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06D97C30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D97CAE

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0a6f1d2e7874f18756ce9fa54eb4db66d2fcaa1feb4b6105ec2a9417ebf898eb
Instruction ID: 34490ab59953a029b2d17ca5ef2acfafad95e309193a069889ec010a61c6e333
Opcode Fuzzy Hash: 0a6f1d2e7874f18756ce9fa54eb4db66d2fcaa1feb4b6105ec2a9417ebf898eb
Instruction Fuzzy Hash: C4211A71D002099FDB10DFAAC4857EEBBF4EF48314F148429D559A7240D7789545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBDE40 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBDEC7

Memory Dump Source

Source File: 00000007.00000002.1717777719.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_wZnyuP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc013ce19e5876eca320282efee3d547954ab2ff37c53ffa9c5b0509b1324d4b
Instruction ID: 33c1af7ea08ca6e0c4e5ce4c7daf6cdb425d65a3e3f21ff2b63b2202097d35f2
Opcode Fuzzy Hash: fc013ce19e5876eca320282efee3d547954ab2ff37c53ffa9c5b0509b1324d4b
Instruction Fuzzy Hash: AF21E2B59002589FDB10CFAAD984ADEBBF8FB48320F14841AE918A7350D374A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06D97D02 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D97D76

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ffd08caba04e3ef123ef169604b2c20a218244024dde93a66553200792857b56
Instruction ID: 219a49232ea90084ba722b11b79807dd13bffd6edf88d84959c67d2bfebca89c
Opcode Fuzzy Hash: ffd08caba04e3ef123ef169604b2c20a218244024dde93a66553200792857b56
Instruction Fuzzy Hash: D51159B1900248DFCF20DFA9C845AEEBFF5EF88320F148419E459A7250C7359945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 068FC018 Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

PH^q, xrefs: 068FC275

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 4ae6d828a534a799e4a5631320c89dec1613b1407cb8e16228230358971aa2b6
Instruction ID: b7bfd8acc54e0f9970e167f9df9f9b2b434bbbc7ddb3eb5c9f62ca5673c8e45f
Opcode Fuzzy Hash: 4ae6d828a534a799e4a5631320c89dec1613b1407cb8e16228230358971aa2b6
Instruction Fuzzy Hash: 93B1D031B10219CFDBA8DB68C854AAE77F2FF89310B1541A9D606DB3A1CB35DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB3A0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CBBC41,00000800,00000000,00000000), ref: 00CBBE52

Memory Dump Source

Source File: 00000007.00000002.1717777719.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_wZnyuP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d4af9911fc1cca6bd5f05cb673e7be1322efc4bda3ab79e8fb7139bcf998f23d
Instruction ID: bcf75af7941693fcc4616890b52a69689750b68a21d9f2aa2214b51b15cf65a9
Opcode Fuzzy Hash: d4af9911fc1cca6bd5f05cb673e7be1322efc4bda3ab79e8fb7139bcf998f23d
Instruction Fuzzy Hash: C011F6B69003499FDB10CF9AD444ADEFBF5EF48310F10846EE519A7210C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBDE0 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CBBC41,00000800,00000000,00000000), ref: 00CBBE52

Memory Dump Source

Source File: 00000007.00000002.1717777719.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_wZnyuP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8d726acb81defe27939d506a86c312441e0c4fe7ab45a7740e6e5dcf54f6b1d3
Instruction ID: aef3db64196d703dc395b0a743e45a6671f404141ddfff17787dc421a63decda
Opcode Fuzzy Hash: 8d726acb81defe27939d506a86c312441e0c4fe7ab45a7740e6e5dcf54f6b1d3
Instruction Fuzzy Hash: 821126B6D002498FDB10CF9AD444ADEFBF5AF58310F10842ED559A7210C375A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06D97D08 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D97D76

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 57dd1e0ab7f6de16d19a67d0ab34798a34117852fcb7d683fa21c264936d2460
Instruction ID: 5492c34cb2512541282ddcb0a52b04ae394dd7a50ba9057a691dc599d81d3a65
Opcode Fuzzy Hash: 57dd1e0ab7f6de16d19a67d0ab34798a34117852fcb7d683fa21c264936d2460
Instruction Fuzzy Hash: 111126B1900249DFCB10DFAAC844AEEBFF5EF88320F148419E559A7250C775A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06D97B78 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D97BE2

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 12830c00866584ad45d2cbbd4c9f77802340508552bbace56de94aff1be402de
Instruction ID: 057d119bc48fce4382e39efa83b68a59ae611de7a082ca039a30b164f9846915
Opcode Fuzzy Hash: 12830c00866584ad45d2cbbd4c9f77802340508552bbace56de94aff1be402de
Instruction Fuzzy Hash: 8A1146B19002488FCB20DFAAC4457EEBBF4AF88324F24842AD459A7250C639A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D97B80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D97BE2

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2188bd007759495839d240537f5760725d5d62ba30eebc276377f127238e37a7
Instruction ID: ca38780dff1882be2719b96a186f29e86ae770c5e64edf1a9b61bdac36e36136
Opcode Fuzzy Hash: 2188bd007759495839d240537f5760725d5d62ba30eebc276377f127238e37a7
Instruction Fuzzy Hash: 681136B1D002498FCB20DFAAC4457EEFBF5EF88324F20842AD459A7250CB75A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D9C3E8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D9C44D

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6ae282a0bfbbd785fdd7d4e5189d511a5bce28c418719e7f3468928f352f0e72
Instruction ID: ff691e48c1aac4e649bc0780067d6e73844aa4fd1dd82b8664f10413085c9f80
Opcode Fuzzy Hash: 6ae282a0bfbbd785fdd7d4e5189d511a5bce28c418719e7f3468928f352f0e72
Instruction Fuzzy Hash: C51106B59003489FDB50DF99D985BEEBFF4FB48320F10845AD554A7211C375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D99BA0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D9C44D

Memory Dump Source

Source File: 00000007.00000002.1725963680.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d90000_wZnyuP.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bd5471a9982bb3d25356d0b86cf4564c2a7ce9539930b4492f4378c565d35d30
Instruction ID: e10d196bc06c4d54390e4f0d06d521adbd4ef58d4f0c8c43d1e6eda7f0d91bde
Opcode Fuzzy Hash: bd5471a9982bb3d25356d0b86cf4564c2a7ce9539930b4492f4378c565d35d30
Instruction Fuzzy Hash: 8A1103B5900349DFDB10DF9AD884BEEBBF8EB48320F10845AE958B7210C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBB60 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CBBBC6

Memory Dump Source

Source File: 00000007.00000002.1717777719.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_wZnyuP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1cfe183f312e20e986c06ce031b068bff85b2fafe136774f6049bcc261767b5e
Instruction ID: 13dddf7a3c46bff1f15d5273b7dc11780244d1967304f88273ecd2f551daaf77
Opcode Fuzzy Hash: 1cfe183f312e20e986c06ce031b068bff85b2fafe136774f6049bcc261767b5e
Instruction Fuzzy Hash: 6B1110B5C002498FCB10CF9AD844ADEFBF4AF88320F10842AD428B7610C3B9A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A078F8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

`U1, xrefs: 06A07933

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID: `U1
API String ID: 0-562346777
Opcode ID: 780da1fa96b1a5910b45b929f5a1bfac0affd9795f4b768c21803732f18f7b0b
Instruction ID: 330d53ce369dce3907cf401498ff80886252333c3d7f3c45b7f56c41fb6cba21
Opcode Fuzzy Hash: 780da1fa96b1a5910b45b929f5a1bfac0affd9795f4b768c21803732f18f7b0b
Instruction Fuzzy Hash: 3831E631E002559FE701AF79D844ABAFBB2BF82350F1AC966D0589F282D734E954CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A064D8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06A06543

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 56ec33e35ddbf53b468c07c933a467e20ce428ba8eaa7fc01fe57ba899c91432
Instruction ID: 7dd4d40a864dd505e203af799c209e09ee4087c887a169e63209db4dec9ac122
Opcode Fuzzy Hash: 56ec33e35ddbf53b468c07c933a467e20ce428ba8eaa7fc01fe57ba899c91432
Instruction Fuzzy Hash: 30115135F002098FDB44EBB999005EEB7F6AF88314F10406AC505EB244EB32DD15CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06A0B160 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a164778debef42da1c0dd333236da8c544cf1a629ad40d94b59a5b3efb06a37
Instruction ID: da2f91cacdd5459feff6b9ff5aebd175a70655eb5b69d61181ddb6732908b31b
Opcode Fuzzy Hash: 1a164778debef42da1c0dd333236da8c544cf1a629ad40d94b59a5b3efb06a37
Instruction Fuzzy Hash: 94514871D092548FE740EFA9DA002AEFBF6AF49300F1485ABD065DF692D3369941CB71

Uniqueness

Uniqueness Score: -1.00%

Function 068FCA60 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724c61c91134ad29e979f1657443d25042f69d11f9351ada12824ac7c21d44c1
Instruction ID: dae1cb21f1f74f93e9ebfcec4847114a7def9bbc18abc0e32926142c07a3852f
Opcode Fuzzy Hash: 724c61c91134ad29e979f1657443d25042f69d11f9351ada12824ac7c21d44c1
Instruction Fuzzy Hash: 4E518E307106058FD7559B28D884A6EB7E2EF84324F108A79E70ACB365DB71EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A0DA28 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7ca7aff32423de3c86b08886b0935dd266ecd77c6c5421e49c336edf80bbc3
Instruction ID: 8c48b32bbdd4aceb915e35bb5324bcac87c0b5418e21e8ecfa704236c6bda455
Opcode Fuzzy Hash: 0a7ca7aff32423de3c86b08886b0935dd266ecd77c6c5421e49c336edf80bbc3
Instruction Fuzzy Hash: 3741C0B5E002198FDB44EFE9D8806EEBBF1AF49310F14842AD409EB345D7349A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A0B940 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8c3d39d4bbe5c998cc2f93fb1f0be80990a95fab816672ac77baa303700679
Instruction ID: 8553dd37324fb33f72379c401ebe0218798b916d1a5e5c6af8e82694798be5db
Opcode Fuzzy Hash: bc8c3d39d4bbe5c998cc2f93fb1f0be80990a95fab816672ac77baa303700679
Instruction Fuzzy Hash: E0412974E09219DFEB80EFA9E6848EEBBF5FB0E340F105865E416A7350D7319850CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06A07EE8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afce65e6e7e9acfa6b58e3915e6f0ba110a5a105b67a3a79bad79fa6e7fbf23
Instruction ID: 7334ad85e36b3fb20a52e61b7dd87a7348fd89105feff63d9efab406abe17efa
Opcode Fuzzy Hash: 3afce65e6e7e9acfa6b58e3915e6f0ba110a5a105b67a3a79bad79fa6e7fbf23
Instruction Fuzzy Hash: 8841A170909208DFEB04EFA9C59456EBBB2FF40300F14C899D1221F7A9D735D945CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 068FE8E0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f757dcff89f7bc16c383ea17fee678c4999a261eaf2fd4ec712f690b31a21634
Instruction ID: ff963987ff0fec2672722078da5167ce17b42059757a63dba12d4fd94e02f33c
Opcode Fuzzy Hash: f757dcff89f7bc16c383ea17fee678c4999a261eaf2fd4ec712f690b31a21634
Instruction Fuzzy Hash: B231C075E2055AAFD7A0CF79C84966EFBF0BF04204F40822AE765E3260D730E540CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717292556.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3103d136bbafbf74e7c970b533f2f9dfb7620fa4b66dcd0671dd854d07f4e6
Instruction ID: 369bbfef46d98731bc576a44d0ef162b7f3990b46f4458bafc00bfb04384728c
Opcode Fuzzy Hash: 0d3103d136bbafbf74e7c970b533f2f9dfb7620fa4b66dcd0671dd854d07f4e6
Instruction Fuzzy Hash: D62137B1500240DFCB05DF14D9C0B67BF66FB99318F20C569E80A0B256C336D996EBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717292556.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a34f369274b08296f5e3acbaf823b9170e0504e73e75a2fc90330c3c9e9567a
Instruction ID: 350def7224421c19b6e7454dc20321a81218acf99e23442d4d599367bfa65c3c
Opcode Fuzzy Hash: 5a34f369274b08296f5e3acbaf823b9170e0504e73e75a2fc90330c3c9e9567a
Instruction Fuzzy Hash: 3C213771500204DFDB05DF14D9C0B67BF65FB99324F20C569E90B4B256C33AE896EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06A0AED0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0378ddcbbf824113ec68ce7f532f03ea94045a9bb8ccc1bf91202f35da85e5f9
Instruction ID: c05dedbc224bbc2871fca2e0ae4ba0523123bc87e0252ae22a440fc1df87961d
Opcode Fuzzy Hash: 0378ddcbbf824113ec68ce7f532f03ea94045a9bb8ccc1bf91202f35da85e5f9
Instruction Fuzzy Hash: 2E21D4B1A143398FE794EF69E81057BB7B9EF85310F008626E612D72C6E6318D4487D1

Uniqueness

Uniqueness Score: -1.00%

Function 06A0FE58 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22faa8dd290421652f7ff05209e6e48a5e42961e2224ca6eecfeef21a70a59a
Instruction ID: 6481a083ff117a14803aab0293aa820e48a4c7bca6222664813e95d1dc290e3a
Opcode Fuzzy Hash: e22faa8dd290421652f7ff05209e6e48a5e42961e2224ca6eecfeef21a70a59a
Instruction Fuzzy Hash: E321F930F45204DFF778AB1AE814B2977A6EF86B00F20C566E915AF6D6CB34D841CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717341792.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c2d000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a03369d9443ec8be774f5c4b0546da155d1c362072930f4419e8d689ab3d31
Instruction ID: d776403412aa3bf6cdbf30d0034e27b36ea327f36a9bc4dd75c55cac7735b477
Opcode Fuzzy Hash: 46a03369d9443ec8be774f5c4b0546da155d1c362072930f4419e8d689ab3d31
Instruction Fuzzy Hash: C7212671504200EFDB05DF14E9C4B26BBA5FBA4314F30C6ADE80A4B696C736DC46CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717341792.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c2d000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64ba122855dc905ff3766113eeb746abbc6cb599373478db00106231b2e3d3d
Instruction ID: bfbf37e739df3bf6fd92bc7939412c357f6cbb521e95f4c53d2518e94d4880c5
Opcode Fuzzy Hash: a64ba122855dc905ff3766113eeb746abbc6cb599373478db00106231b2e3d3d
Instruction Fuzzy Hash: F1210475604340DFCB14DF14E9C4B26BFA5FBA4314F20C56DE94A4B6A6C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06A06603 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98815194bdf738901f27d4f1b3fa1b8c31bfdd3afa9c9fafd3a42e15c55c3f2f
Instruction ID: 3a8169160e0283edc96063ec1f0a41bef83f3f13e37b64afa6570b728bdc5052
Opcode Fuzzy Hash: 98815194bdf738901f27d4f1b3fa1b8c31bfdd3afa9c9fafd3a42e15c55c3f2f
Instruction Fuzzy Hash: 9511AF357102049FDB58AB79E85487EBBF6EFC9320B25456AE416C7391DF31DC028B60

Uniqueness

Uniqueness Score: -1.00%

Function 068FCEE0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7ab78a89e206903801dea6032fd24ee720e6d425e46221607bd19c8ce89e75
Instruction ID: 857ffc139d62a33dea375adc5c215dd2373bc34ddfe31caf95c72bd0ccf10fc1
Opcode Fuzzy Hash: fb7ab78a89e206903801dea6032fd24ee720e6d425e46221607bd19c8ce89e75
Instruction Fuzzy Hash: 091130717117049FC7B99B39981042BB6A6EF86635320477DD27A8A3E0CB71D943CB45

Uniqueness

Uniqueness Score: -1.00%

Function 06A0432D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b5ccab0154a6389152cd7e7b4e29dc55fd0a0f631e495aa83ce5ffa44ee4a3
Instruction ID: b423c3b8608f1d55865eca6516c448d51ff5f80490079d76bdd04763d376a5e9
Opcode Fuzzy Hash: 40b5ccab0154a6389152cd7e7b4e29dc55fd0a0f631e495aa83ce5ffa44ee4a3
Instruction Fuzzy Hash: 2211E371A003055F9B95EB799C504BFB7F7EFC8260B16492DD529D7380EA3099058362

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717341792.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c2d000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681d862e5f6a7238d7164e83e82103321cf3d3ed21cbada4e01b9e2955c893b4
Instruction ID: 869b896d2e9d7e51b443c79ddc5c493e896aea05045b8da22358b0785fa44989
Opcode Fuzzy Hash: 681d862e5f6a7238d7164e83e82103321cf3d3ed21cbada4e01b9e2955c893b4
Instruction Fuzzy Hash: 10218E755093808FCB12CF24D994715BF71EB56314F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06A0B870 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705e0be9ca0372d2c83dd35a694f3eb4e6b9deed769357afe8af6101e92bfa70
Instruction ID: 6280ebd3f2073c9ac76ac6a844286db5e8e9f4771620de3689448b4bc9bcde06
Opcode Fuzzy Hash: 705e0be9ca0372d2c83dd35a694f3eb4e6b9deed769357afe8af6101e92bfa70
Instruction Fuzzy Hash: D921C474A01908DFD704DF5AE284999BBF2FF8D301B6280E4D548AB725DB31EE51DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717292556.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 8f18f8e8cd3284b55f4f7bb72c4edd17179fbc3f3ef602ac2092593e25ab68b7
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 11112672404240CFCB16CF00D5C4B56BF71FB94324F24C6A9DC0A0B256C33AE99ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717292556.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: d9b5052920e4393c64d6d8f920ad9d2e18fb67167e53715be6598262965ffd75
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: EA1103B2404280CFCB06CF10D5C4B56BF72FB94318F24C6A9D80A0B256C336D99ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717341792.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c2d000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: d28ce6e36912f8e1a4b77c392d77eafa9370a906b8517ebcfe355023d1fd74b2
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8A11BB75504280DFDB02CF10D5C4B15BBA1FB94314F24C6AAD84A4B696C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 06A067CA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82cc568d978d801a214b57629cc1aa200fb8cab948a65e16de503cff964d034
Instruction ID: 2a63455510ae4c299d595d1dd0e35df27fd5eea9087abf6de58ecaa2c02268f5
Opcode Fuzzy Hash: f82cc568d978d801a214b57629cc1aa200fb8cab948a65e16de503cff964d034
Instruction Fuzzy Hash: 1F0175357545108FD785EF6DD840819BBE6FF89B1532544EAE149CF371DE22DC058780

Uniqueness

Uniqueness Score: -1.00%

Function 068F0858 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e108e126c01b9d1d9ca8c5cb30b5648f1b55130ce59d3553549c0af8696c59ef
Instruction ID: d6fd181650c56face2f6837f3bfe6ef33e7739adab03a16f4f51eaac1bd6fc24
Opcode Fuzzy Hash: e108e126c01b9d1d9ca8c5cb30b5648f1b55130ce59d3553549c0af8696c59ef
Instruction Fuzzy Hash: 0401F232B647805BDB655779A86836EFBD6ABC0224F14493DC28AC7B41CF61D84983E1

Uniqueness

Uniqueness Score: -1.00%

Function 06A08B40 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7291d51c925bf88704156e9d45a148bce9c9c583772016b3f2bd5290daf23196
Instruction ID: 91bd3ddfc964ffb5891fdb655f87824209307dc1ce14133ae213dcd004bdfed1
Opcode Fuzzy Hash: 7291d51c925bf88704156e9d45a148bce9c9c583772016b3f2bd5290daf23196
Instruction Fuzzy Hash: 2001F234E44108AFEB40AFB8A5053AD7BF2EB4A300F108875EB06D77C5DA3489818B91

Uniqueness

Uniqueness Score: -1.00%

Function 06A04162 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff90ae49b38e9085d7bb7940235fd9cd6226a44a5e3e8da2a75b42c167c35a8
Instruction ID: 1777f556050ec33439e516f49f9d8ad36a390e93403418e355d5b2e91d2a5001
Opcode Fuzzy Hash: 4ff90ae49b38e9085d7bb7940235fd9cd6226a44a5e3e8da2a75b42c167c35a8
Instruction Fuzzy Hash: 1801D62A10E3C1BEE7128B798C24FA23F799B2B700F1912C6E3854B193C5561426CFF2

Uniqueness

Uniqueness Score: -1.00%

Function 06A07E40 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3148c319b7ffd4b15060891a721ddb44ed2d8ea8bb548e9dfe260dac735738e8
Instruction ID: 7817062cbed3ca997519dfc807c2690c327a0af204fefe4117fb7531145bd230
Opcode Fuzzy Hash: 3148c319b7ffd4b15060891a721ddb44ed2d8ea8bb548e9dfe260dac735738e8
Instruction Fuzzy Hash: 04010870D0020D9FCB44EFE8C99069EBBB2FF44300F1086AAD115A7355EB346A44AF81

Uniqueness

Uniqueness Score: -1.00%

Function 06A0433C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6238c01a5cc4984c164bcc6c1fc42bdd0192e8a5e79a6d75049ccd84f6918bf1
Instruction ID: de6782200e4e463d34d2891e4af1fac31f3acd19487f063d363d6a2c6c5e4df7
Opcode Fuzzy Hash: 6238c01a5cc4984c164bcc6c1fc42bdd0192e8a5e79a6d75049ccd84f6918bf1
Instruction Fuzzy Hash: 0DF0B470B002555B9B88FB7D4C5447FBAFBEFC93407459839D915D7384EE709D054262

Uniqueness

Uniqueness Score: -1.00%

Function 06A065A8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771da0f0399e9dc46a05b4fa5efe9a35a7a6d2c20d51137439fd13058125992f
Instruction ID: c71ac39600cc942b95dec34cfccf324948ed659bb95cf68ab66a1929764ca719
Opcode Fuzzy Hash: 771da0f0399e9dc46a05b4fa5efe9a35a7a6d2c20d51137439fd13058125992f
Instruction Fuzzy Hash: DDF0E270E002164BA795FBBA4D5057FAAF79FC9200B068939D814EB380EE30C9054362

Uniqueness

Uniqueness Score: -1.00%

Function 06A09498 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f8cf50c6e1b6d53ad1cdde40e86b2ffadab274fc265a2daf0832f6643e3031
Instruction ID: e5da27b022ae771b181274862201ffec4c0d33126dd89ed3a63d52f01bd87716
Opcode Fuzzy Hash: 22f8cf50c6e1b6d53ad1cdde40e86b2ffadab274fc265a2daf0832f6643e3031
Instruction Fuzzy Hash: 71E0DF70BD432C7FF7643645A811B33319E9789B50F140425F7099E2C5DDA398808B65

Uniqueness

Uniqueness Score: -1.00%

Function 06A082D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09dc770ede65b8c5c5c0101cbb5e439b00178b9b1d3e6c96d4b59961691b4da1
Instruction ID: 5a0f5e81b8d7f86bdccfc4860ba8dc58e8f9895513110a9c7ee3ceb9ba43f309
Opcode Fuzzy Hash: 09dc770ede65b8c5c5c0101cbb5e439b00178b9b1d3e6c96d4b59961691b4da1
Instruction Fuzzy Hash: 3EE0263130020413C744B729E9408AEBB9F9FC0320B048036EC1987324CE30AD8283D4

Uniqueness

Uniqueness Score: -1.00%

Function 06A041A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d5387f054d9611b82808ef51be56e981a4baaeb9ea8df50e459ffc846207aa
Instruction ID: dda7c2516b77465350fd0b3d160861718e704d849dee27750280e718489491fd
Opcode Fuzzy Hash: e2d5387f054d9611b82808ef51be56e981a4baaeb9ea8df50e459ffc846207aa
Instruction Fuzzy Hash: 25E0C2B4B9020CEFF750A656AC29B2232EEF3A4B41F200215E3064E2C4D96299108A75

Uniqueness

Uniqueness Score: -1.00%

Function 068FAF28 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce2cccb896597fa0ccc50e4ad6f65bf03f90ddabdd22e93513d8b064d84a672
Instruction ID: be33462cef2cff4a3f8f122dddd951fee17afcf6d289da644f711868cb9c2957
Opcode Fuzzy Hash: dce2cccb896597fa0ccc50e4ad6f65bf03f90ddabdd22e93513d8b064d84a672
Instruction Fuzzy Hash: AFD09E323104145B8644965EE414C9A77EDDBC9A2631140AAF209C7321DE619C4287A4

Uniqueness

Uniqueness Score: -1.00%

Function 06A0C550 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8b2f03871e17a223fefedbb5bc4c5d03e4585b4373d9da9f384caad98d613a
Instruction ID: 67b3978e8e714e46eee50d0397a021691153d99ae92ff801a73c27f6e9a8938b
Opcode Fuzzy Hash: 1b8b2f03871e17a223fefedbb5bc4c5d03e4585b4373d9da9f384caad98d613a
Instruction Fuzzy Hash: 38D0A77888E108DBF340EBA4F508BBD77FD9703721F005294D50F235908B702A80D596

Uniqueness

Uniqueness Score: -1.00%

Function 068FD5B0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839d9ed1f381c794786e6795d697eca161dcb76710728f16fe7bc510b0cd1731
Instruction ID: a8da7cbe08eb74d5d737522f3cf17c527ad3415c925a0f95c1fef45e16576140
Opcode Fuzzy Hash: 839d9ed1f381c794786e6795d697eca161dcb76710728f16fe7bc510b0cd1731
Instruction Fuzzy Hash: A6D0A720204F5402D755A27D58107DFBAC90F96214F0484EFD29E83240CEA5284002DA

Uniqueness

Uniqueness Score: -1.00%

Function 06A067D8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722e4e3398a3f00ec4780ca24f61fa785c2e645f06c1b50f3e05b55b84a77309
Instruction ID: c78b22c759d312be94c0fafac2c59f8e31b268d5f6aec009ee43d6385cb56f05
Opcode Fuzzy Hash: 722e4e3398a3f00ec4780ca24f61fa785c2e645f06c1b50f3e05b55b84a77309
Instruction Fuzzy Hash: A8C08C22B00E2403AA8CF6AE6C0009EF2CE9FC9820B04C0EBD20E83240DE51284102CE

Uniqueness

Uniqueness Score: -1.00%

Function 068FB1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00510555952e4abf8086a99d73cccd1b6c1396981e5e6799eb84f910d8b984ef
Instruction ID: 3a8124462a609d743b6dfb1e1bc8f97f131fa166dd21c2d257ba098a246f9b90
Opcode Fuzzy Hash: 00510555952e4abf8086a99d73cccd1b6c1396981e5e6799eb84f910d8b984ef
Instruction Fuzzy Hash: 72C08C32700A24038A5CF6AE5C000EEB2CF4FC5424B08C0EBD60E83200DE61280102CE

Uniqueness

Uniqueness Score: -1.00%

Function 068F4251 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a469b5aac62bb419a035a5cbae01a27f9cdef15666c48b462a54a494b92307
Instruction ID: 2e91e6d13e0b2b2deed921ac275f44b0b3b7d22d83cd1d98d5eba954196e3cf5
Opcode Fuzzy Hash: c9a469b5aac62bb419a035a5cbae01a27f9cdef15666c48b462a54a494b92307
Instruction Fuzzy Hash: 6FD06774214540CFD744DF28C4D9A5577B1FF09304B1440A9E98A8F36BC775AC10DB41

Uniqueness

Uniqueness Score: -1.00%

Function 06A064A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cae2f2c0fb8e08104787b7cdb42e350d5d3f906f9fcd302e08149511ea1e39
Instruction ID: 609e98064d6de764bedae0b4130974aeb49c91f0a7e5c3cf2de87083253a7a6e
Opcode Fuzzy Hash: e4cae2f2c0fb8e08104787b7cdb42e350d5d3f906f9fcd302e08149511ea1e39
Instruction Fuzzy Hash: 63C012734150005ED7459B904D064D4BB61FF55204B6690D1D895060219922663A9357

Uniqueness

Uniqueness Score: -1.00%

Function 06A0431C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0c19cea1befa22f03a7ee749a6fab31e08c432e334b27499e7a79b932d27c3
Instruction ID: 1c6443c21340f07869c84ea84dc3a3e189ebf87c80119e7ff24ce28a491dd6e1
Opcode Fuzzy Hash: 9d0c19cea1befa22f03a7ee749a6fab31e08c432e334b27499e7a79b932d27c3
Instruction Fuzzy Hash: 85C08C36000000AFA680B7D0CF4082AFAA0FB48308B40F892A30041030C622E4289702

Uniqueness

Uniqueness Score: -1.00%

Function 06A0989C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f184903a5dcdfcd13c1a51a94d50587cfd4b1f7d7c0c7fa02d4c4449bb9f460
Instruction ID: 49076ad7b5a95c3b949884614fafb0517baecda35ccee25aa70eae9b463408a6
Opcode Fuzzy Hash: 1f184903a5dcdfcd13c1a51a94d50587cfd4b1f7d7c0c7fa02d4c4449bb9f460
Instruction Fuzzy Hash: EAB012391D4100A7758573B84D9193ED5B0FBB6700B00DC153305E10548563D874E62B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 068FE5E8 Relevance: 16.4, Strings: 13, Instructions: 118COMMON

Download Yara Rule

Strings

4'^q, xrefs: 068FE6F0
4'^q, xrefs: 068FE79F
4'^q, xrefs: 068FE77C
4'^q, xrefs: 068FE736
4'^q, xrefs: 068FE6CD
4'^q, xrefs: 068FE687
4'^q, xrefs: 068FE5FB
4'^q, xrefs: 068FE759
4'^q, xrefs: 068FE641
4'^q, xrefs: 068FE6AA
4'^q, xrefs: 068FE61E
4'^q, xrefs: 068FE713
4'^q, xrefs: 068FE664

Memory Dump Source

Source File: 00000007.00000002.1725538146.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68f0000_wZnyuP.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-284850411
Opcode ID: 7140b83a2a37b2f071b0e47363fc33e7dabc06a6af667406735ceb10afd33cd0
Instruction ID: 6b1168172f9509860fb980a339e8af09e467a57f5e332f9d30622c53eb1ba3a7
Opcode Fuzzy Hash: 7140b83a2a37b2f071b0e47363fc33e7dabc06a6af667406735ceb10afd33cd0
Instruction Fuzzy Hash: E6512C30E0010A9FCF09EFA5E9915DDBBB1FF85704B1095A8D0056B369DF706E8AAF91

Uniqueness

Uniqueness Score: -1.00%

Function 06A053A0 Relevance: 11.6, Strings: 9, Instructions: 390COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06A05775
$^q, xrefs: 06A05896
$^q, xrefs: 06A058DB
LR^q, xrefs: 06A05843
$^q, xrefs: 06A055CA
LR^q, xrefs: 06A05767
$^q, xrefs: 06A058CB
LR^q, xrefs: 06A05851
$^q, xrefs: 06A05886

Memory Dump Source

Source File: 00000007.00000002.1725725114.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a00000_wZnyuP.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$LR^q$LR^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1232298155
Opcode ID: f5ea2b0d16dd93e6b085809e973e32e3c8f904268bf25f108dda31ea7992158e
Instruction ID: b09af07f7481fea66e9a4b5cee15cee6a6ef739f00295c4d84c924b83f47fd36
Opcode Fuzzy Hash: f5ea2b0d16dd93e6b085809e973e32e3c8f904268bf25f108dda31ea7992158e
Instruction Fuzzy Hash: 72F15830E14208DFEB44EFADE684AADBBF2BF48301F158455E415AB295D734E885DF90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wZnyuP.exePID: 7756, Parent PID: 7444COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	4

Executed Functions

Function 00EC9B38 Relevance: 2.8, Instructions: 2843COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c2fbd33660def4c42135ceaff1faf45b8d44374207beff037bbbd47d1ce8a6
Instruction ID: 62f40af6abc91327c2d170f6088e745ffe47c97d719b7a6d30da05a345e135a3
Opcode Fuzzy Hash: 18c2fbd33660def4c42135ceaff1faf45b8d44374207beff037bbbd47d1ce8a6
Instruction Fuzzy Hash: FE63F831D10B1A8ACB11EF68C844A99F7B1FF99300F15D79AE45877221EB70AAD5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00ECCE80 Relevance: 2.3, Instructions: 2310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80355983feb00c8683c5fdbf9b8a849515a8b5ff37d0a319ca77c52a1874774e
Instruction ID: 01ea995eabaea1b97eb61ae39bdd73d9f0e7c161c008d902c3459d09ec3b3073
Opcode Fuzzy Hash: 80355983feb00c8683c5fdbf9b8a849515a8b5ff37d0a319ca77c52a1874774e
Instruction Fuzzy Hash: 02331D31D107198ECB15EF68C880AADF7B1FF99300F15D69AE458B7221EB71AAC5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06937aeb68276ffab3e39a816af6791349ad7eb0190173bb90bc9336731ad1e0
Instruction ID: 0449f23db4664245ff162e7d0a55d2bc8a151e182c880fc7bd05aadc698fdb29
Opcode Fuzzy Hash: 06937aeb68276ffab3e39a816af6791349ad7eb0190173bb90bc9336731ad1e0
Instruction Fuzzy Hash: FBB151B0E002098FDB10DFA8C995BDDBBF2AF48318F14952DD819F7294EB759846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00EC3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ffd31201ed0597efad941825e1f25f004443a9d160b143a23eba306dee6538
Instruction ID: 1d0a64b2da514193058120e95d7a035eab739b1e9662a11a53cc6a6131fd4e0d
Opcode Fuzzy Hash: 17ffd31201ed0597efad941825e1f25f004443a9d160b143a23eba306dee6538
Instruction Fuzzy Hash: AB917FB0E002498FDF10CFA8CA95BDDBBF2AF48308F14952DE415B7294DB759986CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6ED7 Relevance: 2.6, Strings: 2, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 00EC6F0E
LR^q, xrefs: 00EC6F93

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 84d644cade8efa918dc2800d7cd9655fb2c5f67ca6a2a0d7deae73a61d5a3a91
Instruction ID: ff6c9a2f09746d3058e66067091b934cd5a4e1f0b2431776bf5c3f051044da3c
Opcode Fuzzy Hash: 84d644cade8efa918dc2800d7cd9655fb2c5f67ca6a2a0d7deae73a61d5a3a91
Instruction Fuzzy Hash: FF51AD30A042059FDB19DF78C551BAEBBB2EF86304F20846EE445EB290EB729C47CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0581E1A9 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2919795291.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5810000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a340d0285e9f485ca68b26420e0a54bc16a742cc4cd8b17e61bab92db6c172
Instruction ID: 5b0613736c297bdce117f99ad27a0d60776b121fb29595d4eaccced620847588
Opcode Fuzzy Hash: 03a340d0285e9f485ca68b26420e0a54bc16a742cc4cd8b17e61bab92db6c172
Instruction Fuzzy Hash: 10411272E003598FCB00CFB9D8447AEBFF5AF89210F14866AE805E7251DB389945CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0581E290 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0581E2F7

Memory Dump Source

Source File: 0000000C.00000002.2919795291.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5810000_wZnyuP.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4504e56d61e00c17c299404ab3e571c1b292edcd8e6894a1fbf0844efbee852a
Instruction ID: fe0a237d0f28255eddb4757053fac2878265503c0b3e3442deed659f7e576f24
Opcode Fuzzy Hash: 4504e56d61e00c17c299404ab3e571c1b292edcd8e6894a1fbf0844efbee852a
Instruction Fuzzy Hash: 4311F3B1C006699FCB10DF9AD548BDEFBF8BF48320F14816AD918A7250D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00ECF3BD Relevance: 1.4, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 00ECF50B

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: a675f39ed3e06781d1df7d8293bb6d612ebce8b80ee10f14ff57f733c36ad28e
Instruction ID: 9c56b242504b6c51c08ba9384162243e15abb61cf7f6a9d828e5946cc73bf9b0
Opcode Fuzzy Hash: a675f39ed3e06781d1df7d8293bb6d612ebce8b80ee10f14ff57f733c36ad28e
Instruction Fuzzy Hash: 7441DD30B002018FCB19AB74D654B6F7BE3AB88314F24457DD006EB395EE36CD468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6F78 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 00EC6F93

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 8753e4dcf0c0d4c06ddf0188afb6c3d67e05cc00c9b14179976c858ea57338f0
Instruction ID: 2e8e8d1465d92e0cb16c22f4aebfe4a6d74af2fd62acba30cc9086b2b3ca7a13
Opcode Fuzzy Hash: 8753e4dcf0c0d4c06ddf0188afb6c3d67e05cc00c9b14179976c858ea57338f0
Instruction Fuzzy Hash: CE313831E102099BDF18CFA4D551B9EB7B6FB85314F208529E816FB280EB72AD478B51

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6BA0 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00EC6BD7

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 41922dd5404f36e8599f1830b88afec72e35e2111e2cf0073fbc401064eb1607
Instruction ID: 202d1ac563c80e257a081e56fd8d906c1f3bdc60c1465653fe015e2fe2a03028
Opcode Fuzzy Hash: 41922dd5404f36e8599f1830b88afec72e35e2111e2cf0073fbc401064eb1607
Instruction Fuzzy Hash: 0611A3306093805FC716EB78841066E7FF5EF87704B1448EED085CB2A2DA369846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00EC7908 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5992ad7c72cf968af6d11504d1a6fa8b92a89d787220c380735da643cfbadadf
Instruction ID: 7c8bdd69367e9419f204a3eb2be6c2d6d1517cb3c08dc43315d94d639309d0e2
Opcode Fuzzy Hash: 5992ad7c72cf968af6d11504d1a6fa8b92a89d787220c380735da643cfbadadf
Instruction Fuzzy Hash: 70125B30700202AFCF29AB38E59572D77A2FB85354B244939E415DB369DF32EC878B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC96E0 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482972cbbb2643a3ed742ceb2e939274e5760a761efc0f86b32e155817de35a1
Instruction ID: eea969d5a3ae0f6bfd915ee68e7a86eead1016c14ecad76fc64b54eabe183af1
Opcode Fuzzy Hash: 482972cbbb2643a3ed742ceb2e939274e5760a761efc0f86b32e155817de35a1
Instruction Fuzzy Hash: BCC1C031B002058FDB14CF68D984BAEBBB2EB88314F14956AE409EB396D731DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9364 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c1f2f223396c2450f623dcb2809fbcdcc78288ef8eb7260a2d66e460335c81
Instruction ID: 27e426f2f512468f2fa0c115cee7c3067ac05b71ffb6879913e9460dccfb278c
Opcode Fuzzy Hash: b2c1f2f223396c2450f623dcb2809fbcdcc78288ef8eb7260a2d66e460335c81
Instruction Fuzzy Hash: D8C16F35A002058FCB14DF68DA98AADBBF2FF88314F149569E406E73A6DB35DC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4A8C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8326495dbd08bc595943b70efcc7329e2c5c418fd35bac964e5fbea363aab997
Instruction ID: f29dfee269231430c65464bfb7b9d29d1afa1357e7efba069d2cc62dd47d6f59
Opcode Fuzzy Hash: 8326495dbd08bc595943b70efcc7329e2c5c418fd35bac964e5fbea363aab997
Instruction Fuzzy Hash: 28B14DB0E002098FDB10DFA8D995BDDBBF1AF48318F24912DD819F7294EB759846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC3E74 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655292c8f5c1de988ebaa946d67655a73fd5f845e0afef627b1bfd4380760adc
Instruction ID: 2e6ea83a64cadd123b94e2b1cf6fd2abb6ef6171966ca7347ec0b6960283316c
Opcode Fuzzy Hash: 655292c8f5c1de988ebaa946d67655a73fd5f845e0afef627b1bfd4380760adc
Instruction Fuzzy Hash: CDA16BB0E00249CFDB10CFA8DA91BDDBBF1AF48318F24952DE454B7294DB359986CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6CDD Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a00d36dd574d24f50a3d328205d938382b244d2c6e337f2fa879e250d9717f
Instruction ID: e459aebcaa059ccc2a53c93fb9c7817561f4dc146d7e7a9f11a070d176d6ab18
Opcode Fuzzy Hash: 29a00d36dd574d24f50a3d328205d938382b244d2c6e337f2fa879e250d9717f
Instruction Fuzzy Hash: 72512474E002188FDB14DFA9C944B9EBBB1BF48714F14802EE81ABB391D775A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e391f2814c76767f63601676ab639f8a4b142525f5876d501ee3c7135908357
Instruction ID: 95dc57bc925547386b1aca9cc199b08e9dc3ea5b880086da6a7972c76813d817
Opcode Fuzzy Hash: 5e391f2814c76767f63601676ab639f8a4b142525f5876d501ee3c7135908357
Instruction Fuzzy Hash: 9D512474E002188FDB14DFA9C944B9EBBB1BF48704F14802EE81ABB391D775A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1128 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8fc1e781f4fa7cd36b50928743b651c9630897c3afef0a9219b85487a480ad
Instruction ID: d74c6fbd3f235ff6ece0b9c2ed8e12ee437ebef9c07627e61e14ee7dd7b20528
Opcode Fuzzy Hash: 8f8fc1e781f4fa7cd36b50928743b651c9630897c3afef0a9219b85487a480ad
Instruction Fuzzy Hash: F851C935201281CFCB06FF68F991A567FB2FB9271474489A9D0044B37EDB60AA4BCB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a820448b34f464ec6aa951502a05debcfb79b82383ef07bc743c14753e4a41c8
Instruction ID: c0ddc3cdbd36a709cbeefeb8619371e101d175874ac381ce3258c8ed3e8df0a0
Opcode Fuzzy Hash: a820448b34f464ec6aa951502a05debcfb79b82383ef07bc743c14753e4a41c8
Instruction Fuzzy Hash: 9051A635211181CFCB06FF68FA91A5A7FB2F7927147448969D0044B37EDB60AA4BCB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECF280 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56522b89e445e7a67f7e17411a1c43cc19751c33a0cd9f5f6660fcfd11f7ed6
Instruction ID: 07e42cc32e57272bbfcae44e7d4d6e93e3fd2b98d4004fb871de2d5466e649bd
Opcode Fuzzy Hash: c56522b89e445e7a67f7e17411a1c43cc19751c33a0cd9f5f6660fcfd11f7ed6
Instruction Fuzzy Hash: E5315B35E002069FCB19CFA9D594A9EBBB2AF89304F148529E806E7355DB71AD43CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EC26DE Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9dcb1b9a1794ca2d33c5ea5e174d1bb3ac3644223ba0f6ce4c5f3141a10354
Instruction ID: dd4b032a8d9463d99f903b4dbf6c661a8a4a31fa1e13dbd442610eee12228f49
Opcode Fuzzy Hash: ef9dcb1b9a1794ca2d33c5ea5e174d1bb3ac3644223ba0f6ce4c5f3141a10354
Instruction Fuzzy Hash: 8B41EEB1D003499FDB14CFA9C584ADEBFB5FF48314F24802EE809AB254DB759946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC5097 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5530064e285cc817e6db79579a9e93617d476b90995fd6e11f9b13054cc66da8
Instruction ID: 9a85a9d2a41bd784b6b2794f6c94151b0cfe294883deae54e465672879b22123
Opcode Fuzzy Hash: 5530064e285cc817e6db79579a9e93617d476b90995fd6e11f9b13054cc66da8
Instruction Fuzzy Hash: 7B312A31601B158FDB19EB74C655BAE77F2AF49348B2405ACD401AB3A5DB36EC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECF290 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa678f40ef05cebd0068d66fb4bd156df10894c6b55f8f1e61b6157dc2ac7b33
Instruction ID: 89de363ef02312ef59bf671a23a0dd4308454ce4c3e784e6500d396bf2bf9c23
Opcode Fuzzy Hash: aa678f40ef05cebd0068d66fb4bd156df10894c6b55f8f1e61b6157dc2ac7b33
Instruction Fuzzy Hash: B1314B35E0020A9BCB19CFA9D554A9EBBF2BF89304F148529E806E7355DB71AC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EC26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3f480626698f33573fb83a4c58d506cb811a8d43c21d4e44c6571d844766ee
Instruction ID: b5c0de78b174f94a41291a9c3d97a0d9c43b6384716c2874bc0250934ec2f8c3
Opcode Fuzzy Hash: 9f3f480626698f33573fb83a4c58d506cb811a8d43c21d4e44c6571d844766ee
Instruction Fuzzy Hash: 0F41EDB1D00349DFDB14DFA9C584ADEBFB5FF48314F20802AE819AB254DB75A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC50A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c89290b08f15ae416dfafea7b4eadbb5c3fb0177dabf785ede40fd6758f0bf
Instruction ID: 3615844a19b53819e5690c0f881f28f30772abd7ee7642b29cdf5ec7788709ad
Opcode Fuzzy Hash: 02c89290b08f15ae416dfafea7b4eadbb5c3fb0177dabf785ede40fd6758f0bf
Instruction Fuzzy Hash: 14311C31601B148FDB15EB64CA55BAE77F2AF49344B24046CD401EB3A5DF36EC82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9150 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7778aaa0bd6e5b83d5bd7d0ff1dc64c9afa879536f9a68b8cf72442bda9382f
Instruction ID: fd43a272c2a314ea1575abf15274396dd62358cb2ae177831f80cf465bd9371d
Opcode Fuzzy Hash: b7778aaa0bd6e5b83d5bd7d0ff1dc64c9afa879536f9a68b8cf72442bda9382f
Instruction Fuzzy Hash: F731E331E00206DBCB09CFA4E544AEEB7B2AF85314F24862EE845B7351DB729D07CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EC924F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb83a68b0fdd07072a4b069828608be63252f3b390ca8f74be0031602f39638
Instruction ID: 50bcaea318097caa9ee85a57bd67524342b9ed715f990961a2118be6290bccff
Opcode Fuzzy Hash: cfb83a68b0fdd07072a4b069828608be63252f3b390ca8f74be0031602f39638
Instruction Fuzzy Hash: 23317E31E002069BCB09CFA4E558B9EBBB2FF89304F14852AE805FB251DB719C47CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27ef9584b4a05ac93a09a741c7270301ccef6c94f9c82bcc61d9a3c9b22a066
Instruction ID: 6ed2ba3dbac3bd3a8566619d36b05df87e89c6ad6ae040846187b709e875e3d1
Opcode Fuzzy Hash: d27ef9584b4a05ac93a09a741c7270301ccef6c94f9c82bcc61d9a3c9b22a066
Instruction Fuzzy Hash: 9E214C31E0020A9BCB09CEA5D588B9EB7B2FF89304F149529E805BB255DB719C47CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1382 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1f44e6f7fbd3eeb99a814417c27cb681928ba5d190cfc3bfa98a652e89733c
Instruction ID: e6e2d9d3c519be58d6aabaa1d3d0c665886e3dce673ae49165afc93c0267fbbc
Opcode Fuzzy Hash: 5e1f44e6f7fbd3eeb99a814417c27cb681928ba5d190cfc3bfa98a652e89733c
Instruction Fuzzy Hash: C121AF706042804FDB3A67389654B293B61EB5732DF1418FDE02AE729ADA66CC87C742

Uniqueness

Uniqueness Score: -1.00%

Function 00EC169F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d10d7a0ceca09c7990a0028300dbf813a1af52f712cfab47d7b3be4d66a8a4
Instruction ID: 2ab32f3ffc57a76361ef40515e19e3b5e3193e1ee8e57c7097d5fc355cfe91ef
Opcode Fuzzy Hash: e9d10d7a0ceca09c7990a0028300dbf813a1af52f712cfab47d7b3be4d66a8a4
Instruction Fuzzy Hash: 5F21CD346001014FDF12EB28EA48B5D7765EB53718F1055BAD006D73AEE775CC878B52

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2907639473.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_bad000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e2ddd4efaf77afc5f802dabd0b27b76d1ca8b9d5db3683335e974dc360e6e6
Instruction ID: 105b9287d4f05fe9784a69dfd9145f63b728258a44b25724ebb297ef3a732b25
Opcode Fuzzy Hash: 06e2ddd4efaf77afc5f802dabd0b27b76d1ca8b9d5db3683335e974dc360e6e6
Instruction Fuzzy Hash: 13216D7550D3C49FC7138B24D9A0711BFB1EB56214F28C5DBD9898B6A7C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1878 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d608c9e5590566dc58ec982f6749b07a2398fac74420a9302e1b5193cdbea822
Instruction ID: 93227a2c6f3349bec13abe48762c5fa8b8a72cf87e9f75acb8e4467b5a2d218b
Opcode Fuzzy Hash: d608c9e5590566dc58ec982f6749b07a2398fac74420a9302e1b5193cdbea822
Instruction Fuzzy Hash: E1213C306042558FDB54EB34C625BAE77F1AF8A344F2015ADD401FB262DB36CD42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4F8A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601bfdb757805c910bb7b5822b7598050e759115d2107c53040b97040fb3ee4d
Instruction ID: d8ff2db58f86a173cd7d76887db500f454068e782e1ddecf6a17cef56f902200
Opcode Fuzzy Hash: 601bfdb757805c910bb7b5822b7598050e759115d2107c53040b97040fb3ee4d
Instruction Fuzzy Hash: 65212730610644CFCB54EB38C659BAE7BF1EF89344B2045ACE406EB3A1DB729D42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2907639473.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_bad000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315bd5375fb5aca6e87e2878e4b8e6ff4eadf1459e0d90ef1275f61498c4cebd
Instruction ID: 92e9ba1c1687e6e82b581eb4601b6984c2e910b011b638957f9a7b6d5e43a028
Opcode Fuzzy Hash: 315bd5375fb5aca6e87e2878e4b8e6ff4eadf1459e0d90ef1275f61498c4cebd
Instruction Fuzzy Hash: 2F210471608204DFCB24DF14D9D0B26BBE5FB85314F24C6ADD84A4B696C33AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a184e696bcfd5f7633301945588eecd8a2c2e74d8ccf6c9b888b7048b7a7050
Instruction ID: 2e58ce1a63842986774b3d7f99d26736c356f7fe088c159da74b6e0c30674c74
Opcode Fuzzy Hash: 6a184e696bcfd5f7633301945588eecd8a2c2e74d8ccf6c9b888b7048b7a7050
Instruction Fuzzy Hash: 7A218031E0060A9BCB09CFA4D948ADEB7B2AF89314F24961AEC15B7351DB71AC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1352b47acefa894776331a833009a305c23ab789dc11a78c3e1440a9239cff
Instruction ID: 67d3ca56730b905797d7e6e5442d9409ee0425b817a6000abe875f06a7cfc5b1
Opcode Fuzzy Hash: cc1352b47acefa894776331a833009a305c23ab789dc11a78c3e1440a9239cff
Instruction Fuzzy Hash: 26212C307042158FDB54EB64C665BAE77F2AB8A344F2014ACD405FB266DF36DD42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334f9a928745435b3ce6afaf219957f9d160e49188bd5f1ee3214a932080b6cf
Instruction ID: 66a79dc35235dde8d5849813fc7b6670b30070a8f8dac82f97c172c1fa5dc41a
Opcode Fuzzy Hash: 334f9a928745435b3ce6afaf219957f9d160e49188bd5f1ee3214a932080b6cf
Instruction Fuzzy Hash: DC2175346001018FDF22EB28EA84B5D7716EB47728F105979D01AD73AEEB65DC878B92

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489db5697412d9f7b5ca9a5a9a1d2ec7505e32123c6439ee68668b114738d418
Instruction ID: 0b55930babfd800091f6dcccf6fe7e40c1c11f12fc4055ccbc96f9e6e4b11cd4
Opcode Fuzzy Hash: 489db5697412d9f7b5ca9a5a9a1d2ec7505e32123c6439ee68668b114738d418
Instruction Fuzzy Hash: 4721F6316006088FDB14EB68CA59BAE77F2EB49344B105568E406EB3A5DF76DD428B90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72111f39e979c34d29100ba3e08788fc5895de5cb8c953a5ee7f5399eefffe7
Instruction ID: 9aacf2230d780d9b5b9c4bbdec026ec5ccbc186c7301a88ed2add571223c2d2a
Opcode Fuzzy Hash: c72111f39e979c34d29100ba3e08788fc5895de5cb8c953a5ee7f5399eefffe7
Instruction Fuzzy Hash: A9119432B00204CFDF685A78D644B6E72A1EB85728F10993DE016EB355DA62CD879BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC0838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d764ccb891d60ab224150ae9771ee0611446c1a78b1ed56a800099e343a550
Instruction ID: 8c1e5ec83954c93051f3d63bc749d5f8a2637368922ac3ec65997de697c9c083
Opcode Fuzzy Hash: 88d764ccb891d60ab224150ae9771ee0611446c1a78b1ed56a800099e343a550
Instruction Fuzzy Hash: 0711E732B00300CFDF295A748A1077E77A1EB96718F14D97ED012EB255DA62CD878BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1488 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe188feeb6b13ded4a9ad9459c580fc0471ecf744910d4dd7017fb25932803dd
Instruction ID: c17db5b5a18af151c85174e7c6c4739852b74ddacf10467f4d09369cfb786fbc
Opcode Fuzzy Hash: fe188feeb6b13ded4a9ad9459c580fc0471ecf744910d4dd7017fb25932803dd
Instruction Fuzzy Hash: 07115171E002548FDF25ABB88551AADBBF5AF45315F2410BEE805F7203E636C9438B90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC17C2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bc76d8d07e3d255374d9fcf2a90b7765df6b454a36b5f10e3d5153cacf7a1a
Instruction ID: 5ccb32d938ff6f90c5e253575884313d5504b6d15b4edaf569e81f927a39a032
Opcode Fuzzy Hash: e5bc76d8d07e3d255374d9fcf2a90b7765df6b454a36b5f10e3d5153cacf7a1a
Instruction Fuzzy Hash: 1511E336B003559FCF259F7898086AE7BF1EF4A754B10097AD955E3344EA35C9438B81

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b74888102e2a3d7cabeaaf37eb367cf831aac8a6ffa66ab574d149c21a9701
Instruction ID: 386d456dd8940f9e6dce81b23286d5a4a772a4d8f453085bba5d88464c8eae4b
Opcode Fuzzy Hash: 70b74888102e2a3d7cabeaaf37eb367cf831aac8a6ffa66ab574d149c21a9701
Instruction Fuzzy Hash: D1016131B00214CFCF25EFB88651A9EB7E5EB49314B2414BEE805F7302E636D8828B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9889 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7ebd33838c015a08d1e9b884bf15a230709083240439ec95d61c4e7c3482d5
Instruction ID: 03afcc715262377cb3c4afb17d04d7656db1cc8a5393251eb5923bcbbdcca65a
Opcode Fuzzy Hash: bc7ebd33838c015a08d1e9b884bf15a230709083240439ec95d61c4e7c3482d5
Instruction Fuzzy Hash: E601C431A002048FCB14DF65DA8578ABBA2EF85310F548679D84C6B2AAE770ED46C791

Uniqueness

Uniqueness Score: -1.00%

Function 00EC80F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae9bb0e43e06a2dd419e41e3cbaa5cb20f049cc635f2f0a5e28a6b60ac80205
Instruction ID: 24ba7f8f4fd6ebd730bc971039d79a2d8d5c4e15ffae056f47ace4358efbae7a
Opcode Fuzzy Hash: 8ae9bb0e43e06a2dd419e41e3cbaa5cb20f049cc635f2f0a5e28a6b60ac80205
Instruction Fuzzy Hash: B1014434D00209AFCF05FF78F941A9DBBB5DF41714F5045B9C4059B2A9EB316E4A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbf385c7b764cfbbd11609b0ae13f0a35e91f2374016bb156a989b849e3a3c8
Instruction ID: 9ced18a5106769108942f191d9c039d00b7242106baa513db7cdfce2aa654fce
Opcode Fuzzy Hash: 3cbf385c7b764cfbbd11609b0ae13f0a35e91f2374016bb156a989b849e3a3c8
Instruction Fuzzy Hash: 74F0F673A04150CFDB228BA48691BACBBA1FE9631172850DFD806FB213D223D843C751

Uniqueness

Uniqueness Score: -1.00%

Function 00EC7090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36064810edeade6e0bc0bde6df6d8e273b067b4cf3f98fb2a073cf76cd455bd8
Instruction ID: cf9259d393cc1d7b4bee3cd339d3fd64439d19d545fa995284af1e2bc6993c64
Opcode Fuzzy Hash: 36064810edeade6e0bc0bde6df6d8e273b067b4cf3f98fb2a073cf76cd455bd8
Instruction Fuzzy Hash: 18F0C439B00208CFD718EB74D598BAD77B2EF8975AF1040A9E5169B3A4CB35AD42CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2909185815.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ec0000_wZnyuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4058047faaa49addcf7ad6ce5f562194552cac4d65e8bea231f0986d5b507851
Instruction ID: b0c1fa26fd7fd69fefbe512584db36afe171c97830e317a9458b176fb1d5aca7
Opcode Fuzzy Hash: 4058047faaa49addcf7ad6ce5f562194552cac4d65e8bea231f0986d5b507851
Instruction Fuzzy Hash: 66F0F434900109AFCF05FFA8F941A9DBBB5EF40714F505679C4059725DDF316E4A8B91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rNNA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rNNA.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wZnyuP.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ezau15k.i1s.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5na5kd2y.dae.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdbwlku4.wyp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ja5cq2ml.oyx.psm1

C:\Users\user\AppData\Local\Temp\tmp9DF8.tmp

C:\Users\user\AppData\Local\Temp\tmpA9BF.tmp

C:\Users\user\AppData\Roaming\wZnyuP.exe

C:\Users\user\AppData\Roaming\wZnyuP.exe:Zone.Identifier

Static File Info

General

File Icon

Windows Analysis Report
rNNA.exe

Function 07794ACD Relevance: 14.0, Strings: 11, Instructions: 248
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre