Edit tour

Windows Analysis Report
new p o.exe

Overview

General Information

Sample name:	new p o.exe
Analysis ID:	1453072
MD5:	355afaeb273ff043eb0c9255d372c134
SHA1:	1657f3dca4b07257e5c0b0e0293ea55692637963
SHA256:	390b2151f97ed90201b625b089bee042304fe998171e2d9452135eecf416b17a
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

new p o.exe (PID: 3168 cmdline: "C:\Users\user\Desktop\new p o.exe" MD5: 355AFAEB273FF043EB0C9255D372C134)

new p o.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\new p o.exe" MD5: 355AFAEB273FF043EB0C9255D372C134)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3270786167.0000000003026000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3270786167.000000000301E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3270786167.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3270786167.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: new p o.exe PID: 3168	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: new p o.exe PID: 3168	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: new p o.exe PID: 5820	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: new p o.exe PID: 5820	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.new p o.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.new p o.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.new p o.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33513:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3362f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33699:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33831:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.new p o.exe.3c75370.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.new p o.exe.3c75370.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.new p o.exe.3c75370.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31713:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3179d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3182f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31899:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3190b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a31:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.new p o.exe.3cafd90.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.new p o.exe.3cafd90.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.new p o.exe.3cafd90.10.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31713:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3179d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3182f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31899:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3190b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a31:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.new p o.exe.3c75370.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.new p o.exe.3c75370.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.new p o.exe.3c75370.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.new p o.exe.3c75370.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dec1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa86e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33513:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df33:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa8753:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dfbd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa87dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3362f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e04f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa886f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33699:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e0b9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa88d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e12b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa894b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e1c1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa89e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.new p o.exe.3cafd90.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.new p o.exe.3cafd90.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.new p o.exe.3cafd90.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.new p o.exe.3cafd90.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dcc1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33513:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd33:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ddbd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3362f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de4f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33699:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6deb9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfc1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33831:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e051:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.222.226.100, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\new p o.exe, Initiated: true, ProcessId: 5820, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708

Snort Signatures

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.5 - Destination IP: 162.222.226.100

Timestamp:	06/06/24-16:24:59.300675
SID:	2839723
Source Port:	49708
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.5 - Destination IP: 162.222.226.100

Timestamp:	06/06/24-16:24:59.300675
SID:	2030171
Source Port:	49708
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 162.222.226.100

Timestamp:	06/06/24-16:24:59.300762
SID:	2851779
Source Port:	49708
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.5 - Destination IP: 162.222.226.100

Timestamp:	06/06/24-16:24:59.300762
SID:	2855542
Source Port:	49708
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.5 - Destination IP: 162.222.226.100

Timestamp:	06/06/24-16:24:59.300762
SID:	2855245
Source Port:	49708
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.5 - Destination IP: 162.222.226.100

Timestamp:	06/06/24-16:24:59.300762
SID:	2840032
Source Port:	49708
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: new p o.exe

Avira: detected

Found malware configuration

Source: 0.2.new p o.exe.3cafd90.10.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}

Multi AV Scanner detection for submitted file

Source: new p o.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: new p o.exe

Joe Sandbox ML: detected

Source: new p o.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: new p o.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49708 -> 162.222.226.100:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49708 -> 162.222.226.100:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49708 -> 162.222.226.100:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49708 -> 162.222.226.100:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49708 -> 162.222.226.100:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49708 -> 162.222.226.100:587

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.new p o.exe.3c75370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3cafd90.10.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 162.222.226.100:587

Source: Joe Sandbox View

IP Address: 162.222.226.100 162.222.226.100

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 162.222.226.100:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.thelamalab.com

Source: new p o.exe	String found in binary or memory: http://aliez.tv/
Source: new p o.exe, 00000003.00000002.3270786167.0000000003026000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.thelamalab.com
Source: new p o.exe	String found in binary or memory: http://ozon.ru/
Source: new p o.exe, 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, new p o.exe, 00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: new p o.exe	String found in binary or memory: https://raw.github.com/natrim/Sign-Control/master/release.txt

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, abAX9N.cs	.Net Code: K8VU1S
Source: 0.2.new p o.exe.3c75370.8.raw.unpack, abAX9N.cs	.Net Code: K8VU1S

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.new p o.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.new p o.exe.3c75370.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.new p o.exe.3cafd90.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.new p o.exe.3c75370.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.new p o.exe.7220000.11.raw.unpack, .cs	Large array initialization: : array initializer size 28702
Source: 0.2.new p o.exe.2a4b598.4.raw.unpack, .cs	Large array initialization: : array initializer size 28702

Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_00D3EFF0	0_2_00D3EFF0
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_00D3DC00	0_2_00D3DC00
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_05D50040	0_2_05D50040
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_05D50006	0_2_05D50006
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_05EBAB88	0_2_05EBAB88
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_05EBAB98	0_2_05EBAB98
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_072B5EE0	0_2_072B5EE0
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_072B3473	0_2_072B3473
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_072B5AA8	0_2_072B5AA8
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_072BA128	0_2_072BA128
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_072B38F8	0_2_072B38F8
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_072B50F8	0_2_072B50F8
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_01559B28	3_2_01559B28
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_01554A98	3_2_01554A98
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_0155CDA0	3_2_0155CDA0
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_01553E80	3_2_01553E80
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_015541C8	3_2_015541C8
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_064426E0	3_2_064426E0
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_06448778	3_2_06448778
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_064452C8	3_2_064452C8
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_06440040	3_2_06440040
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_06443B38	3_2_06443B38
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_0644D8F0	3_2_0644D8F0
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_0644B8F8	3_2_0644B8F8
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_06442E30	3_2_06442E30
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_06444BE8	3_2_06444BE8

Source: new p o.exe, 00000000.00000002.2044550222.0000000007220000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs new p o.exe
Source: new p o.exe, 00000000.00000000.2017351314.00000000006E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameebdP.exe: vs new p o.exe
Source: new p o.exe, 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs new p o.exe
Source: new p o.exe, 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs new p o.exe
Source: new p o.exe, 00000000.00000002.2040128413.0000000002A27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs new p o.exe
Source: new p o.exe, 00000000.00000002.2040128413.0000000002A27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs new p o.exe
Source: new p o.exe, 00000000.00000002.2045086989.0000000008D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs new p o.exe
Source: new p o.exe, 00000003.00000002.3268903267.0000000000DA9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs new p o.exe
Source: new p o.exe, 00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs new p o.exe
Source: new p o.exe	Binary or memory string: OriginalFilenameebdP.exe: vs new p o.exe

Source: new p o.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.new p o.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.new p o.exe.3c75370.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.new p o.exe.3cafd90.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.new p o.exe.3c75370.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: new p o.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new p o.exe.3cafd90.10.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, KL3L2TdNJS2cUnSj43.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, gOKbyVPa30L87dWtTn.cs	Security API names: _0020.SetAccessControl
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, gOKbyVPa30L87dWtTn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, gOKbyVPa30L87dWtTn.cs	Security API names: _0020.AddAccessRule
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, gOKbyVPa30L87dWtTn.cs	Security API names: _0020.SetAccessControl
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, gOKbyVPa30L87dWtTn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, gOKbyVPa30L87dWtTn.cs	Security API names: _0020.AddAccessRule
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, KL3L2TdNJS2cUnSj43.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: new p o.exe, Form1.cs

Suspicious URL: 'http://yandex.ru', 'http://yandex.ru', 'http://yandex.ru', 'http://yandex.ru', 'http://yandex.ru', 'http://yandex.ru/search/?lr=213&text=', 'http://yandex.ru/search/?lr=213&text=', 'http://yandex.ru/search/?lr=213&text=', 'http://yandex.ru', 'http://google.ru/', 'http://rambler.ru/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\new p o.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new p o.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

Mutant created: NULL

Source: new p o.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: new p o.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\new p o.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\new p o.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\new p o.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: new p o.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\new p o.exe

File read: C:\Users\user\Desktop\new p o.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\new p o.exe "C:\Users\user\Desktop\new p o.exe"
Source: C:\Users\user\Desktop\new p o.exe	Process created: C:\Users\user\Desktop\new p o.exe "C:\Users\user\Desktop\new p o.exe"
Source: C:\Users\user\Desktop\new p o.exe	Process created: C:\Users\user\Desktop\new p o.exe "C:\Users\user\Desktop\new p o.exe"	Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: new p o.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: new p o.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: new p o.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.new p o.exe.7220000.11.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, gOKbyVPa30L87dWtTn.cs	.Net Code: N1vUg0xmmo System.Reflection.Assembly.Load(byte[])
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, gOKbyVPa30L87dWtTn.cs	.Net Code: N1vUg0xmmo System.Reflection.Assembly.Load(byte[])
Source: 0.2.new p o.exe.2a4b598.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_05EBC7A5 pushad ; retf	0_2_05EBC7A8
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_072B9B20 pushfd ; retf	0_2_072B9B21
Source: C:\Users\user\Desktop\new p o.exe	Code function: 0_2_072B9A58 pushad ; retf	0_2_072B9A59
Source: C:\Users\user\Desktop\new p o.exe	Code function: 3_2_064436D7 push ebx; iretd	3_2_064436DA

Source: new p o.exe

Static PE information: section name: .text entropy: 7.91897428267625

Source: 0.2.new p o.exe.8d20000.14.raw.unpack, y2nu6ZHW0l0a4H9Mev.cs	High entropy of concatenated method names: 'z74ewKS8g6', 'ssReLQWQfu', 'k8wegiEdoZ', 'ucCemGwYjq', 'wDHe93H88F', 'p7Ne3jfJUP', 'KSZeF0rL9e', 'GRkeOpJQWb', 'V7LeypyCW2', 'diief4FEYJ'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, pgXmSnCTn0WnFjyVFV.cs	High entropy of concatenated method names: 'KGeSeplewJ', 'DKNSIHPjSP', 'Na6SiDoTXb', 'hKdSsdm56t', 'wltS1WxJYn', 'wqYSqEXynb', 'pvZnmC4hqkux48icxv', 'gZwinOwixFJa8UhwWZ', 'vBDtgFbIS0dm9PZmf3', 'WLKSSN8ViE'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, XVqYbIy1CdG59nvyRD.cs	High entropy of concatenated method names: 'oLP4SldJK1', 'Udv4agnTTb', 'ycw4UOCWQl', 'YBR4kCLMW1', 'SK14VRon8l', 'thi4c4k3s0', 'B3Q4pJXFGg', 'wWL8Cc5FZC', 'F7E8QOgoTh', 'QZJ8odRbhN'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, CHqS7jqoYI1WdEU6Iw.cs	High entropy of concatenated method names: 'xT8ekGm6FX', 'cT8ehmwAwB', 'cPbepTm1fB', 'sdbpDyRTOd', 'kRupzgJIlO', 'wQCeTwfJew', 'AwYeSv8cre', 'BD3eHxNNi6', 'WhneaPpEu9', 'FBSeU9HLym'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, xUYryVtpnipYEKt8hy.cs	High entropy of concatenated method names: 'JgkbObKTqq', 'IjdbyKk22s', 'XxYbvqMjW9', 'gMfbNVLZem', 'RbSbZMxDgA', 'IkhbJC6m6q', 'D9UbB4oAHy', 'LnJbuLnLTt', 'Tlfb7jJiuh', 'ArCbY13v3e'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, lkb9y83tn6PWLj88aR.cs	High entropy of concatenated method names: 'C9tgYxiOk', 'CZ5maoMLm', 'fjO3lD6NH', 't6NFoYpDy', 'qkOywxNUN', 'CFqf7XlM9', 'TZVcVmyAsVJEc3s6QT', 'BxjfxcesKhL89gP1Td', 'rA88BGl1H', 'XJEnQe4Wa'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, FxpsrazvTUsO8OVsja.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wrs4baTrLv', 'ysZ41OyiEd', 'c2k4qQ9cqo', 'rde4tOfK6v', 'rY448tkxgk', 'Rlc44e6a4j', 'EAS4nw3i7u'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, S3HuEqKvNyGUSx6ZwV7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xSHnK571nK', 'LZ7nMdf567', 'HFenRum5Vo', 'FUSnWv7wgK', 'B1BnEyx73B', 'iWLn64ymPy', 'NqtnC4tIwQ'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, Mf7CjC7rwfprZM3x5p.cs	High entropy of concatenated method names: 'Y83t4XSDAa', 'EZLtnurBpf', 'ypdtr2i6kq', 'rJGhuCcd1um6HsBPFi5', 'NQUJ7jckDb8ovf2rHJl', 'GvsC8ec3dDJ9M7RXiTy'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, KL3L2TdNJS2cUnSj43.cs	High entropy of concatenated method names: 'EQDVKeHowf', 'ynFVMqSPVa', 'A4gVRrjcyf', 'M8NVWGQAa4', 'bCZVEQeXZE', 'F8pV6OAUaB', 'DRAVCjM0Hp', 'iJBVQuRgqN', 'AxmVola9hT', 'Y4kVDFiIOu'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, osaoiHUqHJhcrUKXGU.cs	High entropy of concatenated method names: 'Lqj17XiQ13', 'g0r10Et8Oh', 'kW51KO4hAO', 'AGm1M4UkpK', 'WyX1NAq33a', 'LJw1lyEXQn', 'CBx1Z01jpk', 'fh91JZJDmT', 'gce1XKnRjo', 'EaE1BiZRaD'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, mVgQMlulMqEv0BUi6Q.cs	High entropy of concatenated method names: 'NYomZx9rA5brkH4YMKZ', 'NarWvp9tiAGhoEJaFGm', 'GXyp8vjrQu', 'qcLp4joByU', 'L0hpnIDVo5', 'm9Qci39aC3PYARPgJSM', 'lLQHZD9g2ARfakeaVj6'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, sJtNZ9SvWFcQO2Hlka.cs	High entropy of concatenated method names: 'qMMc9DvhTG', 'HEvcFajXCb', 'KHBhl6eFeD', 'NB0hZmNxUk', 'nTdhJefJpr', 'XPjhX4AaKw', 'yGchBHZNmy', 'IphhuFOLTo', 'kOBhjNVELg', 'cmqh7mcc9V'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, L9Dpo8XJXVltVOqj0S.cs	High entropy of concatenated method names: 'WOFtiD1s0N', 'zadtsATykC', 'ToString', 'gwdtkGhT3Q', 'WE6tVfR6Px', 'VvxthykKWZ', 'iPStcs71Ii', 'VuXtp2nBrh', 'BUAteah2hm', 'NdDtISCa1M'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, hwtNS3Avuyii6XmVPd.cs	High entropy of concatenated method names: 'ToString', 'gmEqY78HIh', 'QaCqNxZU1W', 'nEoqlLcBx3', 'GXsqZjwFdt', 'mWGqJbBckm', 'rkhqXvKFdl', 'HL9qB9nVPA', 'jAqqub4TiX', 'T5sqjsxfmB'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, wDRoSiccMufmO0QNwg.cs	High entropy of concatenated method names: 'wpC8vGtdHo', 'bOX8NfMi3F', 'tc58lRBsM4', 'di98ZFStR7', 'dwT8KoAoqd', 'sew8JBxEfY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, PjnLd4KNnqrJ4X1igMS.cs	High entropy of concatenated method names: 'Ni94wQCAyd', 'AT64LbpPgM', 'zse4gk8Byg', 'gNH4mwgUkp', 'qKN49c5g1d', 'fgx43Ow9W1', 'TL94FTMsd4', 'koa4Oj3cWv', 'rZi4yO6sNR', 'KHi4fuyuFv'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, gOKbyVPa30L87dWtTn.cs	High entropy of concatenated method names: 'qfsaxIMs60', 'AIcakkoy7W', 'CSNaVZJISR', 'AhUahD9VKM', 'QRlacNVUCo', 'ROEappKfF2', 'WDqaeInqcR', 'xbbaICYcLM', 'ELZaPEG9bV', 'Geiaib3FvL'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, u81Df7Zqn01XxVRaHr.cs	High entropy of concatenated method names: 'PMCpxDTFnh', 'FlBpVtRG2F', 'OccpcWXT3N', 'FL0peUvUCl', 'r33pIQNB3o', 'gM8cEfuur6', 'dGrc6cG0Zc', 'H1lcCBD8Tq', 'HGHcQ8Ru1j', 'qmZcoRgrwK'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, Wlmh3uLjG0JUG1p4Ch.cs	High entropy of concatenated method names: 'WqGhmWJsts', 'wjhh3hJ76S', 'EU6hOvE1sm', 'zV1hy3SxWf', 'YQNh17C6BI', 'qgghqYDG5B', 'kKyhtINM2J', 'zCth8OmG7J', 'nErh41CsIh', 'FDChnugrqd'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, txQKgTYoGrf3l1l24R.cs	High entropy of concatenated method names: 'yoJtQBNa7h', 'Y4TtDtOB3e', 'uJx8ThbxPS', 'yR68SMXHvk', 'WEEtYeIPiO', 'qqBt0asbv2', 'E3Wt2WPtQX', 'mEKtKSvrMl', 'y1ftMspxjG', 'WlEtRBFiCc'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, Lt6e6sI5UT6VKjDI46.cs	High entropy of concatenated method names: 'e328kEPAWm', 'X998V9N88G', 'r9L8hGwZMZ', 'GCZ8c4RlTv', 'EuI8pb1tnA', 'eFE8e8Ivus', 'ANy8IaScy9', 'VIj8PDgNO4', 'Y6w8ibZHu1', 'PN18sZx9Cg'
Source: 0.2.new p o.exe.8d20000.14.raw.unpack, e7Df4eMFKQod3Boejt.cs	High entropy of concatenated method names: 'Dispose', 'H1eSo7XVbA', 'LnNHNcmNPp', 'NMOrrQXECS', 'rDSSDUnx9O', 'qPVSzj18kG', 'ProcessDialogKey', 'fmlHTgP343', 'NVAHSjxTOb', 'xGDHHGk5rB'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, y2nu6ZHW0l0a4H9Mev.cs	High entropy of concatenated method names: 'z74ewKS8g6', 'ssReLQWQfu', 'k8wegiEdoZ', 'ucCemGwYjq', 'wDHe93H88F', 'p7Ne3jfJUP', 'KSZeF0rL9e', 'GRkeOpJQWb', 'V7LeypyCW2', 'diief4FEYJ'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, pgXmSnCTn0WnFjyVFV.cs	High entropy of concatenated method names: 'KGeSeplewJ', 'DKNSIHPjSP', 'Na6SiDoTXb', 'hKdSsdm56t', 'wltS1WxJYn', 'wqYSqEXynb', 'pvZnmC4hqkux48icxv', 'gZwinOwixFJa8UhwWZ', 'vBDtgFbIS0dm9PZmf3', 'WLKSSN8ViE'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, XVqYbIy1CdG59nvyRD.cs	High entropy of concatenated method names: 'oLP4SldJK1', 'Udv4agnTTb', 'ycw4UOCWQl', 'YBR4kCLMW1', 'SK14VRon8l', 'thi4c4k3s0', 'B3Q4pJXFGg', 'wWL8Cc5FZC', 'F7E8QOgoTh', 'QZJ8odRbhN'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, CHqS7jqoYI1WdEU6Iw.cs	High entropy of concatenated method names: 'xT8ekGm6FX', 'cT8ehmwAwB', 'cPbepTm1fB', 'sdbpDyRTOd', 'kRupzgJIlO', 'wQCeTwfJew', 'AwYeSv8cre', 'BD3eHxNNi6', 'WhneaPpEu9', 'FBSeU9HLym'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, xUYryVtpnipYEKt8hy.cs	High entropy of concatenated method names: 'JgkbObKTqq', 'IjdbyKk22s', 'XxYbvqMjW9', 'gMfbNVLZem', 'RbSbZMxDgA', 'IkhbJC6m6q', 'D9UbB4oAHy', 'LnJbuLnLTt', 'Tlfb7jJiuh', 'ArCbY13v3e'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, lkb9y83tn6PWLj88aR.cs	High entropy of concatenated method names: 'C9tgYxiOk', 'CZ5maoMLm', 'fjO3lD6NH', 't6NFoYpDy', 'qkOywxNUN', 'CFqf7XlM9', 'TZVcVmyAsVJEc3s6QT', 'BxjfxcesKhL89gP1Td', 'rA88BGl1H', 'XJEnQe4Wa'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, FxpsrazvTUsO8OVsja.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wrs4baTrLv', 'ysZ41OyiEd', 'c2k4qQ9cqo', 'rde4tOfK6v', 'rY448tkxgk', 'Rlc44e6a4j', 'EAS4nw3i7u'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, S3HuEqKvNyGUSx6ZwV7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xSHnK571nK', 'LZ7nMdf567', 'HFenRum5Vo', 'FUSnWv7wgK', 'B1BnEyx73B', 'iWLn64ymPy', 'NqtnC4tIwQ'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, Mf7CjC7rwfprZM3x5p.cs	High entropy of concatenated method names: 'Y83t4XSDAa', 'EZLtnurBpf', 'ypdtr2i6kq', 'rJGhuCcd1um6HsBPFi5', 'NQUJ7jckDb8ovf2rHJl', 'GvsC8ec3dDJ9M7RXiTy'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, KL3L2TdNJS2cUnSj43.cs	High entropy of concatenated method names: 'EQDVKeHowf', 'ynFVMqSPVa', 'A4gVRrjcyf', 'M8NVWGQAa4', 'bCZVEQeXZE', 'F8pV6OAUaB', 'DRAVCjM0Hp', 'iJBVQuRgqN', 'AxmVola9hT', 'Y4kVDFiIOu'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, osaoiHUqHJhcrUKXGU.cs	High entropy of concatenated method names: 'Lqj17XiQ13', 'g0r10Et8Oh', 'kW51KO4hAO', 'AGm1M4UkpK', 'WyX1NAq33a', 'LJw1lyEXQn', 'CBx1Z01jpk', 'fh91JZJDmT', 'gce1XKnRjo', 'EaE1BiZRaD'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, mVgQMlulMqEv0BUi6Q.cs	High entropy of concatenated method names: 'NYomZx9rA5brkH4YMKZ', 'NarWvp9tiAGhoEJaFGm', 'GXyp8vjrQu', 'qcLp4joByU', 'L0hpnIDVo5', 'm9Qci39aC3PYARPgJSM', 'lLQHZD9g2ARfakeaVj6'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, sJtNZ9SvWFcQO2Hlka.cs	High entropy of concatenated method names: 'qMMc9DvhTG', 'HEvcFajXCb', 'KHBhl6eFeD', 'NB0hZmNxUk', 'nTdhJefJpr', 'XPjhX4AaKw', 'yGchBHZNmy', 'IphhuFOLTo', 'kOBhjNVELg', 'cmqh7mcc9V'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, L9Dpo8XJXVltVOqj0S.cs	High entropy of concatenated method names: 'WOFtiD1s0N', 'zadtsATykC', 'ToString', 'gwdtkGhT3Q', 'WE6tVfR6Px', 'VvxthykKWZ', 'iPStcs71Ii', 'VuXtp2nBrh', 'BUAteah2hm', 'NdDtISCa1M'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, hwtNS3Avuyii6XmVPd.cs	High entropy of concatenated method names: 'ToString', 'gmEqY78HIh', 'QaCqNxZU1W', 'nEoqlLcBx3', 'GXsqZjwFdt', 'mWGqJbBckm', 'rkhqXvKFdl', 'HL9qB9nVPA', 'jAqqub4TiX', 'T5sqjsxfmB'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, wDRoSiccMufmO0QNwg.cs	High entropy of concatenated method names: 'wpC8vGtdHo', 'bOX8NfMi3F', 'tc58lRBsM4', 'di98ZFStR7', 'dwT8KoAoqd', 'sew8JBxEfY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, PjnLd4KNnqrJ4X1igMS.cs	High entropy of concatenated method names: 'Ni94wQCAyd', 'AT64LbpPgM', 'zse4gk8Byg', 'gNH4mwgUkp', 'qKN49c5g1d', 'fgx43Ow9W1', 'TL94FTMsd4', 'koa4Oj3cWv', 'rZi4yO6sNR', 'KHi4fuyuFv'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, gOKbyVPa30L87dWtTn.cs	High entropy of concatenated method names: 'qfsaxIMs60', 'AIcakkoy7W', 'CSNaVZJISR', 'AhUahD9VKM', 'QRlacNVUCo', 'ROEappKfF2', 'WDqaeInqcR', 'xbbaICYcLM', 'ELZaPEG9bV', 'Geiaib3FvL'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, u81Df7Zqn01XxVRaHr.cs	High entropy of concatenated method names: 'PMCpxDTFnh', 'FlBpVtRG2F', 'OccpcWXT3N', 'FL0peUvUCl', 'r33pIQNB3o', 'gM8cEfuur6', 'dGrc6cG0Zc', 'H1lcCBD8Tq', 'HGHcQ8Ru1j', 'qmZcoRgrwK'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, Wlmh3uLjG0JUG1p4Ch.cs	High entropy of concatenated method names: 'WqGhmWJsts', 'wjhh3hJ76S', 'EU6hOvE1sm', 'zV1hy3SxWf', 'YQNh17C6BI', 'qgghqYDG5B', 'kKyhtINM2J', 'zCth8OmG7J', 'nErh41CsIh', 'FDChnugrqd'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, txQKgTYoGrf3l1l24R.cs	High entropy of concatenated method names: 'yoJtQBNa7h', 'Y4TtDtOB3e', 'uJx8ThbxPS', 'yR68SMXHvk', 'WEEtYeIPiO', 'qqBt0asbv2', 'E3Wt2WPtQX', 'mEKtKSvrMl', 'y1ftMspxjG', 'WlEtRBFiCc'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, Lt6e6sI5UT6VKjDI46.cs	High entropy of concatenated method names: 'e328kEPAWm', 'X998V9N88G', 'r9L8hGwZMZ', 'GCZ8c4RlTv', 'EuI8pb1tnA', 'eFE8e8Ivus', 'ANy8IaScy9', 'VIj8PDgNO4', 'Y6w8ibZHu1', 'PN18sZx9Cg'
Source: 0.2.new p o.exe.3d793b0.9.raw.unpack, e7Df4eMFKQod3Boejt.cs	High entropy of concatenated method names: 'Dispose', 'H1eSo7XVbA', 'LnNHNcmNPp', 'NMOrrQXECS', 'rDSSDUnx9O', 'qPVSzj18kG', 'ProcessDialogKey', 'fmlHTgP343', 'NVAHSjxTOb', 'xGDHHGk5rB'

Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\new p o.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: 4A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: 8DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: 9DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: A0B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: B0B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe	Window / User API: threadDelayed 3632			Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Window / User API: threadDelayed 1049			Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe TID: 2556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 6524	Thread sleep count: 3632 > 30	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 6524	Thread sleep count: 1049 > 30	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -99157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -99032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -98918s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -98790s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -98575s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe TID: 4592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\new p o.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\new p o.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 99157	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 99032	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 98918	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 98790	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 98575	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: new p o.exe, 00000003.00000002.3269111190.0000000001257000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\new p o.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\new p o.exe

Memory written: C:\Users\user\Desktop\new p o.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

Process created: C:\Users\user\Desktop\new p o.exe "C:\Users\user\Desktop\new p o.exe"

Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Users\user\Desktop\new p o.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Users\user\Desktop\new p o.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\new p o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.new p o.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3c75370.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3cafd90.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3c75370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3cafd90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3270786167.0000000003026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3270786167.000000000301E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3270786167.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new p o.exe PID: 3168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new p o.exe PID: 5820, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\new p o.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\new p o.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\new p o.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\new p o.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\new p o.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 3.2.new p o.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3c75370.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3cafd90.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3c75370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3cafd90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3270786167.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new p o.exe PID: 3168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new p o.exe PID: 5820, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.new p o.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3c75370.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3cafd90.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3c75370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new p o.exe.3cafd90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3270786167.0000000003026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3270786167.000000000301E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3270786167.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new p o.exe PID: 3168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new p o.exe PID: 5820, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
new p o.exe	66%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
new p o.exe	100%	Avira	HEUR/AGEN.1306292
new p o.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://raw.github.com/natrim/Sign-Control/master/release.txt	0%	Avira URL Cloud	safe
http://aliez.tv/	0%	Avira URL Cloud	safe
http://ozon.ru/	0%	Avira URL Cloud	safe
http://mail.thelamalab.com	0%	Avira URL Cloud	safe
https://account.dyn.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.thelamalab.com	162.222.226.100	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.thelamalab.com	new p o.exe, 00000003.00000002.3270786167.0000000003026000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ozon.ru/	new p o.exe	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	new p o.exe, 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, new p o.exe, 00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.github.com/natrim/Sign-Control/master/release.txt	new p o.exe	false	Avira URL Cloud: safe	unknown
http://aliez.tv/	new p o.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.222.226.100	mail.thelamalab.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1453072
Start date and time:	2024-06-06 16:24:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	new p o.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 180 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: new p o.exe

Simulations

Behavior and APIs

Time	Type	Description
10:24:53	API Interceptor	24x Sleep call for process: new p o.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.222.226.100	SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe	Get hash	malicious	AgentTesla	Browse
	DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe	Get hash	malicious	AgentTesla	Browse
	SHIPPING ORDER.exe	Get hash	malicious	AgentTesla	Browse
	receipt-73633T36X90N.exe	Get hash	malicious	AgentTesla	Browse
	AQQ-T7630-CVE8.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe	Get hash	malicious	AgentTesla	Browse
	SCAN_INCORRECT_DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Heur.26171.30744.exe	Get hash	malicious	AgentTesla	Browse
	INVOICE_FEB-888201-2024.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.thelamalab.com	SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SHIPPING ORDER.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	receipt-73633T36X90N.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	AQQ-T7630-CVE8.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SCAN_INCORRECT_DETAILS.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SecuriteInfo.com.Heur.26171.30744.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	INVOICE_FEB-888201-2024.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	xxE73NiLJI.exe	Get hash	malicious	AgentTesla	Browse	119.18.49.36
	#U0395#U039d#U03a4#U03a5#U03a0#U039f #U03a3#U03a5#U039c#U0392#U0391#U03a3#U0397#U03a3-pdf.bat.exe	Get hash	malicious	GuLoader	Browse	216.10.247.128
	#U0395#U039d#U03a4#U03a5#U03a0#U039f #U03a3#U03a5#U039c#U0392#U0391#U03a3#U0397#U03a3-pdf.bat.exe	Get hash	malicious	GuLoader	Browse	216.10.247.128
	New RFQ.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	8tj0P0kLIj.exe	Get hash	malicious	GuLoader	Browse	216.10.247.128
	8tj0P0kLIj.exe	Get hash	malicious	GuLoader	Browse	216.10.247.128
	SecuriteInfo.com.Win32.TrojanX-gen.29322.19421.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	15iXddUX2F.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	oPQtUCeecT.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	td2RgV6HyP.exe	Get hash	malicious	SystemBC	Browse	208.91.198.118

Process:	C:\Users\user\Desktop\new p o.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.897510449967306
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	new p o.exe
File size:	720'896 bytes
MD5:	355afaeb273ff043eb0c9255d372c134
SHA1:	1657f3dca4b07257e5c0b0e0293ea55692637963
SHA256:	390b2151f97ed90201b625b089bee042304fe998171e2d9452135eecf416b17a
SHA512:	4d7c724f0079937568b5f2f7963d8e1e42cc4b9f9808caf8c316a9d09dbfd20b570042079f8af3a2333c602d7ec71e05603165cc1a64627e3fceb1bc78887ae1
SSDEEP:	12288:bT3qyJM+LUGz4liP9QUOp+8r0G1xFozK3hZIvWJOmuLpteT5wOu58b3L:X6ORvzqcQU+rzitOh7
TLSH:	FAE41284276CA302C5BC87F6045A41504F7475265A26E718CDC22EEF9E36BD0EA5FF2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._f..............0......(......^.... ........@.. .......................@............@................................

File Icon


Icon Hash:	175198939250310f

Static PE Info

General

Entrypoint:	0x4aea5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x665FCDE4 [Wed Jun 5 02:31:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaea0c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x1ec4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaca64	0xad000	040e7f550c25bd04badc4af049c80870	False	0.9348398550397399	data	7.91897428267625	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x1ec4	0x2000	47eb79ee676c48c6c928bb6bd195c2e6	False	0.859375	data	7.361873272599137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x800	41630efbd3eed012138ced98e094141a	False	0.015625	data	0.03037337037012526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb00c8	0x19f5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9736644093303235
RT_GROUP_ICON	0xb1ad0	0x14	data	1.05
RT_VERSION	0xb1af4	0x3cc	data	0.4434156378600823

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/06/24-16:24:59.300675	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49708	587	192.168.2.5	162.222.226.100
06/06/24-16:24:59.300675	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49708	587	192.168.2.5	162.222.226.100
06/06/24-16:24:59.300762	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49708	587	192.168.2.5	162.222.226.100
06/06/24-16:24:59.300762	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49708	587	192.168.2.5	162.222.226.100
06/06/24-16:24:59.300762	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49708	587	192.168.2.5	162.222.226.100
06/06/24-16:24:59.300762	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49708	587	192.168.2.5	162.222.226.100

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2024 16:24:57.180088997 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:57.185091019 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:57.185177088 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:57.904892921 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:57.905214071 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:57.910192013 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:58.079267025 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:58.090104103 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:58.095113039 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:58.250722885 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:58.254918098 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:58.259848118 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:58.515777111 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:58.516129971 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:58.521049976 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:58.678666115 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:58.678899050 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:58.683878899 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.139127970 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.139327049 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:59.141402006 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.141458988 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:59.144745111 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.300041914 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.300674915 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:59.300761938 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:59.300797939 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:59.300822020 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:24:59.305668116 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.305696964 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.305830956 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.305859089 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.472415924 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:24:59.521845102 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:26:36.917902946 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:26:36.922868013 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:26:37.279983044 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:26:37.280781031 CEST	49708	587	192.168.2.5	162.222.226.100
Jun 6, 2024 16:26:37.286196947 CEST	587	49708	162.222.226.100	192.168.2.5
Jun 6, 2024 16:26:37.286292076 CEST	49708	587	192.168.2.5	162.222.226.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2024 16:24:56.811891079 CEST	53228	53	192.168.2.5	1.1.1.1
Jun 6, 2024 16:24:57.169990063 CEST	53	53228	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 6, 2024 16:24:56.811891079 CEST	192.168.2.5	1.1.1.1	0xe19c	Standard query (0)	mail.thelamalab.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 6, 2024 16:24:57.169990063 CEST	1.1.1.1	192.168.2.5	0xe19c	No error (0)	mail.thelamalab.com		162.222.226.100	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 6, 2024 16:24:57.904892921 CEST	587	49708	162.222.226.100	192.168.2.5	220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 06 Jun 2024 19:54:57 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 6, 2024 16:24:57.905214071 CEST	49708	587	192.168.2.5	162.222.226.100	EHLO 226546
Jun 6, 2024 16:24:58.079267025 CEST	587	49708	162.222.226.100	192.168.2.5	250-md-114.webhostbox.net Hello 226546 [173.254.250.91] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jun 6, 2024 16:24:58.090104103 CEST	49708	587	192.168.2.5	162.222.226.100	AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
Jun 6, 2024 16:24:58.250722885 CEST	587	49708	162.222.226.100	192.168.2.5	334 UGFzc3dvcmQ6
Jun 6, 2024 16:24:58.515777111 CEST	587	49708	162.222.226.100	192.168.2.5	235 Authentication succeeded
Jun 6, 2024 16:24:58.516129971 CEST	49708	587	192.168.2.5	162.222.226.100	MAIL FROM:<billing@thelamalab.com>
Jun 6, 2024 16:24:58.678666115 CEST	587	49708	162.222.226.100	192.168.2.5	250 OK
Jun 6, 2024 16:24:58.678899050 CEST	49708	587	192.168.2.5	162.222.226.100	RCPT TO:<jinhux31@gmail.com>
Jun 6, 2024 16:24:59.139127970 CEST	587	49708	162.222.226.100	192.168.2.5	250 Accepted
Jun 6, 2024 16:24:59.139327049 CEST	49708	587	192.168.2.5	162.222.226.100	DATA
Jun 6, 2024 16:24:59.141402006 CEST	587	49708	162.222.226.100	192.168.2.5	250 Accepted
Jun 6, 2024 16:24:59.300041914 CEST	587	49708	162.222.226.100	192.168.2.5	354 Enter message, ending with "." on a line by itself
Jun 6, 2024 16:24:59.300822020 CEST	49708	587	192.168.2.5	162.222.226.100	.
Jun 6, 2024 16:24:59.472415924 CEST	587	49708	162.222.226.100	192.168.2.5	250 OK id=1sFE31-002wfO-0j
Jun 6, 2024 16:26:36.917902946 CEST	49708	587	192.168.2.5	162.222.226.100	QUIT
Jun 6, 2024 16:26:37.279983044 CEST	587	49708	162.222.226.100	192.168.2.5	221 md-114.webhostbox.net closing connection

Target ID:	0
Start time:	10:24:52
Start date:	06/06/2024
Path:	C:\Users\user\Desktop\new p o.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\new p o.exe"
Imagebase:	0x630000
File size:	720'896 bytes
MD5 hash:	355AFAEB273FF043EB0C9255D372C134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2041644321.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:24:53
Start date:	06/06/2024
Path:	C:\Users\user\Desktop\new p o.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\new p o.exe"
Imagebase:	0xb60000
File size:	720'896 bytes
MD5 hash:	355AFAEB273FF043EB0C9255D372C134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3270786167.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3270786167.000000000301E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3268654170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3270786167.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3270786167.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	2.1%
Total number of Nodes:	419
Total number of Limit Nodes:	16

Executed Functions

Function 05D50040 Relevance: 15.4, Strings: 1, Instructions: 14136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp]q, xrefs: 05D51C3C

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID: Pp]q
API String ID: 0-2528107101
Opcode ID: 3a9b099f71ab8eb07240ab54cf86760c2e76e259e9ef84f059d226dd15443e6a
Instruction ID: 8ca4d8bc71fe688ec0e768aee58243f055bb3f16101c350d12252cb8d4f4d977
Opcode Fuzzy Hash: 3a9b099f71ab8eb07240ab54cf86760c2e76e259e9ef84f059d226dd15443e6a
Instruction Fuzzy Hash: 0174A434A113198FCB25DF64C898AA9B7B2FF89304F5145E9E4096B362DB31AEC5CF50

Function 05D50006 Relevance: 15.3, Strings: 1, Instructions: 14098
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp]q, xrefs: 05D51C3C

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID: Pp]q
API String ID: 0-2528107101
Opcode ID: 4cb95e88e82cb5b8c75c0b000168531fdd2ca249c9fd4cd837011b9139baddbf
Instruction ID: bb0a63cc4402c2dc4b8843bcec508a6884a3f4777bc3718e2135629726db20f3
Opcode Fuzzy Hash: 4cb95e88e82cb5b8c75c0b000168531fdd2ca249c9fd4cd837011b9139baddbf
Instruction Fuzzy Hash: 4E74B434A113198FCB25DF64C898AA9B7B2FF89304F5145E9E4096B362DB31AEC5CF50

Function 05EB47D2 Relevance: 26.8, Strings: 21, Instructions: 526COMMON

Download Yara Rule

Strings

$]q, xrefs: 05EB4DFD
$]q, xrefs: 05EB4E96
Te]q, xrefs: 05EB4C7B
$]q, xrefs: 05EB4DDB
$]q, xrefs: 05EB4E86
fbq, xrefs: 05EB496C
XX]q, xrefs: 05EB4AE5
$]q, xrefs: 05EB4D32
fbq, xrefs: 05EB4960
XX]q, xrefs: 05EB4BC9
fbq, xrefs: 05EB48DA
XX]q, xrefs: 05EB4C5C
fbq, xrefs: 05EB4900
fbq, xrefs: 05EB4DCB
XX]q, xrefs: 05EB4C14
Te]q, xrefs: 05EB4C71
$]q, xrefs: 05EB4DF1
fbq, xrefs: 05EB4EEA
\, xrefs: 05EB49C6
XX]q, xrefs: 05EB4B24
XX]q, xrefs: 05EB4C4C

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: fbq$ fbq$ fbq$ fbq$ fbq$ fbq$Te]q$Te]q$XX]q$XX]q$XX]q$XX]q$XX]q$XX]q$$]q$$]q$$]q$$]q$$]q$$]q$\
API String ID: 0-3041585488
Opcode ID: 32551951d8186217b112014c90e757c7af59eb28f93f133390bb06fe3576baca
Instruction ID: bbdbbe2619470b9228c8a7c344c3d68956d0fd62c6c47d299b421622dc69153c
Opcode Fuzzy Hash: 32551951d8186217b112014c90e757c7af59eb28f93f133390bb06fe3576baca
Instruction Fuzzy Hash: B9127F30A00218DFFF14CFA8D595AEE77B3BB84706F249915E4829B2D6DBB49C41CB51

Function 05EB330B Relevance: 12.9, Strings: 10, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 05EB335E
Te]q, xrefs: 05EB33B0
$]q, xrefs: 05EB381D
Te]q, xrefs: 05EB3511
Te]q, xrefs: 05EB345F
$]q, xrefs: 05EB3788
$]q, xrefs: 05EB3794
$]q, xrefs: 05EB3829
Te]q, xrefs: 05EB35E6
Te]q, xrefs: 05EB35B6

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$Te]q$Te]q$Te]q$Te]q$$]q$$]q$$]q$$]q
API String ID: 0-3613213995
Opcode ID: d605598c3ba20268d526c75213a050d36f62d6982283da7629c525b1332f8060
Instruction ID: c06736ae72818144198935c64cd57f86dc24785818466841ea2fe64617ed2ee2
Opcode Fuzzy Hash: d605598c3ba20268d526c75213a050d36f62d6982283da7629c525b1332f8060
Instruction Fuzzy Hash: 50F1A434B002049FEB04CF79C95A7FE7AE3AB88706F149925E582AB395DFB49C41CB51

Function 05EB4C42 Relevance: 12.7, Strings: 10, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XX]q, xrefs: 05EB4BC9
fbq, xrefs: 05EB4DCB
$]q, xrefs: 05EB4E86
$]q, xrefs: 05EB4DDB
XX]q, xrefs: 05EB4C14
Te]q, xrefs: 05EB4C71
$]q, xrefs: 05EB4DF1
fbq, xrefs: 05EB4EEA
XX]q, xrefs: 05EB4C4C
$]q, xrefs: 05EB4D32

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: fbq$ fbq$Te]q$XX]q$XX]q$XX]q$$]q$$]q$$]q$$]q
API String ID: 0-4039791027
Opcode ID: 672da5b2cce8fd8878efa5f91937054a1688df1120e1b4e9bfdc38cdbdf3e933
Instruction ID: 39341996f4f2928af95fb7bd875888946d6d60a434230e1a4976a5aafcbd3b36
Opcode Fuzzy Hash: 672da5b2cce8fd8878efa5f91937054a1688df1120e1b4e9bfdc38cdbdf3e933
Instruction Fuzzy Hash: 1D91A030A04218DFFF14CFA8D584AEE77B3BB80706F25A956E4826B2D6D7B0D841CB41

Function 05EB4C29 Relevance: 10.2, Strings: 8, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 05EB4DCB
$]q, xrefs: 05EB4E86
$]q, xrefs: 05EB4DDB
Te]q, xrefs: 05EB4C71
$]q, xrefs: 05EB4DF1
fbq, xrefs: 05EB4EEA
XX]q, xrefs: 05EB4C4C
$]q, xrefs: 05EB4D32

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: fbq$ fbq$Te]q$XX]q$$]q$$]q$$]q$$]q
API String ID: 0-1505870616
Opcode ID: 3fde5fd5b9d01d939b9d9a2d102cb3f21707110a4f83c86a30200f7c7eb2ec0b
Instruction ID: 0d133d5dbffab14dd87f490557660f2c28f31704a679039611497e25e20987ca
Opcode Fuzzy Hash: 3fde5fd5b9d01d939b9d9a2d102cb3f21707110a4f83c86a30200f7c7eb2ec0b
Instruction Fuzzy Hash: E9815B30A04218DFFF14CFA8D585AEEB7B3BB84706F15A916E4826B2D6D7B0D841CB41

Function 00D3C060 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D3C0DE
GetCurrentThread.KERNEL32 ref: 00D3C11B
GetCurrentProcess.KERNEL32 ref: 00D3C158
GetCurrentThreadId.KERNEL32 ref: 00D3C1B1

Strings

J, xrefs: 00D3C07C

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID: Current$ProcessThread
String ID: J
API String ID: 2063062207-1141589763
Opcode ID: e12e84bb7e94d0d218409561b20c5f0eedf0fbc079c3634709e4b6562158f564
Instruction ID: 13b18aa1e42c617634de3c6cf846486ce0f8b73e1d5751ead098a653ffd88f71
Opcode Fuzzy Hash: e12e84bb7e94d0d218409561b20c5f0eedf0fbc079c3634709e4b6562158f564
Instruction Fuzzy Hash: 8A5176B09003498FDB54DFA9D548BAEBBF1EF88304F208459E519B7350D7389984CF65

Function 05EB8AD0 Relevance: 7.7, Strings: 6, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 05EB8B72
LR]q, xrefs: 05EB8B80
LR]q, xrefs: 05EB8CB5
$]q, xrefs: 05EB8C48
LR]q, xrefs: 05EB8CA7
$]q, xrefs: 05EB8C38

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$LR]q$LR]q$$]q$$]q
API String ID: 0-2875722158
Opcode ID: f661fc5ca3772bf5b285af02a697b820750c50cc237ff23b02bfd01849bf4512
Instruction ID: 399c7c71dfe00c39b785b1f4e5f5d2e2e5eb7d5615f8370b7f48bbb2be1bc2ea
Opcode Fuzzy Hash: f661fc5ca3772bf5b285af02a697b820750c50cc237ff23b02bfd01849bf4512
Instruction Fuzzy Hash: 2B71B2B5A0C106CBFB16CF68C485BFEBBBBBB44302F046466D0D2AB381D6B49845CB51

Function 05EB8AC7 Relevance: 3.9, Strings: 3, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 05EB8B72
LR]q, xrefs: 05EB8CA7
$]q, xrefs: 05EB8C38

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q
API String ID: 0-2603884067
Opcode ID: f1cbebb9f7a9be08d2ee882088779126727ed1c3fa8c043834d206f5dee2455d
Instruction ID: a9977563d152b87f4f64ceaa881a298d1fc28e1da8efff8549336d507605fb93
Opcode Fuzzy Hash: f1cbebb9f7a9be08d2ee882088779126727ed1c3fa8c043834d206f5dee2455d
Instruction Fuzzy Hash: 596181B5A0C106CBFB16CF68C485BFAB7BBBB44306F086166E1D1AB391D2B49845CB51

Function 05EB8AC0 Relevance: 3.9, Strings: 3, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 05EB8B72
LR]q, xrefs: 05EB8CA7
$]q, xrefs: 05EB8C38

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q
API String ID: 0-2603884067
Opcode ID: e2da2993b5c049dbe1bd8aabe251fe27999c12837b234d5585df8fab35cadf4d
Instruction ID: 86920feeb43d59c1a2b4880db08fb05c69dc9ff584a15569c2804be28f8158dc
Opcode Fuzzy Hash: e2da2993b5c049dbe1bd8aabe251fe27999c12837b234d5585df8fab35cadf4d
Instruction Fuzzy Hash: C561A0B5A0C116CBFB12CF68C481BFEB7BBBB44306F086166D0D1AB391D2B49845CB11

Function 072B6654 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072B6896

Strings

J, xrefs: 072B669B

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: CreateProcess
String ID: J
API String ID: 963392458-1141589763
Opcode ID: 521ce868077978c4384e16367a3a11ca881e862ac8f0eb605f8199110c814f96
Instruction ID: a628fa020fe9a3061e2f6b7312feb857366b919c8077c04090d72e1ffb79044b
Opcode Fuzzy Hash: 521ce868077978c4384e16367a3a11ca881e862ac8f0eb605f8199110c814f96
Instruction Fuzzy Hash: D0A18DB1D1061ACFEB20CF68C8417EDBBB2FF44354F1485AAD849A7240DB749985CF91

Function 072B6660 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072B6896

Strings

J, xrefs: 072B669B

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: CreateProcess
String ID: J
API String ID: 963392458-1141589763
Opcode ID: 577a43aaa51e4ea21088fb4a488f0e58039fc6430e6041a132f5b55a5035ac86
Instruction ID: c8bd42a869d348b52a4284f054e7ffab6c00da8f10cd1371852f321bff9695e4
Opcode Fuzzy Hash: 577a43aaa51e4ea21088fb4a488f0e58039fc6430e6041a132f5b55a5035ac86
Instruction Fuzzy Hash: 75918DB1D1061ACFEB24CF68C841BEDBBB2FF48354F1485AAD849A7240DB749985CF91

Function 00D3B280 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 00D3B48F

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID: HandleModule
String ID: J
API String ID: 4139908857-1141589763
Opcode ID: 306fb99ff241e69dc30f58988377c5edd92250c7addc9f5f58b0c9b897df4877
Instruction ID: b7601d0458b858f7be4cd6c6fe2176aed1d8179bd12beaf00ad45c74d492317c
Opcode Fuzzy Hash: 306fb99ff241e69dc30f58988377c5edd92250c7addc9f5f58b0c9b897df4877
Instruction Fuzzy Hash: 8C715670A00B058FDB24DF6AD04175ABBF1FF88310F048A2ED58AD7A51DB74E905CBA1

Function 00D35A4C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00D35B09

Strings

J, xrefs: 00D35A8C

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID: Create
String ID: J
API String ID: 2289755597-1141589763
Opcode ID: 1c2f2a8fc087347b98fefa3b6ab118ff783a009d88c8b745244ba05a62fe73e9
Instruction ID: 166d03b77a31ff052dc2e9022a67efb2f2843b0d6b59f7fdd3fa4fc0778238b5
Opcode Fuzzy Hash: 1c2f2a8fc087347b98fefa3b6ab118ff783a009d88c8b745244ba05a62fe73e9
Instruction Fuzzy Hash: 9841F1B0C00619CEDB64CFA9C844BDDFBB5BF49304F24806AD409AB255DB75694ACFA0

Function 00D345B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00D35B09

Strings

J, xrefs: 00D35A8C

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID: Create
String ID: J
API String ID: 2289755597-1141589763
Opcode ID: c92dac5ae13fe7b99dd446d656af0f0c595f5de0b2ccd4876c9fd0ac7038147d
Instruction ID: 8aae341cb618a599c37251e0b92625c8dfe9d9c0171291b100d714aa59c8e3e7
Opcode Fuzzy Hash: c92dac5ae13fe7b99dd446d656af0f0c595f5de0b2ccd4876c9fd0ac7038147d
Instruction Fuzzy Hash: 5141DFB0C0071DCADB64DFA9C884B9EFBF5BF48304F24806AD409AB255DB756946CFA0

Function 072B4738 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

J, xrefs: 072B8A5A

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 3923399ae4743673181590d4a4706ebc2e30cbda48d891ad5a6e954c82206ee5
Instruction ID: f50d48acb02de2be58759cb0f722a34da5bc87352c78221a8c60aaff2968806f
Opcode Fuzzy Hash: 3923399ae4743673181590d4a4706ebc2e30cbda48d891ad5a6e954c82206ee5
Instruction Fuzzy Hash: 20313AF58183898FD721DFA9C895ADABFF8EF5A310F05448BC584A7253C3786445CBA1

Function 05CD22CC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05CD3825,?,?), ref: 05CD38D7

Strings

J, xrefs: 05CD3865

Memory Dump Source

Source File: 00000000.00000002.2043918480.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_new p o.jbxd

Similarity

API ID: DrawText
String ID: J
API String ID: 2175133113-1141589763
Opcode ID: 01b55926d40096ad73696d9fcd38b99ef3f1cac15403f1c533bc44295909c615
Instruction ID: 577c0b7a8ac15a24e334cf0d6293e626923f23202ca7690bc544f5ffbed2e8db
Opcode Fuzzy Hash: 01b55926d40096ad73696d9fcd38b99ef3f1cac15403f1c533bc44295909c615
Instruction Fuzzy Hash: C531C2B5D002499FDB10CF9AD884A9EFBF5FB48320F14882AE919A7210D775A944CFA5

Function 072B63D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072B6468

Strings

J, xrefs: 072B63F7

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: J
API String ID: 3559483778-1141589763
Opcode ID: 4f1d472a8d82666f793bbe9208e7baa5dea6fa1ad95e8841284f9f3167d9610b
Instruction ID: 386babb0ce7595c86c3919d8392a7172e070c2488dfd687331400e97e29aef90
Opcode Fuzzy Hash: 4f1d472a8d82666f793bbe9208e7baa5dea6fa1ad95e8841284f9f3167d9610b
Instruction Fuzzy Hash: F62148B1D0060A9FDB20DFA9C981BEEBBF1FF48310F108429E919A7240C7789955CBA0

Function 05CD383B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05CD3825,?,?), ref: 05CD38D7

Strings

J, xrefs: 05CD3865

Memory Dump Source

Source File: 00000000.00000002.2043918480.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_new p o.jbxd

Similarity

API ID: DrawText
String ID: J
API String ID: 2175133113-1141589763
Opcode ID: e76d42fe5b75b75654e79bca462ac8cdcc8f3b8cbd67d776a6088b6e21edb845
Instruction ID: 4f0055a2c7f2099b9ca1f892096fba0bd8a5b006c715883635b2d6db42e08d1f
Opcode Fuzzy Hash: e76d42fe5b75b75654e79bca462ac8cdcc8f3b8cbd67d776a6088b6e21edb845
Instruction Fuzzy Hash: 5C21EEB5D003499FDB10CF9AD884A9EFBF5FB48320F14882AE919A7310D775A944CFA5

Function 072B63D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072B6468

Strings

J, xrefs: 072B63F7

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: J
API String ID: 3559483778-1141589763
Opcode ID: 33dcbfdc8c08dbbae045d361259a55482059a2800ba9ba2478b88ac20b2d649c
Instruction ID: fff330ed8f7980ad0a12c469ace419ff1d757e4ea837bc4424e674f311f9cfb9
Opcode Fuzzy Hash: 33dcbfdc8c08dbbae045d361259a55482059a2800ba9ba2478b88ac20b2d649c
Instruction Fuzzy Hash: 97214AB19007099FCB10DFAAC985BEEBBF5FF48310F108429E919A7240C7789945CBA4

Function 072B59C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072B5A4E

Strings

J, xrefs: 072B59EC

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: ContextThreadWow64
String ID: J
API String ID: 983334009-1141589763
Opcode ID: b244c99669285211e0bd5ed8c89f36fbb4464874932940f20f28326d8fa9bb31
Instruction ID: 7b5e265df3e09d8ad14e46d5c5cdc2e4e88373e0ceaf8b784b467b2a3204685c
Opcode Fuzzy Hash: b244c99669285211e0bd5ed8c89f36fbb4464874932940f20f28326d8fa9bb31
Instruction Fuzzy Hash: 462157B1D002098FDB20DFAAC4857EEBBF4EF48364F14842AD419A7240C7789945CFA0

Function 072B64C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072B6548

Strings

J, xrefs: 072B64E7

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: MemoryProcessRead
String ID: J
API String ID: 1726664587-1141589763
Opcode ID: 8d96a0b111c6d34eab95d1c77224b580e7a2ddd2c084863fbbe5ed5029fe97fc
Instruction ID: 21080f9dc7d7e048e3010425433030e4f25c69759516b37137015d386f4ecd08
Opcode Fuzzy Hash: 8d96a0b111c6d34eab95d1c77224b580e7a2ddd2c084863fbbe5ed5029fe97fc
Instruction Fuzzy Hash: 1A2138B1C003499FCB10DFAAC885AEEFBF5FF48320F10842AE519A7240C7399951CBA4

Function 072B64C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072B6548

Strings

J, xrefs: 072B64E7

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: MemoryProcessRead
String ID: J
API String ID: 1726664587-1141589763
Opcode ID: b289e7086400f52eaa81fd696863543632ed18d8742db787e79945523ac20911
Instruction ID: 3d303c7102ec21f7c266eb5f65c6f59d0df2a6dac98e2f0dd767681f30be9ad6
Opcode Fuzzy Hash: b289e7086400f52eaa81fd696863543632ed18d8742db787e79945523ac20911
Instruction Fuzzy Hash: 2A2137B1D002599FDB10DFAAC985AEEFBF5FF48310F14882AE519A7240C7389955CBA4

Function 072B59D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072B5A4E

Strings

J, xrefs: 072B59EC

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: ContextThreadWow64
String ID: J
API String ID: 983334009-1141589763
Opcode ID: 780e3e7f820fc58b8bdd5495bb708d744224766ab64f043fb70c5648541aa14a
Instruction ID: e24f34f2bc84c8ff51e2e0d473add870280c78e0af30836d7a6b6169c866be14
Opcode Fuzzy Hash: 780e3e7f820fc58b8bdd5495bb708d744224766ab64f043fb70c5648541aa14a
Instruction Fuzzy Hash: 552135B19003098FDB10DFAAC485BEEBBF4EF48324F14842AD519A7240CB78A945CFA4

Function 00D3C2A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D3C32F

Strings

J, xrefs: 00D3C2C7

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID: DuplicateHandle
String ID: J
API String ID: 3793708945-1141589763
Opcode ID: bd3cf929459288f418c77927b5f6e532365f891f51429d788e9e45139bb5e067
Instruction ID: c34e8c0df6ca251581768e5134677ffbdc649baf88e3de421023b0e9df3b55c0
Opcode Fuzzy Hash: bd3cf929459288f418c77927b5f6e532365f891f51429d788e9e45139bb5e067
Instruction Fuzzy Hash: 9021C4B59002489FDB10CF9AD584ADEBBF9FB48310F14841AE918A3350D379A944CFA5

Function 072B6310 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072B6386

Strings

J, xrefs: 072B632F

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: AllocVirtual
String ID: J
API String ID: 4275171209-1141589763
Opcode ID: 04923b430871eff628de9d156280d9a59da647e1b9fb48fdbb0357d0cf1fd7f3
Instruction ID: 0a5d2d5495ff7cdb469c2b8caf51f2c109b0f4ded42e6872c45da4ff8b607e41
Opcode Fuzzy Hash: 04923b430871eff628de9d156280d9a59da647e1b9fb48fdbb0357d0cf1fd7f3
Instruction Fuzzy Hash: 8D1159B28002498FDB20DFAAC8457DEBFF5EF48310F148819E559A7250C739A945CFA0

Function 072B9FA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,072BAB19,?,?), ref: 072BACC0

Strings

J, xrefs: 072BAC82

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: J
API String ID: 2591292051-1141589763
Opcode ID: 58089c20feacb0412431dffdaf3954dabb149816e22d846ac9e76e0dcb6c36e8
Instruction ID: 7ed4f827a58eeee4c9e87b96ec0ccb70fb32ad1a08f9167d02a5e9154f6717ed
Opcode Fuzzy Hash: 58089c20feacb0412431dffdaf3954dabb149816e22d846ac9e76e0dcb6c36e8
Instruction Fuzzy Hash: 3C1167B18143898FCB20DF99C544BDEBFF4EF49320F14845AD458A7341D338A944CBA9

Function 072B6318 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072B6386

Strings

J, xrefs: 072B632F

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: AllocVirtual
String ID: J
API String ID: 4275171209-1141589763
Opcode ID: b9f3c8cba961008566c84c5e3b1d2801aebe27ec99c2d3a67fdecc9d23a01f15
Instruction ID: fdf29016170e57e2658ce86053a0520ae24679c1b3b5e7ce7f2794d7cfb385de
Opcode Fuzzy Hash: b9f3c8cba961008566c84c5e3b1d2801aebe27ec99c2d3a67fdecc9d23a01f15
Instruction Fuzzy Hash: B4113AB18002499FCB10DFAAC845ADEBFF5EF48310F148419D519A7250C779A944CFA4

Function 072BAC60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,072BAB19,?,?), ref: 072BACC0

Strings

J, xrefs: 072BAC82

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: J
API String ID: 2591292051-1141589763
Opcode ID: a268081c74fd893e410447fcd11e46abd1bdabd4a99d49ee7acd26e0922bcd78
Instruction ID: 0bcabc549dcdb12a73e263d1ee96f6c3357bfadb9b338f857da39fff087955a8
Opcode Fuzzy Hash: a268081c74fd893e410447fcd11e46abd1bdabd4a99d49ee7acd26e0922bcd78
Instruction Fuzzy Hash: 741166B58006098FDB20DFAAC185BDEBBF4FB48320F20841AD958A7340D338A945CFA4

Function 072B5918 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072B5982

Strings

J, xrefs: 072B5937

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: ResumeThread
String ID: J
API String ID: 947044025-1141589763
Opcode ID: bfc0c8953de5a4636a8e231bb067a2376a5888b6587eb253405a2caabccc3867
Instruction ID: 255505ec5681ceff16f586ef56270fb1bbcb44e08db5448491e509bc4d679911
Opcode Fuzzy Hash: bfc0c8953de5a4636a8e231bb067a2376a5888b6587eb253405a2caabccc3867
Instruction Fuzzy Hash: 4D1158B1D006498FDB20DFAAC4457EEFBF5EF88324F20881AD419A7240C779A945CFA4

Function 00D3B6F8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 00D3B762

Strings

J, xrefs: 00D3B717

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID: LibraryLoad
String ID: J
API String ID: 1029625771-1141589763
Opcode ID: 2da24f4c4b926e8f0083db1e7b93fd08f98fdf6cce52c437628926e35358a351
Instruction ID: b111ec7a2e24131a7765337ad216fb3cf936c5677ec8d58e6187e8c0c4eee9ba
Opcode Fuzzy Hash: 2da24f4c4b926e8f0083db1e7b93fd08f98fdf6cce52c437628926e35358a351
Instruction Fuzzy Hash: 7D1104B6C003498FDB10CF9AD544ADEFBF5EB88320F14842AD519A7310C379A945CFA5

Function 072B9FAC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,072BAB19,?,?), ref: 072BACC0

Strings

J, xrefs: 072BAC82

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: J
API String ID: 2591292051-1141589763
Opcode ID: 80a0f8277fa97a5fd68a501f61231a03119d1a0b92363aa1a9af09147bf1bc5d
Instruction ID: 1e3c0e934bcd403576e67c841dbd0522d24e8f2fe3862ab9dff78d3b4e65d5b5
Opcode Fuzzy Hash: 80a0f8277fa97a5fd68a501f61231a03119d1a0b92363aa1a9af09147bf1bc5d
Instruction Fuzzy Hash: 751136B18107498FDB20DF9AC545BEEBBF4FB48360F108419D958A7340D778A944CFA5

Function 072B9F94 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,072BAB19,?,?), ref: 072BACC0

Strings

J, xrefs: 072BAC82

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: J
API String ID: 2591292051-1141589763
Opcode ID: 39d20b6a9b9ce8be0557deffec71e347d5760211da2855a84f26db193df315ff
Instruction ID: c0ebd387fee0947a666cf6e2e40cee2c7cbc570194eeec002a0cd3ff57157b74
Opcode Fuzzy Hash: 39d20b6a9b9ce8be0557deffec71e347d5760211da2855a84f26db193df315ff
Instruction Fuzzy Hash: DE1136B18107499FDB20DF9AC545BEEBBF4FB48320F148419D958A7340D778A944CFA5

Function 00D38EF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00D3B29C), ref: 00D3B4D6

Strings

J, xrefs: 00D3B48F

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID: HandleModule
String ID: J
API String ID: 4139908857-1141589763
Opcode ID: 31518e4718dc16f1c59c38d7ce2af93fa5c12e02c749fc226dd5dadc7197245f
Instruction ID: a832b39b4aaf5a4ed2dde69edb46e149b7def1732c99cb3bdaa5337e5597f1f0
Opcode Fuzzy Hash: 31518e4718dc16f1c59c38d7ce2af93fa5c12e02c749fc226dd5dadc7197245f
Instruction Fuzzy Hash: B21120B18006088BCB10DF9AC444A9EFBF4EB48324F14841AD959A7301C379A945CFA8

Function 072B8A38 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 072B8A9D

Strings

J, xrefs: 072B8A5A

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: MessagePost
String ID: J
API String ID: 410705778-1141589763
Opcode ID: 4452601de067d502a854dd2ab53fe74991a6b14efe719721f0a213b462b457d9
Instruction ID: ef4f6fe04c82c354023516bb0a9b4cccb0e0f7d301d2c08983a070abd1ddba58
Opcode Fuzzy Hash: 4452601de067d502a854dd2ab53fe74991a6b14efe719721f0a213b462b457d9
Instruction Fuzzy Hash: 1611F5B58006499FDB20DF99D585BDEBFF8FB48310F108419D918A7600C379A945CFA5

Function 072B5920 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072B5982

Strings

J, xrefs: 072B5937

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: ResumeThread
String ID: J
API String ID: 947044025-1141589763
Opcode ID: 11e2a86f26501f7efefb41c4ed3465d668b7bf0cb73d826a39781d69c7883745
Instruction ID: 4e5a9a6ac03051dc232c1c4910e71b7edb98aad403b716a587baab65fcc5f4c6
Opcode Fuzzy Hash: 11e2a86f26501f7efefb41c4ed3465d668b7bf0cb73d826a39781d69c7883745
Instruction Fuzzy Hash: 1A1136B1D007498FDB20DFAAC4457EEFBF5EF88324F248819D519A7240CB79A944CBA4

Function 072B47DC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 072B8A9D

Strings

J, xrefs: 072B8A5A

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID: MessagePost
String ID: J
API String ID: 410705778-1141589763
Opcode ID: e2cb1db34607a530d28bb8dd78425c7b67f2516aaef568a1e9457e7cdd8782ac
Instruction ID: 876fd631754e1e584726042137fcd54d9a05f427d10ba9f6623f41ae19100970
Opcode Fuzzy Hash: e2cb1db34607a530d28bb8dd78425c7b67f2516aaef568a1e9457e7cdd8782ac
Instruction Fuzzy Hash: DC1103B58103499FDB20DF9AD545BDEFBF8EB48320F148419EA19A7200C379A944CFA5

Function 05EB361C Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

$]q, xrefs: 05EB381D
$]q, xrefs: 05EB3788

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: c638d1d04bef34e48fa5b6a435e59d57d1330c9cf91ccb7b032215528a751c8b
Instruction ID: 3b064fcd303f7fe0300267cd4a0ac171741a629b27dcfa4c9dcfede6f8f93320
Opcode Fuzzy Hash: c638d1d04bef34e48fa5b6a435e59d57d1330c9cf91ccb7b032215528a751c8b
Instruction Fuzzy Hash: E8718534B40204DFEB14CA79D55A7FE7AB3BB88705F109825E582AB398DFB49C41CB91

Function 05EB36C5 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

$]q, xrefs: 05EB381D
$]q, xrefs: 05EB3788

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 17f5dd0037cb8477555251967dc5a799b8c385ea4de4799d21d4bf5df6104482
Instruction ID: ae6772ba78eadb0163e7123aeb1624308c6fd34667256553f96d03a22c300b10
Opcode Fuzzy Hash: 17f5dd0037cb8477555251967dc5a799b8c385ea4de4799d21d4bf5df6104482
Instruction Fuzzy Hash: 56619534B40204DFEB14CA79D55A7EE7AE7BB88705F109825E582A7398DFB09C01CB91

Function 05EBF920 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

Te]q, xrefs: 05EBF9DA
Te]q, xrefs: 05EBFAC6

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 013475026ecaf7dd853a47ac34a9b18c12863c082a35fd4e3e682a8798063fc6
Instruction ID: 5c8f89b688955e64c5ddf899aaa28fb875e32d0e51d9a0343b47b2d639f96892
Opcode Fuzzy Hash: 013475026ecaf7dd853a47ac34a9b18c12863c082a35fd4e3e682a8798063fc6
Instruction Fuzzy Hash: B061E3B4E04209CFDB08CFE9C885AEEBBF6BF89301F149129D459AB355EB705946CB50

Function 05EB7608 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

V, xrefs: 05EB7988

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 4b840d1be96f3fcde0405c76ed07354d0600209872851cbf31541bbd351da74d
Instruction ID: 8ff3e30e207a44c2fb6b7e41db9b1a71b3a7da2f3eefe878d642525b0bc8d5df
Opcode Fuzzy Hash: 4b840d1be96f3fcde0405c76ed07354d0600209872851cbf31541bbd351da74d
Instruction Fuzzy Hash: A7719631A05215CFE704CF6DC584EEAFBB2FF84302F459596D4929BAA6D3B0E841CB91

Function 05EB6704 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Te]q, xrefs: 05EB9D69

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 287dcaaaa3c59005bb5c782ab619f726c7e92a85d4315067fc4b62f6a449478b
Instruction ID: d0f213ff7f852af64f362152b67a2f344e23962d4a2adb4701fbcab433166728
Opcode Fuzzy Hash: 287dcaaaa3c59005bb5c782ab619f726c7e92a85d4315067fc4b62f6a449478b
Instruction Fuzzy Hash: 4151CD31B002458FDB05DFB998888BFBBF6EFC4321715896AE459DB352EB709D0587A0

Function 05EB7917 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

V, xrefs: 05EB7988

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: e68952313d95c7536d0df7f238f344e0d38ad191d3996d448eb63c90e630981d
Instruction ID: eedaa5bc22d8dc0c1410a31a3e9fa8b82ffa162d4c0c116e889c6d8dac59215b
Opcode Fuzzy Hash: e68952313d95c7536d0df7f238f344e0d38ad191d3996d448eb63c90e630981d
Instruction Fuzzy Hash: 01515330A04104DBFF14CF66C9847FEBBB3FB85306F15A466E4A19A9D2D7B49A908F11

Function 05EB68A4 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

J, xrefs: 05EB9DDD

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 228ad8f1e9afd11059e6c7561ba57c8bbfd7b00460bda354d0a5e411ba0d56e3
Instruction ID: 354a4d8297f4a4d844a691a046fc0d9293ca3c7c5e1b745e77ee34c2a5770365
Opcode Fuzzy Hash: 228ad8f1e9afd11059e6c7561ba57c8bbfd7b00460bda354d0a5e411ba0d56e3
Instruction Fuzzy Hash: A731E3B0D012089FEB20DF99C584BDEBFF5FB48714F249019E544BB251C7BA5845CBA4

Function 05D5FEB8 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

(aq, xrefs: 05D5FEF5

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 355e33bcf480321641ca2a4cf78ec5c1478d86e3c06790f622695996147b438b
Instruction ID: c69b9caecbcadb837e672e7e0ace8adf843adeb9f41d8a5ad483701f0a167473
Opcode Fuzzy Hash: 355e33bcf480321641ca2a4cf78ec5c1478d86e3c06790f622695996147b438b
Instruction Fuzzy Hash: AB01DB71B042555FDF095F79A85457F7FE5EBC5610721446AE806D7381DE348C028764

Function 05EB1000 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

W, xrefs: 05EB100C

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: c2c3b6f22f68fca69e2ce6ed483a70ef58d1e9958c4bcc52923ab4b037a08f94
Instruction ID: 09366471ee0c42f3c674feb1663db2fe9068fe657cf5fdd18f324556aa4a4457
Opcode Fuzzy Hash: c2c3b6f22f68fca69e2ce6ed483a70ef58d1e9958c4bcc52923ab4b037a08f94
Instruction Fuzzy Hash: 41210E75E0020A9FCB04DFA9C8849EFFBF5FF88200B10815AE414A7215E7709552CB90

Function 05EB9B28 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te]q, xrefs: 05EB9B93

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: dfd0abda8351323288ecd3db27be19bf2671721d5f9e885ffc06687322091543
Instruction ID: 5cf6478e78e786355a1be3d2498740489f4f039e24cdbd39d9fc0720f3f7b207
Opcode Fuzzy Hash: dfd0abda8351323288ecd3db27be19bf2671721d5f9e885ffc06687322091543
Instruction Fuzzy Hash: 03118C31B0020A8BDB04EFA899505EFB7F2AFC8241B204069C549E7244EB758D02CBA5

Function 05EBA4FC Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

J, xrefs: 05EBB697

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 3735dc22a28071cec788670076e15d3f002e36b662734f21ff7b24630356a862
Instruction ID: 26754ae02acca5916618b8495b7348662d2117803268490fedad68064d3e0513
Opcode Fuzzy Hash: 3735dc22a28071cec788670076e15d3f002e36b662734f21ff7b24630356a862
Instruction Fuzzy Hash: 9E2103B59003499FDB10DF9AD884ADEBFF8FB48310F108419E959A7210C379A954CFA5

Function 05EB128F Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5cb223cd57528959a74c104cc0984700e846b37d1b307b7ee9f3db0794b9bf
Instruction ID: 63909e4fb2510aac95169012087ce0da41789c2c8b704c7f124cd9085bd33652
Opcode Fuzzy Hash: 9e5cb223cd57528959a74c104cc0984700e846b37d1b307b7ee9f3db0794b9bf
Instruction Fuzzy Hash: 0B227DF1A0DF424BFB785BA4DA943DFA690BB02327F20591BC0FACA255E7749085CB45

Function 05EB12E0 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d0e9df97ff29ef686d7cad3c937da6e5c38361e28e4019e5d345ddb1c51d96
Instruction ID: d74150e0ac4b05ffb8905ffe1e0a7809c82691fa8c04cbbf1f33bf86b4c93200
Opcode Fuzzy Hash: 17d0e9df97ff29ef686d7cad3c937da6e5c38361e28e4019e5d345ddb1c51d96
Instruction Fuzzy Hash: 21127CF1A0DF424BFB785FA4DA942DFA690BB06327F20591BC0FAC9254E7749086CB45

Function 05EB12DF Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464d450692e19b78d7354c9aed08ad458165e02229695cecca4d755bbb9be59b
Instruction ID: 896b08a9cb50ebe61efa00dab310221e5f68195d2b1402a80c3a1c9bb8af127a
Opcode Fuzzy Hash: 464d450692e19b78d7354c9aed08ad458165e02229695cecca4d755bbb9be59b
Instruction Fuzzy Hash: 1F125CF1A0DF424BFB785BA4DA942DFA690BB06327F20591BC0FA89254E7749086CB45

Function 05EB5708 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b80862934f3b67200cfa00080daa7fbc1803e4f95ea21885f58472b2834c04c
Instruction ID: 414db7ed5fcb184f6f0ca518d7caec3b3047e010ad49b3bd2f54ece9b5323f78
Opcode Fuzzy Hash: 8b80862934f3b67200cfa00080daa7fbc1803e4f95ea21885f58472b2834c04c
Instruction Fuzzy Hash: BD81BE31E08215CFE701CB68D8856FBBBB2BB45312F0495B7E4A69B2A1F3B4D851CB51

Function 05EB75FA Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8a4907abcb154286e915a02de90466d5bcc7838e3e403d71acf2315b6ae10c
Instruction ID: 2c4c6e326dcd7ed43bb02e332ec61fde8c68dec6b3614b28a76bd7fd80a48417
Opcode Fuzzy Hash: bf8a4907abcb154286e915a02de90466d5bcc7838e3e403d71acf2315b6ae10c
Instruction Fuzzy Hash: C0618F31A05215CFEB04CF6CC584EEAF7B2FF84302F459596D4969BAA6D3B0E841CB91

Function 05EB0900 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723f3bc3fe8680101943ab3b043838e46ae90bc5f46f2fcfb7c498fefdd09feb
Instruction ID: 2a0fd4e0738ce5e2463f4ee87dd592c156d2fbfa95f7333c13a9afaa779088cf
Opcode Fuzzy Hash: 723f3bc3fe8680101943ab3b043838e46ae90bc5f46f2fcfb7c498fefdd09feb
Instruction Fuzzy Hash: A8719E74A01208AFDB15DF98D488DAEBBB6FF48725F114498F942AB361D771EC81CB50

Function 05EBBF3F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bdee85c90126edcd9e29337184bf3fea958f13d412607302d39d4325ab2831
Instruction ID: 2fa766f9c0ce51e51fc364737c5feb869acf52893ed33b2ecc5cd4b8646bda17
Opcode Fuzzy Hash: 28bdee85c90126edcd9e29337184bf3fea958f13d412607302d39d4325ab2831
Instruction Fuzzy Hash: AF519030F0420ADFEB04CFA9D8416FEBAB6BF84702F109126E595AB395D7B09D42CB41

Function 05EB08F0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e7298d3fe4c175529b9ef2e5850c0b483df3686c8bb7eef0634c7b54ae9e09
Instruction ID: 9856c1e84316daa8ac4d144a241f858fc9968b284f48b0dd337c684ff685dbd6
Opcode Fuzzy Hash: 78e7298d3fe4c175529b9ef2e5850c0b483df3686c8bb7eef0634c7b54ae9e09
Instruction Fuzzy Hash: 5251A534A01204DFDB15DF68D498DAEBBB2FF89725B114499F942AB361DB31EC81CB50

Function 05EB3A38 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b7e8922049a7a795b9c56475ec7d89e6fe1ea9d78eff15b198d88dc670a498
Instruction ID: 1fe4c20bf29312d947ef7aad3697039d91a873e84e5310f0dbff431f2654deae
Opcode Fuzzy Hash: 48b7e8922049a7a795b9c56475ec7d89e6fe1ea9d78eff15b198d88dc670a498
Instruction Fuzzy Hash: 4451BEB4900209CFDB14DFD8D9569AEBBB2FF84301F24E855C0662B365EB34C942CB61

Function 05EB6F7A Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168c8afc2863663c9b35244507822c7487baa0ef378d41179296622a8e320372
Instruction ID: 9b53b2c01ee4103696166128fa9e6ed12dfb6a0a134d56907891690fac0b3263
Opcode Fuzzy Hash: 168c8afc2863663c9b35244507822c7487baa0ef378d41179296622a8e320372
Instruction Fuzzy Hash: A231EDB4519B808FC3129B3A94516417FF0AF8A20671ADADBC4C1CBBA3CB75A819C712

Function 05EB5F08 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e4d759194bce06e9ef689c5ae4636bbc585d934abadc48fb3f6b10185b5fbd
Instruction ID: 9d26cac7e305aeada8f0eda602969148780f1b1c6b6d93f96fd63961db193e18
Opcode Fuzzy Hash: 06e4d759194bce06e9ef689c5ae4636bbc585d934abadc48fb3f6b10185b5fbd
Instruction Fuzzy Hash: 3A31E371A18124CFE720CF6AD8406FBBBA6FB84306F14A467F5A2CB251F7B58841C751

Function 05EBC2E8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edad1b9fe26357289596991e31a3d67e4276a11af961f0cf6e7af64cd452fec
Instruction ID: fa94ae915ce069a0f74a4442feb210b3952cc145891df6dca045799c15fbbc46
Opcode Fuzzy Hash: 8edad1b9fe26357289596991e31a3d67e4276a11af961f0cf6e7af64cd452fec
Instruction Fuzzy Hash: FA41E431A08517CBE7148B69C8006FBBAB2FB45317F649267E0FE96281D379D941CA51

Function 05EB5700 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4214fd6edec49f3531f484adb6eb2b2cf619ac72aba834a24f971314e5ae2953
Instruction ID: 7a5978d09009930332b103fa153c90e1b7b11ff86d15cd06742d6da5488f5ee0
Opcode Fuzzy Hash: 4214fd6edec49f3531f484adb6eb2b2cf619ac72aba834a24f971314e5ae2953
Instruction Fuzzy Hash: F041DD35B04225CFEB04CF69C8816FFBBB6FB49302F04A567E9A697251E3B4D841CA51

Function 05EB57FF Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de84c8259b8d37ec0c56043618c63ec92e46a46c9ae5f3c430e876559d6abc99
Instruction ID: 8cfe93fab82bca9c5cd87d9db3ae281d3fae896d75f89590ab53d7ff7b83ce9e
Opcode Fuzzy Hash: de84c8259b8d37ec0c56043618c63ec92e46a46c9ae5f3c430e876559d6abc99
Instruction Fuzzy Hash: 5731DE35B04125CBEB04CF69C8806EFB7B2FF45312F049667E9A286291F3B5D851CB51

Function 05EBD0FF Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04d7ffa400b3e7a8b329b515afa2845d590ba65c550e56c500ec5a03a3df087
Instruction ID: c76df9b85197db9f773fd3b12d3856661508a6f5f3262522cdac82fb40e82cc9
Opcode Fuzzy Hash: c04d7ffa400b3e7a8b329b515afa2845d590ba65c550e56c500ec5a03a3df087
Instruction Fuzzy Hash: 5831A130604604CBF3118F69CE813FBB7A3BB41216F44D567E4E6CA296D6FAC892C711

Function 05EB5DEE Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fdbaa6f5c1ee13448220cdcd67c67ceb3279f7ba99864428dbb13da47a2b14
Instruction ID: 924e4f4e26b939e15148c12976e92fccb4b07d7d7250d35478e923508c2f70e2
Opcode Fuzzy Hash: c4fdbaa6f5c1ee13448220cdcd67c67ceb3279f7ba99864428dbb13da47a2b14
Instruction Fuzzy Hash: BC31AC70605114CBE720CB68C8842FFB7B2BB45302F449667E4A29B2A5F3B5D941C751

Function 05EB89EA Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f34d28720ca635c6a22125ed52f3c06a377cb7d61573cc4daea1c4186a5611
Instruction ID: 23b7037d7af9b5dd2a8a55ded1b1753d7f12b6388f064fa49168b867c8422aac
Opcode Fuzzy Hash: b4f34d28720ca635c6a22125ed52f3c06a377cb7d61573cc4daea1c4186a5611
Instruction Fuzzy Hash: 7B319871A0C1558BEB41CE64CC407FB7B7AAB85313F049163E8EADB391D2B4C50087A3

Function 00CAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032708866.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9c7a77876f7c6a912d1971a51db7e5164d5c732371d4681f819a7aac559bc3
Instruction ID: e4560d9b8d7a6772098eb5752df8b6097ee4671fae2fcf6e602522a353b5e87b
Opcode Fuzzy Hash: dd9c7a77876f7c6a912d1971a51db7e5164d5c732371d4681f819a7aac559bc3
Instruction Fuzzy Hash: 4621F271604205DFCB14DF24D9C4B26BF65FB89318F20C569E94B4B696C33AD807CA62

Function 00CAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032708866.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4989ddee4d9c62314dadd9c9f13bdf20a6e3a40a16ffa100f66865069beca8
Instruction ID: 1f5d873f71f1ceae94d0e76d4af4f4a7493523df0c4dd16dba50246d11cf3567
Opcode Fuzzy Hash: ce4989ddee4d9c62314dadd9c9f13bdf20a6e3a40a16ffa100f66865069beca8
Instruction Fuzzy Hash: 83210471504205EFDB05DF24D9C4F26BBA5FB89318F20C6ADE90B4B696C33ADC46CA61

Function 05EBB558 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a0aa876f290d82320aa48c0ad26710414ae44dab4755adc2c1cbe5344a785a
Instruction ID: 0a5cc114577807ee863d4077494ccde5dca6c6d0575834d4fd572c2df6652948
Opcode Fuzzy Hash: 52a0aa876f290d82320aa48c0ad26710414ae44dab4755adc2c1cbe5344a785a
Instruction Fuzzy Hash: 9B11E335B0A3849FDB06DBB4CC1A9FB7FB59E4220171444EBE885C7243E930DE058362

Function 05EB0840 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a1d3df04a8ab1a9689ee058f87bc0588c7d69912c8b671be98b74ab2604789
Instruction ID: 5f9c04877d4fb4d20f14dcf8b3bf84a7a01ffd96250dbc1b8ab0e0738715f559
Opcode Fuzzy Hash: 80a1d3df04a8ab1a9689ee058f87bc0588c7d69912c8b671be98b74ab2604789
Instruction Fuzzy Hash: 9721AE35B002009FEB24DE09D484EABB3B6FF88725F51946EE68687710C7B1F9418BA0

Function 05EB3C68 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5886113d6d4034ac35a32b98c56aa7d6e1b642aba2dc5bbd1ac1f82f18c3ab67
Instruction ID: 45ea49c8361f61b47967d3a91569359046f90366a06576e0de6c8e7d5135dceb
Opcode Fuzzy Hash: 5886113d6d4034ac35a32b98c56aa7d6e1b642aba2dc5bbd1ac1f82f18c3ab67
Instruction Fuzzy Hash: 851186317049108AE7108F68CC022FBB6A2FB88222F159E2AE0F6C62E0D3B8C501C725

Function 05EBFEB8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffbf5941740adde68b1b450e43020b6a63b727ea0f91d21ae8fd4b9ee90db5f
Instruction ID: 7ff14fc3f270ddba498fbd7115d502f27904bfe87d6929b131a3b38914d1be28
Opcode Fuzzy Hash: 4ffbf5941740adde68b1b450e43020b6a63b727ea0f91d21ae8fd4b9ee90db5f
Instruction Fuzzy Hash: D321AC70E1011A8BDB00DFE8CA006EEBBBAFF89300F109525D05577252EB746E45CBA1

Function 05EB3C67 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219952a90ab6a86c59093f10a39c97ceffd7a157a9b04ae09d923c17a4bda188
Instruction ID: 24bdb14af496c115a55cb00460ba842e2476460db253db8c2d9c0390def21024
Opcode Fuzzy Hash: 219952a90ab6a86c59093f10a39c97ceffd7a157a9b04ae09d923c17a4bda188
Instruction Fuzzy Hash: F51126717049108AE715CF68CC162FBB6A2FB48626F159E2AE0F6C62E0D778C541C725

Function 05EB71B5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1fea565c13eeed9ffab5cad69bbc8c5487d3ae807806949d949c89588582ee
Instruction ID: 18da23888f640a25cd047941dfa4895f6af2618af926fbb6146b32a52ee639f1
Opcode Fuzzy Hash: 9f1fea565c13eeed9ffab5cad69bbc8c5487d3ae807806949d949c89588582ee
Instruction Fuzzy Hash: 9111EB706083008FFB12CB68EC55BAB7AB5EB84716F056466F187DEAC1DBB49E41C721

Function 05EB9BF8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126b076a08e9866876a73329064911166bac6b674308aa97ee66652579b3ea70
Instruction ID: 44fe78459c9fc30c4d81dc785ef6ad2643458d42e5961a52c30d53ddf57ca17c
Opcode Fuzzy Hash: 126b076a08e9866876a73329064911166bac6b674308aa97ee66652579b3ea70
Instruction Fuzzy Hash: AD11E376A002455B9B11DF7998448FFBBF7EFC4221315452AE4A8D7341EF708E0587A0

Function 00CAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032708866.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcedfef530252ad162394041ac3712d858f290e697791c263d186655efb4ff60
Instruction ID: d0cc208c91d0600a129be518fa982881806770f294ca815bb6d2a14f86c67351
Opcode Fuzzy Hash: fcedfef530252ad162394041ac3712d858f290e697791c263d186655efb4ff60
Instruction Fuzzy Hash: 532165755093C08FDB12CF24D594715BF71EB46314F28C5DAD84A8F6A7C33A990ACB62

Function 05EB083F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33f0688a78d04e3acbe958eb46707fbf864d5d771973ee73f6286dc2683f43f
Instruction ID: 42c5abe4d169b548fc2f412bd45a4f4ce447614f679bb613a131bf9ccfada4d0
Opcode Fuzzy Hash: d33f0688a78d04e3acbe958eb46707fbf864d5d771973ee73f6286dc2683f43f
Instruction Fuzzy Hash: D9117C35B002009FEB24DE19C488EAB77B6FF88715F51946DE98687711C7B1F941CBA0

Function 05EB100F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd422f0caac0243eb3e85035fbda1aae72bb01edf0c3a6c5e80ea2034989eba
Instruction ID: ba2fcd75df250cddf31712dd04b7781fd3244d5f0f8502f967f3b0f5b5fdbcdf
Opcode Fuzzy Hash: 3fd422f0caac0243eb3e85035fbda1aae72bb01edf0c3a6c5e80ea2034989eba
Instruction Fuzzy Hash: B121EA75E0020A9F8B44DFA9C8849EFFBF5FF98300B10865AE418E7211E770A956CB90

Function 05EB1010 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad1f7d8910d63b4c956ac7365d23049ad382976d5dfb6f26a10ea2dc10fe418
Instruction ID: 16cc57a95e4040e09b24b3dde36260c1a585e33e9f69506e3e4a036f745d5e78
Opcode Fuzzy Hash: 5ad1f7d8910d63b4c956ac7365d23049ad382976d5dfb6f26a10ea2dc10fe418
Instruction Fuzzy Hash: 3421FC75E0020A9F8B04DFADC8449AFFBF9FF98300B10851AE518E7211E770A952CB90

Function 00CAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032708866.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: f18f397ede5c0a60cfa05df4f513d72825549571367850c3921ab75268227678
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5811BB75504284DFCB02CF10C5C4B15BBA1FB85318F24C6A9D84A4B6A6C33AD84ACB62

Function 05EB70CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7f7e9289f120d0e20f944e1f6aee8d4eaa48e096e487bd36f8890c0bae6c4f
Instruction ID: aaf8116e85cef96e660f191708e4a4c3da6892b995adf88d45fc16d1bb21eb32
Opcode Fuzzy Hash: 9e7f7e9289f120d0e20f944e1f6aee8d4eaa48e096e487bd36f8890c0bae6c4f
Instruction Fuzzy Hash: 4D118230514608DFE740CF65F4421AA7FB2E78830AF20A4D6E4C68A642EFB3D862C741

Function 05EBA4EC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea233b5bd9e853658cc1846a04c9f44e75ed5a52f6c95c6141badf9577e15c7
Instruction ID: c366a349614dbbaef17b69df1c76accb4cf111befb7591e4c375ee93d617eff3
Opcode Fuzzy Hash: fea233b5bd9e853658cc1846a04c9f44e75ed5a52f6c95c6141badf9577e15c7
Instruction Fuzzy Hash: CDF0DC32610108AFDF08EFA8C8899EF7FAAEF45210B10C87AE488D7224EA7199048744

Function 05D5F8F7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71dccbae71b5a2111cbf2e672d9a287dbfeae3f8798532ea77ef38278fc6e71
Instruction ID: 8bbe6e7f49e321a96be45c56128b7d298902ec53e4d5a7d1d28589479ce5de0b
Opcode Fuzzy Hash: c71dccbae71b5a2111cbf2e672d9a287dbfeae3f8798532ea77ef38278fc6e71
Instruction Fuzzy Hash: A311C230244B804BD721AB78E4057CBBBD5EF41318F008D5ED1EA5F292C7B6784987A2

Function 05EB70D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffad3ef94ad324cefe2710b014107c36a3214d91461c6645d68f48f4e1d16fe3
Instruction ID: 13297cc740f0d25852d56296d43a9918a5dfdf48bc8296326459dac2698e0eb6
Opcode Fuzzy Hash: ffad3ef94ad324cefe2710b014107c36a3214d91461c6645d68f48f4e1d16fe3
Instruction Fuzzy Hash: 4C012570514608DBE740CF65F4415AA7FB5F78830AF2094D6E4C68A642EBB3D962C745

Function 05EB701F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbe08a8842256008167357dc5320d97df2093343116c48a5dd4379f06cd35db
Instruction ID: d10441277c9ad53b54508260b7597ff2e8508224da9494b99470abc4f1dd59c1
Opcode Fuzzy Hash: 9cbe08a8842256008167357dc5320d97df2093343116c48a5dd4379f06cd35db
Instruction Fuzzy Hash: 8A111571500B40CFD324DF2AE285512BFF0FF88704755899AE0CA87A66CBB2B868CB00

Function 05EB3D88 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28f6ec610307225984efeefba953d272f662fe954000b2fc8d0fb81f7f53108
Instruction ID: 452fe1ee3a837a1f2b787542f531164905e467bfa13c1e9807f25ef15e6f5dc2
Opcode Fuzzy Hash: d28f6ec610307225984efeefba953d272f662fe954000b2fc8d0fb81f7f53108
Instruction Fuzzy Hash: 6301D471E10118EFDB449FB989475EA7BF6EB4C711F1088A5EA86D7344EE345900CBD1

Function 00C9D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032648819.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c9d000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd4bf928029840342c0d180fc3e7ccb3693de1eb8c7cd2543f6fa3f5a2cb7b3
Instruction ID: cd009ed82990d405601a9b1c76a7390493bbed1b78a41160bd48dc928f274f29
Opcode Fuzzy Hash: ebd4bf928029840342c0d180fc3e7ccb3693de1eb8c7cd2543f6fa3f5a2cb7b3
Instruction Fuzzy Hash: 2701203100474099DB104A56CD88B67FFDCEF45320F18C959ED1A1A24AC33D9C40C671

Function 05EB1140 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be38848641040532492d67bc434ccfd471bf79baaf60495429e4b7dbff9fce0
Instruction ID: 2aba7b3208877f1aa6e72a90afb37975cc4367ee5f65dd3944397ae464d3c5ea
Opcode Fuzzy Hash: 2be38848641040532492d67bc434ccfd471bf79baaf60495429e4b7dbff9fce0
Instruction Fuzzy Hash: 26018F303143048FE71CAA69D960A7BB3ABEFC4625F54D87AC44A87254CFB5DC02C7A0

Function 05EB1131 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3669c2cb96d30143e2988d7b6c1ac102e9c8763dbb9b093fcc394e0942e2fa
Instruction ID: 787b8e52bb48bea86a624a7153a45dbb7ceefa0dc70ba34abc3ca30920e102c8
Opcode Fuzzy Hash: 0c3669c2cb96d30143e2988d7b6c1ac102e9c8763dbb9b093fcc394e0942e2fa
Instruction Fuzzy Hash: 5801A2307143008FEB1DAA65D960ABBB3ABEFC5225F54D47AC84A87254DBB1DD02C790

Function 05EB10A8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47612de548b733c2b6fbcb3ecd5c01385a0233efdaa1c010566ec3f2ee80cbf3
Instruction ID: fc37d09472726f102775730cc11935ff4e85b2bdbc86622956a4147e12c7bfd9
Opcode Fuzzy Hash: 47612de548b733c2b6fbcb3ecd5c01385a0233efdaa1c010566ec3f2ee80cbf3
Instruction Fuzzy Hash: 0A01B5342043408FD719DB29D491DA6B7A6EF85226F14D0BAD48587265CBB1DC06CB50

Function 05EB3D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168be03942fd78ce3374387dcbc08d12f89ea45ad0a851ddda261f6cac5adb43
Instruction ID: 33b2888248a21ce52334d956d28753820bcfeeb4d78968c0dd6aba18b07f3118
Opcode Fuzzy Hash: 168be03942fd78ce3374387dcbc08d12f89ea45ad0a851ddda261f6cac5adb43
Instruction Fuzzy Hash: B601A230E20118EFDB449FB999465EA7BF6EB4C712F1088A5EA86D7344EE345901CBD1

Function 05EB113F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f101de87bc9a50fc8b89410f25bef7b6ccac75e7a1463b8b47404d8670572a
Instruction ID: df95de56320f965107f45c0905234ecc42165df7a3fa04d86298da31ecd2ad2c
Opcode Fuzzy Hash: 02f101de87bc9a50fc8b89410f25bef7b6ccac75e7a1463b8b47404d8670572a
Instruction Fuzzy Hash: 48F08F303003008EEB1D9A75D8609BAB3AAEFC0225F149479C44687255CBB1D802CB50

Function 05EB10B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aae90e3f94a6e1a3e6d27c2b7d659b6ec37026e29de4539b2fb0039f012c7fd
Instruction ID: 6971eff698f890850943ef6fa496d3fbb8399b7a8d41c4305aea6375df6bce7d
Opcode Fuzzy Hash: 9aae90e3f94a6e1a3e6d27c2b7d659b6ec37026e29de4539b2fb0039f012c7fd
Instruction Fuzzy Hash: 3D014B302042008FDB18DB69D595DAAB3EAEF85625F54D479D54987264DBB1EC02CBA0

Function 05EB9EC8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bdddda9d837f73d7b2b8587eeb93f5d991bf7d676d3c732ba0e6a93d606412
Instruction ID: 8646ccef986f84647532faf51867d1a3988174e2394a70d92ad7869b84858ab5
Opcode Fuzzy Hash: 67bdddda9d837f73d7b2b8587eeb93f5d991bf7d676d3c732ba0e6a93d606412
Instruction Fuzzy Hash: D7012170900208DFEB24CF5AC4447EEBEF5FB48325F24C069E5589B291C7B04944CB94

Function 05EB2BF0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51a0e77dc9a57c652b1f05128814d14fe0b694f74342a6f1dbb6f8cb120d1cf
Instruction ID: 390d1404c187c66910f1b7faa18dcf71899792c01c99ae5b9e1b9e8a50353118
Opcode Fuzzy Hash: f51a0e77dc9a57c652b1f05128814d14fe0b694f74342a6f1dbb6f8cb120d1cf
Instruction Fuzzy Hash: E5012570D00209AFCB45EFE8C5516AEBBF6FF44300F5085AAD015AB355EB385A05DB81

Function 05D5F908 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00464d31ec85f5b693aeec3e395c2c518a0c6573906261d1198969bc53309194
Instruction ID: 08c8dc73c0a011421d495f2004959bee106ed8e10ea3841a56bcb586e9a78757
Opcode Fuzzy Hash: 00464d31ec85f5b693aeec3e395c2c518a0c6573906261d1198969bc53309194
Instruction Fuzzy Hash: 52015230244B818AD735EB38D405BCBBAD5EF41314F008E1DD1EA1B296CBF6784987A1

Function 05EB7040 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda9890802ab6da0fb7717871ba8cea84c0aed324c60d361ef6bd606fb9b2749
Instruction ID: f54dfcf3e1931f72df202d0050b0dfde82a9e449e2062002f345020bfa01a152
Opcode Fuzzy Hash: cda9890802ab6da0fb7717871ba8cea84c0aed324c60d361ef6bd606fb9b2749
Instruction Fuzzy Hash: 6001F071110F14CBC324DF2AE189812BFF4FF8C704751899AE0CA87A66CBB2B864CB00

Function 05EB2BEF Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bea581d17e7d2ba0ebe41afaf4de8e0b841dc0f03dcdbde5e15ec1130e5bef
Instruction ID: d6cca222e467354c0caae4b065b7c77678aa4d781b079d72c804ed7b042c4ee2
Opcode Fuzzy Hash: 75bea581d17e7d2ba0ebe41afaf4de8e0b841dc0f03dcdbde5e15ec1130e5bef
Instruction Fuzzy Hash: 91019E70D002099FCF05DFE8C54069EBFB2FF44300F5086A9D061AB352DB395A06DB81

Function 05EBB601 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060309a12f34ec96e0c857b80f7fb9dedbbcaae6cfa88a78b5e7f48ab147f7e9
Instruction ID: 5d67244d8d6996734c87d08c35fbc56309816e19e09c65fffe55e11dc0968d9b
Opcode Fuzzy Hash: 060309a12f34ec96e0c857b80f7fb9dedbbcaae6cfa88a78b5e7f48ab147f7e9
Instruction Fuzzy Hash: 0FF0E2326042086FEF05CFA4DC41DDB7FBAEF44211B0581A7E088E7224E271DE408750

Function 05D5FEA8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d20b3b583c75a0ee2ff171bf35b0421e89a7274ee824a8b03408b7ae57d3852
Instruction ID: 7c6868bfe1b094a967c76db7754277710e69934fa0e6b52a561b13c77fc7a7ae
Opcode Fuzzy Hash: 1d20b3b583c75a0ee2ff171bf35b0421e89a7274ee824a8b03408b7ae57d3852
Instruction Fuzzy Hash: FBF0A7B2B041255FDB14C759AD84FBF77FCEF89564B15002AB405DB201EA608C018760

Function 00C9D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032648819.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c9d000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859f8b96345ec51400abdc3d37e5075dbe13f71e88f74315cbfe715f4b061c0b
Instruction ID: 8c57065e287a3ad9c072dd925858e64bf79e190884d270c1bfe159fbe5aaf4a5
Opcode Fuzzy Hash: 859f8b96345ec51400abdc3d37e5075dbe13f71e88f74315cbfe715f4b061c0b
Instruction Fuzzy Hash: 09F0C271004344AEEB208A16DC88B62FFA8EF52734F18C55AED591A38AC3799C40CAB5

Function 05EBA208 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ebc77646bff645a2ad6485a6a95f8c52c4c2f9def28bce532788f4dbaa51a3
Instruction ID: 9de3c55dc79a32b852780d77e14fe5865565b42c660fbeaf6c70dd38ce5149f8
Opcode Fuzzy Hash: a3ebc77646bff645a2ad6485a6a95f8c52c4c2f9def28bce532788f4dbaa51a3
Instruction Fuzzy Hash: 39F05E727042645F93149B6AAC98C67BBE9EBC966031581AAE508CB351D9218C00C3A0

Function 05EBA178 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f48ab0259d82ca613dc202bf622a1e01cd5de19b80a1465adfe07b8d494f88
Instruction ID: 48cf510f296bdba929032f2996712b819eef69c372da9c75b5b93c0c07111355
Opcode Fuzzy Hash: 85f48ab0259d82ca613dc202bf622a1e01cd5de19b80a1465adfe07b8d494f88
Instruction Fuzzy Hash: 9101DAB0804219DFEF14CF65C8043EE7AB1BB45355F509525E8A5AA190D7B44A45CF90

Function 05EBA218 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ded8898b35d52d19feeee350b609202bdf7a6cc001c3d88dcc67a6a7fd8df67
Instruction ID: 0f60b4c415a27db159dd5b2b32693adbf993e59ce6b960045a6226856e667b11
Opcode Fuzzy Hash: 8ded8898b35d52d19feeee350b609202bdf7a6cc001c3d88dcc67a6a7fd8df67
Instruction Fuzzy Hash: 69E039727001286F93049AAED884C6BBBEDEBCC660361807AF508C7311DA319C0186A0

Function 05EB11D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a558e2f8d959cd1e47071dfcb2a1eddd9c314617ef66276049e2c681fd5dc8b
Instruction ID: 417991b1f47dcf7ffdf5c103e381eecbbb4ef646e370d444d35a7a7c29545034
Opcode Fuzzy Hash: 3a558e2f8d959cd1e47071dfcb2a1eddd9c314617ef66276049e2c681fd5dc8b
Instruction Fuzzy Hash: C4F03A7291010D8FDB90DFA8D8417BDBBF0FB04205F4485B9D418D7641EA399A059B81

Function 05EBA17D Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91d9f88734ad631a7001b80da595fb4f88c6e9ed8e7a59f41b465075b272300
Instruction ID: 6f564cb62b07354e7dfb88fc813cbfa88683e40901ab527cca77bf3b9f820d56
Opcode Fuzzy Hash: f91d9f88734ad631a7001b80da595fb4f88c6e9ed8e7a59f41b465075b272300
Instruction Fuzzy Hash: 64F01DB0804319DEFF15CF55C4043EE7BB1BF45325F548629E8A5AA190D7B44645CF80

Function 05EB32A0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52bfd7cc5a240e1fa8ff8c084558d512eaaedc2d7b1d19638d195d90b92a449
Instruction ID: bf54b8fa4e688329395ab8cdec10b9d7bc1561d49b2e1025c3dd25a37a39d662
Opcode Fuzzy Hash: e52bfd7cc5a240e1fa8ff8c084558d512eaaedc2d7b1d19638d195d90b92a449
Instruction Fuzzy Hash: BFF0EC353005005BCB08EB29FD85C9FBB9EDFC4320B409525E9495B3158F74AD45C7A4

Function 05EB11C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d92e986dad702a22d092f939b3303017c0c5f7f860554a35f31d88b9dc02504
Instruction ID: c8883822a29b9279935208e688ea0b91d484a781aa9a400dde9c0762a6fd5473
Opcode Fuzzy Hash: 2d92e986dad702a22d092f939b3303017c0c5f7f860554a35f31d88b9dc02504
Instruction Fuzzy Hash: ABF0907190010A8EEB50DF68C841BECBBF1FB04215F4485B9E055C7641E6388605CB41

Function 05EB11CF Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3ad49d79f824aaf0d4e46625acbbba783b42799065fcec1c7a74eab183c84d
Instruction ID: bebf2efaf6a9ba8cd34a444342757b8308119f28166ceab00cd9761dd62c6e15
Opcode Fuzzy Hash: 1c3ad49d79f824aaf0d4e46625acbbba783b42799065fcec1c7a74eab183c84d
Instruction Fuzzy Hash: 31F03A719101098EDF90DF78D8817EC7BB1FB04201F5485B9D019D7241E6398606CB41

Function 05EB3292 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d3a16489935e9aae79e943d0a2c1869a8a29599a3bf24e2145fd955539c7b9
Instruction ID: ea6dc4169efda57df80c24038382d89630f9d829338ce86fd1da798f30cf4bd3
Opcode Fuzzy Hash: 68d3a16489935e9aae79e943d0a2c1869a8a29599a3bf24e2145fd955539c7b9
Instruction Fuzzy Hash: 3AE0E5393105108BDF09AB25FE859DEA75BDFC0311B00DA2198455A73DCFB499498B91

Function 05EB1238 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a5d004d06b27308d429c1eab0932661c1f229acda76143398bac0146593769
Instruction ID: 07a7e88663ffcffb8ceeb344b1f7955260845c2be646fa0efd83fe51bac4888d
Opcode Fuzzy Hash: 40a5d004d06b27308d429c1eab0932661c1f229acda76143398bac0146593769
Instruction Fuzzy Hash: 2CE092336485248B8B11DF9CF5814FAB3ECF744A6A3288466E84CCA610F3B3D822C7C0

Function 05EB4740 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437e1de03ac404673d20b278e603c80797cb3ebebb9fccbf11d997b8369e417e
Instruction ID: 16315532b042b1d3a501ac73b47b43061aff9f0c28af4b4a8ca1011f97a8b4c4
Opcode Fuzzy Hash: 437e1de03ac404673d20b278e603c80797cb3ebebb9fccbf11d997b8369e417e
Instruction Fuzzy Hash: D9E0D832389364BFFB1516248C12BB73A6FD78A752F44119AE5C99B1D6C6C56800C3E1

Function 05EB4750 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77646ff3f2bce47850989ef895ef263cb4b3383f9ff62c6dcccb8bdf0c2e898b
Instruction ID: c97f58684e25281bb8d6facaf67c29842a2e8f86deffb9a7aff61ad431c0ddd1
Opcode Fuzzy Hash: 77646ff3f2bce47850989ef895ef263cb4b3383f9ff62c6dcccb8bdf0c2e898b
Instruction Fuzzy Hash: 8EE0263138023CBFFA1819695911BB7368FDBC9B22F100515A5898B2C4CED65C01C7E1

Function 05D5FF60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc65dbcfabd3e0ab78b477bcbbb3d9301fc9e641a983f87281c26b9aeff2b66
Instruction ID: 4549c495178335b15de997994a18dcaf7487082533a9c4443bcd3dc00f3b1ef9
Opcode Fuzzy Hash: 9cc65dbcfabd3e0ab78b477bcbbb3d9301fc9e641a983f87281c26b9aeff2b66
Instruction Fuzzy Hash: 93C09B5D54828196E45663701DD51ED3BC1E80A5283C541CBDDD5C9C52590C981F4773

Function 05EBB5D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ea8554967181f917e87edb9d2a389267517da728542eb7535b737d0ff41e2f
Instruction ID: a5338af08bf5b0da8824f0a3206423bb223a34a45effc469ad9d18bd7cb88681
Opcode Fuzzy Hash: 97ea8554967181f917e87edb9d2a389267517da728542eb7535b737d0ff41e2f
Instruction Fuzzy Hash: 4DC04C1A15AB903BE317E161EC17EE33E24C9636E53554193F584A5062C445869581F3

Function 05EB6030 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3696ebd5cdc5752af82c99337b2e6bb3aa39cfcc5417de5c1a616cf905a1897
Instruction ID: d96f7d164482ddd4362e3d8341a0e1fac4eb86f2a3bbce919e41b4e4cc056320
Opcode Fuzzy Hash: c3696ebd5cdc5752af82c99337b2e6bb3aa39cfcc5417de5c1a616cf905a1897
Instruction Fuzzy Hash: B6D022A3104104DFFA306C12CC16BEB348CB3A0B0EF50E011D0C0E7680D5E4C500A712

Function 05EBF1C2 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82329af8b2236b84a7c68ae0a787d1638b453c86f575bdc6854aeffdb917abb5
Instruction ID: 31bde4dae6a9d59c075719ef821e799937fd647bc3bfa0a8b705744b9964473c
Opcode Fuzzy Hash: 82329af8b2236b84a7c68ae0a787d1638b453c86f575bdc6854aeffdb917abb5
Instruction Fuzzy Hash: 9ED05231945108CFDBA0CB24E880AE8BB3AEF85315F00A1A2D40C92228DB312A88CF80

Function 05EB9AF0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8d552bc5efea62f943eb3461635fa5b7901062cec16a13e815548c0e117194
Instruction ID: ca4f60f7cbb4facc7dec69329d667b7a1c32cbde23cb0afa5e75e608297c4e6d
Opcode Fuzzy Hash: db8d552bc5efea62f943eb3461635fa5b7901062cec16a13e815548c0e117194
Instruction Fuzzy Hash: 8AC08C3B2192904FE7032B209C68AC23F30EF9210870B82C3E0C09E033C201851A8361

Function 05D5F9CB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acbbf93a1b5c016d2c10a4ded8017b4845517cd9fa727195f4af179bdd4c9c
Instruction ID: de5ae4e860c345d6eb1f01fb46d35fe777a720705456d3349f5235da15c5d972
Opcode Fuzzy Hash: e1acbbf93a1b5c016d2c10a4ded8017b4845517cd9fa727195f4af179bdd4c9c
Instruction Fuzzy Hash: D7C08CB38096508BE710AF24F808342AAE4CF95214F2A8CAE8088DB380E139E88143A0

Function 05EBEFB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d538f2a71d63551e2fe417f03817a25737ca509cd1a9324b79a2969d12265c5d
Instruction ID: e32761129b5ef6df3eee864a3c9446080172d325363f627103815d3b80292c86
Opcode Fuzzy Hash: d538f2a71d63551e2fe417f03817a25737ca509cd1a9324b79a2969d12265c5d
Instruction Fuzzy Hash: 89C04C304677048BE6556BBAA50E3A57E6CAB0231FF541010F58E515628EB164A0C655

Function 05EB080F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3b59737ff70a6377434f9b5d9b709ce47c7fd939f49fd92affde291ca567bc
Instruction ID: 1aeaed2e75eb620fefb068d2ec30ee62e2983c8b6874c8fc1e1fdecd91435e6d
Opcode Fuzzy Hash: 2e3b59737ff70a6377434f9b5d9b709ce47c7fd939f49fd92affde291ca567bc
Instruction Fuzzy Hash: CDC01232540108BBCB026EA0E841EACBF36AB54390F288048FB440D022C2B38923EF80

Function 05EB0810 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abec7eab45276a63cea1435aaf67b8926425dafe3a1e5022983c746656ad4f8
Instruction ID: 41d8f7d63781263b4221e662aca859198686e76304856bdfd4e8be5adeafd759
Opcode Fuzzy Hash: 8abec7eab45276a63cea1435aaf67b8926425dafe3a1e5022983c746656ad4f8
Instruction Fuzzy Hash: 56C00236544208BBCB026E81D805E59BF2AAB55694F548055FB040D561D6B3E562AB90

Function 05EBA4A4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07faa6096f0f70ff86a38ae1a2d9524a7a8cf37cb47e3f6649c3a55fe17fe74
Instruction ID: fc0a4b2ef111d2ec284064569b54c44292124d2ab99a5e360033f20be9db5e0b
Opcode Fuzzy Hash: d07faa6096f0f70ff86a38ae1a2d9524a7a8cf37cb47e3f6649c3a55fe17fe74
Instruction Fuzzy Hash: C0B012352D6200B36615A2689A88EFB941AEFF1703B40AC23B3C4800A096E1C929D217

Function 05EB66EA Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1f329603145d757770e22ef6de68f3c30a69915c8a03e227f852d2e36fc518
Instruction ID: b2de189a4bd35e08f7cd668a25b0375c6d33e99c15fb280a32d53db66a32a4a1
Opcode Fuzzy Hash: 5e1f329603145d757770e22ef6de68f3c30a69915c8a03e227f852d2e36fc518
Instruction Fuzzy Hash: C7B09B3A0041009DD605D750C594CD6BAA6BF95301B44D46152C4850359B61C41CD715

Function 05EB2C97 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3424c8ca3145ce3ca89fe75a729e4de3e67916f70ab9039974299a70152341ca
Instruction ID: d00f9d8b9ee68e061faea529d234ab440518b64bb0b552749b5ef31207c803be
Opcode Fuzzy Hash: 3424c8ca3145ce3ca89fe75a729e4de3e67916f70ab9039974299a70152341ca
Instruction Fuzzy Hash: F0B0123344C7484FC7042371F80B12A7F6CA990005FCC086DB1CE92502DB04B401C5C7

Function 05EBA4AA Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4feacfbd756acf5447e309651f30a6b42eaa06a2daac9b9b89228f0bfc5ec09c
Instruction ID: 4a1fb367e1893588958b4704e2d7b9dd1471cd2ad0cfe6dbc8502f44f1f7af33
Opcode Fuzzy Hash: 4feacfbd756acf5447e309651f30a6b42eaa06a2daac9b9b89228f0bfc5ec09c
Instruction Fuzzy Hash: 20B01235185100A3640591609904DFB940A6BB0702B009422A3C44001044A08129D117

Function 05EB93A3 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b105abd8da3b1c2ece5cecc62271d42d69097b18019b67f4d7e69f5308b16bb6
Instruction ID: 278b145b9bd65582a4423e449d2c6da9bfb033ab01c9afb713464b5445a584b6
Opcode Fuzzy Hash: b105abd8da3b1c2ece5cecc62271d42d69097b18019b67f4d7e69f5308b16bb6
Instruction Fuzzy Hash: 7FA0112230028882EE8002A3FA0B30CA820C380B00F28A080F0C8A82C0EAA0B002832A

Function 05EB2CA0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addceb92c3548ab591dfdadb9596103675ca95c72ae46ad5e4cc188e257fd509
Instruction ID: 278dd2b4167c653124de56daf9ef1d9341df6f0005cec94dde2abadd7ea3a6b1
Opcode Fuzzy Hash: addceb92c3548ab591dfdadb9596103675ca95c72ae46ad5e4cc188e257fd509
Instruction Fuzzy Hash: B190023545560C8F8A4427A6740A5557B5CA644559BC80051B54D415015F557415C596

Function 05D5FF8F Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043965314.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6d20298e3ce957e71441db59ea088ab240fa99dc56daf8939748254d0cd01d
Instruction ID: d83486fa2302c79f515cfc05ef9ec016c83db2e6173887b14a14f05315e0aeba
Opcode Fuzzy Hash: 4a6d20298e3ce957e71441db59ea088ab240fa99dc56daf8939748254d0cd01d
Instruction Fuzzy Hash:

Function 05EB6CB0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608516722dc704e8945db005de95f7893118ee62c6343d98342b45d45b7e28a8
Instruction ID: 6be2dae356fdd1df59ee870196c4da0bcb5d7d24dc95abe5ada58bcab048702d
Opcode Fuzzy Hash: 608516722dc704e8945db005de95f7893118ee62c6343d98342b45d45b7e28a8
Instruction Fuzzy Hash: C4A001789292059AEB108A62A04D2A97A72A70430AF009055A49251A89AFB821449E55

Non-executed Functions

Function 072BA128 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee3de1d4051983585412dd374c61d9da63c7165501df9d267b15cc5b7b64404
Instruction ID: 0fb1f9da12c42c5c7081d7152ed1c8a9e07bce98df9465466e1778dde7918bc8
Opcode Fuzzy Hash: 2ee3de1d4051983585412dd374c61d9da63c7165501df9d267b15cc5b7b64404
Instruction Fuzzy Hash: 76C1CEB07117028FEB25DB79C4507AE77F6AF89340F14846DE1869B291DF35E902CB62

Function 00D3EFF0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97bad3d921c0e245a94ec470d7da3de397d272845c4e00da0ce26cd63165dfa
Instruction ID: de0be0814c32ca865f69ceadbcb2dca9bbe415e4210b1f3854d6777b78911f52
Opcode Fuzzy Hash: f97bad3d921c0e245a94ec470d7da3de397d272845c4e00da0ce26cd63165dfa
Instruction Fuzzy Hash: B712D4F0C897458BD352DF25EA4C1A93BB2BB81319FD24B09C2612F2E5DBB4156ACF44

Function 072B5EE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3849fa0f1d484cb615d749239263b80d4f88b68576d3345b71a76fa638515483
Instruction ID: 9f21e7e50faa587eb89438a7798fe0cdae2a30d38e4afe4bb1f5f9d768012566
Opcode Fuzzy Hash: 3849fa0f1d484cb615d749239263b80d4f88b68576d3345b71a76fa638515483
Instruction Fuzzy Hash: 5BE129B4E1011A8FDB14DFA9C5809AEFBB2FF89305F248169D415AB356C731A942CFA1

Function 072B5AA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10db8eef5f6822f77a5221702f08a84719c3d34f31f997c214d66c49b905a912
Instruction ID: 1a29d5f54aace7c444d933846da6f5a1d411cf12842e310f19d76630e4f3addb
Opcode Fuzzy Hash: 10db8eef5f6822f77a5221702f08a84719c3d34f31f997c214d66c49b905a912
Instruction Fuzzy Hash: 36E10DB4E1021A8FCB14DFA9C5809AEFBF2FF89305F248159D415AB356D731A942CFA0

Function 072B38F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24251c3edbf08844c1f91e31d4d728b290cee0405c2e5ae2559c6420b7650c43
Instruction ID: 528adc955a10d98199913e4bb670e5d33a5471b0608257fc5c6f80acacef206a
Opcode Fuzzy Hash: 24251c3edbf08844c1f91e31d4d728b290cee0405c2e5ae2559c6420b7650c43
Instruction Fuzzy Hash: ABE1EAB4E1011A8FCB14DFA9C5809AEFBF2FF89305F248169D415AB356D731A942CFA1

Function 072B50F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6b13635ec7fabe601b24466f8a773abf21126a545f09129e94a987eb63bd4e
Instruction ID: a905c537cc9b88da8e0833ea5ac7761ae11ded04c02a35d69378d1ade21a8341
Opcode Fuzzy Hash: 6f6b13635ec7fabe601b24466f8a773abf21126a545f09129e94a987eb63bd4e
Instruction Fuzzy Hash: 89E1FCB4E10119CFCB14DFA9C5809AEFBB2FF89305F248169E415AB356D731A942CFA1

Function 072B3473 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044867694.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d494a33460abd5426eab930e446fb64134909453b64533af9ec45f9c13465be4
Instruction ID: 83810363f83e2d24a2bd98ed6379909652a83e8e93fed3bdaeb1e5782f7bbd81
Opcode Fuzzy Hash: d494a33460abd5426eab930e446fb64134909453b64533af9ec45f9c13465be4
Instruction Fuzzy Hash: 35E1F9B4E1011A8FCB14DFA9C5809AEFBF2FF89305F248169D415AB356D731A942CFA1

Function 05EBAB88 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311ac7d0ea2848b2955200e702326528fff87eab76271e8d6928ed23fa83b880
Instruction ID: 231c7a031a6cb69c4614b3b4dfa4c2a9d302766237e4ef841740cb945d353deb
Opcode Fuzzy Hash: 311ac7d0ea2848b2955200e702326528fff87eab76271e8d6928ed23fa83b880
Instruction Fuzzy Hash: 55D10831D2075ACACB01EB74D995A9DB7B1FF95300F10979AE0497B224EB706AC9CF81

Function 05EBAB98 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044150630.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e2ba931d8a7558c94a0965b6aacfa2557e8db573c996ac6502f92e7ac4f007
Instruction ID: 5e7f4c830dc8cf26bd538c05ec18d05002dcfbc5eba66c6495c59508049712e2
Opcode Fuzzy Hash: 59e2ba931d8a7558c94a0965b6aacfa2557e8db573c996ac6502f92e7ac4f007
Instruction Fuzzy Hash: B5D11831D2065ACACB01EB74D995A9DB7B1FF95300F10879AE0497B224EB706AC5CB81

Function 00D3DC00 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033119269.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d30000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417945e228607e5f50eddf60e5327541ad376c6c62a8d991b858d7c42755a2fb
Instruction ID: de91cced74d4ebc5f924ade5b8a5393edb94dd05642477965cda554bd53f2728
Opcode Fuzzy Hash: 417945e228607e5f50eddf60e5327541ad376c6c62a8d991b858d7c42755a2fb
Instruction Fuzzy Hash: 04A18F32E102158FCF05DFB5D9405AEB7B2FF88300B19456AE905BB2A5DB71E915CF60

Function 05CD39BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000005), ref: 05CD3A16
GetSystemMetrics.USER32(00000006), ref: 05CD3A50

Strings

J, xrefs: 05CD39DF

Memory Dump Source

Source File: 00000000.00000002.2043918480.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_new p o.jbxd

Similarity

API ID: MetricsSystem
String ID: J
API String ID: 4116985748-1141589763
Opcode ID: ad91848afe9e12ea7261cc889df06beb758cf02bf09f186879b94597cfb20d8d
Instruction ID: 7fb205235772ed14ab0e35ea2d96e712347047edc1d20bad22c5b77a41afbe02
Opcode Fuzzy Hash: ad91848afe9e12ea7261cc889df06beb758cf02bf09f186879b94597cfb20d8d
Instruction Fuzzy Hash: 37318BB19047898FDB20DF9AD0487AEFFF4FB48714F14885AD219A7240D3785584CFA6

Function 05CD39C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000005), ref: 05CD3A16
GetSystemMetrics.USER32(00000006), ref: 05CD3A50

Strings

J, xrefs: 05CD39DF

Memory Dump Source

Source File: 00000000.00000002.2043918480.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_new p o.jbxd

Similarity

API ID: MetricsSystem
String ID: J
API String ID: 4116985748-1141589763
Opcode ID: 5a6fc8cae24add596268bbe983ec908cb44d6a07d39177ab182a39bb9932a3b8
Instruction ID: 10bda628568d6a0bff161b44d4a0c9daa6dae2eaa4ff01a474a89825fa979f6b
Opcode Fuzzy Hash: 5a6fc8cae24add596268bbe983ec908cb44d6a07d39177ab182a39bb9932a3b8
Instruction Fuzzy Hash: 252133B09043488FDB50DF9AC5497AEFFF4EB09714F25885AD21AA7340C3796584CFA5

Analysis Process: new p o.exePID: 5820, Parent PID: 3168COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	5

Executed Functions

Function 01559B28 Relevance: 3.1, Instructions: 3079COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140279969c93a2420b29dfca7e060e5e03d9967ab85a55395520c40f1e43db6f
Instruction ID: 40af31aa708e9d19956eeabc2c528f5a3db469051c681d8da033bc069e4875c2
Opcode Fuzzy Hash: 140279969c93a2420b29dfca7e060e5e03d9967ab85a55395520c40f1e43db6f
Instruction Fuzzy Hash: EA631931D10B1A8ACB51EF68C8905ADF7B1FF99300F15C79AE4587B121EB70AAD5CB81

Function 0155CDA0 Relevance: 2.3, Instructions: 2308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3067511d548fa78068926255d00dea2466279c388cc284d37ebcb254f66e1f29
Instruction ID: 6644c814b605eb9da4f770384df2ccfdd0218490b56e70a6ef271af15e79fef4
Opcode Fuzzy Hash: 3067511d548fa78068926255d00dea2466279c388cc284d37ebcb254f66e1f29
Instruction Fuzzy Hash: 98331F31D1071A8EDB11EF68C8945ADF7B1FF99300F15C79AD458AB221EB70AAC5CB81

Function 01554A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35bd770efaa08710b75d6aa50076ffb7e17fedaec5fd67edeedc0c6b6cb85fa
Instruction ID: c60ba24aa267a94972050e191b4400dfa7c9364f11870ce4e4bd38d933ec6290
Opcode Fuzzy Hash: e35bd770efaa08710b75d6aa50076ffb7e17fedaec5fd67edeedc0c6b6cb85fa
Instruction Fuzzy Hash: 01B15E70E00209CFDF50CFA9C9957ADBBF2BF88354F14852AD819EB254EB749885CB81

Function 01553E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a09dbd1e49230604c964ee9cef3ee157a58b583377a608cc6de4e2a27235c8
Instruction ID: a193b78d2613367ab29073b172819984abd50a2e7084c956c72464819d16d79e
Opcode Fuzzy Hash: 26a09dbd1e49230604c964ee9cef3ee157a58b583377a608cc6de4e2a27235c8
Instruction Fuzzy Hash: B5916370E00209DFDF50CFA9C9957DDBBF2BF88314F14852AE819AB254EB749885CB91

Function 01556ECF Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 01556F06
LR]q, xrefs: 01556FF4

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID: LR]q$LR]q
API String ID: 0-3917262905
Opcode ID: 588e32a85a1f1cba3460fa46d9cbc603f9076303d6244665d7053dc75338f200
Instruction ID: 6e1bc04f7a492039f560741fd7ca4b272bac4034fac984e2f4ff0b2010092e45
Opcode Fuzzy Hash: 588e32a85a1f1cba3460fa46d9cbc603f9076303d6244665d7053dc75338f200
Instruction Fuzzy Hash: 7451C030A002459FDB56CF79C46479EB7B2FF89300F60846AE805EB351DB75AC42CB51

Function 0644DD89 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3274698222.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6440000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610597cc8bee306734709e10988157a4f679fcdbdc6d5be8570919ac9b8039be
Instruction ID: 8cf63cc7692929fe2aee98df0db58feeee03469c2e5d933e8adce05faaf62149
Opcode Fuzzy Hash: 610597cc8bee306734709e10988157a4f679fcdbdc6d5be8570919ac9b8039be
Instruction Fuzzy Hash: 34413272D047958FDB01DFB9C8452EEBFB0EF89210F1485ABD404A7241DB389941CBE0

Function 0644DE70 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0644DED7

Memory Dump Source

Source File: 00000003.00000002.3274698222.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6440000_new p o.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f49ddaea8455b2f0787dee44a39fb0fd7e07efeb3b4b740a80051e856855287f
Instruction ID: e6e8efb64f042fbcc283263d288440545c843240fdef993df870d2220e027e23
Opcode Fuzzy Hash: f49ddaea8455b2f0787dee44a39fb0fd7e07efeb3b4b740a80051e856855287f
Instruction Fuzzy Hash: 741112B1C0065A9BDB10DF9AC945AAEFBF4EF48320F10812AD818A7240D778A940CFA1

Function 0155F2E5 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0155F433

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 662f044257068d11e28af2b2db1fb36c01e2060aca253f90d12695bbbb5588a1
Instruction ID: d318d63b8524e1845f78436e273dd3485ea099ef524b2698dfd32b71b372c2d7
Opcode Fuzzy Hash: 662f044257068d11e28af2b2db1fb36c01e2060aca253f90d12695bbbb5588a1
Instruction Fuzzy Hash: FD31EE307002018FEB569B78D564A6E7BE2BF85240B14487ED806EF396DF38CD46CB91

Function 0155F2F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0155F433

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: b4f9253c5d537c314dc334c1b98536f4338092bf7ecd288feb135d58491da376
Instruction ID: e0aa1e2fe8a75d0daf9053347f1e68122767f61ed2e82f01092ba0bc002f9eb5
Opcode Fuzzy Hash: b4f9253c5d537c314dc334c1b98536f4338092bf7ecd288feb135d58491da376
Instruction Fuzzy Hash: B531DE307002058FDB599B78D564A6E3BE6BF85240B60483ED806EF399EE34DD46C7A5

Function 01556F70 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01556FF4

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 9e60a968af7396c8773a4c7d1cf7feb05250dfd56493e416b9985d48fe4316b5
Instruction ID: e288b94d37e2909476cd641bf38965e0c8c1976d9bb087756333f83c84c5bc21
Opcode Fuzzy Hash: 9e60a968af7396c8773a4c7d1cf7feb05250dfd56493e416b9985d48fe4316b5
Instruction Fuzzy Hash: 4F316134E10209DFDB55CFA9C86479EB7B2FF89300F60852AE805EB351EB71A942CB51

Function 01556B99 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01556BCF

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 50d6cbf4e929c029e59aabb937d21cd433400be934f884a2790472f1790fd955
Instruction ID: e6b9519d09d78bbeb3a6b0ebfca9185ecc8aee6fda81963459edaa8d74ea60c5
Opcode Fuzzy Hash: 50d6cbf4e929c029e59aabb937d21cd433400be934f884a2790472f1790fd955
Instruction Fuzzy Hash: C411CE317092819FC716AB79843425E7FB6EF8B200B1588AFC145CB3A6DA358C4AC792

Function 01557900 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d3305dc66f5bfbb3e8853e713434a58f5e149fc1bf84e5e8fa57e76904d921
Instruction ID: 6e86575a6e33eef4f2002497a8d27977df6903ad2b1d4d94e50f7ecb53e73615
Opcode Fuzzy Hash: b9d3305dc66f5bfbb3e8853e713434a58f5e149fc1bf84e5e8fa57e76904d921
Instruction Fuzzy Hash: DB124E30B01106DFCB56AB7CE8A8A1D33A6FB89254B50493EE906CB769CF35DC56C790

Function 01559441 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e864fca5d1de0df2e6466161f71961a0801337b4c64575feff18e568dc7e7c
Instruction ID: 1fcaa5a2382ec86ea23fd63daa43781966763de7e70f263e1b18bf520c3e91c5
Opcode Fuzzy Hash: 10e864fca5d1de0df2e6466161f71961a0801337b4c64575feff18e568dc7e7c
Instruction Fuzzy Hash: AFF1C234A00105CFDB55DFA8D9A0AADBBB6FF85304F20846AE806DB395DB39DC46CB51

Function 01554A8D Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87e218fe6d6dcdb347c84e39262e22d84c12b217bc9efdd2b0ede932d47592f
Instruction ID: c7e025a13e408884142af40ed8caaf248b6e192882bcbe1e8f4344d6924c6033
Opcode Fuzzy Hash: b87e218fe6d6dcdb347c84e39262e22d84c12b217bc9efdd2b0ede932d47592f
Instruction Fuzzy Hash: 9FB15B70E00209CFDF50CFA9C9A57EDBBF1BF88314F14852AD819AB254EB749885CB91

Function 01553E74 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75aef3c10729717979b1566efe97ab43a898cd3de7e9e3b19a4b9ee8651aa7b5
Instruction ID: 651c98805fdb2c7b65dece7357e7d6b8bf65ca3fdb9b700f2e04d8d336b9d9b6
Opcode Fuzzy Hash: 75aef3c10729717979b1566efe97ab43a898cd3de7e9e3b19a4b9ee8651aa7b5
Instruction Fuzzy Hash: 87A16270E00209DFDF90CFA9C9957DDBBF1BF48314F14852AE819AB254E7749886CB91

Function 01559888 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53b28d320a5e9ed1dd1a3a2d3af60c54bcca7a0ec989de15f498878b5c408bf
Instruction ID: cff9e5e60e2ddf4cf5fd7ae001ec56dff306fb8601a1d468d2564b21fa9ba087
Opcode Fuzzy Hash: b53b28d320a5e9ed1dd1a3a2d3af60c54bcca7a0ec989de15f498878b5c408bf
Instruction Fuzzy Hash: 53818B71A00205CFDB44CFA9D894B9DBBB6FF88314F14C16AE909AF395DBB49840CB90

Function 01554810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416c46fa2d5cad0bca37375935da80689d3c960a73ac434a2e8528c945e8f955
Instruction ID: 3071384f47a9b03e5038b05713ffeea201e3f4900b075fa1e2d21ce51b7c9c74
Opcode Fuzzy Hash: 416c46fa2d5cad0bca37375935da80689d3c960a73ac434a2e8528c945e8f955
Instruction Fuzzy Hash: 4C717F70E00249CFDF54CFA9C9557DEBBF2BF88314F14812AE815AB254EB749881CB95

Function 01554804 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddeed3ccad5c6e89ba2b8b6b674d9179d004db5e7150c84780accc554df57f6
Instruction ID: 3422a564e6f369d909535eaa59b4f778ae333a876801b78a939577c57183295e
Opcode Fuzzy Hash: 2ddeed3ccad5c6e89ba2b8b6b674d9179d004db5e7150c84780accc554df57f6
Instruction Fuzzy Hash: AB715D70E00249CFDB50CFA9C9557DEBBF2FF88314F14812AE815AB254E7749881CB95

Function 01556CD5 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbb5a0da394eb536c7cea417eeb3d9080f7f6004dc7db6eed97179fae71a444
Instruction ID: 7227d8d8ec51c6fa10725474bd7b0bd052c49fee88dba26018e3979bebc04ecf
Opcode Fuzzy Hash: 1fbb5a0da394eb536c7cea417eeb3d9080f7f6004dc7db6eed97179fae71a444
Instruction Fuzzy Hash: 50513270D002588FDB54CFA9C899B9EBBF1FF48304F54852AE81AAB290D774A844CB95

Function 01556CE0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893e4a9ee0f3762d133c48d800100019ff6f693335591903c5b2a553d6390247
Instruction ID: 1bd72fb32eca482e3a76658d1079c7500ab207a67230768a82737fde6967086b
Opcode Fuzzy Hash: 893e4a9ee0f3762d133c48d800100019ff6f693335591903c5b2a553d6390247
Instruction Fuzzy Hash: 5C512370D002588FDB54CFA9C895B9EBBF1BF48314F54852AE819BB390D774A844CB95

Function 0155112B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5119bee57d1395450bc06d9507bd7e78f9a3863bcc088d5708b5144ba31cc5
Instruction ID: 7ab84f019e50c1dd055295c83fede2c8cde7c539bfb78e3af90896b2a0d2ff0a
Opcode Fuzzy Hash: 4f5119bee57d1395450bc06d9507bd7e78f9a3863bcc088d5708b5144ba31cc5
Instruction Fuzzy Hash: 70511D3020314A9FC71AFF78F9A8A483F67FB563053044979D2419B63EDB20692ADB91

Function 01551138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd30c786de6c39d4458e64ad66e296164451ab56f3c2e9cc18786d3239699403
Instruction ID: cbd62189abc03a7ccb508a53be3739068a526dd1283763e78b9ab5a02a02e74e
Opcode Fuzzy Hash: dd30c786de6c39d4458e64ad66e296164451ab56f3c2e9cc18786d3239699403
Instruction Fuzzy Hash: 5151EB3120314A9FCB1AFF78F9A8A483F67FB557053018979D2019B63DDB20692ADBD1

Function 01559148 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920887c62fa7d00e07a041e94d926f12e7cd225670150b3395c6ab5d8091d586
Instruction ID: 8aa7b22d3cb406c1dcd45d30d5675471c4324f82cd569f30b620902e9f4867bf
Opcode Fuzzy Hash: 920887c62fa7d00e07a041e94d926f12e7cd225670150b3395c6ab5d8091d586
Instruction Fuzzy Hash: 0431D031E04225DBDB56CFA8C96459EB7B2FF8A314F10852AEC05EF241DB749846CB91

Function 0155F1A9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fad2506a66137de64890218f5e99a8211b3863d7b6c7ea7b0a0275c8aebef0
Instruction ID: e247d3b8dbcc75321adc1b5056ab11da06e55692f30cb3ebd7869dae0ca9cca6
Opcode Fuzzy Hash: 10fad2506a66137de64890218f5e99a8211b3863d7b6c7ea7b0a0275c8aebef0
Instruction Fuzzy Hash: 7B318175E106059FDB56CFA4D8A469EB7B2BF89300F10C51AE806EB754DB30AC47CB51

Function 015526DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a97810eb7324dccfe2f6e077d6536a06593d34925cc85c05ce904c033d602ee
Instruction ID: c056a49919e8f40b446a6ea0aa3cf2c7d46ca2f95e887c28803738e05bda81b7
Opcode Fuzzy Hash: 2a97810eb7324dccfe2f6e077d6536a06593d34925cc85c05ce904c033d602ee
Instruction Fuzzy Hash: 4641DFB0D00349DFDB14DFA9C594ADEBFB5FF48310F24842AE809AB254DB759945CB90

Function 01555097 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e903ea036ab5093c2b83066b915a7a96669820b57988f38ffd5aef52e8a33d1
Instruction ID: 0467fe4a11732423e9b07e72907cfbcac86e0369d2116fa8b7e9b4cb7e925d5d
Opcode Fuzzy Hash: 9e903ea036ab5093c2b83066b915a7a96669820b57988f38ffd5aef52e8a33d1
Instruction Fuzzy Hash: BF318D30B01216DFDB95EB78C5646AD7BF2BF89204F100469C942AF7A4EB36CD45CB90

Function 0155F1B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1c3fdc5312376a684213d298846e965f92511b0e637d2ee97346a90bb865fb
Instruction ID: af88af1d8940bceffc7a14938e1db08e08915c498aea5ce78033eec0519d0a73
Opcode Fuzzy Hash: ed1c3fdc5312376a684213d298846e965f92511b0e637d2ee97346a90bb865fb
Instruction Fuzzy Hash: 60317E74E006098BCB19CFA9D86469EB7B2BF89300F10852AE816EB354DF70AC42CB51

Function 015526E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fec06479d027f83f4cc42cdebd9c5a4ec1562e4e49cbf19de38288261b27c5
Instruction ID: 27981d8fac77fd3a15e431cbce1bc07b25087beab6ad9977914ef7fae5c8ea9a
Opcode Fuzzy Hash: 52fec06479d027f83f4cc42cdebd9c5a4ec1562e4e49cbf19de38288261b27c5
Instruction Fuzzy Hash: ED41DBB0900349DFDB14DFAAC594ADEBFB5FF48310F24842AE809AB254DB75A945CB90

Function 015550A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0291492aa912b9677675890e90b67a73845f0cfdb262d0942b12999578cb3c
Instruction ID: 6cf5c5aa9e095e9b4317e6c967c3dc9620319eb69c93a6369f7e89e76aa81fbf
Opcode Fuzzy Hash: df0291492aa912b9677675890e90b67a73845f0cfdb262d0942b12999578cb3c
Instruction Fuzzy Hash: E2316B30B10206DFDB95EB78C5646AD7BF6BB88204F100469C902EF7A4EB36CC05CB91

Function 01559247 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2a0260204cc4f20d4380601e2599d9ac21937c9e9d8bcc842b607e6da0284d
Instruction ID: 04c42ebdc57d3fda69c5ba3221e30401dee4d1172fd7d7a7a2a116d9b81c1a03
Opcode Fuzzy Hash: cd2a0260204cc4f20d4380601e2599d9ac21937c9e9d8bcc842b607e6da0284d
Instruction Fuzzy Hash: E9318470E0020ADFDB15CFA9D4A46DEFBB6FF89304F14852AE805AB341DB759846CB91

Function 0155169F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e648358f76af63e6af3734900dcb7c3e4607f5366e3c4acddda143d2b9997463
Instruction ID: 63ac0520131a47f705f27dade4e7667f8384bddaf474c0be23b56bb709ad6289
Opcode Fuzzy Hash: e648358f76af63e6af3734900dcb7c3e4607f5366e3c4acddda143d2b9997463
Instruction Fuzzy Hash: C12191385014069FDF63AB3CE8A8B6D3B6AFB45204F004A67D506CF25ADB24DC16CB62

Function 01559B18 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c584925622ffead775ae52535cec86b84767a52098806be55b6a0816e991a104
Instruction ID: 1f24eaf741ea4f56fe43344060ca73ab05e33449af45355bbf2c413ec9fbfbdd
Opcode Fuzzy Hash: c584925622ffead775ae52535cec86b84767a52098806be55b6a0816e991a104
Instruction Fuzzy Hash: 49210575A04204DFEF41CF64D859B9EBBF0FF84224F15849BD901DF252D6749904C7A1

Function 01559258 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fcd1844f3765be3fc1f12381a5793cc2a87f24fdf843fb53031b77a51c3662
Instruction ID: ab18567b84eb68a1b0eaba7a213c940eaa493167298001b0a45e8c6572862904
Opcode Fuzzy Hash: 90fcd1844f3765be3fc1f12381a5793cc2a87f24fdf843fb53031b77a51c3662
Instruction Fuzzy Hash: 37219130E0020ADBDB45CFA9D4946DEFBB2FF89304F14C62AE805AB341DB759846CB91

Function 01554F89 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005628028bfcd4c789b00d825b14c359c33a5416c53d0f69eeaa3d445647598e
Instruction ID: 32b6b2e603705c0f0fb8f2af1ddd6a4ccce6adb010926d32a8157dfc9356d34e
Opcode Fuzzy Hash: 005628028bfcd4c789b00d825b14c359c33a5416c53d0f69eeaa3d445647598e
Instruction Fuzzy Hash: 6F211930600209CFCB55DF79C568AAD7BF1FF89300B1104A9E806EB3A5EB359D45CB91

Function 01551878 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fa3a3cbbeb580131fdbcba774de90be03d7e355a609770491730f09e228c65
Instruction ID: 1f5bba8ac94ca9253142128918979fca35e0ad2e5102e8103b691443aa92c1f8
Opcode Fuzzy Hash: f1fa3a3cbbeb580131fdbcba774de90be03d7e355a609770491730f09e228c65
Instruction Fuzzy Hash: B5212C30B00645CFDBA5EB78C5A57AD7BB2BF89200F100469D946EF661DB368D45CB50

Function 0150D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3269855298.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150d000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c3c4f83e4ff8c322c2c36bdb6fc124a02e7417bc5e64169e2be48dd941e21f
Instruction ID: e2824ebf8fc180ca8cccf2d23d6bb1106fba8dd70aae9b0edac5eb384f5fd19d
Opcode Fuzzy Hash: f5c3c4f83e4ff8c322c2c36bdb6fc124a02e7417bc5e64169e2be48dd941e21f
Instruction Fuzzy Hash: B9210071604204DFDB16DFE8D990B26BFB5FB88314F20C969D90E4F296D33AD406CA62

Function 01559158 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154bc5c539e41cf1253586372c2b27ffc855697b72cfa9e8667e71593ba44659
Instruction ID: 7ef85f67dce486de860c0e48f60684c2764deff7e65d927d272ebb91de88bbd4
Opcode Fuzzy Hash: 154bc5c539e41cf1253586372c2b27ffc855697b72cfa9e8667e71593ba44659
Instruction Fuzzy Hash: E2218030E0021ADBDB59CFA9C86459EF7B2BF89304F10851AEC15FB341DB74A845CB91

Function 015517C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2765c8b5dcc5d66f6fa1e3477d9611cc2ed7ec9484737533cd72e47ea8715ac0
Instruction ID: 27b4cbd15b4bab3c65506f5509b61b7bca22ae270e5605d8d7178d2d5b65317d
Opcode Fuzzy Hash: 2765c8b5dcc5d66f6fa1e3477d9611cc2ed7ec9484737533cd72e47ea8715ac0
Instruction Fuzzy Hash: 8C112471E017459FCB52ABB8986426E7FB9BB4A621F000866D80AC7301DA34884187D1

Function 01551888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f532786101e32fb0388d592b862ef3638d3fdd4ae71dc95e3fae982f2cedb3
Instruction ID: c692c54a46de0ac1a12887965c427cba71fd5e6f64e986f21cdcf698e049edaa
Opcode Fuzzy Hash: f1f532786101e32fb0388d592b862ef3638d3fdd4ae71dc95e3fae982f2cedb3
Instruction Fuzzy Hash: 61213B30B00649CFDB94EB78C5A57AE7BF6BB89200F100469D906EF265DB328D05CBA1

Function 01551383 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fc1321776d1cc6a4b85faa2c125663e6b778f2ed79f2cfbec9e59609dfb241
Instruction ID: a6950da5759e4540a705e5d4a1b5af6167b70e2f459c48bff2554189e5659348
Opcode Fuzzy Hash: 75fc1321776d1cc6a4b85faa2c125663e6b778f2ed79f2cfbec9e59609dfb241
Instruction Fuzzy Hash: 55218C30A01642CFDBB75778A4F836D3F6AFB06215F11086BE946CF396DA298C95C742

Function 015516B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab38a72cd3e581df20d3c6d0bddddaec5b8f87797b0bf52643f38a2ae8b3d91
Instruction ID: 729233af641747ed27193f031fee41c712d182617883fcd546aec40d126005a5
Opcode Fuzzy Hash: dab38a72cd3e581df20d3c6d0bddddaec5b8f87797b0bf52643f38a2ae8b3d91
Instruction Fuzzy Hash: F2218E386110068FDF63AB3CE9A8B5D3B5AEB44204F004A32D50ACB25ADB24DC55CB92

Function 01554F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3114a0a64d5773a1a7ff2c263b2993780dc2f1c14c5f25dc67a4dc0ca49cfcca
Instruction ID: f0c1a7585fc981e5779ce58bc76874b97d496144f011cda65930ac5e44d97572
Opcode Fuzzy Hash: 3114a0a64d5773a1a7ff2c263b2993780dc2f1c14c5f25dc67a4dc0ca49cfcca
Instruction Fuzzy Hash: 9F212A30710209CFCB55DB79C568AAD77F1BF89200F104469E806EB3A4EB329D45CB90

Function 01551488 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa4e09e52bd7bc9d7281b805656a5f070e012f86cc3db307de76bc0daaf2371
Instruction ID: 42231802e194b3528b4fe535866af9bdb83a9f0a91259152f310aba48644e051
Opcode Fuzzy Hash: 3aa4e09e52bd7bc9d7281b805656a5f070e012f86cc3db307de76bc0daaf2371
Instruction Fuzzy Hash: 38117271A017568FCFA29BB884A02AD7FF5BF45220B1504BBEC05EB242D635D942CB91

Function 01550838 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b25e593c5a1b17b9963c0276b70102c807bd149e43ea0b029c59c9c3d5c70fd
Instruction ID: c1fa266c66336f71ccf72eeb5fe8535f8f1bd019eddcb9acca45e915d0e248d1
Opcode Fuzzy Hash: 9b25e593c5a1b17b9963c0276b70102c807bd149e43ea0b029c59c9c3d5c70fd
Instruction Fuzzy Hash: A611C130A012059FEFA65A789434B6E37A5FB82314F10497BF802CF2C6DA65CC858BD1

Function 01550848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a274c1474cb09e345e10e889f5e7c1c2b05bdd1dc4bed7bbdeb25624f5a6c5d2
Instruction ID: 0e2f1e4339e0b6335ee761e8fcc73df072d928398f0b786f2c5423f1307c89bd
Opcode Fuzzy Hash: a274c1474cb09e345e10e889f5e7c1c2b05bdd1dc4bed7bbdeb25624f5a6c5d2
Instruction Fuzzy Hash: 18119D30B012049BEFA66A79D424B2E36A5FB41314F20493BE906CF2D6DA25DC858BD1

Function 0150D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3269855298.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150d000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653ad99cd2e7246af734618c237ee6e9a344e848f9ec54541cc706dd632af729
Instruction ID: 7b454239f2fcd3e247036596b5b93cd030a9550a6db5e2792cab81ed9e80107c
Opcode Fuzzy Hash: 653ad99cd2e7246af734618c237ee6e9a344e848f9ec54541cc706dd632af729
Instruction Fuzzy Hash: 372192755093808FDB03CFA4D994715BF71FB46214F28C5DAD8498F6A7C33A980ACB62

Function 01551498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6d333c5124d817bc08c7342fa8aa040f5bad7473a0fc312be99562e37bd581
Instruction ID: 15bbea3f22de84018903e7b15e0b70258172d342bb76f7a5cea9d1a5d4bc1913
Opcode Fuzzy Hash: 2d6d333c5124d817bc08c7342fa8aa040f5bad7473a0fc312be99562e37bd581
Instruction Fuzzy Hash: 45012131A016169FCF65EFB884A029D7FE5FF48210B14047AEC05EB341E735E941CB91

Function 015580E8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42161d318658db23d15baecbb5c3163e6ae00fffc21dd16b0e6ecbdd9269091c
Instruction ID: 2d67f0a94973614248cf3081d5aa2f46a93e9a0704f9963d33f203f30c628056
Opcode Fuzzy Hash: 42161d318658db23d15baecbb5c3163e6ae00fffc21dd16b0e6ecbdd9269091c
Instruction Fuzzy Hash: F601847090124ADFCB0AFFB4FA54A9CBB76EF51304B0046AAC1049B269DB316E1DCB52

Function 01551524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3994c58d6bee555278a121bb265072ff683dee6a190399c902a43603d5221514
Instruction ID: b6dff25e9d40efe3b6b927c67a98dbfaa478fc21e09d5c8fc79451d6a53abae5
Opcode Fuzzy Hash: 3994c58d6bee555278a121bb265072ff683dee6a190399c902a43603d5221514
Instruction Fuzzy Hash: 3BF0F632A04551CBD7628BA884F02AC7FA0FEA421171C04D7DC42DF351D235E502CB11

Function 01557088 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e2e3db74aee60d591a19c2a1979a71d6dfede51ef8461c00f8878098abc2b4
Instruction ID: bc9d042ec1f57dfa56ee17eb4ca4ef7a08b6788ba003c9c4a7d55b0c268dc0a9
Opcode Fuzzy Hash: 93e2e3db74aee60d591a19c2a1979a71d6dfede51ef8461c00f8878098abc2b4
Instruction Fuzzy Hash: 78F01439B40108CFC714EB74D5A8A6CB3F2EF88215F5444A8E506CB3A0CB31AD42CF40

Function 015580F8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3270081814.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1550000_new p o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635b26a141b387fb4e007a01c6aca31649383cd9612edc3432260b8afbabb205
Instruction ID: dbb69e1ba78c8fce030da80e6f7a1e04adcae0147011b3299005f0fada773461
Opcode Fuzzy Hash: 635b26a141b387fb4e007a01c6aca31649383cd9612edc3432260b8afbabb205
Instruction Fuzzy Hash: 46F01D7090110EDFCB09FFB4FA54A9D7BBAEF40304F50467AC2049B269DB316A19CB82

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report new p o.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new p o.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
new p o.exe

Function 05D50040 Relevance: 15.4, Strings: 1, Instructions: 14136
COMMON

Function 05D50006 Relevance: 15.3, Strings: 1, Instructions: 14098
COMMON

Function 05EB330B Relevance: 12.9, Strings: 10, Instructions: 444
COMMON

Function 05EB4C42 Relevance: 12.7, Strings: 10, Instructions: 248
COMMON

Function 05EB4C29 Relevance: 10.2, Strings: 8, Instructions: 206
COMMON

Function 00D3C060 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 05EB8AD0 Relevance: 7.7, Strings: 6, Instructions: 203
COMMON

Function 05EB8AC7 Relevance: 3.9, Strings: 3, Instructions: 180
COMMON

Function 05EB8AC0 Relevance: 3.9, Strings: 3, Instructions: 178
COMMON

Function 072B6654 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248
processCOMMON

Function 072B6660 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
processCOMMON

Function 00D3B280 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre